HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Multihomed Example
The following batch file entries configure IKEv1 authentication records with preshared key
authentication for a remote multihomed HP-UX IPSec system that has addresses 10.8.8.8 and
11.8.8.8:
add auth hostX_10net -remote 10.8.8.8 \
-preshared my_hostA_hostX_key
add auth hostX_11net -remote 11.8.8.8 \
-preshared my_hostA_hostX_key
Authentication Record Examples with RSA Signatures
This section contains authentication record examples for RSA signature (certificate) authentication.
IKEv1 Example
The following command configures an IKEv1 authentication record using RSA signatures. The
remote system is also an HP-UX system and is not multihomed. Each system uses the default local
ID type and value (the local IPv4 address). Because no preshared key argument is specified, the
local and remote authentication methods default to RSASIG.
ipsec_config add auth hostO -remote 10.44.44.44
Distinguished Name Example
The remote system pc99 uses certificate-based authentication and sends and expects the Subject
DistinguishedName for IKE IDs. The corresponding authentication record is as follows:
ipsec_config add auth pc99 -remote 10.99.99.99 \
-ltype X500-DN -lid CN=hostA,C=US,O=HP,OU=Lab \
-rtype X500-DN -rid CN=pc99,C=US,O=HP,OU=Lab
The local ID (lid) value is optional; when the local ID type (ltype) is X500-DN, ipsec_config
overwrites any specified value with the subjectName field from the local system certificate.
Multihomed Example
You are using certificate-based authentication between HP-UX systems Black (10.10.10.10) and
Zebra. Zebra is multihomed, with addresses 10.20.20.20 and 192.6.2.20. The security certificate
for Zebra contains the address 10.20.20.20 as the subjectAlternativeName.
On Black, you add the following entries to the ipsec_config batch file.
add auth Zebra1 -remote 10.20.20.20 \
-rtype IPV4 \
-rid 10.20.20.20
add auth Zebra2 -remote 192.6.2.20 \
-rtype IPV4 \
-rid 10.20.20.20
You do not have to specify local ID information in the above entries because Black is not multihomed
and uses its IPv4 address as its ID.
On Zebra, you add the following entry to the ipsec_config batch file:
add auth Black -remote 10.10.10.10 \
-ltype IPV4 \
-lid 10.20.20.20
This causes Zebra to send 10.20.20.20 as its local ID even when it transmits packets on its
192.6.2.20 interface. You do not have to specify remote ID information in the above entry because
Black is not multihomed and uses its IPv4 address as its ID.
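A mismatch between the -rid of a multihomed peer's record and the address in its certificate's subjectAlternativeName makes IKE negotiation fail only on that interface, which is easy to miss. The following script is an added example, not from the HP-UX guide, that joins backslash-continued batch file entries and checks every -rtype IPV4 record against the expected certificate ID; the sample batch text is constructed, with a deliberately wrong -rid on Zebra2.

```sh
#!/bin/sh
# Added example (not part of the HP-UX IPSec guide): sanity-check ipsec_config
# batch entries for a multihomed certificate peer before loading them.
# Assumes the batch file format shown on this page: "add auth ..." records
# with "\" line continuation.

# Constructed sample for the Black side; Zebra2 carries a wrong -rid on purpose.
SAMPLE_BATCH='add auth Zebra1 -remote 10.20.20.20 \
    -rtype IPV4 \
    -rid 10.20.20.20
add auth Zebra2 -remote 192.6.2.20 \
    -rtype IPV4 \
    -rid 10.20.20.21
add auth hostO -remote 10.44.44.44'

# Print each record on one line by joining "\"-continued lines.
join_records() {
    awk '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
        { print buf $0; buf = "" }
    '
}

# check_rids EXPECTED_ID  < batch-file
# For every "add auth" record with -rtype IPV4, require -rid to equal
# EXPECTED_ID (the address in the peer certificate's subjectAlternativeName).
# Prints one line per offending record; exit status 1 if any were found.
check_rids() {
    join_records | awk -v want="$1" '
        $1 == "add" && $2 == "auth" {
            name = $3; rtype = ""; rid = ""
            for (i = 4; i <= NF; i++) {
                if ($i == "-rtype") rtype = $(i + 1)
                if ($i == "-rid")   rid   = $(i + 1)
            }
            if (rtype == "IPV4" && rid != want) {
                print name ": -rid " rid " does not match certificate ID " want
                bad = 1
            }
        }
        END { if (bad) exit 1 }
    '
}

# Run with --demo to check the constructed sample against Zebra's certificate ID.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_BATCH" | check_rids 10.20.20.20
fi
```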
Step 3: Configuring authentication records and preshared keys 85