Table 1 IPsec Parameters on Windows and HP-UX (continued)

Parameter

Windows Configuration

HP-UX Configuration

Notes

IKE Preshared Key

Specify it in the

Specify it using the

 

 

Authentication Methods for

-preshared argument of

 

 

a rule.

the ipsec_config add

 

 

 

auth command.

 

IKE Exchange Type

Windows supports only

Specify it using the

 

 

Main Mode exchanges.

-exchangeargument of

 

 

 

the ipsec_config add

 

 

 

auth command. The

 

 

 

default value is MM (Main

 

 

 

Mode).

 

Maximum IKE SA Lifetime,

Specify it in the Key

Specify it using the-life

The Windows IP Security

measured by time

Exchange Settings dialog

argument in the

Policy snap-in utility uses

 

box. (To navigate to the Key

ipsec_config add ike

minutes as the time unit.

 

Exchange Setting dialog

command.

The HP-UXipsec_config

 

box, select the General tab

 

command uses seconds as

 

in the Policy Properties

 

the time unit. See “IKE SA

 

dialog box, then select

 

Key (Master Key) Lifetime

 

Advanced settings.)

 

Values” (page 42) for

 

 

 

additional information.

Maximum Quick Mode

Specify it in the Key

Specify it using the-maxqm

See “Maximum Quick

(QM) negotiations per IKE

Exchange Settings dialog

argument in the

Modes” (page 43) for

SA

box. (To navigate to the Key

ipsec_config add ike

additional information.

 

Exchange Setting dialog

command.

 

 

box, select the General tab

 

 

 

in the Policy Properties

 

 

 

dialog box, then select

 

 

 

Advanced settings.)

 

 

Perfect Forward Secrecy

Windows supports PFS for

(PFS)

keys only (PFS for session

 

keys) and supports PFS for

 

keys in conjunction with

 

PFS for all identities (PFS

 

for master keys).

 

Specify PFS for master keys

 

in the Key Exchange

 

Settings dialog box. (To

 

navigate to the Key

 

Exchange Setting dialog

 

box, select the General tab

 

in the Policy Properties

 

dialog box, then select

 

Advanced settings.)

HP-UX does not support PFS for session keys. HP-UX supports only PFS for master keys.

Specify PFS for master keys using the-maxqm 1 argument in the

ipsec_config add ike command.

IKE SA Proposals

Specify it in the General

 

parameters for a policy. You

 

can configure multiple IKE

 

SA proposals and their

 

preference order.

You can specify the parameters for one IKE SA proposal in an IKE policy, using the -encryption, -hash, and -grouparguments in an

ipsec_config add ike

command.

See “IKE Parameter Selection” (page 42) for additional information.

Mirrored Filters

Microsoft filters can be mirrored (bi-directional) or not mirrored (uni-directional). If the filter is mirrored, the filter will match IP packets with the source and destination addresses and ports reversed. For example, a filter has the following specifications:

Source address: 10.1.1.1

Destination address: 10.2.2.2

Comparing HP-UX and Windows IPsec Configuration Parameters 41