HP-UX IPSec Version A.03.00 Administrator's Guide
ipsec_config add auth hostB -remote 10.2.2.2 \
-preshared my_hostA_hostB_key
IKEv2
The following command configures an IKEv2 authentication record for preshared key
authentication.
ipsec_config add auth hostC -remote 10.5.5.5 \
-kmp IKEV2 \
-preshared my_hostA_hostC_key
Multihomed Example
The following batch file entries configure IKEv1 authentication records with preshared key
authentication for a remote multihomed HP-UX IPSec system that has addresses 10.8.8.8 and
11.8.8.8:
add auth hostX_10net -remote 10.8.8.8 \
-preshared my_hostA_hostX_key
add auth hostX_11net -remote 11.8.8.8 \
-preshared my_hostA_hostX_key
Authentication Record Examples with RSA Signatures
This section contains authentication record examples for RSA signature (certificate) authentication.
IKEv1 Example
The following command configures an IKEv1 authentication record using RSA signatures. The
remote system is also an HP-UX system and is not multihomed. Each system uses the default
local ID type and value (the local IPv4 address). Because no preshared key argument is specified,
the local and remote authentication methods default to RSASIG.
ipsec_config add auth hostO -remote 10.44.44.44
Distinguished Name Example
The remote system pc99 uses certificate-based authentication and sends and expects the Subject
DistinguishedName for IKE IDs. The corresponding authentication record is as follows:
ipsec_config add auth pc99 -remote 10.99.99.99 \
-ltype X500-DN -lid CN=hostA,C=US,O=HP,OU=Lab \
-rtype X500-DN -rid CN=pc99,C=US,O=HP,OU=Lab
The local ID (lid) value is optional; when the local ID type (ltype) is X500-DN, ipsec_config
overwrites any specified value with the subjectName field from the local system certificate.
Multihomed Example
You are using certificate-based authentication between HP-UX systems Black (10.10.10.10)
and Zebra. Zebra is multihomed, with addresses 10.20.20.20 and 192.6.2.20. The security
certificate for Zebra contains the address 10.20.20.20 as the subjectAlternativeName.
On Black, you add the following entries to the ipsec_config batch file.
add auth Zebra1 -remote 10.20.20.20 \
-rtype IPV4 \
-rid 10.20.20.20
add auth Zebra2 -remote 192.6.2.20 \
-rtype IPV4 \
-rid 10.20.20.20
You do not have to specify local ID information in the above entries because Black is not
multihomed and uses its IPv4 address as its ID.
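As an added example (not HP-UX code and not part of this guide), the following Python script parses ipsec_config batch-file "add auth" entries like the ones in this section and checks them against the rules stated here: the authentication method defaults to RSASIG when no -preshared key is given, an -lid is overwritten by the certificate subjectName when -ltype is X500-DN, and an IPV4 -rid for a multihomed peer should be one of that peer's configured addresses. The batch text, including the deliberately inconsistent hostQ entry, is constructed for the example.

```python
# Added example (not HP-UX code): parse ipsec_config batch-file "add auth"
# entries and lint them against the rules in this section. SAMPLE_BATCH is
# constructed for the example; the hostQ entry is deliberately inconsistent.
SAMPLE_BATCH = """\
add auth hostX_10net -remote 10.8.8.8 \\
    -preshared my_hostA_hostX_key
add auth hostX_11net -remote 11.8.8.8 \\
    -preshared my_hostA_hostX_key
add auth Zebra1 -remote 10.20.20.20 -rtype IPV4 -rid 10.20.20.20
add auth Zebra2 -remote 192.6.2.20 -rtype IPV4 -rid 10.20.20.20
add auth pc99 -remote 10.99.99.99 -ltype X500-DN -lid CN=hostA,C=US \\
    -rtype X500-DN -rid CN=pc99,C=US
add auth hostQ -remote 10.7.7.7 -rtype IPV4 -rid 10.7.7.8
"""

def parse_auth_records(text):
    """Return [(name, {option: value}), ...] for every 'add auth' entry.
    A trailing backslash continues an entry on the next line."""
    records = []
    for line in text.replace("\\\n", " ").splitlines():
        words = line.split()
        if words[:2] != ["add", "auth"] or len(words) < 3:
            continue  # blank line or some other batch command
        name, opts, it = words[2], {}, iter(words[3:])
        for opt in it:  # options come in "-name value" pairs
            opts[opt.lstrip("-").lower()] = next(it, "")
        records.append((name, opts))
    return records

def auth_method(opts):
    """With no -preshared key the method defaults to RSASIG (certificates)."""
    return "PSK" if "preshared" in opts else "RSASIG"

def lint_auth_records(records):
    """Return findings (empty list means clean) for the rules in this section."""
    remotes = {o.get("remote") for _, o in records}
    findings = []
    for name, o in records:
        if "remote" not in o:
            findings.append(f"{name}: missing -remote address")
        # An IPV4 -rid that differs from -remote is the multihomed pattern: it
        # must be one of the peer's addresses (the one in its certificate
        # subjectAlternativeName), so it should match some record's -remote.
        if o.get("rtype", "").upper() == "IPV4" and "rid" in o and o["rid"] not in remotes:
            findings.append(f"{name}: -rid {o['rid']} matches no -remote address; "
                            "check the peer certificate subjectAlternativeName")
        if o.get("ltype", "").upper() == "X500-DN" and "lid" in o:
            findings.append(f"{name}: -lid is ignored; ipsec_config substitutes "
                            "the local certificate subjectName")
    return findings
```

Run `lint_auth_records(parse_auth_records(open("batch_file").read()))` against a real batch file to list the findings before loading it with ipsec_config.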
On Zebra, you add the following entry to the ipsec_config batch file:
Step 3: Configuring Authentication Records and Preshared Keys 93