HP-UX IPSec Version A.03.00 Administrator's Guide

Step 3: Configuring Authentication Records and Preshared Keys
This section describes how to configure IKE authentication records and preshared keys. You
must configure authentication records if you are using certificates or preshared keys for IKE
authentication. You do not need to configure or modify authentication records if you are using
manual keys or are using HP-UX IPSec only to discard packets.
The main components of an authentication record are:
- Remote IP address. This can be a subnet address.
- IKE version number to use when negotiating with the remote system. (This is also referred to as the key management protocol or KMP version.) The default is IKEv1.
- IKE ID information. The IKE daemon sends local ID information to the remote system as part of IKE SA negotiations, and uses remote ID information to verify the ID information it receives, as described in “Determining the IKE Version” (page 176). You can use the default IDs in most topologies if the remote system is also an HP-UX system and the local and remote systems are not multihomed.
- IKE local and remote authentication methods. These methods can be preshared key or security certificate using RSA signatures. The local and remote methods must be the same. In most cases, you do not have to set these values; ipsec_config can set these values appropriately according to the inclusion or exclusion of a preshared key value.
- Preshared key value, if the local and remote authentication method used is preshared key.
To configure authentication records, use the ipsec_config add auth command.
Remote Multihomed Systems
If a remote system is multihomed (the remote system has multiple IP addresses), you must
configure an authentication record or records to match each IP address on the remote system. If
you are using certificates with RSA signatures, specify the same ID information in each
authentication record for the remote system.
Authentication Record Order and Selection
When HP-UX IPSec searches for an authentication record, it searches the records according to
the value of the priority parameter for each record and selects the first record with the IP
address and prefix specifications that match the remote system’s address.
You can configure an authentication record with a remote subnet address to match multiple
remote systems. See “Subtree and Address Range Remote ID Matching” (page 91).
Automatic Priority Increment
There are two ways to set the priority of an authentication record:
- Specify the priority argument to explicitly set the priority.
- Omit the priority argument and have ipsec_config assign a priority using the automatic priority increment value, so that the new record is the last authentication record evaluated before the default policy.
If you omit the priority argument, ipsec_config assigns a priority value that is set to the
current highest priority value (lowest priority) for the authentication records in the configuration
database, incremented by the automatic priority increment value for authentication records.
The result is that the new record is the last authentication record evaluated. The automatic priority
increment value is specified by the priority parameter in the AuthPolicy-Defaults
section of the profile file. The default value is 10.
If you are configuring the first authentication record and do not specify a priority argument,
ipsec_config assigns the automatic priority increment value as the priority.
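The record-selection and automatic-priority rules above, modelled as an added Python example (this is illustration code, not part of HP-UX IPSec or ipsec_config; the AuthRecord fields and the "psk"/"rsasig" labels are assumed names, and the increment of 10 is the documented default):

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Documented default automatic priority increment for authentication records
# (the priority parameter in the AuthPolicy-Defaults section of the profile file).
AUTH_PRIORITY_INCREMENT = 10


@dataclass
class AuthRecord:
    name: str
    remote: str        # remote address or subnet, e.g. "10.1.2.0/24" (constructed)
    priority: int      # lower value = evaluated earlier
    auth_method: str   # "psk" or "rsasig" (labels assumed for this example)


def assign_priority(records: List[AuthRecord], explicit: Optional[int] = None,
                    increment: int = AUTH_PRIORITY_INCREMENT) -> int:
    """Explicit priority if given; otherwise the current highest priority value
    (lowest priority) plus the increment, or just the increment for the first record."""
    if explicit is not None:
        return explicit
    if not records:
        return increment
    return max(r.priority for r in records) + increment


def select_record(records: List[AuthRecord], remote_ip: str) -> Optional[AuthRecord]:
    """Search in ascending priority order; return the first record whose
    address/prefix specification contains remote_ip, or None if nothing matches."""
    addr = ipaddress.ip_address(remote_ip)
    for rec in sorted(records, key=lambda r: r.priority):
        if addr in ipaddress.ip_network(rec.remote, strict=False):
            return rec
    return None


def build_sample_db() -> List[AuthRecord]:
    """Constructed database: a host record with an explicit priority, then a
    subnet record added without one, which therefore lands last."""
    db: List[AuthRecord] = []
    db.append(AuthRecord("hostA", "10.1.2.5", assign_priority(db, explicit=5), "psk"))
    db.append(AuthRecord("subnetA", "10.1.2.0/24", assign_priority(db), "rsasig"))
    return db
```

Because the host record sorts first, 10.1.2.5 matches it rather than the broader subnet record, which only catches other hosts on 10.1.2.0/24.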