HP-UX IPSec version A.02.01 Administrator's Guide

Using Certificates with HP-UX IPSec
Step 4: Configuring Authentication Records with IKE IDs
Chapter 5, page 164
and the appropriate IP address type as the remote ID type. HP-UX then
verifies that the remote ID information matches the information it
receives in the IKE Identity payload and the ID information in the remote
system's certificate.
Configuring Authentication Records with Certificate-Based Authentication
You must configure IKE ID information in authentication records if any
systems using certificate-based authentication meet the following
conditions:
• The local system is multihomed.
  You must configure authentication records for the remote systems so
  that IKE will send the correct local ID type and value to the remote
  system. You must specify the ID type and ID value to match the
  values in the local certificate. If you followed the HP
  recommendation when creating the Certificate Signing Request, the
  local certificate will contain the system's IPv4 or IPv6 address as
  the subjectAlternativeName.
• The remote system using certificate-based authentication is
  multihomed and the local system sends packets to multiple IP
  addresses on the remote system.
  You must configure an authentication record for each IP address on
  the remote system. Set the remote ID type and remote ID value to
  match the values configured on the multihomed system.
• The remote system using certificate-based authentication does not
  use IP addresses for IKE identification (the IKE Identity payload,
  also referred to as the ISAKMP Identity payload). For example,
  Microsoft systems use the Subject Distinguished Name as the ID
  type.
  Configure the remote ID type and remote ID value to match the type
  and value configured on the remote system.
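The matching described above (the remote ID type and value of the authentication record selected for the peer address, checked against the IKE Identity payload and against the identity in the peer's certificate) as an added Python example; this is not HP-UX code. `AuthRecord`, `PeerCert`, the ID-type labels and all sample values are this example's own constructions, and the DN comparison is a simplified stand-in for DER matching.

```python
import ipaddress
from dataclasses import dataclass

# Labels for the ID types carried in the IKE Identity payload (this example's
# names, not HP-UX ipsec_config keywords).
ID_IPV4 = "ipv4"
ID_IPV6 = "ipv6"
ID_DN = "dn"  # Subject Distinguished Name, e.g. what Microsoft peers send

@dataclass(frozen=True)
class AuthRecord:
    """Hypothetical stand-in for the remote ID fields of an authentication record."""
    remote_id_type: str
    remote_id_value: str

@dataclass(frozen=True)
class PeerCert:
    """Only the identity fields of the peer certificate that matter here."""
    subject_dn: str
    subject_alt_ips: tuple  # IP entries of subjectAlternativeName

def normalize(id_type, value):
    """Canonicalise an ID so textual variants compare equal; reject mismatched types."""
    if id_type in (ID_IPV4, ID_IPV6):
        addr = ipaddress.ip_address(value)
        if addr.version != (4 if id_type == ID_IPV4 else 6):
            raise ValueError("ID type does not match address family")
        return addr.compressed
    if id_type == ID_DN:
        # order-insensitive RDN comparison; real DER matching is stricter
        return tuple(sorted(rdn.strip().lower() for rdn in value.split(",")))
    raise ValueError(f"unsupported ID type {id_type!r}")

def remote_id_accepted(records, peer_ip, ike_id_type, ike_id_value, cert):
    """True only if a record exists for this peer address (one per address of a
    multihomed peer), the Identity payload matches its remote ID, and the
    certificate carries that same identity."""
    record = records.get(ipaddress.ip_address(peer_ip).compressed)
    if record is None or ike_id_type != record.remote_id_type:
        return False
    try:
        expected = normalize(record.remote_id_type, record.remote_id_value)
        presented = normalize(ike_id_type, ike_id_value)
    except ValueError:
        return False
    if presented != expected:
        return False
    if ike_id_type == ID_DN:
        return normalize(ID_DN, cert.subject_dn) == presented
    return presented in {ipaddress.ip_address(ip).compressed for ip in cert.subject_alt_ips}
```

Keys of `records` are compressed IP strings, so a multihomed peer that sends from an address without its own record is rejected rather than matched against another record.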
Syntax
You can use the following ipsec_config add auth syntax to configure
authentication records with ID information in most installations: