HP-UX IPSec Version A.03.00 Administrator's Guide
Autoconfiguration Clients
The system Server1 has the address 2001:db8:11:11::1111 on the subnet
2001:db8:11:11::/64. This subnet has three autoconfiguration clients, configured with the
user FQDN IKE IDs joe_s@corp.com, mick_j@corp.com, and paul_s@corp.com.
Server1 Configuration
The configuration on Server1 specifies the subnet address for the autoconfiguration clients as
the remote address.
The host policy on Server1 must specify the AUTOCONF flag, which forces the following
requirements:
• Server1 cannot be the initiator in IKEv1 Phase 1 negotiations (Aggressive Mode negotiations)
with the autoconfiguration clients. Server1 can only be a responder in IKEv1 Phase 1
negotiations with the autoconfiguration clients.
• On Server1, you must configure authentication records for the autoconfiguration clients.
The authentication records must specify Aggressive Mode for the exchange mode
(-exchange AM) and remote ID information (-rtype and -rid arguments). You can
configure one authentication record for multiple autoconfiguration clients that use a common
preshared key. However, HP strongly recommends that you configure an individual
authentication record for each remote system with a unique preshared key. In this example,
the Server1 configuration contains one authentication record for each autoconfiguration
client.
• On Server1, you must configure an IKE policy with a remote address and prefix that matches
the autoconfiguration address pool (2001:db8:11:11::/64). In this example, the IKE
authentication is preshared keys (-auth PKEY), but RSA signatures (-auth RSASIG) are
also supported with autoconfiguration clients.
Host Policy
add host autoconf_clients \
    -destination 2001:db8:11:11::/64 \    (autoconf client subnet addr.)
    -action ESP_AES128_HMAC_SHA1 \
Authentication Records
There is one authentication record for each autoconfiguration client. Each authentication record
contains a unique remote ID for each client, which matches the local ID configured on the client.
The IKE exchange type must be Aggressive Mode (-exchange AM) and the AUTOCONF flag
must be specified (-flags AUTOCONF).
add auth joe_s \
    -remote 2001:db8:11:11::/64 \    (autoconf client subnet addr.)
    -ltype FQDN -lid server1.corp.com \
    -rtype USER-FQDN -rid joe_s@corp.com \
    -exchange AM \
    -preshared secret1111 \
    -flags AUTOCONF
add auth mick_j \
    -remote 2001:db8:11:11::/64 \    (autoconf client subnet addr.)
    -ltype FQDN -lid server1.corp.com \
    -rtype USER-FQDN -rid mick_j@corp.com \
    -exchange AM \
    -preshared secret2222 \
    -flags AUTOCONF
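The requirements listed above for autoconfiguration authentication records (Aggressive Mode, a remote ID, a remote address inside the autoconfiguration pool, and a unique preshared key per client) can be checked mechanically before loading a batch file. The following audit script is an added example, not part of the HP-UX IPSec guide or of the ipsec_config tool; the batch text it parses is a constructed sample in the same syntax as the records above, with a deliberately non-compliant second record.

```python
import ipaddress
import shlex

# Constructed sample in ipsec_config batch syntax (not from the guide): the second
# record omits -exchange AM and reuses joe_s's preshared key.
SAMPLE = r"""
add auth joe_s \
    -remote 2001:db8:11:11::/64 \
    -ltype FQDN -lid server1.corp.com \
    -rtype USER-FQDN -rid joe_s@corp.com \
    -exchange AM -preshared secret1111 -flags AUTOCONF
add auth mick_j \
    -remote 2001:db8:11:11::/64 \
    -ltype FQDN -lid server1.corp.com \
    -rtype USER-FQDN -rid mick_j@corp.com \
    -preshared secret1111 -flags AUTOCONF
"""

def parse_auth_records(text):
    """Join backslash continuations; return {name: {option: value}} for each 'add auth'."""
    records = {}
    for line in text.replace("\\\n", " ").splitlines():
        words = shlex.split(line)
        if words[:2] != ["add", "auth"]:
            continue
        # options alternate "-name value" after the record name
        records[words[2]] = dict(zip(words[3::2], words[4::2]))
    return records

def audit(records, pool):
    """Return (record name, problem) pairs for AUTOCONF records that break the guide's rules."""
    net = ipaddress.ip_network(pool)
    problems, key_owner = [], {}
    for name, o in records.items():
        if "AUTOCONF" not in o.get("-flags", ""):
            continue  # the rules below apply only to autoconfiguration records
        if o.get("-exchange") != "AM":
            problems.append((name, "AUTOCONF requires -exchange AM"))
        if "-rtype" not in o or "-rid" not in o:
            problems.append((name, "remote ID (-rtype/-rid) missing"))
        remote = o.get("-remote")
        if remote is None or not ipaddress.ip_network(remote, strict=False).subnet_of(net):
            problems.append((name, "-remote does not fall within the autoconf pool"))
        key = o.get("-preshared")
        if key in key_owner:  # HP recommends a unique preshared key per remote system
            problems.append((name, "preshared key reused from " + key_owner[key]))
        elif key:
            key_owner[key] = name
    return problems
```

Calling `audit(parse_auth_records(SAMPLE), "2001:db8:11:11::/64")` reports both defects in the mick_j record and nothing for joe_s.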
Autoconfiguration Clients 211