HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2 > Preface: About This Document

New and Changed Documentation in This Edition

The documentation reflects the following changes to the HP-UX IPSec product:

  • IPSec policies, bypass list and startup parameters are now configured using the ipsec_config command-line utility. The ipsec_config utility also supports batch files.

    The ipsec_mgr GUI is still used to configure security certificates.

  • The IPSec policy, preshared key, and startup configuration information is now stored in a configuration database, /var/adm/ipsec/config.db. The policy configuration file (default /var/adm/ipsec/policies.txt), preshared key file (/var/adm/ipsec/pskeys.txt), and startup file (/etc/rc.config.d/ipsecconf) are no longer used.

  • HP-UX IPSec was enhanced to support dynamic configuration updates. Administrators can update the configuration without stopping and restarting HP-UX IPSec.

  • HP-UX IPSec now supports manual keys for IPSec Security Associations.

  • HP-UX IPSec was enhanced to secure Mobile IPv6 packets with manual keys when the local system is a Mobile IPv6 Home Agent.

  • HP-UX IPSec can act as a gateway (IP router) and forward IP packets, but only for HP-UX Mobile IPv6.

  • In previous releases, there was only one type of IPSec policy, which contained both host and tunnel IPSec information. There are now separate host IPSec policies and tunnel IPSec policies. There are also gateway IPSec policies, which are supported only for HP-UX Mobile IPv6.

  • ISAKMP policies are now referred to as IKE policies.

  • The default Oakley group (Diffie-Hellman group) is now 2.

  • Preshared keys are configured in authentication records.

  • Administrators can now configure preshared keys for remote subnets.

  • IKE ID parameters can now be configured for IKE negotiations when using preshared keys.

  • Certificate IDs are configured as IKE ID information in authentication records. The authentication records are indexed and searched by remote IP address. There is no longer a certificate ID record for the local system (127.0.0.0).

  • The ipsec_report utility supports the following new options:

    • -entity (used with the -audit option): The -entity option allows you to specify one or more entities when displaying an audit file (-audit). This allows you to selectively display audit records logged by the specified entities.

    • -host: The -host option displays IPSec policies loaded by the policy daemon.

    • -ike: The -ike option displays IKE policies loaded by the policy daemon.

    • -gateway: The -gateway option displays gateway IPSec policies loaded by the policy daemon.

    • -tunnel: The -tunnel option displays tunnel IPSec policies loaded by the policy daemon.

      The ipsec_report options -ipsec and -isakmp are still supported, but only for backwards compatibility and are not documented. The ipsec_report option -ipsec reports host IPSec policies (it is now equivalent to the -host option). The ipsec_report option -isakmp reports IKE policies (it is now equivalent to the -ike option).

  • The ipsec_policy utility now allows you to specify a direction for the packet parameters.

  • The ipsec_admin utility supports the following new options to set general operating parameters:

    • -spd_soft: The -spd_soft option allows you to specify the “soft” limit for the size of the Security Policy Database (SPD). The SPD is the HP-UX IPSec runtime policy database, with cached policy decisions for packet descriptors (five-tuples consisting of exact, non-wildcard source IP address, destination IP address, protocol, source port, and destination port).

    • -spd_hard: The -spd_hard option allows you to specify the “hard” limit for the size of the SPD.

    • -spi_min: The -spi_min option allows you to specify the lower bound for inbound, dynamic key Security Parameters Index (SPI) numbers.

    • -spi_max: The -spi_max option allows you to specify the upper bound for inbound, dynamic key Security Parameters Index (SPI) numbers.

  • IPv6 IKE functionality, formerly provided by the daemon ikmpdv6, is now provided by ikmpd. The ikmpdv6 daemon is no longer shipped with the product.

© 2004 Hewlett-Packard Development Company, L.P.