HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide

The IKE policy specifies parameters used to establish an IKE security association with the
specified remote IP address. The authentication method is PSK (preshared key). The default
HP-UX IPSec values are used for all other parameters.
An authentication record
The authentication record contains the specified remote IP address and preshared key value.
The default HP-UX IPSec values are used for all other parameters.
HP-UX IPSec Default Parameter Values
For IPSec parameters that SRP does not prompt for, SRP uses the IPSec default values in the
configuration records. The IPSec default values are read from the default IPSec profile file,
/var/adm/ipsec/.ipsec_profile. View this text file to determine the default IPSec parameter
values and the matching values that must be configured on the peer system. Some of the main
parameters and the default values set in the factory-installed profile file are as follows:
IKE exchange type: Main Mode
IKE hash algorithm: MD5
IKE encryption algorithm: 3DES
IKE Diffie-Hellman group: 2
Policy Selection and Priority
When IPSec selects policies, it selects the first policy that matches the search criteria. Because of this
selection algorithm, IPSec policies are typically ordered from most specific to least specific. SRP adds
the policies using the IPSec automatic priority increment mechanism, where IPSec determines the
priority for a new policy by adding n to the current highest priority for that policy category, where n
is the automatic priority increment value. When a policy is added with this mechanism, it becomes the
last policy evaluated before the default policy in the category, so a less specific existing policy can
match first; you might have to modify the priority value for your policies so that the SRP policy is
evaluated in the intended order.
Using IPSec with IPFilter
HP-UX IPFilter is located below HP-UX IPSec in the networking stack. HP-UX IPFilter processes inbound
IP packets before HP-UX IPSec and processes outbound packets after HP-UX IPSec.
To use IPSec with IPFilter, you must configure IPFilter to pass the following packets:
IP packets with protocol 50 (IPsec Encapsulating Security Payload protocol, ESP)
IP packets with protocol 51 (IPsec Authentication Header protocol, AH)
UDP packets with port 500 (IPsec Internet Key Exchange protocol, IKE)
If HP-UX IPSec secures a packet (the packet has an AH or ESP header), HP-UX IPFilter cannot filter the
packet based on upper-layer information, such as TCP port numbers, connection states, and ICMP
message types. The only upper-layer protocol information that HP-UX IPFilter processes is the IP
protocol number. IPSec packets do not match any IPFilter rules based on the TCP, UDP, or ICMP
protocol type or based on field values for these protocols (such as port numbers).
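The following IPFilter rule set passes the three packet types listed above and illustrates the upper-layer limitation. It is an added example, not configuration from this guide or from SRP; the peer address 192.0.2.10 and the interface name lan0 are placeholders.

```ipf
# Constructed example: IPFilter rules that let HP-UX IPSec traffic through.
# 192.0.2.10 (remote IPSec peer) and lan0 (interface) are placeholders.
# "quick" rules stop evaluation at the first match; the trailing block
# rules apply only to packets that no quick rule matched.

# IKE negotiation: UDP port 500 in both directions
pass in  quick on lan0 proto udp from 192.0.2.10 port = 500 to any port = 500 keep state
pass out quick on lan0 proto udp from any port = 500 to 192.0.2.10 port = 500 keep state

# IPSec ESP (IP protocol 50) and AH (IP protocol 51)
pass in  quick on lan0 proto esp from 192.0.2.10 to any
pass out quick on lan0 proto esp from any to 192.0.2.10
pass in  quick on lan0 proto ah  from 192.0.2.10 to any
pass out quick on lan0 proto ah  from any to 192.0.2.10

# Limitation described above: inbound packets from the peer arrive as ESP
# or AH, so IPFilter sees only protocol 50/51 and this TCP rule never
# matches them. It affects only cleartext TCP, which IPSec did not protect.
# Restrict protected traffic by peer address in the esp/ah rules instead.
pass in quick on lan0 proto tcp from 192.0.2.10 to any port = 22 flags S keep state

# Deny and log everything else
block in  log all
block out log all
```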
6.1.9 Completing the Configuration
After you configure a base compartment, you can apply an application template to add application-
specific configuration data. For more information, see 6 Using the base Template, 7 Using the apache
Template, 8 Using the tomcat Template, and 9 Using the custom Template.