HP-UX IPSec A.03.02.02 Release Notes HP-UX 11i version 3 (766158-001, April 2014)

IKEv1 Perfect Forward Secrecy supported with keys only
HP-UX IPSec now supports IKE Perfect Forward Secrecy (PFS) with key protection only. This enables
IKE to reuse an existing IKE SA to negotiate a new IPsec SA pair and establish new keying
information when negotiating the IPsec SA pair.
In releases prior to A.03.00, HP-UX IPSec provided a form of PFS when the IKE maximum quick
modes value (-maxqm) was 1. This form of PFS used key and identity protection and required IKE
to establish a new IKE SA for each IPsec SA pair negotiated.
Do not enable PFS for negotiations with systems using an HP-UX IPSec release prior to A.03.00.
IKE support for multiple hash, encryption, and group values
IKEv1 and IKEv2 policies support multiple values for IKE hash, encryption, and Diffie-Hellman
(Oakley) group parameters.
IKE support for Diffie-Hellman groups 5 and 14
IKEv1 and IKEv2 policies support Diffie-Hellman groups 5 and 14.
IKE support for AES128-CBC encryption
IKEv1 and IKEv2 policies support AES128-CBC encryption.
Authentication record changes
The following sections describe product changes related to authentication records.
Authentication records are mandatory
In releases prior to A.03.00, authentication records were optional when the following conditions
were true:
  - the exchange mode was Main Mode (MM)
  - the authentication method was RSA signatures (RSASIG)
  - the local and remote nodes were not multihomed
  - the local and remote nodes used IPv4 addresses for IKE IDs
Authentication records are now mandatory for all peers. You can configure one authentication
record for multiple peers.
If you have a configuration from a prior release that does not have an authentication record for
all peers, you must create authentication records for all peers. The migration utility does not create
authentication records.
Authentication records include a priority value
Authentication records now include a priority value. HP-UX IPSec searches the records in priority
order (lowest value to highest). The search fields differ according to the role of the daemon in the
IKE negotiation, the IKE version, and the IKEv1 exchange mode.
The migration utility sorts existing authentication records by address prefix length (longest
to shortest). It sets the priority of the first record to the value of the priority parameter in the
AuthPolicy-Defaults section of the HP-UX IPSec profile file (the default priority value is 10) and
increments the priority of each subsequent record by that same value.
Authentication records specify the IKE (key management protocol) version
Authentication records now include a kmp (key management protocol) field that specifies the IKE
version (IKEv1 or IKEv2). The default IKE version is IKEv1.
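The following Python model, added here as an illustration and not part of the HP-UX IPSec product or the release notes, shows how the migration rule above and the new kmp field interact at lookup time: records are sorted by prefix length (longest first), assigned priorities 10, 20, 30, ..., and then searched in ascending priority order. The record layout (plain dicts with name, remote, kmp and priority keys), the sample records and the choice of peer address plus IKE version as the only search fields are assumptions for the example; the real daemon searches additional fields depending on its role and the IKEv1 exchange mode.

```python
"""Model of HP-UX IPSec A.03 authentication-record priorities.

Constructed example, not HP-UX code.  Records are plain dicts; the
lookup keys on only two search fields (peer address and IKE version).
The migration rule follows the release notes: sort by address prefix
length, longest first, give the first record the profile's default
priority (10) and add that default for each subsequent record.
"""
from ipaddress import ip_address, ip_network

DEFAULT_PRIORITY = 10  # assumed AuthPolicy-Defaults priority value

# Constructed sample configuration from a "prior release" with no priorities.
# Note the catch-all record comes first in file order; migration reorders it.
SAMPLE_RECORDS = [
    {"name": "any_peer", "remote": "0.0.0.0/0"},                 # kmp defaults to IKEv1
    {"name": "host_a",   "remote": "10.1.2.3/32", "kmp": "IKEv2"},
    {"name": "site_b",   "remote": "10.1.0.0/16"},
]


def migrate_priorities(records, default_priority=DEFAULT_PRIORITY):
    """Assign priorities the way the migration utility is described to.

    Longest prefix first; sorted() is stable, so records with equal prefix
    length keep their original relative order.  Priorities are spaced by
    default_priority, which leaves room to slot in new records later.
    """
    ordered = sorted(
        records,
        key=lambda r: ip_network(r["remote"], strict=False).prefixlen,
        reverse=True,
    )
    migrated = []
    for index, record in enumerate(ordered):
        new_record = dict(record)
        new_record["priority"] = default_priority * (index + 1)
        migrated.append(new_record)
    return migrated


def find_auth_record(records, peer_addr, kmp="IKEv1"):
    """Return the first matching record in priority order (lowest first).

    A record matches when its kmp equals the negotiation's IKE version
    (IKEv1 when the field is absent) and its remote prefix contains the
    peer address.  None means the peer has no authentication record,
    which A.03 treats as a configuration error rather than an implicit
    default.
    """
    addr = ip_address(peer_addr)
    for record in sorted(records, key=lambda r: r["priority"]):
        if record.get("kmp", "IKEv1") != kmp:
            continue
        if addr in ip_network(record["remote"], strict=False):
            return record
    return None


if __name__ == "__main__":
    migrated = migrate_priorities(SAMPLE_RECORDS)
    for r in migrated:
        print(r["priority"], r["name"], r["remote"], r.get("kmp", "IKEv1"))
    # host_a is IKEv2-only, so an IKEv1 negotiation with 10.1.2.3 falls
    # through to the /16 site record instead.
    print(find_auth_record(migrated, "10.1.2.3", "IKEv2")["name"])
    print(find_auth_record(migrated, "10.1.2.3", "IKEv1")["name"])
    print(find_auth_record(migrated, "2001:db8::1"))
```

The IKEv1 lookup for 10.1.2.3 is the case to watch after migration: because the host-specific record carries kmp IKEv2, the daemon's IKEv1 negotiation with that peer is governed by the broader site record, so a host record written for one IKE version does not protect against a peer proposing the other.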
12 New and changed features