HP-UX IPSec version A.02.00 Administrator's Guide

Using Certificates with HP-UX IPSec
Configuring Authentication Records with IKE IDs
HP-UX IPSec uses IKE ID information to verify the identity that the
remote system sends as part of the ISAKMP negotiation. HP-UX IPSec
also verifies that IKE ID against the information in the remote system's
certificate.
HP-UX IPSec stores IKE information in authentication records. You do
not have to configure authentication records with ID information if all
the systems using certificate-based authentication meet the following
conditions:
• The local system is not multihomed.
• None of the remote systems using certificate-based authentication
are multihomed.
• All of the remote systems using certificate-based authentication are
HP-UX systems, or systems from other vendors that use IPv4
addresses as the IKE ID (ISAKMP payload ID).
If you do not have to configure ID information, continue to “Retrieving
the Certificate Revocation List (CRL)” on page 142.
As part of the ISAKMP/MM SA negotiation, the IKE peers exchange and
verify ID types and ID values. During an ISAKMP/MM negotiation,
HP-UX IPSec uses the remote system address to search for an
authentication record. For certificate-based authentication, the
authentication record can contain the following IKE ID information:
• local ID type
• local ID value
• remote ID type
• remote ID value
If HP-UX IPSec finds an authentication record that matches the remote IP
address, it sends the configured local ID information in an
ISAKMP ID payload. If the matching authentication record has no local
ID information, HP-UX IPSec sends the IP address of the interface it is
using for the IKE negotiation as the local ID value, and sends the
corresponding address type (IPv4) as the local ID type.
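The following Python model illustrates the lookup-and-fallback rule in the paragraph above, together with the ISAKMP Identification payload that carries the ID. It is an added example, not HP-UX IPSec code or configuration syntax: the authentication-record dictionary and its field names are assumed for this illustration, the sample records are constructed, and the payload layout (Next Payload, RESERVED, Payload Length, ID Type, Protocol ID, Port, Identification Data) and the ID type numbers come from RFC 2408 section 3.8 and RFC 2407 section 4.6.2, not from this guide. The check against the remote system's certificate is a separate step and is not modelled here.

```python
"""Model of IKE ID selection and the ISAKMP Identification payload.

Added illustration; not HP-UX IPSec code. The record layout below is an
assumed simplification of an authentication record, keyed by remote IP.
"""
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9

# Constructed sample authentication records; field names are assumptions.
AUTH_RECORDS = {
    "192.0.2.10": {  # local ID configured (e.g. local system is multihomed)
        "local_id_type": ID_FQDN,
        "local_id": "gw1.example.com",
        "remote_id_type": ID_FQDN,
        "remote_id": "peer.example.com",
    },
    "192.0.2.20": {  # remote ID only; local ID falls back to interface address
        "remote_id_type": ID_IPV4_ADDR,
        "remote_id": "192.0.2.20",
    },
}


def select_local_id(remote_addr, local_if_addr, records=AUTH_RECORDS):
    """Return (id_type, id_value) for the local ID payload.

    Rule from the text: a record matching the remote address supplies the
    local ID if it has one; otherwise the address of the interface used for
    the negotiation is sent with the matching address ID type.
    """
    rec = records.get(remote_addr, {})
    if "local_id_type" in rec and "local_id" in rec:
        return rec["local_id_type"], rec["local_id"]
    addr = ipaddress.ip_address(local_if_addr)
    id_type = ID_IPV4_ADDR if addr.version == 4 else ID_IPV6_ADDR
    return id_type, str(addr)


def encode_id_payload(id_type, id_value, next_payload=0):
    """Build an ISAKMP Identification payload (RFC 2408 s3.8, RFC 2407 s4.6.2).

    Fixed header: Next Payload(1) RESERVED(1) Length(2) ID Type(1)
    Protocol ID(1) Port(2). Phase 1 IDs carry protocol 0 and port 0.
    """
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        data = ipaddress.ip_address(id_value).packed
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        data = id_value.encode("ascii")
    elif id_type == ID_DER_ASN1_DN:
        data = bytes(id_value)  # caller supplies the DER-encoded Name
    else:
        raise ValueError("unsupported ID type %d" % id_type)
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, 0, 0) + data


def decode_id_payload(buf):
    """Parse an Identification payload into (id_type, id_value)."""
    if len(buf) < 8:
        raise ValueError("truncated ID payload")
    _next, _res, length, id_type, _proto, _port = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length != len(buf):
        raise ValueError("bad payload length")
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR:
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type == ID_IPV6_ADDR:
        return id_type, str(ipaddress.IPv6Address(data))
    if id_type in (ID_FQDN, ID_USER_FQDN):
        return id_type, data.decode("ascii")
    return id_type, data


def remote_id_matches(remote_addr, received_payload, records=AUTH_RECORDS):
    """Compare the peer's ID payload with the configured remote ID.

    Assumed default when no remote ID is configured: the peer is expected to
    identify itself by its IPv4 address, which is the case the text says
    needs no ID configuration.
    """
    id_type, id_value = decode_id_payload(received_payload)
    rec = records.get(remote_addr, {})
    want_type = rec.get("remote_id_type", ID_IPV4_ADDR)
    want_value = rec.get("remote_id", remote_addr)
    return (id_type, id_value) == (want_type, want_value)


if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.20", "203.0.113.5"):
        t, v = select_local_id(peer, "198.51.100.1")
        print(peer, "->", t, v, encode_id_payload(t, v).hex())
```

The third peer in the usage loop has no authentication record at all, so the interface address and ID type 1 (ID_IPV4_ADDR) are sent, which is exactly the behaviour the conditions earlier in this section rely on when no ID information is configured.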