HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

1. The client sends a cryptographically protected packet to the adoptive node using an IPsec or
IKE SA established with the original package node.
2. The adoptive node does not recognize the Security Parameters Index (SPI). This causes the
adoptive node to send an unencrypted IKEv2 Notify payload indicating an invalid SPI.
3. The client starts a liveness test with the adoptive node by sending an empty INFORMATIONAL
message (an IKE header followed by an encrypted payload that contains no payloads) that
requires an acknowledgement.
4. The adoptive node does not respond because it does not have any SAs established with the
client. The client's INFORMATIONAL message times out. The client presumes that the original
peer (the original package node) is dead based on the repeated failures to receive
acknowledgements.
The client deletes all IKE and IPsec SAs it had previously established with the original package
node. Subsequent packets to the package address trigger new IKE and IPsec SA negotiations.
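The four-step recovery sequence above, modelled as an added example (not HP-UX IPSec code): the adoptive node answers an unknown SPI with an INVALID_SPI notify, ignores the client's empty INFORMATIONAL requests, and the client tears down its SAs once the liveness test fails. The retry limit of 3, the SPI values and the node names are constructed assumptions.

```python
from dataclasses import dataclass, field

LIVENESS_RETRIES = 3  # assumed number of unanswered liveness requests before the peer is declared dead

@dataclass
class Node:
    # A cluster node only knows the SAs it negotiated itself.
    name: str
    inbound_spis: set = field(default_factory=set)
    ike_peers: set = field(default_factory=set)

    def receive_esp(self, spi):
        # Step 2: an unrecognised SPI yields an unencrypted IKEv2 INVALID_SPI notify.
        return None if spi in self.inbound_spis else ("NOTIFY", "INVALID_SPI", spi)

    def receive_informational(self, sender):
        # Step 4: with no IKE SA for the sender, the request is silently dropped.
        return ("ACK",) if sender in self.ike_peers else None

@dataclass
class Client:
    name: str
    ike_sa_with: str = None            # package node the IKE SA was established with
    ipsec_spis: set = field(default_factory=set)
    events: list = field(default_factory=list)

    def send_protected(self, node, spi):
        resp = node.receive_esp(spi)   # Step 1: protected packet to the package address
        if resp is not None:
            self.events.append(resp)
            self.liveness_check(node)
        return resp

    def liveness_check(self, node):
        # Step 3: empty INFORMATIONAL messages that require an acknowledgement.
        for attempt in range(1, LIVENESS_RETRIES + 1):
            ack = node.receive_informational(self.name)
            self.events.append(("INFORMATIONAL", attempt, "ack" if ack else "timeout"))
            if ack:
                return True
        # Repeated timeouts: presume the original peer dead and delete all SAs with it.
        self.ike_sa_with, self.ipsec_spis = None, set()
        self.events.append(("DELETE_SAS",))
        return False

def simulate_failover():
    # Constructed scenario: the package moved from pkg-node-A to pkg-node-B.
    original = Node("pkg-node-A", inbound_spis={0x1001}, ike_peers={"client"})
    adoptive = Node("pkg-node-B")                      # no SAs with the client
    client = Client("client", ike_sa_with=original.name, ipsec_spis={0x1001})
    client.send_protected(adoptive, 0x1001)
    return client                                      # ike_sa_with is now None
```

A client whose `ike_sa_with` is `None` after the run is exactly the state in which the next packet to the package address triggers fresh IKE and IPsec negotiations.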
Configuration Overview
Requirements
To use HP-UX IPSec with Serviceguard, your topology must meet the following requirements:
The same version of HP-UX IPSec must be installed on all cluster nodes.
Serviceguard version A.11.16 or later must be installed on all cluster nodes.
All cluster nodes must have the same HP-UX IPSec configuration database file.
Serviceguard Heartbeat Requirement and Recommendation
You must allow Serviceguard heartbeat messages to pass in clear text. Do not use HP-UX IPSec
to encrypt or authenticate Serviceguard heartbeat and control messages exchanged between
the cluster nodes. The overhead for establishing IKE and IPsec Security Associations (SAs),
and for encrypting or authenticating heartbeat messages may cause unnecessary cluster
reformations.
When using HP-UX IPSec to secure a cluster, HP recommends that you have at least one
network dedicated for Serviceguard heartbeat messages (one network used only to send and
receive Serviceguard heartbeat messages).
Configuration Steps
When configuring HP-UX IPSec for Serviceguard, configure HP-UX IPSec using an ipsec_config
batch file according to the instructions in Chapter 4: “Configuring HP-UX IPSec” (page 57) on one
cluster node, referred to as the configuration node. Additional configuration requirements are listed
below and described in the following sections. After you have verified the HP-UX IPSec configuration
on the configuration node, copy the configuration files to the other cluster nodes.
After you have configured HP-UX IPSec, configure Serviceguard as described in the Serviceguard
product documentation.
The general procedure for configuring HP-UX IPSec with Serviceguard is listed below:
“Step 1: Configuring HP-UX Host IPsec Policies for Serviceguard” (page 197)
You must ensure that HP-UX IPSec allows Serviceguard heartbeat messages to pass in clear
text to avoid unnecessary cluster reformations. Configure HP-UX IPSec to allow all traffic
between the heartbeat IP addresses to pass in clear text.
If you are using optional Serviceguard features such as Quorum Server or Serviceguard
Manager, you must configure HP-UX IPSec so it does not discard messages for these
services that are exchanged with systems external to the cluster.
“Step 2: Configuring HP-UX IPSec IKE policies” (page 206)
Configure IKE policies that include the Serviceguard package addresses and client addresses.
196 HP-UX IPSec and Serviceguard