HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Cluster Node
On each cluster node, add entries to the ipsec_config batch file with add auth operations
to configure an authentication record for each cluster client as follows:
• Remote IP Address (-remote): The cluster client address.
• Local ID type (-ltype): The IKE ID type sent by the cluster nodes. This must be X500-DN, or one of the types of identifiers in the subjectAlternativeName field of the cluster certificate, such as IPV4. The default is the address type (IPV4 or IPV6) of the interface used to communicate with the remote system.
• Local ID value (-lid): The ID value that corresponds to the local ID type. This must match a value in the cluster certificate. The default is the IP address of the interface used to communicate with the remote system.
• Remote ID type (-rtype): The IKE ID type sent by the remote system (cluster client). This must be X500-DN, or one of the types of identifiers in the subjectAlternativeName field of the client certificate. The default is the address type (IPV4 or IPV6) for the -remote argument.
• Remote ID value (-rid): The IKE ID value sent by the remote system (cluster client). This must match the appropriate value in the client certificate. The default is the address specified for the -remote argument.
If the cluster client is an HP-UX IPSec system and is not multihomed, you can use the default
values for the remote ID type and value.
NOTE: If all clients are in the same subnet and use FQDNs or X.500 DNs with a common base
or IP addresses for IDs, you can use a subtree or address range remote ID to configure one
authentication record for all clients. For more information, see “Subtree and Address Range Remote
ID Matching” (page 83).
Cluster Clients
On each cluster client, configure an authentication record for each package address in the cluster.
If the cluster client is an HP-UX system, configure the authentication record as follows:
• Remote IP Address (-remote): The package address.
• Local ID type (-ltype): The IKE ID type sent by the cluster client. This must be X500-DN, or one of the types of identifiers in the subjectAlternativeName field of the client certificate, such as IPV4. This must match the remote ID type configured on the cluster nodes. The default is the address type (IPV4 or IPV6) of the interface used to communicate with the remote system.
• Local ID value (-lid): The IKE ID value sent by the cluster client. This must match a value in the client certificate and the remote ID value configured on the cluster node. The default is the IP address of the interface used to communicate with the remote system.
• Remote ID type (-rtype): The IKE ID type sent by the cluster nodes. This must match the local ID type configured on the cluster nodes.
• Remote ID value (-rid): The remote ID value. This must match the appropriate field in the cluster certificate and the local ID value configured on the cluster nodes.
NOTE: If the client is an HP-UX IPSec system using version A.03.00 or later, you can use a subtree
or address range remote ID to configure one authentication record for all package addresses. For
more information, see “Subtree and Address Range Remote ID Matching” (page 83).
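The node-side and client-side records above must agree pairwise (each side's local ID is the peer's remote ID, and each local ID must appear in that side's certificate). The following pre-flight check is an added example written for this section, not code from the guide or from HP-UX IPSec: it parses constructed add auth batch entries, applies the defaults described above, and reports mismatches. It assumes the batch syntax add auth NAME -remote ... -ltype ... -lid ... -rtype ... -rid ... (the record name is an assumption) and a known local interface address; the certificate identifier sets are constructed.

```python
import ipaddress
import shlex

OPTIONS = ("-remote", "-ltype", "-lid", "-rtype", "-rid")

def addr_type(addr):
    """IKE ID type implied by an IP address: IPV4 or IPV6."""
    return "IPV6" if ipaddress.ip_address(addr).version == 6 else "IPV4"

def parse_auth(line, local_addr):
    """Parse one 'add auth' batch line (assumed syntax: add auth NAME -opt value ...)
    and fill in the guide's defaults; local_addr is the interface used to reach the peer."""
    tok = shlex.split(line)
    if tok[:2] != ["add", "auth"] or (len(tok) - 3) % 2:
        raise ValueError("malformed add auth operation: " + line)
    rec = {"name": tok[2]}
    for i in range(3, len(tok), 2):
        if tok[i] not in OPTIONS:
            raise ValueError("unknown option " + tok[i])
        rec[tok[i][1:]] = tok[i + 1]
    # Defaults: local ID = local interface address/type; remote ID = -remote address/type.
    rec.setdefault("ltype", addr_type(local_addr))
    rec.setdefault("lid", local_addr)
    rec.setdefault("rtype", addr_type(rec["remote"]))
    rec.setdefault("rid", rec["remote"])
    return rec

def check_pair(node, node_cert_ids, client, client_cert_ids):
    """Return mismatches between a cluster-node record and a cluster-client record.
    *_cert_ids map an ID type to the DN/subjectAlternativeName values in that certificate."""
    problems = []
    if node["lid"] not in node_cert_ids.get(node["ltype"], ()):
        problems.append("node -lid is not in the cluster certificate")
    if client["lid"] not in client_cert_ids.get(client["ltype"], ()):
        problems.append("client -lid is not in the client certificate")
    # What one side sends as its local ID must be what the peer expects as its remote ID.
    if (node["ltype"], node["lid"]) != (client["rtype"], client["rid"]):
        problems.append("node local ID != client remote ID")
    if (client["ltype"], client["lid"]) != (node["rtype"], node["rid"]):
        problems.append("client local ID != node remote ID")
    return problems

# Constructed sample: package address 10.10.1.50, client 10.10.2.7 (not multihomed);
# the cluster certificate is identified by its X.500 DN, the client certificate by an IPv4 SAN.
NODE = parse_auth('add auth clientA -remote 10.10.2.7 -ltype X500-DN -lid "CN=pkg1,O=Example"', "10.10.1.50")
CLIENT = parse_auth('add auth pkg1 -remote 10.10.1.50 -rtype X500-DN -rid "CN=pkg1,O=Example"', "10.10.2.7")
NODE_CERT = {"X500-DN": {"CN=pkg1,O=Example"}, "IPV4": {"10.10.1.50"}}
CLIENT_CERT = {"IPV4": {"10.10.2.7"}}
```

check_pair(NODE, NODE_CERT, CLIENT, CLIENT_CERT) returns an empty list for the sample; omitting -rtype/-rid on the client makes it default to the package address, which the check flags because the node sends an X500-DN.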
Step 4: Configuring Authentication Records for Certificates 209