HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Step 3: Configuring authentication records and preshared keys
This section describes how to configure IKE authentication records and preshared keys. You must
configure authentication records if you are using certificates or preshared keys for IKE authentication.
You do not need to configure or modify authentication records if you are using manual keys or
are using HP-UX IPSec only to discard packets.
The main components of an authentication record are:
• Remote IP address. This can be a subnet address.
• IKE version number to use when negotiating with the remote system. (This is also referred to as the key management protocol or KMP version.) The default is IKEv1.
• IKE ID information. The IKE daemon sends local ID information to the remote system as part of IKE SA negotiations, and uses remote ID information to verify the ID information it receives, as described in “Determining the IKE Version” (page 153).
  You can use the default IDs in most topologies if the remote system is also an HP-UX system and the local and remote systems are not multihomed.
• IKE local and remote authentication methods. These methods can be preshared key or security certificate using RSA signatures. The local and remote methods must be the same.
  In most cases, you do not have to set these values; ipsec_config can set these values appropriately according to the inclusion or exclusion of a preshared key value.
• Preshared key value, if the local and remote authentication method used is preshared key.
To configure authentication records, use the ipsec_config add auth command.
Remote Multihomed Systems
If a remote system is multihomed (the remote system has multiple IP addresses), you must configure
an authentication record or records to match each IP address on the remote system. If you are
using certificates with RSA signatures, specify the same ID information in each authentication record
for the remote system.
Authentication Record Order and Selection
When HP-UX IPSec searches for an authentication record, it searches the records according to the
value of the priority parameter for each record and selects the first record with the IP address
and prefix specifications that match the remote system’s address.
You can configure an authentication record with a remote subnet address to match multiple remote
systems. See “Subtree and Address Range Remote ID Matching” (page 83).
Automatic Priority Increment
There are two ways to set the priority of an authentication record:
• Specify the priority argument to explicitly set the priority.
• Omit the priority argument and have ipsec_config assign a priority using the automatic priority increment value so that the new policy is the last policy evaluated before the default policy.
If you omit the priority argument, ipsec_config assigns a priority value that is set to the
current highest priority value (lowest priority) for the authentication records in the configuration
database, incremented by the automatic priority increment value for authentication records. The
result is that the new policy will be the last authentication record. The automatic priority increment
values are specified by the priority parameter values in the AuthPolicy-Defaults section
of the profile file. The default value is 10.
If you are configuring the first authentication record and do not specify a priority argument,
ipsec_config assigns the automatic priority increment value as the priority.
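The record-selection and automatic-priority rules described above, modelled as an added Python illustration (this is not HP-UX code and does not call ipsec_config; the record names, addresses and the AUTO_PRIORITY_INCREMENT constant are constructed for the example, with 10 taken from the default stated in this section):

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default automatic priority increment for authentication records
# (the AuthPolicy-Defaults priority value; 10 is the documented default).
AUTO_PRIORITY_INCREMENT = 10


@dataclass
class AuthRecord:
    name: str       # hypothetical record name
    remote: str     # remote IP address or subnet, e.g. "10.1.2.3" or "10.1.0.0/16"
    priority: int   # lower value = evaluated earlier


def add_auth_record(records: List[AuthRecord], name: str, remote: str,
                    priority: Optional[int] = None) -> AuthRecord:
    """Add a record, assigning a priority the way the guide describes when none is given:
    first record -> the increment itself; otherwise the current highest value
    (lowest priority) plus the increment, so the new record is evaluated last."""
    if priority is None:
        highest = max((r.priority for r in records), default=0)
        priority = highest + AUTO_PRIORITY_INCREMENT
    # Validate the address/prefix up front; a bare address becomes a host (/32 or /128) network.
    ipaddress.ip_network(remote, strict=False)
    rec = AuthRecord(name, remote, priority)
    records.append(rec)
    return rec


def select_auth_record(records: List[AuthRecord], remote_addr: str) -> Optional[AuthRecord]:
    """Search records in priority order and return the first whose address and
    prefix match the remote system's address, or None if nothing matches."""
    addr = ipaddress.ip_address(remote_addr)
    for rec in sorted(records, key=lambda r: r.priority):
        if addr in ipaddress.ip_network(rec.remote, strict=False):
            return rec
    return None


if __name__ == "__main__":
    db: List[AuthRecord] = []
    add_auth_record(db, "hostA", "10.1.2.3")          # auto priority 10
    add_auth_record(db, "subnetB", "10.1.0.0/16")     # auto priority 20
    add_auth_record(db, "override", "10.1.2.4", 5)    # explicit, evaluated first
    for peer in ("10.1.2.3", "10.1.2.4", "10.1.9.9", "192.0.2.1"):
        hit = select_auth_record(db, peer)
        print(peer, "->", hit.name if hit else "no record (IKE cannot authenticate)")
```

A multihomed peer is handled the same way: one record per address, each of which must match before that address can authenticate, which is why the subnet form is convenient for a block of addresses.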