HP-UX IPSec version A.02.01 Administrator's Guide

Using Certificates with HP-UX IPSec
Chapter 5 163
Step 4: Configuring Authentication Records with IKE IDs
You can skip this section if all systems using certificate-based
authentication meet the following conditions:
• None of the systems are multihomed.
• All of the remote systems using certificate-based authentication use
the IPV4 or IPV6 address type as the IKE ID (IKE Identity payload).
• You are using Main Mode for IKE Phase 1 negotiations.
If all systems using certificate-based authentication meet these
conditions, continue to “Step 5: Adding the CRL to HP-UX IPSec” on
page 171.
As part of the IKE SA negotiation, the IKE peers exchange and verify ID
types and ID values. During an IKE Phase 1 negotiation, HP-UX IPSec
uses the remote system address to search for an authentication record.
An authentication record can contain the following IKE ID information:
• local ID type
• local ID value
• remote ID type
• remote ID value
If HP-UX finds an authentication record that matches the remote IP
address, HP-UX IPSec sends the configured local ID information in an
IKE Identity payload. If the matching authentication record has no local
ID information, HP-UX IPSec sends the IP address of the interface it is
using for the IKE negotiation as the local ID value, and sends the
appropriate address type (IPV4 or IPV6) as the local ID type.
If the matching authentication record has remote ID information,
HP-UX IPSec uses it to verify what the remote system sends in the IKE
Identity payload. HP-UX IPSec also verifies that the remote ID
information matches ID information in the remote system’s certificate.
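The following is an added example, not code from the HP-UX IPSec guide, that models the record lookup and ID handling this section describes: the authentication record is found by the remote system's IP address, the local ID sent in the Identity payload falls back to the address (and address type) of the negotiating interface when the record carries no local ID, and the remote ID the peer sends is checked both against the configured remote ID (or the packet's source address when none is configured) and against the ID information in the peer's certificate. The record and certificate structures, the sample values, and the treatment of the no-matching-record case (falling back to the address defaults) are assumptions made for this example.

```python
# Added example (not from the HP-UX IPSec guide): a model of how an IKE
# peer selects an authentication record by remote IP address and derives
# the local and remote ID information used in IKE Phase 1.
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional


@dataclass
class AuthRecord:
    """Assumed shape of an authentication record: keyed by remote IP,
    with optional local/remote ID type and value."""
    remote_ip: str
    local_id_type: Optional[str] = None   # e.g. "IPV4", "IPV6", "FQDN"
    local_id_value: Optional[str] = None
    remote_id_type: Optional[str] = None
    remote_id_value: Optional[str] = None


@dataclass
class Certificate:
    """Constructed model of the ID fields a peer certificate may carry,
    keyed by ID type (e.g. {"FQDN": "b.example.com"})."""
    ids: dict = field(default_factory=dict)


def addr_type(addr: str) -> str:
    """IKE ID type corresponding to an IP address literal."""
    return "IPV4" if ip_address(addr).version == 4 else "IPV6"


def find_record(records, remote_ip):
    """Search for the authentication record matching the remote address."""
    for rec in records:
        if rec.remote_ip == remote_ip:
            return rec
    return None  # assumption: no record means address defaults apply


def local_id_to_send(record, local_iface_ip):
    """Local ID placed in the Identity payload: the configured local ID,
    otherwise the address of the interface used for the negotiation."""
    if record is not None and record.local_id_type and record.local_id_value:
        return record.local_id_type, record.local_id_value
    return addr_type(local_iface_ip), local_iface_ip


def expected_remote_id(record, packet_src_ip):
    """Remote ID the peer must present: the configured remote ID, otherwise
    the source IP address of the inbound packet."""
    if record is not None and record.remote_id_type and record.remote_id_value:
        return record.remote_id_type, record.remote_id_value
    return addr_type(packet_src_ip), packet_src_ip


def verify_peer_id(record, packet_src_ip, peer_id_payload, peer_cert):
    """True only if the peer's Identity payload matches the expected remote
    ID and the same ID information is present in the peer's certificate."""
    if peer_id_payload != expected_remote_id(record, packet_src_ip):
        return False
    id_type, id_value = peer_id_payload
    return peer_cert.ids.get(id_type) == id_value


# Constructed sample data (placeholder addresses and names).
SAMPLE_RECORDS = [
    # Peer B is identified by FQDN on both sides; local ID is configured.
    AuthRecord("10.0.0.2", "FQDN", "a.example.com", "FQDN", "b.example.com"),
    # Peer C has a record with no ID information at all.
    AuthRecord("10.0.0.3"),
]
CERT_B = Certificate({"FQDN": "b.example.com"})
CERT_C = Certificate({"IPV4": "10.0.0.3"})


if __name__ == "__main__":
    rec_b = find_record(SAMPLE_RECORDS, "10.0.0.2")
    rec_c = find_record(SAMPLE_RECORDS, "10.0.0.3")
    print(local_id_to_send(rec_b, "10.0.0.1"))   # configured FQDN
    print(local_id_to_send(rec_c, "10.0.0.1"))   # falls back to IPV4 address
    print(verify_peer_id(rec_b, "10.0.0.2", ("FQDN", "b.example.com"), CERT_B))
    print(verify_peer_id(rec_b, "10.0.0.2", ("IPV4", "10.0.0.2"), CERT_B))
    print(verify_peer_id(rec_c, "10.0.0.3", ("IPV4", "10.0.0.3"), CERT_C))
```

The two-step check in `verify_peer_id` is the point: a peer whose certificate validates but whose Identity payload does not match the configured remote ID, or whose certificate does not carry the ID it claims, is rejected rather than accepted on the strength of the certificate chain alone.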
If the matching authentication record has no remote ID information for
the remote system, HP-UX IPSec uses the remote system’s IP address
(the source IP address from the inbound packet) as the remote ID value