HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Table 8 Authentication Record Flags (continued)

Flag: (continued from the previous page)
Description: To use HP-UX IPSec with autoconfiguration clients, the configuration must meet the following requirements:
  • The local system cannot be the initiator in IKE SA negotiations with autoconfiguration clients.
  • If the IKE version is IKEv1 (the kmp argument is IKEV1, the default value), the exchange mode (the exchange argument) must be Aggressive Mode (AM).
  • The remote ID type (rtype argument) cannot be IPV4 or IPV6.
  • The -remote argument must specify the address and prefix of the autoconfiguration address pool. The authentication method can be RSA signatures or preshared keys.

Flag: NONE
Description: No flags.

Default: The value of the flags parameter in the AuthPolicy-Defaults section of the profile file used. The default flags value is NONE in /var/adm/ipsec/.ipsec_profile.
Subtree and Address Range Remote ID Matching
The subtree and address range remote ID matching features enable you to configure one authentication record for multiple IKE peers. To use one of these features, configure an authentication record with:
  • A remote subnet address. For example, -remote 10.1.1.1/24
  • A remote ID value (-rid) that applies to all peers in the remote subnet. This can be one of the following:
      - a subtree of the FQDN, user FQDN, or X.500 DN ID
      - an IP address range or subnet address
HP recommends that you use subnet and subtree remote IDs only when using certificate-based
authentication. Although it is possible to specify a subtree remote ID with a preshared key to
configure one preshared key for multiple remote systems, HP strongly recommends that you do not
do this.
Subtree Remote ID Matching
To specify a subtree for the remote ID, use one of the formats in the following sections.

FQDN
Prefix the FQDN value with a dot (.). For example:
  -rid .foo.example.com
This matches the following FQDNs:
  alpha.foo.example.com
  alpha.beta.foo.example.com
It does not match the following FQDNs:
  foo.example.com
  example.com
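The following Python check is an added illustration of the subtree rule above; it is not code from the HP-UX IPSec product or this guide. It applies the dot-prefix suffix rule to candidate peer FQDNs and, as an assumption not stated on this page, treats the -remote value as a CIDR subnet (containment test) and compares names case-insensitively with any trailing dot removed.

```python
import ipaddress


def fqdn_subtree_matches(rid: str, peer_fqdn: str) -> bool:
    """True if peer_fqdn lies under the subtree remote ID rid.

    rid must begin with a dot (e.g. ".foo.example.com"). A peer name matches
    only when it ends with that dotted suffix, so "alpha.foo.example.com"
    matches while the parent "foo.example.com" itself does not, and a name
    such as "xfoo.example.com" cannot match because the leading dot forces
    a label boundary. Case folding and trailing-dot removal are assumptions.
    """
    if not rid.startswith("."):
        raise ValueError("a subtree remote ID must be prefixed with a dot")
    suffix = rid.lower().rstrip(".")
    name = peer_fqdn.lower().rstrip(".")
    return name.endswith(suffix)


def remote_subnet_matches(remote: str, peer_ip: str) -> bool:
    """True if the peer address falls in the -remote subnet (e.g. 10.1.1.1/24).

    strict=False accepts a host address with a prefix length, as in the
    guide's example, and uses the containing network. (Assumed semantics.)
    """
    network = ipaddress.ip_network(remote, strict=False)
    return ipaddress.ip_address(peer_ip) in network


def record_matches(remote: str, rid: str, peer_ip: str, peer_fqdn: str) -> bool:
    """Would one authentication record (-remote subnet plus -rid subtree)
    apply to this peer? Both the address and the identity must match."""
    return remote_subnet_matches(remote, peer_ip) and fqdn_subtree_matches(rid, peer_fqdn)


if __name__ == "__main__":
    # Constructed sample peers checked against the record from this section.
    record = ("10.1.1.1/24", ".foo.example.com")
    for ip, name in [("10.1.1.7", "alpha.foo.example.com"),
                     ("10.1.1.8", "foo.example.com"),
                     ("10.1.2.7", "alpha.beta.foo.example.com")]:
        print(ip, name, "->", record_matches(*record, ip, name))
```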
Step 3: Configuring authentication records and preshared keys 83