Tunnel Settings

The tunnel settings specify whether the rule is a tunnel rule. If it is a tunnel rule, the settings also specify the tunnel destination endpoint.

Connection Type

The connection type specifies the connection (link) types for the rule, such as LAN.

General

The general parameters for a policy specify IKE SA parameters, such as the IKE encryption algorithm, IKE hash (integrity algorithm), Diffie-Hellman Group, and IKE SA key lifetimes. The parameters correspond to IKE SA proposals. You can configure multiple IKE SA proposals and specify the preference order. The proposals are used for all rules in the policy.

By comparison, a minimal HP-UX IPSec configuration consists of one or more IPsec host policies, one or more IKE policies, and one or more authentication records. The IPsec host policies specify address filters, and you can configure separate IKE policies for each peer. “Comparing HP-UX and Windows IPsec Configuration Parameters” (page 40) lists IPsec configuration parameters and how they are configured in the HP-UX IPSec and the Windows IP Security configuration utilities.

Configuring a Windows Host-to-Host Policy

This section describes one method for configuring a host-to-host policy on a Windows XP client using the IP Security Policies snap-in utility. Windows also supports command-line utilities to configure IP Security policies: ipseccmd on Windows XP systems and netsh on Windows 2003 systems. For more information about these utilities, see the Windows documentation set.

To use this method, complete the following steps:

1. Start the IP Security Policies snap-in utility. See “Step 1: Starting the IP Security Policies Snap-in Configuration Utility” (page 15).

2. Create an IP Security policy. See “Step 2: Creating a Policy” (page 15).

3. Add a rule to the policy. See “Step 3: Adding a Rule” (page 16).

4. Create a Filter List for the rule and configure filters. See “Step 4: Creating the IP Filter List and Filters for the Rule” (page 18).

5. Configure filter actions for the rule. The filter actions contain IPsec transforms or other actions. See “Step 5: Configuring Filter Actions for the Rule” (page 21).

6. Configure the IKE authentication method and preshared key for the rule. See “Step 6: Configuring the IKE Authentication Method and Preshared Key for the Rule” (page 25).

7. Specify the network link (connection) types for the rule. See “Step 7: Configuring the Connection Type for the Rule” (page 26).

8. Modify the IKE SA parameters for the policy. By default, Windows clients will use IKE SA parameters that are compatible with the default HP-UX IPSec parameters. If these parameters are acceptable, you can skip this step. See “Step 8: Modifying IKE Parameters for the Policy” (page 26).

9. Start the IP Security service. The IP Security service must be running before you can assign the new IP Security policy. See “Step 9: Starting the IP Security Service” (page 29).

10. Assign (activate) the new IP Security Policy. See “Step 10: Assigning the IP Security Policy” (page 30).

11. Verify the configuration. See “Step 11: Verifying the Configuration” (page 31).

Because this is a host-to-host rule, we will use the default value for the rule tunnel setting (no tunnel). For information about configuring a tunnel rule and the tunnel setting, see “Configuring a Windows End-to-End Tunnel Policy” (page 33).
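
The same sequence expressed with the netsh command-line utility mentioned above for Windows 2003 systems, as an added example that is not part of the original guide. The policy, filter list, filter action and rule names, the peer address 192.0.2.20, the preshared key placeholder and the ESP transform are assumptions; the transform and key must match what is configured on the HP-UX peer.

```batch
@echo off
rem Added example: host-to-host IP Security policy built with netsh (Windows 2003).
rem All names, the peer address and the key below are constructed placeholders.
set POLICY=HPUX-host-to-host
set PEER=192.0.2.20
set PSK=REPLACE-WITH-PRESHARED-KEY

rem Step 2: create the policy. It is left unassigned until it is complete.
netsh ipsec static add policy name="%POLICY%" description="Host-to-host policy for HP-UX peer"

rem Step 4: create the filter list and one mirrored filter (this host <-> peer).
netsh ipsec static add filterlist name="%POLICY%-filters"
netsh ipsec static add filter filterlist="%POLICY%-filters" srcaddr=Me dstaddr=%PEER% protocol=ANY mirrored=yes description="All IP traffic to the HP-UX peer"

rem Step 5: filter action that negotiates IPsec. inpass=no and soft=no mean
rem traffic matching the filter is never sent or accepted in the clear.
rem ESP[3DES,SHA1] is an assumed transform; use the one the HP-UX peer offers.
netsh ipsec static add filteraction name="%POLICY%-negotiate" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem Steps 3, 6 and 7: add the rule, binding the filter list and filter action,
rem with preshared-key IKE authentication and the LAN connection type.
rem No tunnel= argument is given, so this is not a tunnel rule.
netsh ipsec static add rule name="%POLICY%-rule" policy="%POLICY%" filterlist="%POLICY%-filters" filteraction="%POLICY%-negotiate" conntype=lan psk="%PSK%"

rem Step 8 is skipped: the default IKE SA parameters are kept.

rem Step 9: the IPSEC Services service (PolicyAgent) must be running.
net start policyagent

rem Step 10: assign (activate) the policy.
netsh ipsec static set policy name="%POLICY%" assign=y

rem Step 11: display the stored policy, its rules, filters and methods.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

The preshared key is stored in clear text in any script like this one, so restrict read access to the file and remove the key from it once the policy has been created.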
