HP-UX IPSec A.03.02.02 Release Notes HP-UX 11i version 3 (766158-001, April 2014)

3. Check if you need to make any additional changes to the configuration database. See
Additional configuration tasks (page 22) for more information.
4. Start HP-UX IPSec:
ipsec_admin -start
Additional configuration tasks
The ipsec_migrate utility changes object types and values when converting a configuration database for HP-UX IPSec A.03.0x. Check the following list for additional changes that may be needed after running ipsec_migrate:

• Check the IKEv1 policies. The migration utility converts each existing ike policy to an ikev1 policy as follows:
  • The IKE authentication (-auth) value is ignored. The ikev1 policies do not include a value for the IKE authentication method. The IKE authentication method is now specified in authentication records using the -local_method and -remote_method arguments. In most cases, you do not need to explicitly specify the -local_method and -remote_method arguments. If the authentication record specifies a preshared key value (-preshared), the -local_method and -remote_method arguments default to PSK; if no preshared key value is specified, these arguments default to RSASIG.
  • The maximum quick modes (-maxqm) value is converted to a value for perfect forward secrecy (PFS, -pfs). The ikev1 policies do not include a value for maximum quick modes. If the -maxqm value is 1, the migration utility creates an ikev1 policy with PFS ON. If the -maxqm value is greater than 1, the migration utility creates an ikev1 policy with PFS OFF.
  • Any DES authentication (-hash) values are converted to 3DES. (DES is not supported in HP-UX IPSec A.03.0x.)
• Check the action in the host and tunnel policies. The ipsec_migrate utility replaces DES transforms and nested transforms in host and tunnel policies with the default actions in the /var/adm/ipsec/.ipsec_profile file. For host policies, the default action is DISCARD. For tunnel policies, the default action is the ESP_AES128_HMAC_SHA1 transform.
• Check the priority value in authentication records. In previous releases, authentication records did not have a priority value; if multiple authentication records had a remote IP address value that matched the peer's address, HP-UX IPSec selected the record with the longest IP address prefix.
  The ipsec_migrate utility sorts existing authentication records by address prefix length (longest to shortest). The migration utility sets the priority of the first record to the value of the priority parameter in the AuthPolicy-Defaults section of the HP-UX IPSec profile file; the default priority value is 10. The utility increments the priority of each subsequent record by that same priority value.
• Configure additional authentication records if needed. In previous releases, an authentication record was not required if the authentication method was RSASIG, the systems were not multihomed, and the systems used IPv4 addresses for the IKE IDs. HP-UX IPSec A.03.0x requires an authentication record for every peer.
• Check for preshared key values beginning with 0x. HP-UX IPSec A.03.0x stores preshared key values beginning with 0x as hexadecimal values. In prior releases, HP-UX IPSec stored all preshared key values as ASCII strings. If you have a preshared key value beginning with
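As an added illustration (not part of the release notes and not HP's ipsec_migrate code), the following Python models the conversion rules listed above so that the predicted ikev1 policies, policy actions and authentication-record priorities can be compared against the migrated database. The dict keys mirror the argument names in the text; the list form for nested transforms, the default of 1 when -maxqm is absent, and the sample records are assumptions.

```python
"""Predict the ipsec_migrate conversions described in the release notes.
Constructed example, not HP's utility: run it over the pre-migration
objects and compare with the converted database. Samples are constructed."""
import ipaddress

DEFAULT_PRIORITY = 10                     # AuthPolicy-Defaults priority in the profile
HOST_DEFAULT = "DISCARD"                  # .ipsec_profile default action, host policies
TUNNEL_DEFAULT = "ESP_AES128_HMAC_SHA1"   # .ipsec_profile default action, tunnel policies

SAMPLE_AUTH = [  # constructed pre-migration authentication records (no priority yet)
    {"remote": "10.1.0.0/16", "preshared": "0xDEADBEEF"},
    {"remote": "10.1.2.3/32"},
    {"remote": "10.0.0.0/8", "preshared": "secret"},
]

def migrate_ike_policy(ike):
    """Convert an old 'ike' policy (dict of argument names) to an 'ikev1' policy."""
    ikev1 = {k: v for k, v in ike.items() if k not in ("auth", "maxqm")}
    # -auth is dropped (method now lives in the auth record); -maxqm becomes -pfs.
    ikev1["pfs"] = "ON" if ike.get("maxqm", 1) == 1 else "OFF"   # assumed default 1
    if ikev1.get("hash") == "DES":            # DES is not supported in A.03.0x
        ikev1["hash"] = "3DES"
    return ikev1

def migrate_policy_action(kind, action):
    """Replace a DES transform or nested transforms (given as a list) with the default."""
    nested = isinstance(action, (list, tuple))        # assumed representation of nesting
    if nested or "DES" in action.split("_"):          # token "DES" matches DES, not 3DES
        return HOST_DEFAULT if kind == "host" else TUNNEL_DEFAULT
    return action

def assign_priorities(records, base=DEFAULT_PRIORITY):
    """Order by remote prefix length (longest first); priorities base, 2*base, ..."""
    prefix = lambda r: ipaddress.ip_network(r["remote"], strict=False).prefixlen
    ordered = sorted(records, key=prefix, reverse=True)
    return [dict(r, priority=base * (i + 1)) for i, r in enumerate(ordered)]

def auth_methods(record):
    """Default -local_method/-remote_method: PSK if -preshared is set, else RSASIG."""
    default = "PSK" if record.get("preshared") else "RSASIG"
    return record.get("local_method", default), record.get("remote_method", default)

def hex_preshared_keys(records):
    """Remotes whose preshared key starts with 0x: A.03.0x stores these as hex, not ASCII."""
    return [r["remote"] for r in records if str(r.get("preshared", "")).startswith("0x")]
```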