HP-UX IPSec version A.02.01 Administrator's Guide

Using Certificates with HP-UX IPSec
Step 4: Configuring Authentication Records with IKE IDs
Chapter 5 169
organizationalUnit: The organizationalUnit for the DN, for example
Marketing. Commas are not accepted as part of this value. The size of
this value must not exceed 64 bytes.
Default: If you do not configure the local_id_type and local_id,
HP-UX uses the IPv4 or IPv6 address of the interface the IKE daemon
uses to communicate with the remote system as the local_id and the
corresponding IP address type (IPV4 or IPV6) as the local_id_type.
-rtype remote_id_type and -rid remote_id
IKE uses the remote_id_type and remote_id values to verify the ID
type and value sent by the remote system when negotiating an IKE SA.
This must also match information in the remote system's certificate.
You do not have to configure the remote ID type if the remote system
uses IPV4 or IPV6 as the ID type, and is not multihomed.
Acceptable Values: Table 5-1 on page 167 lists the valid ID types and
corresponding ID values.
Default: If you do not configure remote_id_type and remote_id,
HP-UX IPSec uses the IPv4 or IPv6 address of the remote system, taken
from the source address of the inbound IP packets, as the remote_id
and the appropriate IP address type (IPV4 or IPV6) as the
remote_id_type.
Examples
The remote system Mike with address 192.1.1.1 uses X.500
Distinguished Names as IKE IDs. The local system is not multihomed, so
you do not have to specify local ID information.
ipsec_config add auth Mike -remote 192.1.1.1 \
-rtype X500-DN -rid CN=hostn,c=us,O=myco
You are using certificate-based authentication between HP-UX systems
Black (10.10.10.10) and Zebra. Zebra is multihomed, with addresses
10.20.20.20 and 192.6.2.20. The security certificate for Zebra
contains the address 10.20.20.20 as the subjectAlternativeName.
On Black, you add the following entries to the ipsec_config batch file:
add auth Zebra1 -remote 10.20.20.20 -rtype IPV4 \
-rid 10.20.20.20
add auth Zebra2 -remote 192.6.2.21 -rtype IPV4 \
-rid 10.20.20.20
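The following Python script is an added example, not code from the HP-UX IPSec guide or from HP. It builds the "add auth" records shown above while applying the rules this section states: an organizationalUnit value may not contain commas and may not exceed 64 bytes, an unconfigured remote ID defaults to the remote system's IP address and its address family, and the local ID defaults the same way from the interface address IKE uses. It emits only the flags shown on this page (-remote, -rtype, -rid); the ID-type list, the "OU" abbreviation in the DN, and the helper names are assumptions of the example.

```python
"""Build and check ipsec_config 'add auth' records for HP-UX IPSec.

Added example, not code from the HP-UX IPSec guide. It encodes the rules
the guide states for ID values and their defaults; ipsec_config itself is
never invoked, the script only produces the command lines.
"""
import ipaddress

MAX_OU_BYTES = 64
# Assumption: the example restricts itself to the ID types used on this page.
ID_TYPES = ("IPV4", "IPV6", "X500-DN")


def validate_ou(ou: str) -> str:
    """Check an organizationalUnit value against the guide's two constraints."""
    if "," in ou:
        raise ValueError("organizationalUnit must not contain commas: %r" % ou)
    if len(ou.encode("utf-8")) > MAX_OU_BYTES:
        raise ValueError("organizationalUnit exceeds %d bytes" % MAX_OU_BYTES)
    return ou


def address_id_type(addr: str) -> str:
    """Map an IP address to the ID type HP-UX IPSec derives from it."""
    return "IPV4" if ipaddress.ip_address(addr).version == 4 else "IPV6"


def default_ids(interface_addr: str, remote_addr: str):
    """Return ((local_id_type, local_id), (remote_id_type, remote_id)) as
    used when neither side's ID is configured: the address of the interface
    IKE uses to reach the peer, and the source address of the peer's packets."""
    return ((address_id_type(interface_addr), interface_addr),
            (address_id_type(remote_addr), remote_addr))


def build_auth_record(name, remote, rtype=None, rid=None, batch=False):
    """Return one 'add auth' line, applying the remote-ID default and
    rejecting inconsistent type/value pairs. batch=True omits the
    'ipsec_config' prefix, as in an ipsec_config batch file."""
    if rtype is None and rid is None:
        # Default: remote_id is the remote address, remote_id_type its family.
        rtype, rid = address_id_type(remote), remote
    elif rtype is None or rid is None:
        raise ValueError("remote_id_type and remote_id must be given together")
    if rtype not in ID_TYPES:
        raise ValueError("unsupported ID type %r" % rtype)
    if rtype in ("IPV4", "IPV6") and address_id_type(rid) != rtype:
        raise ValueError("remote_id %r is not an %s address" % (rid, rtype))
    if rtype == "X500-DN" and "=" not in rid:
        raise ValueError("X500-DN remote_id must be attribute=value pairs")
    words = ["add", "auth", name, "-remote", remote, "-rtype", rtype, "-rid", rid]
    if not batch:
        words.insert(0, "ipsec_config")
    return " ".join(words)


def format_dn(cn, c, o, ou=None):
    """Assemble a DN in the order the page's example uses (CN, c, O); an
    organizationalUnit (assumed abbreviation OU) is appended only after
    validate_ou accepts it."""
    parts = ["CN=%s" % cn, "c=%s" % c, "O=%s" % o]
    if ou is not None:
        parts.append("OU=%s" % validate_ou(ou))
    return ",".join(parts)


if __name__ == "__main__":
    # Remote system Mike, identified by a DN; local ID left to its default.
    print(build_auth_record("Mike", "192.1.1.1", "X500-DN",
                            format_dn("hostn", "us", "myco")))
    # Multihomed Zebra: both records carry the address in its certificate.
    print(build_auth_record("Zebra1", "10.20.20.20", "IPV4", "10.20.20.20", batch=True))
    print(build_auth_record("Zebra2", "192.6.2.21", "IPV4", "10.20.20.20", batch=True))
    print(default_ids("10.10.10.10", "10.20.20.20"))
```

The Zebra records show why a multihomed peer needs explicit -rtype and -rid: the default would take the remote_id from each -remote address, but only 10.20.20.20 appears in Zebra's certificate, so the second record would fail certificate matching if left to the default.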