HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Table 18 (page 205) provides a summary of the port numbers and protocols for these services.
This section describes the Serviceguard cluster information you need to determine before configuring
host IPsec policies. It also describes how to configure host IPsec policies for package addresses,
heartbeat IP addresses, and optional Serviceguard services. This section also contains a summary
of the port numbers and protocols used by Serviceguard services.
This section contains the following subsections:
“Determining Serviceguard Cluster Information” (page 198)
“Configuring Host IPsec Policies for Package Addresses” (page 198)
“Configuring PASS Host IPsec Policies for Intracluster Messages” (page 198)
“Configuring Host IPsec Policies for External Access” (page 199)
“Summary: Serviceguard Port Numbers and Protocols” (page 204)
Determining Serviceguard Cluster Information
Before configuring IPsec policies, determine the following information about the Serviceguard
cluster:
Heartbeat IP addresses
The heartbeat IP address for each cluster node is specified using the HEARTBEAT_IP parameter
in the node definitions section of the cluster configuration file.
Package addresses
Package addresses are configured using the ip_address parameter within the package_ip
module in a package configuration file. In legacy package control scripts, package addresses
are configured using IP[i] statements.
Configuring Host IPsec Policies for Package Addresses
On the cluster nodes, configure host IPsec policies with source IP address set to the package
addresses.
On the cluster clients, configure host IPsec policies with the destination address set to the package
addresses.
Configuring PASS Host IPsec Policies for Intracluster Messages
Configure a PASS host IPsec policy (host IPsec policy with -action PASS) for each pair of
heartbeat IP addresses in the cluster to ensure that Serviceguard heartbeat and intracluster control
messages pass in clear text.
Since the IPsec configuration database is the same for all cluster nodes, you must configure a PASS
host IPsec policy for each heartbeat IP address pair in the cluster.
Specify the following values for the remaining filter parameters in the host IPsec policies:
Protocol: ALL
Source and destination ports: 0 (all ports)
For the cluster shown in Figure 23 (page 194), configuring a host IPsec policy for each heartbeat
address pair means configuring six host IPsec policies with the following filter specifications:

Source IP Address/Prefix   Destination IP Address/Prefix   Protocol   Source Port   Destination Port
10.0.0.0/8                 10.1.1.1/32                     ALL        0             0
10.0.0.0/8                 10.2.2.2/32                     ALL        0             0
10.0.0.0/8                 10.3.3.3/32                     ALL        0             0
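
As an added example (not from the HP guide), the following POSIX shell function applies the "each pair of heartbeat IP addresses" rule literally: it prints, without running, one PASS policy per ordered address pair with /32 on both sides, protocol ALL and port 0, whereas the guide's table uses the broader 10.0.0.0/8 on one side. The hb_pass_N policy names are hypothetical, and the ipsec_config add host argument form is assumed from ipsec_config(1M).

```shell
# Added example: print (never run) one PASS host policy per ordered pair of
# heartbeat addresses. hb_pass_N names are hypothetical; syntax is assumed.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    rest="$1." count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# heartbeat_pass_policies ADDR...: validate the list, then print one
# command per ordered (source, destination) pair: N addresses give N*(N-1).
heartbeat_pass_policies() {
    if [ "$#" -lt 2 ]; then
        echo "need at least two heartbeat addresses" >&2
        return 2
    fi
    seen=" "
    for addr in "$@"; do
        if ! valid_ipv4 "$addr"; then
            echo "invalid IPv4 address: $addr" >&2
            return 2
        fi
        case "$seen" in
            *" $addr "*) echo "duplicate address: $addr" >&2; return 2 ;;
        esac
        seen="$seen$addr "
    done
    n=0
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            n=$((n + 1))
            echo "ipsec_config add host hb_pass_$n -source $src/32/0" \
                 "-destination $dst/32/0 -protocol ALL -action PASS"
        done
    done
}

# Constructed input: the three /32 addresses from the guide's table.
heartbeat_pass_policies 10.1.1.1 10.2.2.2 10.3.3.3
```

Each printed policy lets matching traffic pass in clear text, so pass only heartbeat IP addresses to the function.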