HP-UX IPSec version A.02.00 manpages
ipsec_config(1M) ipsec_config(1M)
Synopsis
ipsec_config add auth auth_name [-nocommit|nc] [-rem[ote] ip_address[/prefix]]
    [-ltype local_id_type] [-lid local_id] [-rtype remote_id_type] [-rid remote_id]
    [-preshared|psk preshared_key]
Description
Authentication records contain preshared key and IKE identification information. You must configure
authentication records if you are using preshared keys for IKE authentication.
You must also configure authentication records if you are using security certificates and RSA signatures
(RSASIG) for IKE authentication, and the local or remote system is multi-homed (has more than one IP
address configured), or if the remote system is not an HP-UX system and uses an IKE ID type other than
IPv4 addresses.
When HP-UX IPSec negotiates an ISAKMP/MM SA with a remote system, it uses the remote system’s IP
address to find an authentication record. If a remote system is multi-homed, you must configure an
authentication record for each of the remote system’s IP addresses.
You do not have to configure authentication records in the following topologies:
• topologies that use only manual keys
• topologies that use only security certificates and RSA signatures (RSASIG) for IKE authentication,
and the local and remote systems are HP-UX systems and not multi-homed
Options and Operands
The ipsec_config add auth command recognizes the following options and operands.
auth_name
Specifies the user-defined name for the authentication record. This name must be unique for
each authentication record and is case-sensitive.
Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character,
hyphen (-), or underscore (_).
-nocommit|nc
The ipsec_config utility verifies the authentication record, but does not add it to the
configuration database. This option is not valid if you are specifying an add auth operation
in a batch file.
-rem[ote] ip_addr[/prefix]
Specifies the IP address and network prefix length that specifies the remote system or subnet
for this authentication record. The values for ip_addr and prefix are defined as follows:
ip_addr
Specifies the IP address of the remote system.
Each ip_addr and prefix combination (the significant bits of the ip_addr, as
specified by prefix) must be unique. If the remote system's IP address matches
multiple IP address and prefix combinations, HP-UX IPSec uses the authentication
record with the most specific address (longest prefix length).
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6
address in colon-hexadecimal notation. HP-UX IPSec does not support unspecified
IPv6 addresses. However, you can use the double-colon (::) notation within a
specified IPv6 address to denote a number of zeros (0) within an address. The
address cannot be a broadcast, subnet broadcast, multicast, or anycast address.
Default: None.
prefix
Specifies the prefix length, or the number of leading bits, that must match when
comparing an IP address of the remote system with ip_addr.
For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both
addresses must match. Use a value less than 32 to specify a subnet address filter.
For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both
addresses must match. Use a value less than 128 to specify a subnet address filter.
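The record-selection rule described above (each ip_addr/prefix combination unique, the longest matching prefix wins, multicast and unspecified addresses rejected), as an added Python model that is not HP-UX code; the AuthDb class, record names and addresses are constructed for illustration:

```python
# Added example (not HP-UX IPSec code): models how authentication records
# configured with "ipsec_config add auth" are chosen by remote IP address.
# The AuthDb class, record names and addresses below are constructed.
import re
from ipaddress import ip_address, ip_network

NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")  # auth_name rules from the page


class AuthDb:
    """Table of auth records keyed by the unique ip_addr/prefix combination."""

    def __init__(self):
        self.records = {}  # ip_network -> auth_name

    def add_auth(self, auth_name, remote):
        """Validate and add a record; 'remote' is 'ip_addr' or 'ip_addr/prefix'."""
        if not NAME_RE.match(auth_name):
            raise ValueError(f"bad auth_name {auth_name!r}")
        if auth_name in self.records.values():
            raise ValueError(f"auth_name {auth_name!r} already used")
        # No prefix means a host record (/32 for IPv4, /128 for IPv6).
        # strict=False keeps only the significant bits selected by prefix.
        net = ip_network(remote, strict=False)
        host = ip_address(remote.split("/")[0])
        # Subnet-broadcast and anycast checks need interface context; not modelled.
        if host.is_unspecified or host.is_multicast or str(host) == "255.255.255.255":
            raise ValueError(f"{remote}: unspecified/multicast/broadcast not allowed")
        if net in self.records:
            raise ValueError(f"{net} duplicates an existing ip_addr/prefix")
        self.records[net] = auth_name

    def lookup(self, peer_ip):
        """Return the auth_name with the longest matching prefix, or None."""
        peer = ip_address(peer_ip)
        matches = [n for n in self.records if n.version == peer.version and peer in n]
        if not matches:
            return None
        return self.records[max(matches, key=lambda n: n.prefixlen)]


if __name__ == "__main__":
    db = AuthDb()
    db.add_auth("branch_net", "10.1.0.0/16")   # subnet record
    db.add_auth("branch_gw", "10.1.2.3")       # host record inside that subnet
    db.add_auth("v6_peer", "2001:db8::10")
    print(db.lookup("10.1.2.3"), db.lookup("10.1.9.9"), db.lookup("10.2.0.1"))
```

A peer at 10.1.2.3 selects branch_gw (the /32 beats the /16), 10.1.9.9 falls back to branch_net, and an address outside both records yields no match, which is the case the man page warns about for multi-homed peers.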
6 Hewlett-Packard Company − 2 − HP-UX IPSec A.02.00