HP-UX IPSec A.03.02.02 Release Notes HP-UX 11i version 3 (766158-001, April 2014)

You can specify both IKE versions. The IKE daemon uses the first version for all negotiations it initiates, and responds to negotiations for both versions.
Authentication records support the AUTOCONF flag
Authentication records now support the AUTOCONF flag for address autoconfiguration clients, such as DHCP and DHCPv6 clients.
The AUTOCONF flag was configured in host policies in previous releases. Support for the AUTOCONF flag in host policies is deprecated (supported but not documented).
Authentication records support subtrees and address ranges for remote ID matching
Authentication records now support subtree matching for FQDN, user FQDN, and X.500 DN remote IDs and IP address range matching for remote IDs. This enables you to configure one authentication record for multiple remote peers.
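The following is an added illustration of the remote ID matching just described; it is not HP-UX code and the release notes do not define the exact matching semantics. The rules it uses are this example's assumptions: an FQDN subtree match is equality or a suffix match at a DNS label boundary, a user FQDN is matched on the domain after the @, a DN subtree match requires the record's RDNs to be the least-specific trailing RDNs of the peer's DN, and an address range is inclusive within one address family. The authentication records and peer IDs are constructed sample data. Matching at label and RDN boundaries, rather than as plain string suffixes, is the detail that keeps a record for example.com from also admitting notexample.com.

```python
"""Remote ID matching for IKE authentication records: subtree and range rules.

Added illustration, not HP-UX code. Matching semantics are this example's
assumptions (see the lead-in); sample records and peer IDs are constructed.
"""
import ipaddress
from dataclasses import dataclass


def _dns_labels(name: str) -> list:
    # DNS names are case-insensitive and a trailing dot is optional.
    return [label for label in name.lower().rstrip(".").split(".") if label]


def fqdn_in_subtree(peer: str, subtree: str) -> bool:
    """True if peer equals subtree or lies below it at a label boundary."""
    p, s = _dns_labels(peer), _dns_labels(subtree)
    return len(p) >= len(s) and p[len(p) - len(s):] == s


def user_fqdn_in_subtree(peer: str, subtree: str) -> bool:
    """user@host.example.com matches a subtree written as 'example.com' or '@example.com'."""
    if "@" not in peer:
        return False
    _, _, domain = peer.rpartition("@")
    return fqdn_in_subtree(domain, subtree.lstrip("@"))


def _dn_rdns(dn: str) -> list:
    # Minimal DN parser: comma-separated RDNs, attribute types case-insensitive.
    # Escaped commas are not handled; the constructed inputs avoid that case.
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return rdns


def dn_in_subtree(peer_dn: str, subtree_dn: str) -> bool:
    """True if the record DN's RDNs are the trailing (least-specific) RDNs of the peer DN."""
    p, s = _dn_rdns(peer_dn), _dn_rdns(subtree_dn)
    return len(p) >= len(s) and p[len(p) - len(s):] == s


def addr_in_range(peer: str, low: str, high: str) -> bool:
    """Inclusive address range check; a mixed-family comparison never matches."""
    a, lo, hi = (ipaddress.ip_address(x) for x in (peer, low, high))
    if not (a.version == lo.version == hi.version):
        return False
    return lo <= a <= hi


@dataclass(frozen=True)
class AuthRecord:
    name: str
    id_type: str   # "FQDN", "USER_FQDN", "DN", "IPV4" or "IPV6"
    pattern: str   # subtree, or "low-high" for an address range


def record_matches(rec: AuthRecord, id_type: str, id_value: str) -> bool:
    if rec.id_type != id_type:
        return False
    if id_type == "FQDN":
        return fqdn_in_subtree(id_value, rec.pattern)
    if id_type == "USER_FQDN":
        return user_fqdn_in_subtree(id_value, rec.pattern)
    if id_type == "DN":
        return dn_in_subtree(id_value, rec.pattern)
    if id_type in ("IPV4", "IPV6"):
        low, _, high = rec.pattern.partition("-")
        return addr_in_range(id_value, low, high or low)
    return False


def select_record(records, id_type: str, id_value: str):
    """Return the first record whose remote ID rule matches the peer, or None."""
    for rec in records:
        if record_matches(rec, id_type, id_value):
            return rec
    return None


# Constructed sample records: one record each covering many peers.
RECORDS = [
    AuthRecord("branch-gws", "FQDN", "branch.example.com"),
    AuthRecord("road-warriors", "USER_FQDN", "@example.com"),
    AuthRecord("partner-certs", "DN", "O=Example, C=US"),
    AuthRecord("lab-range", "IPV4", "192.0.2.1-192.0.2.20"),
]

if __name__ == "__main__":
    for id_type, peer in [("FQDN", "gw1.branch.example.com"),
                          ("FQDN", "gw1.notbranch.example.com"),
                          ("USER_FQDN", "alice@vpn.example.com"),
                          ("DN", "CN=gw7, OU=Partners, O=Example, C=US"),
                          ("IPV4", "192.0.2.5")]:
        rec = select_record(RECORDS, id_type, peer)
        print(f"{id_type:9} {peer:40} -> {rec.name if rec else 'no record'}")
```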
Hexadecimal storage for preshared key values starting with 0x
The ipsec_config utility now stores preshared key values that start with 0x as hexadecimal values. (In releases prior to A.03.00, ipsec_config stored all preshared key values as ASCII strings.)
This change can cause configuration mismatches with previous HP-UX IPSec versions. For example, if an HP-UX IPSec A.03.00 system and an HP-UX IPSec A.02.00 system both configure the value 0x123 for a preshared key, IKE negotiations will fail.
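The following added example, which is not HP-UX code, shows why the mismatch above breaks the negotiation. In IKEv1 with preshared key authentication (RFC 2409, section 5.4) both peers compute SKEYID = prf(pre-shared-key, Ni_b | Nr_b); if one peer treats the configured text 0x123 as the five ASCII bytes "0x123" and the other as hexadecimal key bytes, the two SKEYID values differ and authentication fails even though both administrators typed the same value. The nonces are constructed, the prf is HMAC-SHA1, and the rule for an odd number of hex digits (pad on the left with 0) is an assumption of this example, not something the release notes state.

```python
"""Why a preshared key written as 0x... must be interpreted identically by both peers.

Added illustration, not HP-UX code. Nonces are constructed; the odd-digit
padding rule is an assumption of this example.
"""
import hashlib
import hmac


def psk_as_ascii(value: str) -> bytes:
    """Pre-A.03 interpretation: the configured text is the key, byte for byte."""
    return value.encode("ascii")


def psk_as_hex_if_prefixed(value: str) -> bytes:
    """A.03 interpretation: a leading 0x means the digits are hexadecimal key bytes."""
    if value[:2].lower() == "0x":
        digits = value[2:]
        if len(digits) % 2:          # assumption: left-pad an odd digit count
            digits = "0" + digits
        return bytes.fromhex(digits)
    return value.encode("ascii")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC-SHA1 here."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


# Constructed nonces standing in for the values exchanged in the IKE phase 1 messages.
NI = bytes.fromhex("00112233445566778899aabbccddeeff")
NR = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def peers_agree(configured: str, interp_a, interp_b) -> bool:
    """True when two peers applying interp_a and interp_b to the same configured
    text derive the same SKEYID, i.e. PSK authentication can succeed."""
    return hmac.compare_digest(
        skeyid_psk(interp_a(configured), NI, NR),
        skeyid_psk(interp_b(configured), NI, NR),
    )


def ambiguous_keys(configured_values) -> list:
    """Values an operator should review before mixing A.02 and A.03 peers:
    anything starting with 0x is read differently by the two releases."""
    return [v for v in configured_values if v[:2].lower() == "0x"]


if __name__ == "__main__":
    for value in ("0x123", "branch-office-key"):
        print(f"{value!r}: ASCII bytes {psk_as_ascii(value)!r}, "
              f"hex-aware bytes {psk_as_hex_if_prefixed(value)!r}, "
              f"peers agree: {peers_agree(value, psk_as_ascii, psk_as_hex_if_prefixed)}")
```

A key without the 0x prefix is read the same way by both releases, so the mismatch is confined to values that begin with 0x; ambiguous_keys() lists those from a set of configured values so they can be re-entered consistently on both peers before a mixed-version rollout.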
Host and tunnel policy changes
The following sections describe product changes related to host and tunnel policies.
Nested transforms and DES transforms are obsolete
Nested transforms and all transforms using DES are obsolete. The migration utility replaces any DES transforms (actions) in host or tunnel policies with the default actions in the /var/adm/ipsec/.ipsec_profile file. For host policies, the default action is DISCARD. For tunnel policies, the default action is the ESP_AES128_HMAC_SHA1 transform.
Support for fallback to clear in host policies
Host policies now support the flag FALLBACK_TO_CLEAR. This flag enables you to configure a host policy to secure packets if the peer supports IPsec and allow packets to pass in clear text (fallback to clear) if IKE requests to the remote system fail, or if the remote system initiates packets in clear text.
This feature is useful when configuring host policies for remote subnets where not all nodes in the subnet support IPsec.
WARNING! Using the FALLBACK_TO_CLEAR flag is a security risk. It can allow packets from non-secure nodes to communicate with the local system.
Support for multiple source and destination arguments in host and tunnel policies
You can specify up to 20 instances of the -source and -destination arguments in the ipsec_config add host and ipsec_config add tunnel commands.
This feature is not supported with manual keys.
Support for IP Address and port number ranges in host policies
You can specify IP address or port number ranges in source and destination arguments (-source and -destination) for IPsec host policies.
This feature is not supported with manual keys.
New and changed features in A.03.00.00 13