HP-UX IPSec Version A.03.00 Administrator's Guide

NOTE: If all clients use IDs that follow a common pattern (IP addresses in the same subnet, or
FQDNs or X.500 DNs with a common base), you can use an address range or subtree remote ID to
configure one authentication record for all clients. For more information, see “Subtree and
Address Range Remote ID Matching” (page 91).
Cluster Clients
On each cluster client, configure an authentication record for each package address in the cluster.
If the cluster client is an HP-UX system, configure the authentication record as follows:
Remote IP Address (-remote): The package address.
Local ID type (-ltype): The IKE ID type sent by the cluster client. This must be X500-DN or one
of the identifier types present in the subjectAlternativeName field of the client certificate,
such as IPV4, and it must match the remote ID type configured on the cluster nodes.
The default is the address type (IPV4 or IPV6) of the interface used to communicate with
the remote system.
Local ID value (-lid): The IKE ID value sent by the cluster client. This must match a value in
the client certificate and the remote ID value configured on the cluster nodes.
The default is the IP address of the interface used to communicate with the remote system.
Remote ID type (-rtype): The ID type sent by the cluster nodes. This must match the local ID
type (-ltype) configured on the cluster nodes.
Remote ID value (-rid): The ID value sent by the cluster nodes. This must match the appropriate
field in the cluster certificate and the local ID value (-lid) configured on the cluster nodes.
NOTE: If the client is an HP-UX IPSec system using version A.03.00 or later, you can use a
subtree or address range remote ID to configure one authentication record for all package
addresses. For more information, see “Subtree and Address Range Remote ID Matching”
(page 91).
Example
This example uses the same topology as the preshared key example, as shown in Figure G-1
(page 222). The cluster has three nodes:
Node1 (10.1.1.1 and 15.1.1.1)
Node2 (10.2.2.2 and 15.2.2.2)
Node3 (10.3.3.3 and 15.3.3.3)
The 10.*.*.* network is a dedicated heartbeat LAN. The 15.*.*.* network is a shared heartbeat and
data LAN.
The cluster also has two packages:
pkgA (15.98.98.98)
pkgB (15.99.99.99)
There are two package clients:
Client1 (15.4.4.4)
Client2 (15.5.5.5)
HP-UX IPSec is securing the traffic between the clients and the package addresses.
The local ID used by the cluster nodes is the FQDN mycluster.hp.com.
The local IDs used by the clients are their IP addresses.
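To make the cross-matching rule from the Cluster Clients procedure concrete for this topology, the following Python script (an added illustration, not code from the guide or from HP-UX IPSec) builds the authentication records for both sides of the example and checks that what each side sends as its local ID is exactly what its peer is configured to expect as a remote ID. The record names on the client side (pkgA, pkgB), the NODE_ADDRESSES table and the helper names are this example's assumptions; the generated lines cover only the options the guide discusses (-remote, -kmp, -ltype, -lid, -rtype, -rid) and omit the other options a real batch entry carries.

```python
# Added example: derive both sides' 'add auth' records for the guide's
# Serviceguard topology and verify the IKE ID cross-matching rule.
# Illustrative code, not part of HP-UX IPSec; values are copied from the
# guide's example, record names and helpers are assumptions of this example.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AuthRecord:
    """One 'add auth' entry, limited to the options the guide discusses."""
    name: str
    remote: str   # -remote: address of the peer this record applies to
    kmp: str      # -kmp: key management protocol (IKEV1 in the guide's example)
    ltype: str    # -ltype: IKE ID type this system sends
    lid: str      # -lid: IKE ID value this system sends
    rtype: str    # -rtype: IKE ID type this system expects from the peer
    rid: str      # -rid: IKE ID value this system expects from the peer

    def to_batch_line(self) -> str:
        return (f"add auth {self.name} -remote {self.remote} -kmp {self.kmp} "
                f"-ltype {self.ltype} -lid {self.lid} "
                f"-rtype {self.rtype} -rid {self.rid}")


# Constructed topology, copied from the guide's example.
CLUSTER_ID = ("FQDN", "mycluster.hp.com")   # ID every node sends (from the cluster certificate)
PACKAGES = {"pkgA": "15.98.98.98", "pkgB": "15.99.99.99"}   # relocatable package addresses
CLIENTS = {"client1": "15.4.4.4", "client2": "15.5.5.5"}    # clients use their IP as ID
NODE_ADDRESSES = {"node1": "15.1.1.1", "node2": "15.2.2.2", "node3": "15.3.3.3"}  # data LAN


def node_records(kmp: str = "IKEV1") -> List[AuthRecord]:
    """Records installed on every cluster node: one per client, sending the
    cluster FQDN and expecting the client's IP address as the remote ID."""
    ltype, lid = CLUSTER_ID
    return [AuthRecord(name, addr, kmp, ltype, lid, "IPV4", addr)
            for name, addr in CLIENTS.items()]


def client_records(client: str, rtype: str = CLUSTER_ID[0], rid: str = CLUSTER_ID[1],
                   kmp: str = "IKEV1") -> List[AuthRecord]:
    """Records installed on one HP-UX client: one per package address. The remote
    ID defaults to the cluster FQDN; overriding it models a misconfiguration."""
    addr = CLIENTS[client]
    return [AuthRecord(pkg, pkg_addr, kmp, "IPV4", addr, rtype, rid)
            for pkg, pkg_addr in PACKAGES.items()]


def ids_cross_match(client_rec: AuthRecord, node_rec: AuthRecord) -> bool:
    """IKE authentication succeeds only if each side's local ID is exactly the
    remote ID the peer was configured to expect, in both directions."""
    return ((client_rec.ltype, client_rec.lid) == (node_rec.rtype, node_rec.rid)
            and (client_rec.rtype, client_rec.rid) == (node_rec.ltype, node_rec.lid))


def find_mismatches(client_rtype: str = CLUSTER_ID[0],
                    client_rid: str = CLUSTER_ID[1]) -> List[Tuple[str, str]]:
    """Pair every client record with the node record that serves that client and
    return the (client, package) combinations whose IDs do not cross-match."""
    by_client_addr = {rec.remote: rec for rec in node_records()}
    bad = []
    for client, addr in CLIENTS.items():
        node_rec = by_client_addr[addr]
        for crec in client_records(client, client_rtype, client_rid):
            if not ids_cross_match(crec, node_rec):
                bad.append((client, crec.name))
    return bad


if __name__ == "__main__":
    print("# ipsec_config batch entries installed on every cluster node")
    for rec in node_records():
        print(rec.to_batch_line())
    for client in CLIENTS:
        print(f"# ipsec_config batch entries installed on {client}")
        for rec in client_records(client):
            print(rec.to_batch_line())
    print("mismatches with the cluster FQDN as remote ID:", find_mismatches())
    # Common mistake: identifying the cluster by one node's own address instead of
    # the FQDN carried in the cluster certificate that every node presents.
    print("mismatches with -rtype IPV4 -rid 15.1.1.1:",
          find_mismatches("IPV4", NODE_ADDRESSES["node1"]))
```

The last call models a typical error: identifying the cluster by a node's interface address rather than by the FQDN in the cluster certificate. Because a package address floats between nodes and every node sends the same FQDN as its local ID, every (client, package) pair fails the check, which is why the guide has the client expect the cluster ID and use the package address, not a node address, as the remote IP address.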
Authentication Records on Cluster Nodes
On each cluster node, the ipsec_config batch file contains the following entries:
add auth client1 -remote 15.4.4.4 -kmp IKEV1 \
-ltype FQDN -lid mycluster.hp.com \
240 HP-UX IPSec and Serviceguard