HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

-ltype local_id_type and -lid local_id
The local_id_type and local_id are the local ID type and value the local system sends to
the remote system when negotiating an IKE SA. These values must match what is configured on
the remote system.
You do not have to configure the local ID type and value if your topology meets both of the following criteria:
• The local system is not multihomed.
• The remote system is an HP-UX system, or is a non-HP system configured to accept IPv4 or IPv6 addresses as the ID type.
Valid Values: Table 7 lists valid ID types and corresponding ID values.

Table 7 Local and Remote ID Types and Values

ID Type    ID Value
IPV4       IPv4 address in dotted-decimal notation.
           If you are using certificate-based authentication, this must match the
           subjectAlternativeName field in the certificate.
           For remote IDs, the value can be a subnet with a prefix or an IP address range.
           See “Subtree and Address Range Remote ID Matching” (page 83).
IPV6       IPv6 address in colon-hexadecimal notation.
           If you are using certificate-based authentication, this must match the
           subjectAlternativeName field in the certificate.
           For remote IDs, the value can be a subnet with a prefix or an IP address range.
           See “Subtree and Address Range Remote ID Matching” (page 83).
FQDN       Fully Qualified Domain Name (FQDN), also known as a DNS name, such as
           myhost.hp.com.
           If you are using certificate-based authentication, this must match the
           subjectAlternativeName field in the certificate.
KEY-ID     Key identifier; a character string used to identify the preshared key. The
           maximum length is 320 characters.
           This ID type is valid only for IKE authentication using preshared keys.
USER-FQDN  User-Fully Qualified Domain Name (User-FQDN) in SMTP format (also referred to
           as RFC 822 email address format), such as user@myhost.hp.com.
           If you are using certificate-based authentication, this must match the
           subjectAlternativeName field in the certificate.
X500-DN    X.500 Distinguished Name (DN; also referred to as an ASN.1 DN). This ID type is
           valid only if you are using certificate-based authentication.
           You do not need to specify a local ID value (-lid) for X.500 DNs. When the local
           ID type is X500-DN, HP-UX IPSec uses the subjectName from the local certificate
           for the local ID value and ignores any configured local ID value.
           HP-UX IPSec supports the following attributes in the DN:
             CN=commonName
             C=country
             O=organization
             OU=organizationalUnit
           All attributes are optional, but you must specify at least one of the above
           attributes.
           When HP-UX IPSec searches for an authentication record that matches a remote
           ID payload sent by a peer, every attribute specified in the authentication record
           must be present and matched in the peer's remote ID payload. When verifying the
           peer's certificate, HP-UX IPSec compares all attributes in the remote ID payload
           with the subjectName in the certificate and verifies that they match.
           Separate multiple attributes using commas. The order of the attributes is ignored
           and the DN is not case sensitive.
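The X500-DN matching rules above (order ignored, case insensitive, every attribute in the authentication record must appear in the peer's ID payload, every attribute in the payload must appear in the certificate subjectName) are easy to get subtly wrong when you are deciding which remote-ID record a peer will land on. The following is an added example written for this guide page; it is not HP-UX IPSec code and does not reproduce the product's implementation. The escaped-comma syntax, repeated attributes, the strict/non-strict distinction and the sample DNs are assumptions made for the illustration.

```python
# Added example, not code from the HP-UX IPSec guide or the product.
# Models the X500-DN ID matching rules that Table 7 describes:
#   - supported attributes: CN, C, O, OU; at least one is required
#   - attributes are comma separated, order is ignored, matching is
#     case insensitive
#   - an authentication record matches a peer's remote ID payload when
#     every attribute in the record is present, with the same value, in
#     the payload (the payload may carry more attributes)
#   - when the peer's certificate is verified, every attribute in the
#     remote ID payload must match the certificate subjectName
# Assumptions that the guide does not state: a comma inside a value is
# escaped as "\,", an attribute may repeat (two OU= values), and a
# peer-supplied DN may carry attributes outside the supported set,
# which are compared but are never configurable in a record.

SUPPORTED_ATTRS = {"CN", "C", "O", "OU"}


def _split_rdns(dn):
    """Split a DN on unescaped commas; '\\,' yields a literal comma."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn, strict=True):
    """Return {ATTR: {values}} with attribute names upper-cased and values
    lower-cased, so later comparisons are order and case insensitive.
    strict=True is for DNs an administrator configures (only the four
    supported attributes are accepted); strict=False is for DNs received
    from a peer or read from a certificate."""
    attrs = {}
    for rdn in _split_rdns(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        name, value = rdn.split("=", 1)
        name = name.strip().upper()
        if strict and name not in SUPPORTED_ATTRS:
            raise ValueError("unsupported DN attribute: %s" % name)
        attrs.setdefault(name, set()).add(value.strip().lower())
    if not SUPPORTED_ATTRS.intersection(attrs):
        raise ValueError("a DN must carry at least one of CN, C, O, OU")
    return attrs


def dn_is_subset(needle, haystack):
    """True when every attribute/value pair in needle is present in haystack."""
    return all(attr in haystack and values <= haystack[attr]
               for attr, values in needle.items())


def record_matches_payload(record_dn, payload_dn):
    """Does a configured authentication record match the peer's ID payload?"""
    return dn_is_subset(parse_dn(record_dn, strict=True),
                        parse_dn(payload_dn, strict=False))


def payload_matches_cert(payload_dn, subject_dn):
    """Does the peer's ID payload agree with its certificate subjectName?"""
    return dn_is_subset(parse_dn(payload_dn, strict=False),
                        parse_dn(subject_dn, strict=False))


def find_auth_record(records, payload_dn):
    """Return the first configured remote-ID DN that matches payload_dn,
    or None. records is the list of DN strings in configured order."""
    for record_dn in records:
        if record_matches_payload(record_dn, payload_dn):
            return record_dn
    return None


if __name__ == "__main__":
    # Constructed sample data, not taken from the guide.
    RECORDS = [
        "CN=gateway2, O=Hewlett-Packard, C=US",
        "O=Hewlett-Packard, OU=Labs",          # needs OU, peer has none
        "CN=gateway1, O=Hewlett-Packard, C=US",
    ]
    PEER_PAYLOAD = "c=us, o=hewlett-packard, cn=GATEWAY1"
    CERT_SUBJECT = "CN=gateway1, O=Hewlett-Packard, L=Cupertino, C=US"
    print(find_auth_record(RECORDS, PEER_PAYLOAD))           # third record
    print(payload_matches_cert(PEER_PAYLOAD, CERT_SUBJECT))  # True
```

The practical point the sample shows: a record that names fewer attributes (`O=Hewlett-Packard` alone) matches any peer from that organization, so order your remote-ID records from most to least specific and do not rely on a broad DN record to pin down a single gateway.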
80 Configuring HP-UX IPSec