Cluster I/O Protocols (CIP) Configuration and Management Manual (H06.16+, J06.05+)
address[/prefixlen][[port]]
-d dst-range
Specifies the destination of the secure communication as an IPv4 or IPv6 address and an
optional port number between square brackets. This takes the following form:
address[/prefixlen][[port]]
-u upperspec
Specifies the upper layer protocol. The upperspec value can be any protocol name from the
/etc/protocols file, icmp6, ip4, or any; the any option indicates any protocol. You can also
specify the protocol number.
NOTE: The upperspec parameter does not work in the forwarding case.
There are many protocols in /etc/protocols, but protocols other than TCP, UDP, and ICMP
may not be suitable to use with IPSec.
-dir direction
Specifies in or out.
-policy policy
Is one of the values: discard, none, or ipsec.
The discard parameter causes packets that match the policy indexes to be discarded. The none
parameter causes the IPSec operation not to take place on the packet. The ipsec parameter
causes the IPSec operation to take place on the packet.
-protocol protocol
One of: esp, ah, or ipcomp.
-mode mode
Either transport or tunnel.
-srcdst src_ip-dst_ip
Specifies the end-point addresses of the tunnel. This parameter is specified as two addresses
separated by a hyphen (-). If -mode is transport, this option is not required. If -mode is
tunnel, this parameter is required.
-level policy-level
Specifies the policy level. The value is one of: default, use, require, or unique. At any
level, if the SA is not available, the kernel requests the key-exchange daemon to establish a
suitable SA.
The default option causes the kernel, when the kernel processes the packet, to consult the
system-wide default for the protocol specified; for example, the esp_trans_deflev sysctl
variable.
The use option causes the kernel to use an SA if one is available; otherwise the kernel
continues normal operation.
The require option causes the SA to be required whenever the kernel sends a packet matched
with the policy.
The unique option is the same as the require option. Additionally, the unique option
allows the policy to match the unique out-bound SA. If policy level -level is specified as
unique, racoon configures the SA for the policy.
-load
Causes the SP to be loaded into the SPD. This parameter is optional and is used with the sp
-add command.
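As an added example (not taken from the manual or from the CIP software), a small Python checker that applies the constraints documented above for the sp -add parameters: the address[/prefixlen][[port]] form of -s and -d, the permitted values of -dir, -policy, -protocol, -mode and -level, and the rule that -srcdst is required only in tunnel mode. The flag-to-value dictionary and the sample addresses are constructed for illustration; the checker does not reproduce whatever validation the CIP command itself performs.

```python
import ipaddress
import re

# Constructed parser for the address[/prefixlen][[port]] form of -s and -d,
# e.g. "10.1.2.0/24[500]" or "2001:db8::1"; returns (network, port or None).
_RANGE = re.compile(r"^(?P<addr>[^/\[\]]+)(?:/(?P<plen>\d+))?(?:\[(?P<port>\d+)\])?$")

def parse_range(text):
    m = _RANGE.match(text)
    if not m:
        raise ValueError(f"malformed range: {text!r}")
    addr = ipaddress.ip_address(m["addr"])
    plen = int(m["plen"]) if m["plen"] else addr.max_prefixlen
    net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)  # bad prefixlen raises
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return net, port

def _choice(flag, value, allowed):
    if value not in allowed:
        raise ValueError(f"{flag} must be one of {', '.join(allowed)}; got {value!r}")

def validate(sp):
    """sp maps each flag of sp -add to its value, e.g. {"-s": ..., "-dir": "out"}
    (constructed shape). Raises ValueError on a rule violation; returns advisory notes."""
    notes = []
    parse_range(sp["-s"])
    parse_range(sp["-d"])
    _choice("-dir", sp.get("-dir"), ("in", "out"))
    _choice("-policy", sp.get("-policy"), ("discard", "none", "ipsec"))
    upper = sp.get("-u", "any")
    if upper not in ("tcp", "udp", "icmp", "any", "6", "17", "1"):
        notes.append(f"-u {upper}: protocols other than TCP, UDP and ICMP may not suit IPSec")
    if sp["-policy"] == "ipsec":
        _choice("-protocol", sp.get("-protocol"), ("esp", "ah", "ipcomp"))
        _choice("-mode", sp.get("-mode"), ("transport", "tunnel"))
        level = sp.get("-level", "default")
        _choice("-level", level, ("default", "use", "require", "unique"))
        if sp["-mode"] == "tunnel":  # transport mode does not need -srcdst
            ends = sp.get("-srcdst", "").split("-")
            if len(ends) != 2 or not all(ends):
                raise ValueError("-srcdst src_ip-dst_ip is required when -mode is tunnel")
            for end in ends:
                ipaddress.ip_address(end)  # raises ValueError on a bad tunnel end-point
        if level == "unique":
            notes.append("-level unique: racoon configures the SA for this policy")
    return notes
```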