HP-UX IPSec version A.02.00 Administrator's Guide
Using Certificates with HP-UX IPSec
Configuring Authentication Records with IKE IDs
Chapter 4 135
If the matching authentication record has remote ID information, HP-UX IPSec uses it to verify what the remote system sends in the ISAKMP ID payload. HP-UX IPSec also verifies that the remote ID information matches ID information in the remote system’s certificate.

If the matching authentication record has no remote ID information for the remote system, HP-UX IPSec uses the remote system’s IP address (the source IP address from the inbound packet) as the remote ID value and the appropriate IP address type as the remote ID type. HP-UX IPSec then verifies that the remote ID information matches the information it receives in the ISAKMP ID payload and the ID information in the remote system’s certificate.
Configuring Authentication Records with Certificate-Based Authentication
You must configure IKE/ISAKMP ID information in authentication records if any systems using certificate-based authentication meet the following conditions:

• The local system is multihomed.
You must configure authentication records for the remote systems with the local ID type set to IPV4 and the local ID value set to the IPv4 address in the security certificate for the local system. This causes HP-UX IPSec to send the correct local ID type and value to the remote system.
Use the procedures in “Determining the IPv4 Address in the SubjectAlternativeName” on page 136 if you do not know the IPv4 address in the SubjectAlternativeName.

• The remote system using certificate-based authentication is multihomed.
You must configure an authentication record for each IPv4 address on the remote system. Set the remote ID type and remote ID value to match the values configured on the multihomed system.

• The remote system using certificate-based authentication is a non-HP system that does not use IPv4 addresses for IKE identification (the ISAKMP ID payload). For example, Microsoft systems use the Subject Distinguished Name as the ID type.
Configure the remote ID type and remote ID value to match the type and value configured on the non-HP system.
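To make the matching rules and the per-address records described above concrete, the following is an added Python model of the remote ID check (illustrative code written for this guide excerpt, not HP-UX IPSec's implementation). The AuthRecord and Certificate classes, the "DN" label for the Subject Distinguished Name ID type, and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# "IPV4" is the ID type named on this page; "DN" is an assumed label for the
# Subject Distinguished Name type that Microsoft peers use.
@dataclass
class AuthRecord:
    remote_addr: str                      # IP address the record is selected by
    remote_id_type: Optional[str] = None  # None = no remote ID configured
    remote_id_value: Optional[str] = None

@dataclass
class Certificate:
    subject_dn: str
    san_ipv4: list = field(default_factory=list)  # IPv4 addresses in SubjectAlternativeName

def expected_remote_id(rec: AuthRecord, src_ip: str) -> Tuple[str, str]:
    """Configured remote ID if present, otherwise the inbound source IP as an IPV4 ID."""
    if rec.remote_id_type and rec.remote_id_value:
        return rec.remote_id_type, rec.remote_id_value
    return "IPV4", src_ip

def cert_carries_id(cert: Certificate, id_type: str, id_value: str) -> bool:
    """Does the peer certificate contain the ID we expect?"""
    if id_type == "IPV4":
        return id_value in cert.san_ipv4
    if id_type == "DN":
        return id_value == cert.subject_dn
    return False  # unknown ID type: fail closed

def verify_remote_id(rec, src_ip, payload_type, payload_value, cert) -> bool:
    """Both checks from the text: expected ID == ISAKMP ID payload, and the cert carries it."""
    exp = expected_remote_id(rec, src_ip)
    return exp == (payload_type, payload_value) and cert_carries_id(cert, *exp)

# Constructed sample: a multihomed peer whose certificate names only 10.0.0.5,
# reached here over its second interface 10.0.1.5.
PEER_CERT = Certificate(subject_dn="CN=peer.example.test", san_ipv4=["10.0.0.5"])
DEFAULT_REC = AuthRecord("10.0.1.5")                            # no remote ID configured
MULTIHOMED_REC = AuthRecord("10.0.1.5", "IPV4", "10.0.0.5")     # per-address record from the text
MS_REC = AuthRecord("10.0.2.9", "DN", "CN=peer.example.test")   # non-HP peer identified by Subject DN

if __name__ == "__main__":
    # Falls back to source IP 10.0.1.5, which the certificate does not carry -> rejected
    print(verify_remote_id(DEFAULT_REC, "10.0.1.5", "IPV4", "10.0.1.5", PEER_CERT))
    # Record pins the address that is in the certificate -> accepted
    print(verify_remote_id(MULTIHOMED_REC, "10.0.1.5", "IPV4", "10.0.0.5", PEER_CERT))
```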