HP-UX IPSec A.03.02.02 Release Notes HP-UX 11i version 3 (766158-001, April 2014)

The following sections describe product changes related to IKE policies.

HP-UX IPSec now supports IKE version 2 (IKEv2) in addition to IKE version 1 (IKEv1).

Policies for ike are replaced by ikev1 and ikev2 policies.

The migration utility converts each existing ike policy to an ikev1 policy as follows:

• The IKE authentication (-auth) value is ignored. The ikev1 policies do not include a value

for the IKE authentication method. The IKE authentication method is now specified in

authentication records using the -local_method and -remote_method arguments.

policies, but cannot delete them. The default policies are always last in the search order.

The ipsec_config add ike command and related commands (ipsec_config delete ike,

ipsec_config show ike) are deprecated. These command are still supported, but not

documented. The ipsec_config add ike command and related commands will be obsolete in

future releases. HP recommends that you use the following commands instead:

If you use the ipsec_config add ike command, ipsec_config creates an IKEv1 policy

HP-UX IPSec no longer supports DES encryption for IKEv1 SAs. If an existing IKE policy has DES

encryption configured, the migration utility converts the DES value to the default IKEv1 encryption

algorithm in the profile file (3DES). The migration utility also converts the policy type to IKEv1 and

displays a warning.

If you are using an IKE policy with DES encryption to communicate with peers that still support

DES, you must modify the peer configuration to use 3DES or an alternate algorithm.