HP-UX IPSec A.03.02.02 Release Notes HP-UX 11i version 3 (766158-001, April 2014)

Support for IP Address ranges in tunnel policies
You can specify IP address ranges in the end-to-end source and destination arguments (-source
and -destination) for IPsec tunnel policies.
Port numbers and services are ignored in tunnel policies
Port numbers and service names are ignored in end-to-end source and destination arguments for
IPsec tunnel policies. They are no longer documented.
Support for ICMPv4 and ICMPv6 type codes in host policies
The ipsec_config add host command supports the following options to specify ICMPv4 and
ICMPv6 message type codes in packet filters:
dst_icmp_type and src_icmp_type (destination and source ICMPv4 type values, respectively)
dst_icmpv6_type and src_icmpv6_type (destination and source ICMPv6 type values, respectively)
Support for IPv6 mobility header type codes in host policies
The ipsec_config add host command supports dst_mh_type and src_mh_type options
to specify IPv6 Mobility Header (MH) type codes in packet filters.
Certificate changes
The following sections describe product changes related to certificate configuration and processing.
The ipsec_config add cert command is deprecated
The ipsec_config add cert command and related commands (ipsec_config show cert,
ipsec_config delete cert) are deprecated. These commands are still supported, but not
documented. The ipsec_config add cert command will be obsolete in future releases and
HP recommends that you use the following commands instead:
ipsec_config add mycert
ipsec_config add cacert
The ipsec_config delete mycert command deletes the local system certificate and the
associated private key. It does not delete any CA certificate or CRL files.
Support for 4096 bit key pairs for certificates
HP-UX IPSec now supports 4096-bit public/private key pairs for certificate-based IKE authentication.
The ipsec_config add csr command also supports the argument -key_length 4096.
Support for PKCS#12 certificates
HP-UX IPSec supports certificates stored in Public Key Cryptography Standards (PKCS) #12 format
(commonly referred to as PKCS#12). A PKCS#12 file can also include the private key for the
certificate.
Previous versions of HP-UX IPSec required administrators to generate a local certificate signing
request (CSR) and public-private key pair using the ipsec_config add certreq command,
and to export the CSR to the Certificate Authority (CA) for signing. Support for PKCS#12 certificates
enables administrators to use alternate methods to obtain certificates, such as public key infrastructure
(PKI) utilities that generate the public-private key pair and export a single file that contains both the
certificate and the keys.
Certificate retrieval from LDAP directories
HP-UX IPSec can import system and CA certificates from LDAP directories, provided the certificates are
stored in Distinguished Encoding Rules (DER) format. The ipsec_config add mycert and ipsec_config
add cacert commands support options to import certificates from LDAP directories.
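The PKCS#12 and DER material described in the two sections above can be produced with a standard PKI utility. The following is an added example (not part of these release notes or of the HP-UX IPSec product): it uses OpenSSL to create a 4096-bit RSA key pair, a self-signed certificate standing in for a CA-issued one, a PKCS#12 file holding certificate and key together, and a DER copy of the certificate as an LDAP directory would store it. The directory, file names, subject name and passphrase are assumptions, and a real deployment would submit a CSR to a CA rather than self-sign.

```shell
#!/bin/sh
# Constructed example: produce the certificate artifacts these release notes
# describe (4096-bit key pair, PKCS#12 bundle, DER-encoded certificate).
# Everything here (paths, subject, passphrase) is an assumption for the demo.
set -e

make_pkcs12_bundle() {
  # $1 = working directory that receives host.key, host.pem, host.p12, host.der
  dir="$1"
  # 4096-bit RSA key pair, the key length this release adds support for
  openssl genrsa -out "$dir/host.key" 4096 2>/dev/null
  # Self-signed certificate standing in for one issued by a CA
  openssl req -new -x509 -key "$dir/host.key" -days 365 \
    -subj "/CN=ipsec-host.example.test" -out "$dir/host.pem" 2>/dev/null
  # PKCS#12 file carrying the certificate and its private key together
  openssl pkcs12 -export -inkey "$dir/host.key" -in "$dir/host.pem" \
    -passout pass:changeit -out "$dir/host.p12"
  # DER copy of the certificate, the encoding expected from an LDAP directory
  openssl x509 -in "$dir/host.pem" -outform DER -out "$dir/host.der"
}

key_bits_in_pkcs12() {
  # Extract the private key from a PKCS#12 file and print its modulus size
  # (works with both "RSA Private-Key: (4096 bit" and "Private-Key: (4096 bit" headers)
  openssl pkcs12 -in "$1" -passin pass:changeit -nocerts -nodes 2>/dev/null \
    | openssl rsa -noout -text 2>/dev/null \
    | sed -n 's/.*Key: (\([0-9]*\) bit.*/\1/p'
}

der_cert_subject() {
  # Confirm a DER file parses as a certificate and print its subject
  openssl x509 -inform DER -in "$1" -noout -subject
}

# Usage: run the whole sequence in a temporary directory
if [ "${0##*/}" != "sh" ] && [ -z "$NO_DEMO" ]; then
  demo_dir="$(mktemp -d)"
  make_pkcs12_bundle "$demo_dir"
  echo "key length in PKCS#12: $(key_bits_in_pkcs12 "$demo_dir/host.p12") bits"
  der_cert_subject "$demo_dir/host.der"
fi
```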
14 New and changed features