HP-UX IPSec Version A.03.00 Administrator's Guide
database, incremented by the automatic priority increment value (priority) specified in the
AuthPolicy-Defaults section of the profile file (this policy will be the last authentication record
evaluated). The default automatic priority increment value (priority) is 10.
If this is the first authentication record created, ipsec_config uses the automatic priority
increment value as the priority.
-flags flags
Specifies additional options for this record.
Table 4-5 Authentication Record Flags

Flag        Description
AUTOCONF    Specifies that this authentication record is used for clients that use stateless or
            stateful address autoconfiguration, such as DHCP and DHCPv6 clients.
            To use HP-UX IPSec with autoconfiguration clients, the configuration must meet the
            following requirements:
            • The local system cannot be the initiator in IKE SA negotiations with
              autoconfiguration clients.
            • If the IKE version is IKEv1 (the kmp argument is IKEV1, the default value), the
              exchange mode (the exchange argument) must be Aggressive Mode (AM).
            • The remote ID type (rtype argument) cannot be IPV4 or IPV6.
            • The -remote argument must specify the address and prefix of the
              autoconfiguration address pool. The authentication method can be RSA
              signatures or preshared keys.
NONE        No flags.
Default: The value of the flags parameter in the AuthPolicy-Defaults section of the profile file
is used. The default flags value is NONE in /var/adm/ipsec/.ipsec_profile.
Subtree and Address Range Remote ID Matching
The subtree and address range remote ID matching features enable you to configure one
authentication record for multiple IKE peers. To use one of these features, configure an
authentication record with:
• A remote subnet address. For example, -remote 10.1.1.1/24
• A remote ID value (-rid) that applies to all peers in the remote subnet. This can be one of
the following:
— A subtree of the FQDN, user FQDN, or X.500 DN ID
— An IP address range or subnet address
HP recommends that you use subnet and subtree remote IDs only when using certificate-based
authentication. Although it is possible to specify a subtree remote ID with a preshared key to
configure one preshared key for multiple remote systems, HP strongly recommends that you
do not do this.
Subtree Remote ID Matching
To specify a subtree for the remote ID, use one of the formats in the following sections.
FQDN
Prefix the FQDN value with a dot (.). For example:
-rid .foo.example.com
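The following Python model is an added example and is not HP-UX IPSec code or anything the manual ships. It shows how the remote ID rules described above behave in practice: a -rid FQDN prefixed with a dot matches a whole subtree, an address-type ID can name a subnet or range, and a record that pairs such a multi-peer ID with a preshared key is the configuration HP advises against. The matching semantics are assumptions made here (subtree matches only names strictly below it on a label boundary; a plain FQDN must match exactly; ranges are written low-high), as are the rtype spelling USER_FQDN and the authentication method labels PSK and RSA; X.500 DN subtrees are not modelled.

```python
import ipaddress

# Added example (not HP-UX IPSec code). Assumptions, not taken from the manual:
#   * a -rid beginning with a dot is an FQDN subtree and matches names strictly
#     below it, on a label boundary (so "xfoo.example.com" is excluded);
#   * a -rid without a leading dot must match the peer's FQDN exactly;
#   * address IDs are written as a.b.c.d, a.b.c.d/n or low-high;
#   * "PSK" and "RSA" are labels chosen here for the two authentication methods.


def fqdn_matches(rid: str, peer_id: str) -> bool:
    """True when the peer's FQDN ID satisfies the configured -rid value."""
    rid = rid.lower().rstrip(".")
    peer_id = peer_id.lower().rstrip(".")
    if rid.startswith("."):
        # Keep the leading dot in the suffix test so the match is anchored on a
        # label boundary; the peer must also carry at least one extra label.
        return peer_id.endswith(rid) and len(peer_id) > len(rid)
    return peer_id == rid


def address_matches(rid: str, peer_addr: str) -> bool:
    """True when the peer's address ID lies in the configured address, subnet or range."""
    addr = ipaddress.ip_address(peer_addr)
    if "-" in rid:  # explicit range written low-high (assumed syntax)
        low, high = (ipaddress.ip_address(p.strip()) for p in rid.split("-", 1))
        return addr.version == low.version == high.version and low <= addr <= high
    # Single address or subnet; strict=False lets 10.1.1.1/24 denote 10.1.1.0/24,
    # the form used with -remote earlier in this section.
    net = ipaddress.ip_network(rid, strict=False)
    return addr.version == net.version and addr in net


def remote_id_matches(rtype: str, rid: str, peer_id: str) -> bool:
    """Dispatch on the remote ID type (rtype) the record was configured with."""
    rtype = rtype.upper()
    if rtype in ("IPV4", "IPV6"):
        return address_matches(rid, peer_id)
    if rtype == "USER_FQDN":
        # Assumption: a subtree rid is judged against the host part after '@';
        # any other rid must match the whole user@host value.
        if rid.startswith("."):
            return fqdn_matches(rid, peer_id.rsplit("@", 1)[-1])
        return peer_id.lower() == rid.lower()
    if rtype == "FQDN":
        return fqdn_matches(rid, peer_id)
    raise ValueError(f"unsupported rtype {rtype!r}")


def is_group_rid(rtype: str, rid: str) -> bool:
    """True when the -rid covers several peers (subtree, subnet or range)."""
    if rtype.upper() in ("IPV4", "IPV6"):
        if "-" in rid:
            return True
        return ipaddress.ip_network(rid, strict=False).num_addresses > 1
    return rid.startswith(".")


def lint_record(rtype: str, rid: str, auth_method: str) -> list:
    """Warnings a reviewer would raise for one authentication record."""
    findings = []
    if is_group_rid(rtype, rid) and auth_method.upper() == "PSK":
        findings.append(
            "subtree/range remote ID with a preshared key: one secret is shared by "
            "every matching peer; HP recommends certificate-based authentication "
            "for such records")
    return findings


if __name__ == "__main__":
    # Constructed sample records and peer IDs, not taken from any real system.
    checks = [
        ("FQDN", ".foo.example.com", "host1.foo.example.com"),
        ("FQDN", ".foo.example.com", "xfoo.example.com"),
        ("IPV4", "10.1.1.1/24", "10.1.1.200"),
        ("IPV4", "10.1.1.10-10.1.1.20", "10.1.1.21"),
    ]
    for rtype, rid, peer in checks:
        print(f"{rtype:9} rid={rid:22} peer={peer:24} -> {remote_id_matches(rtype, rid, peer)}")
    for warning in lint_record("FQDN", ".foo.example.com", "PSK"):
        print("WARNING:", warning)
```

The lint function is the check a practitioner would run over a set of authentication records before deploying them: any record whose -rid spans more than one peer and whose authentication method is a preshared key means one secret is trusted for every host in that subtree or range, so compromise of a single host exposes the group.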
Step 3: Configuring Authentication Records and Preshared Keys 91