HP-UX IPSec Version A.03.00 Administrator's Guide

Step 3: Configuring Authentication Records for Preshared Keys
This section describes configuration requirements for authentication records if you are using
preshared keys for IKE authentication. If you are not using preshared keys for IKE authentication,
go to “Step 4: Configuring Authentication Records for Certificates” (page 239).
The preshared key information must be the same on all nodes in the cluster. Configure
authentication records with preshared keys on one Serviceguard cluster node. The authentication
records are stored in the configuration database, /var/adm/ipsec/config.db, which you
distribute to the other cluster nodes.
Use the procedure described in Chapter 4, “Step 3: Configuring Authentication Records and
Preshared Keys” (page 85) to configure authentication records and preshared keys, with the
additional requirements described in the following sections.
Preshared Key Configuration on Cluster Nodes
Configure an authentication record with a preshared key for each cluster client. HP recommends
that you configure a unique key for each client.
The authentication records can also contain local and remote ID information. You do not have
to configure local ID information on the cluster nodes. You do not have to configure remote ID
information if the client is an HP-UX system, or a system from another vendor that uses its IP
address as its IKE ID.
Preshared Key Configuration on Client Nodes
On each cluster client, you configure an authentication record for each package address, using
the preshared key configured on the cluster for this client.
You do not have to configure local or remote ID information if the client is an HP-UX system, or
a system from another vendor that uses its IP address as its IKE ID.
Example
In Figure G-1 (page 222), the cluster has three nodes:
Node1 (10.1.1.1 and 15.1.1.1)
Node2 (10.2.2.2 and 15.2.2.2)
Node3 (10.3.3.3 and 15.3.3.3)
The 10.*.*.* network is a dedicated heartbeat LAN. The 15.*.*.* network is a shared heartbeat and
data LAN.
The cluster also has two packages:
pkgA (15.98.98.98)
pkgB (15.99.99.99)
There are two package clients:
Client1 (15.4.4.4)
Client2 (15.5.5.5)
HP-UX IPSec is securing the traffic between the clients and the package addresses.
The local ID used by the cluster nodes is the FQDN mycluster.hp.com.
The local IDs used by the clients are their IP addresses.
Authentication Records on Cluster Nodes
On each cluster node, the ipsec_config batch file contains the following entries:
add auth client1 -remote 15.4.4.4 -kmp IKEV1 \
-ltype FQDN -lid mycluster.hp.com \
-rtype IPV4 -rid 15.4.4.4 \
-psk my_client1_key
add auth client2 -remote 15.5.5.5 -kmp IKEV1 \
236 HP-UX IPSec and Serviceguard
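As an added example (not from the HP-UX guide), the script below generates the cluster-side batch entries shown above from one table of clients and keys, generates the mirrored client-side entries (one per package address), and checks that a client's records carry the same preshared key and the cluster's local ID. The cluster-side layout is copied from the guide; the client-side layout (package address as -remote, local and remote IDs swapped) and the key for Client2 are assumptions of this example.

```python
# Added example, not part of the HP-UX IPSec guide or the ipsec_config tool.
from typing import Dict, List

CLUSTER_ID = ("FQDN", "mycluster.hp.com")             # local ID of every cluster node
PACKAGES = {"pkgA": "15.98.98.98", "pkgB": "15.99.99.99"}
# Constructed per-client keys; the guide recommends a unique key for each client.
CLIENTS = {"client1": ("15.4.4.4", "my_client1_key"),
           "client2": ("15.5.5.5", "my_client2_key")}   # client2 key is assumed

def cluster_auth_records(clients: Dict[str, tuple]) -> List[str]:
    """Batch entries shared by all cluster nodes: one record per client (guide layout)."""
    lines = []
    for name, (ip, psk) in clients.items():
        lines.append(f"add auth {name} -remote {ip} -kmp IKEV1 \\\n"
                     f"-ltype {CLUSTER_ID[0]} -lid {CLUSTER_ID[1]} \\\n"
                     f"-rtype IPV4 -rid {ip} \\\n"
                     f"-psk {psk}")
    return lines

def client_auth_records(client_ip: str, psk: str) -> List[str]:
    """Batch entries for one client: one record per package address (assumed layout)."""
    return [f"add auth {pkg} -remote {addr} -kmp IKEV1 \\\n"
            f"-ltype IPV4 -lid {client_ip} \\\n"
            f"-rtype {CLUSTER_ID[0]} -rid {CLUSTER_ID[1]} \\\n"
            f"-psk {psk}" for pkg, addr in PACKAGES.items()]

def parse_record(text: str) -> Dict[str, str]:
    """Turn one 'add auth ...' entry into {flag: value}, joining line continuations."""
    tokens = text.replace("\\\n", " ").split()
    opts = {tokens[0] + " " + tokens[1]: tokens[2]}        # "add auth" -> record name
    for flag, value in zip(tokens[3::2], tokens[4::2]):
        opts[flag.lstrip("-")] = value
    return opts

def keys_consistent(cluster_file: List[str], client_file: List[str], client_ip: str) -> bool:
    """True if every record on the client uses the PSK the cluster holds for that
    client and names the cluster's local ID as its remote ID."""
    cluster = {parse_record(r)["remote"]: parse_record(r) for r in cluster_file}
    mine = cluster.get(client_ip)
    if mine is None:                                        # cluster has no record for this client
        return False
    for rec in map(parse_record, client_file):
        if rec["psk"] != mine["psk"]:
            return False
        if (rec["rtype"], rec["rid"]) != (mine["ltype"], mine["lid"]):
            return False
    return True

if __name__ == "__main__":
    print("\n".join(cluster_auth_records(CLIENTS)))
    print(keys_consistent(cluster_auth_records(CLIENTS),
                          client_auth_records("15.4.4.4", "my_client1_key"), "15.4.4.4"))
```

Run the check against the real config on both sides after distributing config.db; a mismatched key or ID shows up here before IKE negotiation fails on the wire.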