HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
AM) and remote ID information (-rtype and -rid arguments). You can configure one
authentication record for multiple autoconfiguration clients that use a common preshared key.
However, HP strongly recommends that you configure an individual authentication record for
each remote system with a unique preshared key. In this example, the Server1 configuration
contains one authentication record for each autoconfiguration client.
• On Server1, you must configure an IKE policy with a remote address and prefix that matches
the autoconfiguration address pool (2001:db8:11:11::/64). In this example, the IKE
authentication is preshared keys (-auth PKEY), but RSA signatures (-auth RSASIG) are
also supported with autoconfiguration clients.
Host Policy
add host autoconf_clients \
-destination 2001:db8:11:11::/64 \      (autoconf client subnet addr.)
-action ESP_AES128_HMAC_SHA1 \
Authentication Records
There is one authentication record for each autoconfiguration client. Each authentication record
contains a unique remote ID for each client, which matches the local ID configured on the client.
The IKE exchange type must be Aggressive Mode (-exchange AM ) and the AUTOCONF flag must
be specified (-flags AUTOCONF).
add auth joe_s \
-remote 2001:db8:11:11::/64 \      (autoconf client subnet addr.)
-ltype FQDN -lid server1.corp.com \
-rtype USER-FQDN -rid joe_s@corp.com \
-exchange AM \
-preshared secret1111 \
-flags AUTOCONF
add auth mick_j \
-remote 2001:db8:11:11::/64 \      (autoconf client subnet addr.)
-ltype FQDN -lid server1.corp.com \
-rtype USER-FQDN -rid mick_j@corp.com \
-exchange AM \
-preshared secret2222 \
-flags AUTOCONF
add auth paul_s \
-remote 2001:db8:11:11::/64 \      (autoconf client subnet addr.)
-ltype FQDN -lid server1.corp.com \
-rtype USER-FQDN -rid paul_s@corp.com \
-exchange AM \
-preshared secret3333 \
-flags AUTOCONF
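The three records above differ only in the record name, the remote ID and the preshared key. The following POSIX shell script is an added example, not part of the HP-UX guide: it generates one such record per client from a client list, in the format shown above, giving each client its own random 128-bit preshared key instead of a guessable value. This matters with the mandated Aggressive Mode: the identity and the PSK-derived authentication hash are exchanged before the channel is encrypted, so a captured exchange can be attacked offline against a weak key, and a shared key would expose every client at once. The pool prefix 2001:db8:11:11::/64, the local ID server1.corp.com and the three client names are taken from the example; the client list is constructed sample data, and the function names and the --emit option are the script's own. Each generated key still has to be delivered to its client out of band, because the client's authentication record must carry the same key.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec guide): emit one "add auth" record
# per autoconfiguration client, each with a unique random preshared key.
# Assumptions: server local ID server1.corp.com and autoconf pool
# 2001:db8:11:11::/64 as in the guide's example; CLIENTS is constructed data.

POOL=2001:db8:11:11::/64
LOCAL_ID=server1.corp.com

# gen_key: 16 random bytes from /dev/urandom rendered as 32 hex characters.
gen_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# auth_record NAME REMOTE_ID KEY: print one record in the guide's format,
# with a continuation backslash on every line but the last.
auth_record() {
    printf 'add auth %s \\\n' "$1"
    printf '  -remote %s \\\n' "$POOL"
    printf '  -ltype FQDN -lid %s \\\n' "$LOCAL_ID"
    printf '  -rtype USER-FQDN -rid %s \\\n' "$2"
    printf '  -exchange AM \\\n'
    printf '  -preshared %s \\\n' "$3"
    printf '  -flags AUTOCONF\n'
}

# Constructed sample client list: record name, then the client's local ID
# (which becomes the remote ID in the server's record), one client per line.
CLIENTS='joe_s joe_s@corp.com
mick_j mick_j@corp.com
paul_s paul_s@corp.com'

# emit_all: one record per listed client, each with a freshly generated key.
emit_all() {
    echo "$CLIENTS" | while read -r name rid; do
        [ -n "$name" ] || continue
        key=$(gen_key)
        auth_record "$name" "$rid" "$key"
    done
}

# count_records: number of "add auth" commands emitted (one per client).
count_records() {
    emit_all | grep -c '^add auth '
}

# unique_keys: number of distinct preshared keys emitted; a correct run
# returns the same value as count_records, i.e. no key is shared.
unique_keys() {
    emit_all | sed -n 's/.*-preshared \([0-9a-f]*\).*/\1/p' | sort -u | wc -l | tr -d ' '
}

# Run as "sh script.sh --emit > autoconf_auth.conf" to write the records.
if [ "${1-}" = "--emit" ]; then
    emit_all
fi
```

The script only prints the records; review the output and keep the generated keys with the same care as any other credential, since whoever holds a client's key can authenticate as that client.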
IKE Policy
The default IKEv1 policy is used with no modifications.
Client Configuration
The configuration is the same on each client, except for the local ID in the authentication record.
This section lists the configuration for the system with local ID joe_s@corp.com .
Host Policy
The host policy on the client is as follows: