HP-UX IPSec version A.02.01 Administrator's Guide

Configuring HP-UX IPSec
Step 4: Configuring Preshared Keys Using Authentication Records
Chapter 4 133
If HP-UX IPSec is the initiator in an IKE Phase 1 negotiation (Main Mode or Aggressive Mode), IKE uses the remote system’s IP address to search for an authentication record.

If HP-UX IPSec is a responder in an IKE Phase 1 negotiation and the exchange type is Main Mode, IKE uses the remote system’s IP address (from the IP packet header) to search for an authentication record.

If HP-UX IPSec is a responder in an IKE Phase 1 negotiation and the exchange type is Aggressive Mode, IKE searches for an authentication record by comparing the ID information (the IKE Identity payload) sent by the remote system with the remote ID fields configured in the authentication records. IKE then uses the remote address field in the authentication record to search for the IKE policy.

If IKE is using an authentication record that contains local ID information, HP-UX IPSec sends the configured local ID information in an IKE (ISAKMP) Identity payload. If IKE is using an authentication record that has no local ID information configured, HP-UX IPSec sends the IP address of the interface it is using for the IKE negotiation as the local ID value, and sends the address type (IPv4 or IPv6) as the local ID type.

If IKE is using an authentication record that contains remote ID information, HP-UX IPSec uses it to verify what the remote system sends in the IKE (ISAKMP) Identity payload. If the matching authentication record does not have remote ID information and the exchange mode is Main Mode, HP-UX IPSec verifies that the source IP address from the inbound packet matches the ID value sent by the remote system, and uses the IP address type as the ID type.
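The record lookup, local ID selection and remote ID verification rules described above, as an added Python model (this is not HP-UX code; the ID type names IPV4/IPV6, the field names and the longest-prefix tie-break between overlapping -remote entries are assumptions):

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of an ipsec_config auth record; field names are assumed.
@dataclass
class AuthRecord:
    name: str                    # auth_name
    remote: str                  # -remote ip_addr[/prefix]
    ltype: Optional[str] = None  # -ltype local_id_type
    lid: Optional[str] = None    # -lid local_id
    rtype: Optional[str] = None  # -rtype remote_id_type
    rid: Optional[str] = None    # -rid remote_id

def addr_id(ip: str):
    """Build an address-type ID (assumed type names IPV4/IPV6) from an IP address."""
    return ("IPV4" if ipaddress.ip_address(ip).version == 4 else "IPV6", ip)

def find_auth_record(records, role, exchange, remote_ip, peer_id=None):
    """Select the record for a Phase 1 negotiation. peer_id is the remote Identity
    payload (type, value); it is only consulted when responding in Aggressive Mode."""
    if role == "responder" and exchange == "AM":
        # Aggressive Mode responder: match the peer's ID against remote ID fields.
        for rec in records:
            if rec.rtype and rec.rid and (rec.rtype, rec.rid) == peer_id:
                return rec
        return None
    # Initiator (either mode), or Main Mode responder: search by remote IP address.
    # Longest-prefix wins among overlapping -remote entries (an assumption).
    addr = ipaddress.ip_address(remote_ip)
    best = None
    for rec in records:
        net = ipaddress.ip_network(rec.remote, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, rec)
    return best[1] if best else None

def local_id_to_send(rec, local_ip):
    """ID placed in our Identity payload: configured local ID, else the interface address."""
    return (rec.ltype, rec.lid) if rec.ltype and rec.lid else addr_id(local_ip)

def remote_id_ok(rec, exchange, packet_src_ip, peer_id):
    """Verify the peer's Identity payload against the chosen record."""
    if rec.rtype and rec.rid:
        return (rec.rtype, rec.rid) == peer_id
    if exchange == "MM":  # no remote ID configured: packet source address must match
        return peer_id == addr_id(packet_src_ip)
    return False  # AM with no configured remote ID is not described above; assumed failure
```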
ipsec_config add auth Syntax for Preshared Keys with ID Information

You can use the following ipsec_config add auth syntax to configure preshared keys in most installations:
ipsec_config add auth auth_name -remote ip_addr[/prefix] [-exchange|x AM|MM]
    [-ltype local_id_type] [-lid local_id]
    [-rtype remote_id_type] [-rid remote_id]
    -preshared preshared_key