Configuring a Windows End-to-End Tunnel Policy

The only IPsec tunnel topology supported between an HP-UX system and a Windows system is an end-to-end tunnel.⁵ The procedure for configuring an end-to-end tunnel policy on a Windows system is the same as the procedure for configuring a host policy, except that you must configure two non-mirrored rules: one rule for outbound packets and one rule for inbound packets, as described in the sections that follow.

NOTE: Do not configure any other rules in the policy with the HP-UX system address as the destination address. This prevents the Microsoft system from applying the tunnel transform over a host-to-host (transport) transform. In end-to-end tunnel topologies, HP-UX IPSec does not support transport transforms over a tunnel transform.

Outbound Tunnel Rule Requirements

The outbound tunnel rule must have the following parameters:

  Filter List: one filter, with the following parameters:

    Address:
      Source address: the HP-UX system's address.
      Destination address: this must be a specific IP address and must be the Windows system's address.
      Mirrored: no (the Mirrored box is cleared).

    Protocol Type: none (wildcard). The Windows documentation states that the filters in tunnel rules must not specify protocols or ports, to ensure that IP Security can correctly process IP fragments.

  Tunnel Setting:
    Tunnel endpoint: the HP-UX system's address. This is the address of the tunnel endpoint closest to the destination. Since this is an end-to-end tunnel, it is the same as the destination address in the address filter.

Inbound Tunnel Rule Requirements

The inbound tunnel rule must have the following parameters:

  Filter List: one filter, with the following parameters:

    Address:
      Source address: the Windows system's address.
      Destination address: this must be a specific IP address and must be the HP-UX system's address.
      Mirrored: no (the Mirrored box is cleared).

    Protocol Type: none (wildcard).

  Tunnel Setting:
    Tunnel endpoint: the Windows system's address. This is the address of the tunnel endpoint closest to the destination. Since this is an end-to-end tunnel, it is the same as the destination address in the address filter.
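The two rule descriptions above (outbound and inbound) can be built from the command line instead of the MMC snap-in. The following cmd.exe batch script is an added example, not part of the HP-UX IPSec guide or of any Microsoft documentation. It assumes the netsh ipsec static context (Windows XP and Windows Server 2003; Windows 2000 does not have it), and it assumes the two system addresses, the policy, filter-list, filter-action and rule names, the ESP transform, and the pre-shared key, all of which are placeholders to replace. Each rule's filter is a single non-mirrored filter with no protocol or port, and each rule's tunnel endpoint is set to the destination address of its own filter, which is the property the text above states for an end-to-end tunnel. The policy contains only these two rules, so no other rule has the HP-UX address as its destination, as the NOTE requires.

```batch
@echo off
rem Added example (not from the HP-UX IPSec guide): builds the end-to-end tunnel
rem policy toward an HP-UX host with "netsh ipsec static".
rem All addresses, names, the transform and the key below are placeholders.

set HPUX_ADDR=192.0.2.10
set WIN_ADDR=192.0.2.20
set POLICY=HP-UX End-to-End Tunnel
set PSK=CHANGE-ME-placeholder-psk

rem Policy container. Add no other rule here that has %HPUX_ADDR% as its
rem destination, so that no transport transform is stacked on the tunnel.
netsh ipsec static add policy name="%POLICY%" description="End-to-end IPsec tunnel to HP-UX"

rem One filter action shared by both rules: always negotiate security, never
rem fall back to clear text. The ESP transform is an assumed choice; it must
rem match the transform configured on the HP-UX side.
netsh ipsec static add filteraction name="Tunnel-Negotiate" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem Rule 1: filter HP-UX -> Windows. Not mirrored, protocol=ANY (no protocol
rem or port, so IP fragments are processed correctly). Tunnel endpoint is the
rem filter's destination address.
netsh ipsec static add filterlist name="HPUX-to-Win"
netsh ipsec static add filter filterlist="HPUX-to-Win" srcaddr=%HPUX_ADDR% dstaddr=%WIN_ADDR% protocol=ANY mirrored=no
netsh ipsec static add rule name="HPUX-to-Win" policy="%POLICY%" filterlist="HPUX-to-Win" filteraction="Tunnel-Negotiate" tunnel=%WIN_ADDR% kerberos=no psk="%PSK%"

rem Rule 2: filter Windows -> HP-UX. Same shape with the addresses reversed;
rem the tunnel endpoint is again the filter's destination address.
netsh ipsec static add filterlist name="Win-to-HPUX"
netsh ipsec static add filter filterlist="Win-to-HPUX" srcaddr=%WIN_ADDR% dstaddr=%HPUX_ADDR% protocol=ANY mirrored=no
netsh ipsec static add rule name="Win-to-HPUX" policy="%POLICY%" filterlist="Win-to-HPUX" filteraction="Tunnel-Negotiate" tunnel=%HPUX_ADDR% kerberos=no psk="%PSK%"

rem Assign the policy, then print it so the two rules can be checked against
rem the requirements above (one filter each, Mirrored=no, protocol ANY,
rem tunnel endpoint = filter destination).
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Run the script from an elevated command prompt on the Windows system. The final show command is the check worth reading before testing traffic: confirm that exactly two rules exist, that neither is mirrored, and that each rule's tunnel endpoint equals its filter's destination address; a mirrored filter or a rule that names a protocol or port is the usual reason an end-to-end tunnel to HP-UX fails to negotiate.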

Configuring a Tunnel Rule

Use the following procedure to configure an outbound or inbound tunnel rule.

5. You can also configure an IPsec topology where packets exchanged between an HP-UX system and a Windows system are tunneled through an IPsec gateway device, but neither HP-UX nor Windows systems can be configured as IPsec gateways. The only topology in which an HP-UX system can act as an IPsec gateway is when the HP-UX system is a Home Agent for Mobile IPv6 clients. The HP-UX IPSec Administrator's Guide describes how to configure a host-to-gateway IPsec topology using HP-UX and a Cisco router.
