HP-UX IPSec version A.02.01 Administrator's Guide
HP-UX IPSec Configuration Examples
Autoconfiguration Clients
Appendix D
Autoconfiguration Clients
The system Server1 has the address 2001:db8:11:11::1111 on the
subnet 2001:db8:11:11::/64. This subnet has three autoconfiguration
clients, configured with the user FQDN IKE IDs joe_s@corp.com,
mick_j@corp.com, and paul_s@corp.com.
Server1 Configuration
The configuration on Server1 specifies the subnet address for the
autoconfiguration clients as the remote address.
The host policy on Server1 must specify the AUTOCONF flag, which imposes
the following requirements:
• Server1 cannot be the initiator in IKE Phase 1 negotiations
(Aggressive Mode negotiations) with the autoconfiguration clients.
Server1 can only be a responder in IKE Phase 1 negotiations with
the autoconfiguration clients.
• On Server1, you must configure an IKE policy with a remote address
and prefix that matches the autoconfiguration address pool
(2001:db8:11:11::/64). In this example, the IKE authentication is
preshared keys (-auth PKEY), but RSA signatures (-auth RSASIG)
are also supported with autoconfiguration clients.
• On Server1, you must configure authentication records for the
autoconfiguration clients. The authentication records must specify
Aggressive Mode for the exchange mode (-exchange AM) and remote
ID information (-rtype and -rid arguments). You can configure one
authentication record for multiple autoconfiguration clients that use
a common preshared key. However, HP strongly recommends that
you configure an individual authentication record for each remote
system with a unique preshared key. In this example, the Server1
configuration contains one authentication record for each
autoconfiguration client.
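As an added illustration (not HP code and not ipsec_config syntax), the following Python script audits a set of Server1 records against the three requirements above and against HP's recommendation of a unique preshared key per client. The record dictionaries, their field names and the sample key values are this example's own constructed model of the host, IKE and authentication records.

```python
import ipaddress

# Constructed sample of Server1's records, modelled on the page's example.
# Field names and key values are this example's own, not ipsec_config's.
POOL = "2001:db8:11:11::/64"
CONFIG = {
    "host": [{"name": "autoconf_hosts", "src": "2001:db8:11:11::1111",
              "dst": POOL, "flags": {"AUTOCONF"}}],
    "ike": [{"name": "autoconf_ike", "remote": POOL, "auth": "PKEY"}],
    "auth": [
        {"name": "joe", "exchange": "AM", "rtype": "USER_FQDN",
         "rid": "joe_s@corp.com", "preshared": "constructed-key-1"},
        {"name": "mick", "exchange": "AM", "rtype": "USER_FQDN",
         "rid": "mick_j@corp.com", "preshared": "constructed-key-2"},
        {"name": "paul", "exchange": "MM", "rtype": "USER_FQDN",
         "rid": "paul_s@corp.com", "preshared": "constructed-key-1"},
    ],
}

def audit_autoconf(config, pool):
    """Return a list of findings for the AUTOCONF requirements on the page."""
    findings = []
    pool_net = ipaddress.ip_network(pool)
    # 1. Host policies whose remote side is the pool must carry AUTOCONF.
    for h in config["host"]:
        if ipaddress.ip_network(h["dst"]) == pool_net and "AUTOCONF" not in h["flags"]:
            findings.append(f"host {h['name']}: AUTOCONF flag missing")
    # 2. An IKE policy whose remote address/prefix matches the pool, using a
    #    supported authentication method (PKEY or RSASIG).
    ike = [p for p in config["ike"] if ipaddress.ip_network(p["remote"]) == pool_net]
    if not ike:
        findings.append(f"no IKE policy with remote {pool}")
    for p in ike:
        if p["auth"] not in ("PKEY", "RSASIG"):
            findings.append(f"ike {p['name']}: unsupported auth {p['auth']}")
    # 3. Authentication records: Aggressive Mode plus remote ID type and value,
    #    and (HP's recommendation) a preshared key not shared between clients.
    seen = {}
    for a in config["auth"]:
        if a["exchange"] != "AM":
            findings.append(f"auth {a['name']}: exchange must be AM")
        if not a.get("rtype") or not a.get("rid"):
            findings.append(f"auth {a['name']}: -rtype/-rid missing")
        other = seen.setdefault(a["preshared"], a["name"])
        if other != a["name"]:
            findings.append(f"auth {a['name']}: preshared key shared with {other}")
    return findings
```

The sample deliberately gives paul_s@corp.com a Main Mode record and a key reused from joe_s@corp.com, so the audit reports both; the first requirement (Server1 only responds, never initiates) is runtime behaviour and is not represented as a record field here.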