HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

User FQDN
Specify only the FQDN (do not specify a user name) preceded by an at sign (@) to match any user
at that FQDN, or specify the FQDN preceded by a dot (.) to match any user in the subtree domain.
For example:
-rid @foo.example.com
This matches the following user FQDNs:
root@foo.example.com
user1@foo.example.com
The user FQDN value
.foo.example.com
matches the following user FQDNs:
root@alpha.foo.example.com
root@alpha.beta.foo.example.com
It does not match the following user FQDNs:
root@foo.example.com
root@example.com
X.500 DN
HP-UX IPSec supports the C, O, OU, and CN X.500 DN attributes in authentication records. Specify
only the attributes that are shared by the nodes you want to match, and omit the attribute or
attributes that are unique. In most cases, you will omit the CN (commonName) attribute. For example:
-rid C=US,O=My Company,OU=Blue Lab
This matches the following DNs:
CN=host1,C=US,O=My Company,OU=Blue Lab
CN=host2,C=US,O=My Company,OU=Blue Lab
Address Range Remote ID Matching
To match a subnet or a range of addresses for the remote ID, specify an IP address and prefix
(address/prefix) or an IP address range (address-address) for the -rid argument. For
example, -rid 10.1.1.0/24 or -rid 10.0.0.1-10.0.0.254.
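The following added example, which is not part of the HP guide and is not HP-UX IPSec code, models the three -rid matching rules above in Python so that the peer IDs a pattern would accept can be checked before a record is configured. The function name, the kind labels, case-insensitive domain comparison, the naive DN parsing, and inclusive range endpoints are assumptions.

```python
import ipaddress

def _parse_dn(dn):
    # "CN=host1,C=US" -> {"CN": "host1", "C": "US"}; naive split, no escaped commas
    attrs = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs

def rid_matches(kind, pattern, peer_id):
    """Model of the -rid matching rules; kind is a hypothetical label, not an ipsec_config value."""
    if kind == "user_fqdn":
        user, at, domain = peer_id.partition("@")
        if not (user and at and domain):
            return False
        domain, pat = domain.lower(), pattern.lower()  # assumption: case-insensitive
        if pat.startswith("@"):   # any user at exactly this FQDN
            return domain == pat[1:]
        if pat.startswith("."):   # any user in the subtree, not the domain itself
            return domain.endswith(pat) and len(domain) > len(pat)
        return peer_id.lower() == pat  # assumption: a full user FQDN matches exactly
    if kind == "dn":
        # every attribute in the pattern must appear in the peer DN with the same value
        want, have = _parse_dn(pattern), _parse_dn(peer_id)
        return all(have.get(k) == v for k, v in want.items())
    if kind == "addr":
        ip = ipaddress.ip_address(peer_id)
        if "-" in pattern:        # address-address range, assumed inclusive
            lo, hi = (ipaddress.ip_address(a.strip()) for a in pattern.split("-"))
            return ip.version == lo.version == hi.version and lo <= ip <= hi
        return ip in ipaddress.ip_network(pattern, strict=False)
    raise ValueError(f"unknown kind: {kind}")

if __name__ == "__main__":
    # Patterns and IDs from the page, plus constructed IDs (marked) for the negative cases
    checks = [
        ("user_fqdn", "@foo.example.com", "user1@foo.example.com"),
        ("user_fqdn", ".foo.example.com", "root@alpha.beta.foo.example.com"),
        ("user_fqdn", ".foo.example.com", "root@foo.example.com"),
        ("dn", "C=US,O=My Company,OU=Blue Lab", "CN=host1,C=US,O=My Company,OU=Blue Lab"),
        ("dn", "C=US,O=My Company,OU=Blue Lab", "CN=host9,C=US,O=My Company,OU=Red Lab"),  # constructed
        ("addr", "10.1.1.0/24", "10.1.1.77"),           # constructed
        ("addr", "10.0.0.1-10.0.0.254", "10.0.0.255"),  # constructed
    ]
    for kind, pattern, peer in checks:
        print(f"{pattern!r:36} {peer!r:44} {rid_matches(kind, pattern, peer)}")
```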
Authentication Record Examples with Preshared Keys
This section contains authentication record examples for preshared key authentication.
IKEv1
The following command configures an IKEv1 authentication record for preshared key authentication
for a remote HP-UX system. Neither system is multihomed. Each system uses the default local ID
type and value (the local IPv4 address). The local and remote authentication methods default to
PSK because the -preshared argument is specified. The IKE version (-kmp) defaults to IKEV1.
ipsec_config add auth hostB -remote 10.2.2.2 \
-preshared my_hostA_hostB_key
IKEv2
The following command configures an IKEv2 authentication record for preshared key authentication.
ipsec_config add auth hostC -remote 10.5.5.5 \
-kmp IKEV2 \
-preshared my_hostA_hostC_key