HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Serviceguard periodically sends heartbeat messages to determine if a cluster node is available.
When using Serviceguard with HP-UX IPSec, HP recommends that you have at least one network
dedicated to sending and receiving heartbeat messages. In Figure 23, the interface addresses
10.1.1.1, 10.2.2.2 and 10.3.3.3 are attached to a network used only for heartbeat messages.
The cluster nodes also send and receive heartbeat messages on interfaces attached to the second
network (the 15.*.*.* LAN), which used for both heartbeat and data packets.
Each package can have one or more unique package addresses . A package address is a
relocatable IP address that is dynamically assigned to the cluster node on which the package is
currently running. In Figure 23, the package pkgA is currently running on Node1 , and its
relocatable package address, 15.98.98.98, is assigned to an interface on Node1 . The package
clients connect to or access the packages using the package addresses.
If Node1 fails or a resource on Node1 fails, pkgA can fail over to another node in the cluster,
such as Node2 . The address for pkgA , 15.98.98.98, will be re-assigned to an interface on
Node2 . The package clients can continue to access pkgA using address 15.98.98.98.
Using HP-UX IPSec with Serviceguard
HP-UX IPSec can provide the following functions when used with Serviceguard:
• HP-UX IPSec can secure Serviceguard network traffic. If a package fails over to an adoptive
node and package clients are using HP-UX IPSec A.01.07 or later, the package clients will
automatically establish IPsec SAs with the adoptive node as needed, without operator
intervention.
• HP-UX IPSec is compatible with redundant network interfaces. If Serviceguard fails over from
a primary interface to a standby interface, HP-UX IPSec will continue operating and use the
standby interface with no change in the operation of the Security Associations (SAs).
• HP-UX IPSec includes a monitor script, /var/adm/ipsec/ipsec_status.sh , that an
Serviceguard package can use as a package service to monitor HP-UX IPSec. You can configure
the package to fail or fail over if HP-UX IPSec is unavailable.
Client Failover Detection
If a package fails over to an adoptive node and a package client had IPsec SAs established with
the original package node, it is the responsibility of the client to detect the dead peer (the failure
of the original package node), and flush all IKE and IPsec SAs previously established with the
original node. Subsequent packets to the package address will trigger new IKE and IPsec SA
negotiations.
If a package fails over to an adoptive node and a package client had IPsec SAs established with
the original package node, the adoptive node will send INITIAL-CONTACT notify messages to the
package client. In this situation, the intention of the INITIAL-CONTACT notify message is to notify
the package client that it should delete existing SA information for the package address, and
establish new SAs as needed.
If the IKEv1 protocol is used, the expected sequence of events is as follows:
1. The client sends a cryptographically protected packet to the adoptive node using an IPsec or
IKE SA established with the original package node.
2. The adoptive node does not recognize the Security Parameters Index (SPI). This causes the
adoptive node to send an INITIAL-CONTACT notify message to the client.
3. The client interprets the INITIAL-CONTACT notify message as an indication that the peer was
down and has now restarted. The client deletes any existing SA information for the package
address. Subsequent packets to the package address trigger new IKE and IPsec SA negotiations.
If a package client is an HP-UX system using a version of HP-UX IPSec released prior to
A.01.07, or if it is not an HP-UX system, the package client may not delete SA information
when it receives the INITIAL-CONTACT notify message. In these cases, an administrator must
manually delete the SAs on the package client.
If the IKEv2 protocol is used, the expected sequence of events is as follows:
Introduction 195