HP-UX IPSec Version A.03.00 Administrator's Guide
Table 4-4 Local and Remote ID Types and Values (continued)
ID Type: USER-FQDN
ID Value: User-Fully Qualified Domain Name (User-FQDN) in SMTP format (also referred to as RFC 822 email address format), such as user@myhost.hp.com.
If you are using certificate-based authentication, this must match the subjectAlternativeName field in the certificate.

ID Type: X500-DN
ID Value: X.500 Distinguished Name (DN; also referred to as an ASN.1 DN). This ID type is valid only if you are using certificate-based authentication.
You do not need to specify a local ID value (-lid) for X.500 DNs. When the local ID type is X500-DN, HP-UX IPSec uses the subjectName from the local certificate for the local ID value and ignores any configured local ID value.
HP-UX IPSec supports the following attributes in the DN:
CN=commonName
C=country
O=organization
OU=organizationalUnit
All attributes are optional, but you must specify at least one of them.
When HP-UX IPSec searches for an authentication record that matches a remote ID payload sent by a peer, every attribute specified in the authentication record must be present in the peer's remote ID payload with a matching value. An authentication record that specifies only some attributes therefore matches every peer whose ID payload contains those attributes. When verifying the peer's certificate, HP-UX IPSec compares all attributes in the remote ID payload with the subjectName in the certificate and verifies that they match.
Separate multiple attributes using commas. The order of the attributes is ignored and the DN is not case sensitive.
If there are spaces in the DN, you must enclose the DN in double quotes (" "). For example, "CN=host1,C=US,O=My Company,OU=Blue Lab".
The values are defined as follows:
commonName: The commonName of the DN in printable string format. This field cannot contain commas and must be 64 bytes or less.
country: The two-character ISO 3166-1 code for the country listed in the DN, for example US for United States of America. This field cannot contain commas.
organization: The organization of the DN, for example Hewlett-Packard. This field cannot contain commas and must be 64 bytes or less.
organizationalUnit: The organizationalUnit for the DN, for example Marketing. This field cannot contain commas and must be 64 bytes or less.
Defaults: The address of the interface the local system uses to communicate with the remote system for the ID value, and the appropriate IP address type (IPV4 or IPV6) for the ID type.
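The X500-DN matching rules in Table 4-4 (comma-separated attributes, order ignored, case insensitive, every attribute in the authentication record must appear in the peer's remote ID payload, and every attribute in the payload must agree with the certificate subjectName) are easy to get wrong when writing -rid values by hand. The following Python model is an added example and is not HP-UX code; it assumes that "not case sensitive" means attribute names and values are compared after case-folding, that a list of authentication records is searched in order with the first match winning, and that a malformed DN is rejected outright. All DN strings in it are constructed samples. It also shows the practical consequence of the subset rule: a record such as "O=My Company,OU=Blue Lab" matches every peer in that organizational unit, so add CN when a record is meant for one peer only.

```python
"""Model of the X500-DN ID matching rules in Table 4-4 (added example; not HP-UX code).

Assumptions not taken from the guide: values are compared after case-folding,
records are searched in order with the first match winning, and malformed DNs
are rejected with ValueError.
"""

SUPPORTED_ATTRS = ("CN", "C", "O", "OU")
MAX_VALUE_BYTES = 64            # limit stated for commonName, organization, organizationalUnit
QUOTE_CHARS = '"\u201c\u201d'   # straight and typographic double quotes used around DNs with spaces


def parse_dn(dn):
    """Parse 'CN=host1,C=US,O=My Company' into {attribute: case-folded value}.

    Enforces the table's constraints: only CN, C, O, OU; at least one attribute;
    C is a two-character code; CN/O/OU are at most 64 bytes. Commas cannot occur
    inside a value because commas are the attribute separator.
    """
    dn = dn.strip().strip(QUOTE_CHARS)
    attrs = {}
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError("malformed attribute: %r" % part)
        key, value = part.split("=", 1)
        key, value = key.strip().upper(), value.strip()
        if key not in SUPPORTED_ATTRS:
            raise ValueError("unsupported DN attribute: %s" % key)
        if key in attrs:
            raise ValueError("duplicate DN attribute: %s" % key)
        if not value:
            raise ValueError("empty value for %s" % key)
        if key == "C":
            if len(value) != 2:
                raise ValueError("country must be a two-character ISO 3166-1 code")
        elif len(value.encode("utf-8")) > MAX_VALUE_BYTES:
            raise ValueError("%s value exceeds %d bytes" % (key, MAX_VALUE_BYTES))
        attrs[key] = value.lower()
    return attrs


def record_matches_peer_id(record_dn, peer_id_dn):
    """Record lookup rule: every attribute in the authentication record must be
    present in the peer's remote ID payload with the same value. Attributes the
    record does not list are not compared, which is why a short DN matches many peers."""
    record, peer = parse_dn(record_dn), parse_dn(peer_id_dn)
    return all(peer.get(key) == value for key, value in record.items())


def peer_id_matches_cert(peer_id_dn, cert_subject_dn):
    """Certificate check rule: every attribute in the remote ID payload must
    match the subjectName of the peer's certificate."""
    peer, subject = parse_dn(peer_id_dn), parse_dn(cert_subject_dn)
    return all(subject.get(key) == value for key, value in peer.items())


def select_record(records, peer_id_dn):
    """Return the name of the first record whose DN matches the peer's ID, or None.
    First-match ordering is an assumption of this model."""
    for name, record_dn in records:
        if record_matches_peer_id(record_dn, peer_id_dn):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample records: (record name, the DN given as the -rid value).
    RECORDS = [
        ("host1_only", '"CN=host1,C=US,O=My Company,OU=Blue Lab"'),
        ("blue_lab_any", '"O=My Company,OU=Blue Lab"'),
    ]
    # Constructed peer ID payload: different attribute order and case from the records.
    peer = "cn=HOST7, ou=blue lab, o=my company, c=us"
    print("matched record:", select_record(RECORDS, peer))
    print("cert subjectName agrees:",
          peer_id_matches_cert(peer, "CN=host7,C=US,O=My Company,OU=Blue Lab"))
```

Run as a script it reports that the broad blue_lab_any record, not host1_only, is selected for host7; tightening that record with a CN attribute would make it match only one peer.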
-rtype remote_id_type and -rid remote_id
The remote_id_type and remote_id are used to verify the ID type and ID value sent by the remote system when negotiating an IKE SA. They must match what the remote system sends.
You can use remote subnet or subtree matching to configure an authentication record that matches
multiple peers. See “Subtree and Address Range Remote ID Matching” (page 91).
Valid Values: Table 4-4 (page 88) lists the valid ID types and corresponding ID values.
Defaults: If remote_id_type and remote_id are not specified, ipsec_config uses the IP address specified for the -remote argument and the appropriate ID type (IPV4 or IPV6).
-local_method method
The IKE authentication method the local system uses to authenticate itself to the remote system.
HP-UX IPSec uses the same method type for the local method and the remote method (the method
the local system uses to authenticate the remote system). You can specify the -local_method
or -remote_method argument but not both.
Step 3: Configuring Authentication Records and Preshared Keys 89