HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Destination Port  Source Port  Protocol  Destination IP Address/Prefix  Source IP Address/Prefix
0                 0            ALL       15.1.1.1/32                    15.0.0.0/8
0                 0            ALL       15.2.2.2/32                    15.0.0.0/8
0                 0            ALL       15.3.3.3/32                    15.0.0.0/8
CAUTION: Use caution when configuring “open” host IPsec policies (policies that allow all or
most packets to pass in clear text). For more information, see “Maximizing security” (page 57).
Private Dedicated Heartbeat Networks
If you are using a dedicated heartbeat network that is also a private network, you can simplify
your configuration by replacing the heartbeat address filters in the private network with one host
IPsec policy for the subnet. For example, you could replace the policies for the first three address
pairs in the above table with one host IPsec policy that has the following filter:
Destination Port  Source Port  Protocol  Destination IP Address/Prefix  Source IP Address/Prefix
0                 0            ALL       10.0.0.0/8                     10.0.0.0/8
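The consolidation described above can be checked before the per-pair policies are removed. The following Python sketch is an added example, not part of the HP guide: the Filter class, the helper names and the three 10.x heartbeat address pairs are constructed for illustration, and it assumes port 0 and protocol ALL act as wildcards, as in the tables here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    """One address filter row: 0 means any port, ALL means any protocol."""
    src: str
    dst: str
    proto: str = "ALL"
    sport: int = 0
    dport: int = 0

def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)

def covers(broad, narrow):
    """True if every packet that matches `narrow` also matches `broad`."""
    return (_net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and broad.proto in ("ALL", narrow.proto)
            and broad.sport in (0, narrow.sport)
            and broad.dport in (0, narrow.dport))

def uncovered(broad, filters):
    """Filters that still need their own policy after consolidation."""
    return [f for f in filters if not covers(broad, f)]

def source_widening(broad, filters):
    """(source addresses matched by broad, by the covered filters it replaces)."""
    replaced = {_net(f.src) for f in filters if covers(broad, f)}
    return _net(broad.src).num_addresses, sum(n.num_addresses for n in replaced)

# Constructed sample data: three private heartbeat pairs (hypothetical addresses)
HEARTBEAT = [
    Filter("10.1.1.1/32", "10.1.1.2/32"),
    Filter("10.2.2.1/32", "10.2.2.2/32"),
    Filter("10.3.3.1/32", "10.3.3.2/32"),
]
# Row taken from the 15.x table on this page; it is outside the private subnet
PUBLIC = Filter("15.0.0.0/8", "15.1.1.1/32")
SUBNET = Filter("10.0.0.0/8", "10.0.0.0/8")  # the consolidated filter from the text

if __name__ == "__main__":
    print("still needs own policy:", uncovered(SUBNET, HEARTBEAT + [PUBLIC]))
    print("source addresses (after, before):", source_widening(SUBNET, HEARTBEAT))
```

The second result shows how many more source addresses the single subnet filter matches than the pairs it replaces, which is worth weighing against the CAUTION above when the policy passes traffic in clear text.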
Configuring Host IPsec Policies for External Access
You can also configure host IPsec policies for packets exchanged between cluster nodes and
external nodes. This section describes how to configure policies for the following applications and
services:
“Serviceguard Quorum Server” (page 199)
“Remote Command Execution” (page 200)
“Serviceguard Manager Plug-in Version” (page 201)
“Serviceguard Manager Standalone Version” (page 202)
“WBEM Access” (page 202)
“Cluster Object Manager (COM)” (page 203)
“Consolidated Log (clog)” (page 204)
Serviceguard Quorum Server
If you are using a Quorum Server for the Serviceguard cluster, configure HP-UX IPSec so it does
not discard packets listed in the sections below.
Cluster Node IPsec Policies for Quorum Server
For each cluster node, configure host IPsec policies so HP-UX IPSec does not discard (the transform
list contains any transform except DISCARD) the packets listed below. If HP-UX IPSec is not installed
on the Quorum Server, configure PASS host IPsec policies for these packets.
Destination Port  Source Port  Protocol  Destination IP Address  Source IP Address
1238              0            TCP       Quorum Server address   cluster node address (or wildcard)
Step 1: Configuring HP-UX Host IPsec Policies for Serviceguard 199