HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Example
This example uses the same topology as the preshared key example, as shown in Figure 23
(page 194). The cluster has three nodes:
• Node1 (10.1.1.1 and 15.1.1.1)
• Node2 (10.2.2.2 and 15.2.2.2)
• Node3 (10.3.3.3 and 15.3.3.3)
The 10.*.*.* network is a dedicated heartbeat LAN. The 15.*.*.* network is a shared heartbeat
and data LAN.
The cluster also has two packages:
• pkgA (15.98.98.98)
• pkgB (15.99.99.99)
There are two package clients:
• Client1 (15.4.4.4)
• Client2 (15.5.5.5)
HP-UX IPSec is securing the traffic between the clients and the package addresses.
The local ID used by the cluster nodes is the FQDN mycluster.hp.com.
The local IDs used by the clients are their IP addresses.
Authentication Records on Cluster Nodes
On each cluster node, the ipsec_config batch file contains the following entries:
add auth client1 -remote 15.4.4.4 -kmp IKEV1 \
-ltype FQDN -lid mycluster.hp.com \
-rtype IPV4 -rid 15.4.4.4
add auth client2 -remote 15.5.5.5 -kmp IKEV1 \
-ltype FQDN -lid mycluster.hp.com \
-rtype IPV4 -rid 15.5.5.5
Authentication Records on Client1 and Client2
On each cluster client, the ipsec_config batch file contains the following entries. The
authentication records use the default local ID type (IPV4) and the default local ID value (the IP
address of the interface used to communicate with the remote system). If a cluster client were
multihomed, you would add a record for each additional local address on that client and specify
the local ID type (-ltype) and local ID value (-lid) arguments explicitly, as the cluster node records do.
Note that the -rid argument is the same for both records. The cluster nodes use the same certificate,
with the FQDN mycluster.hp.com as the identity, on all nodes and for all package addresses, so a client
authenticates a package address the same way regardless of which node the package is currently
running on.
add auth pkgA -remote 15.98.98.98 -kmp IKEV1 \
-rtype FQDN -rid mycluster.hp.com
add auth pkgB -remote 15.99.99.99 -kmp IKEV1 \
-rtype FQDN -rid mycluster.hp.com
Step 5: Verifying and Testing the HP-UX IPSec Configuration
Start and verify HP-UX IPSec on the cluster node on which you configured IPsec using the procedure
in Chapter 4, “Step 8: Committing the Batch File Configuration and Verifying Operation” (page 96).
Use ipsec_policy to test your configuration to ensure it meets the following conditions:
• HP-UX IPSec allows messages sent between the heartbeat IP addresses to pass in clear text,
including Serviceguard heartbeat messages (TCP and UDP destination port 5300).
• HP-UX IPSec does not discard control messages for optional Serviceguard services, including
Quorum Server and Serviceguard Manager messages. Table 18 (page 205) lists the port
numbers and protocols for Serviceguard services control messages.
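The Step 5 conditions, expressed as checks against a model of host-policy selection. This is an added example, not code from the HP-UX IPSec product or from this guide, and it does not replace running ipsec_policy on the node: the ordered rule table, the first-match lookup and the default action are a simplified model of how host policies are searched. The node, package and client addresses and heartbeat port 5300 come from the example topology on this page; the policy names, the "weak" and "fixed" policy sets, the sample application port and the placeholder control port are constructed for illustration (the real control ports come from Table 18).

```python
"""Offline model of HP-UX IPSec host-policy selection, used to express the Step 5
conditions as checks. Added example: not HP-UX IPSec code and not a substitute for
ipsec_policy. First-match lookup with a default action is a simplified model; every
policy below is constructed, only the topology and port 5300 come from the page."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PASS, DISCARD, ESP = "PASS", "DISCARD", "ESP"   # policy actions (model only)

# Topology from the page: (dedicated heartbeat LAN address, shared heartbeat/data address)
NODES = {
    "Node1": ("10.1.1.1", "15.1.1.1"),
    "Node2": ("10.2.2.2", "15.2.2.2"),
    "Node3": ("10.3.3.3", "15.3.3.3"),
}
PACKAGES = ["15.98.98.98", "15.99.99.99"]
CLIENTS = ["15.4.4.4", "15.5.5.5"]
HEARTBEAT_PORT = 5300      # Serviceguard heartbeat, TCP and UDP (from the page)
SAMPLE_APP_PORT = 23       # constructed: an application port a client uses to reach a package


@dataclass(frozen=True)
class Policy:
    """One host policy: selector (src/dst network, protocol, dest port) and action."""
    name: str
    src: str                      # CIDR
    dst: str                      # CIDR
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None = any destination port
    action: str = PASS

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def lookup(policies: List[Policy], default: str, src: str, dst: str,
           proto: str, dport: int) -> Tuple[str, str]:
    """First matching policy wins; otherwise the default action applies."""
    for p in policies:
        if p.matches(src, dst, proto, dport):
            return p.name, p.action
    return "default", default


def client_package_policies() -> List[Policy]:
    """ESP policies for client <-> package traffic in both directions."""
    pols = []
    for c in CLIENTS:
        for pkg in PACKAGES:
            pols.append(Policy(f"{c}_to_{pkg}", f"{c}/32", f"{pkg}/32", action=ESP))
            pols.append(Policy(f"{pkg}_to_{c}", f"{pkg}/32", f"{c}/32", action=ESP))
    return pols


def serviceguard_pass_policies(control_ports) -> List[Policy]:
    """PASS policies Serviceguard needs: the dedicated heartbeat LAN, heartbeat
    port 5300 on the shared LAN, and the control ports listed in Table 18."""
    pols = [Policy("heartbeat_lan", "10.0.0.0/8", "10.0.0.0/8", action=PASS)]
    for proto in ("tcp", "udp"):
        pols.append(Policy(f"heartbeat_{proto}", "15.0.0.0/8", "15.0.0.0/8",
                           proto, HEARTBEAT_PORT, PASS))
    for proto, port in control_ports:
        pols.append(Policy(f"sg_control_{proto}_{port}", "15.0.0.0/8", "15.0.0.0/8",
                           proto, port, PASS))
    return pols


def verify(policies: List[Policy], default: str, control_ports=()) -> List[str]:
    """Return the list of Step 5 violations (empty list = configuration passes)."""
    failures = []
    for a, b in [(a, b) for a in NODES for b in NODES if a != b]:
        (a_hb, a_data), (b_hb, b_data) = NODES[a], NODES[b]
        # 1. heartbeat messages pass in clear text on both heartbeat networks
        for src, dst in ((a_hb, b_hb), (a_data, b_data)):
            for proto in ("tcp", "udp"):
                name, act = lookup(policies, default, src, dst, proto, HEARTBEAT_PORT)
                if act != PASS:
                    failures.append(f"heartbeat {src}->{dst} {proto}/{HEARTBEAT_PORT}: {act} ({name})")
        # 2. control messages for optional Serviceguard services are not discarded
        for proto, port in control_ports:
            name, act = lookup(policies, default, a_data, b_data, proto, port)
            if act == DISCARD:
                failures.append(f"control {a_data}->{b_data} {proto}/{port}: {act} ({name})")
    # 3. the client/package traffic the deployment exists to protect is still secured
    for c in CLIENTS:
        for pkg in PACKAGES:
            for src, dst in ((c, pkg), (pkg, c)):
                name, act = lookup(policies, default, src, dst, "tcp", SAMPLE_APP_PORT)
                if act != ESP:
                    failures.append(f"client/package {src}->{dst}: {act} ({name})")
    return failures


# Constructed weak configuration: secures client/package traffic but, with a DISCARD
# default and no PASS policies, drops the heartbeat and control messages.
WEAK_POLICIES = client_package_policies()

# Corrected configuration: PASS policies for Serviceguard traffic ahead of the ESP
# policies, same DISCARD default. CONTROL_PORTS is a constructed placeholder (9999 is
# not a Serviceguard port); fill it from Table 18 for a real cluster.
CONTROL_PORTS = [("tcp", 9999)]
FIXED_POLICIES = serviceguard_pass_policies(CONTROL_PORTS) + client_package_policies()

if __name__ == "__main__":
    for label, pols in (("weak", WEAK_POLICIES), ("fixed", FIXED_POLICIES)):
        problems = verify(pols, DISCARD, CONTROL_PORTS)
        print(f"{label}: {len(problems)} problem(s)")
        for line in problems:
            print("  " + line)
```

The weak set reproduces the failure mode the second bullet warns about: every client/package flow is protected, yet a DISCARD default with no explicit PASS policies silently drops the heartbeat and control traffic the cluster depends on. The fixed set places the PASS policies ahead of the ESP policies and keeps the same default. On a real node, confirm each of these lookups with ipsec_policy rather than with this model.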
210 HP-UX IPSec and Serviceguard