HP-UX IPSec Version A.03.00 Administrator's Guide
This matches the following FQDNs:
alpha.foo.example.com
alpha.beta.foo.example.com
It does not match the following FQDNs:
foo.example.com
example.com
User FQDN
Specify only the FQDN (do not specify a user name) preceded by an at sign (@) to match any
user at that FQDN, or specify the FQDN preceded by a dot (.) to match any user in the subtree
domain. For example:
-rid @foo.example.com
This matches the following user FQDNs:
root@foo.example.com
user1@foo.example.com
The user FQDN value
.foo.example.com
matches the following user FQDNs:
root@alpha.foo.example.com
root@alpha.beta.foo.example.com
It does not match the following user FQDNs:
root@foo.example.com
root@example.com
X.500 DN
HP-UX IPSec supports the C, O, OU, and CN X.500 DN attributes in authentication records. Specify
only the attributes that are shared by the nodes you want to match, and omit the attribute or
attributes that are unique. In most cases, you will omit the CN (commonName) attribute. For
example:
-rid "C=US,O=My Company,OU=Blue Lab"
This matches the following DNs:
"CN=host1,C=US,O=My Company,OU=Blue Lab"
"CN=host2,C=US,O=My Company,OU=Blue Lab"
Address Range Remote ID matching
To specify a subnet address for the remote ID, specify a remote IP address and prefix
(address/prefix) or an IP address range (address-address) for the -rid argument. For
example, -rid 10.1.1.0/24 or -rid 10.0.0.1-10.0.0.254.
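The four remote ID forms above (FQDN, user FQDN, X.500 DN subset, and address prefix or range) follow matching rules that are easy to get wrong, in particular that a leading dot matches only the subtree below a domain and never the domain itself. The following Python is an added example written for this guide, not HP-UX IPSec code; the real comparison is performed inside the HP-UX IPSec daemons. It implements the rules as the text states them so they can be checked against the page's own sample IDs. Assumptions, labelled in the comments: host names are compared case-insensitively (as DNS names are), DN attribute values are compared exactly, the DN parser does not handle RFC 4514 escaped commas, and the function names are hypothetical.

```python
"""Remote ID (-rid) matching rules for HP-UX IPSec authentication records.

Added illustration of the documented matching semantics; not HP-UX code.
"""
import ipaddress

# Attributes the guide says HP-UX IPSec supports in authentication records.
SUPPORTED_DN_ATTRIBUTES = {"C", "O", "OU", "CN"}


def match_fqdn(pattern, fqdn):
    """FQDN remote ID.

    A plain name matches exactly. A name with a leading dot matches any
    FQDN in the subtree below that domain, but not the domain itself:
    '.foo.example.com' matches 'alpha.foo.example.com' but not
    'foo.example.com'. Case-insensitive comparison is an assumption here.
    """
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern.startswith("."):
        # The dot in the pattern prevents 'xfoo.example.com' from matching.
        return fqdn != pattern[1:] and fqdn.endswith(pattern)
    return fqdn == pattern


def match_user_fqdn(pattern, user_fqdn):
    """User FQDN remote ID (user@host).

    '@host' matches any user at exactly that host; '.domain' matches any
    user at a host in the subtree below the domain; 'user@host' matches
    exactly. Candidates without an '@' are not user FQDNs.
    """
    if "@" not in user_fqdn:
        return False
    host = user_fqdn.rsplit("@", 1)[1]
    if pattern.startswith("@"):
        return host.lower() == pattern[1:].lower()
    if pattern.startswith("."):
        return match_fqdn(pattern, host)
    return user_fqdn.lower() == pattern.lower()


def parse_dn(dn):
    """Split 'CN=host1,C=US,O=My Company' into {'CN': 'host1', ...}.

    Simplified parser: commas inside values (RFC 4514 escaping) are not
    handled. Attribute types are normalised to upper case.
    """
    attrs = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        attrs[attr.strip().upper()] = value.strip()
    return attrs


def match_dn(pattern, dn):
    """X.500 DN remote ID.

    Every attribute given in the pattern must be present in the candidate
    DN with the same value; attributes present only in the candidate
    (typically CN) are ignored. Exact value comparison is an assumption.
    """
    want = parse_dn(pattern)
    unsupported = set(want) - SUPPORTED_DN_ATTRIBUTES
    if unsupported:
        raise ValueError("unsupported DN attribute(s): %s" % ", ".join(sorted(unsupported)))
    have = parse_dn(dn)
    return all(have.get(attr) == value for attr, value in want.items())


def match_address(pattern, address):
    """Address remote ID: 'address/prefix' or 'address-address' (inclusive)."""
    addr = ipaddress.ip_address(address)
    if "-" in pattern:
        low, high = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))
        if addr.version != low.version or addr.version != high.version:
            return False
        return low <= addr <= high
    # strict=False accepts a pattern whose host bits are not all zero.
    return addr in ipaddress.ip_network(pattern, strict=False)


def match_remote_id(rid_type, pattern, candidate):
    """Dispatch on the remote ID type: 'fqdn', 'user-fqdn', 'dn' or 'address'."""
    matchers = {
        "fqdn": match_fqdn,
        "user-fqdn": match_user_fqdn,
        "dn": match_dn,
        "address": match_address,
    }
    return matchers[rid_type](pattern, candidate)


if __name__ == "__main__":
    # The guide's own sample IDs, run through the matcher.
    for rid_type, pattern, candidate in [
        ("fqdn", ".foo.example.com", "alpha.beta.foo.example.com"),
        ("fqdn", ".foo.example.com", "foo.example.com"),
        ("user-fqdn", "@foo.example.com", "user1@foo.example.com"),
        ("user-fqdn", ".foo.example.com", "root@foo.example.com"),
        ("dn", "C=US,O=My Company,OU=Blue Lab", "CN=host2,C=US,O=My Company,OU=Blue Lab"),
        ("address", "10.0.0.1-10.0.0.254", "10.0.0.254"),
    ]:
        print(rid_type, pattern, candidate, match_remote_id(rid_type, pattern, candidate))
```

The subtree check relies on the leading dot being part of the suffix comparison, so a sibling domain such as xfoo.example.com cannot satisfy a .foo.example.com pattern. When you write a DN pattern, keep in mind that omitting CN is what lets one authentication record cover several hosts under the same C, O and OU, and that any attribute you include must appear in the peer's certificate subject with exactly that value.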
Authentication Record Examples with Preshared Keys
This section contains authentication record examples for preshared key authentication.
IKEv1
The following command configures an IKEv1 authentication record for preshared key
authentication for a remote HP-UX system. Neither system is multihomed. Each system uses the
default local ID type and value (the local IPv4 address). The local and remote authentication
methods default to PSK because the -preshared argument is specified. The IKE version (-kmp)
defaults to IKEV1.
92 Configuring HP-UX IPSec