Using Microsoft Certificates with HP-UX IPSec A.02.01

ipsec_config add host foo1 -source 10.2.2.2 \
-destination 10.1.1.1 \
-action ESP_3DES_HMAC_SHA1
See ipsec_config_add(1M) for more information.
IKE Policy
The IKE policy must specify RSA signatures as the authentication method. The administrator
configures the following IKE policy:
ipsec_config add ike foo1 -remote 10.1.1.1 -auth rsasig
If you have multiple peers in the same subnet and all the peers use certificates, you can specify
a remote subnet address and use one IKE policy for all the peers:
ipsec_config add ike foo1 -remote 10.1.0.0/16 -auth rsasig
Authentication Records
You must configure authentication records if you are using certificates and any of the following
conditions are true:
The IKE peer is a Windows system or other system that does not use IP addresses as IKE
IDs. You must configure an authentication record for the IKE peer.
The IKE peer is multihomed. You must configure authentication records to match the IP
addresses on the IKE peer.
The local system is multihomed. You must configure authentication records to match the
IP addresses on the local system.
If the IKE peer is an HP-UX system or other system that uses IP addresses for IKE IDs and the
systems are not multihomed, you do not have to configure authentication records. In this
procedure, the IKE peer is a Windows system, so we must configure an authentication record.
Configuring Authentication Records for Windows IKE Peers
When certificates are used for IKE authentication, Windows systems always send an X.500
Distinguished Name (DN) in the IKE ID payload and verify the peer's identity against the DN in
the subjectName field of its certificate. By comparison, HP-UX IPSec systems use IPv4 addresses
by default for IKE ID payloads, but can be configured to use DNs. In the following example, the
IKE peer is a Windows system, so the administrator configures an authentication record with
DNs for the local and remote ID values. The -lid value must match the subject DN of the local
HP-UX system's certificate, and the -rid value must match the subject DN of the Windows peer's
certificate, including the CN attribute:
ipsec_config add auth foo1 -remote 10.1.1.1 \
-ltype x500-dn -lid "cn=foo2,o=hp,ou=foo,c=us" \
-rtype x500-dn -rid "cn=foo1,o=hp,ou=foo,c=us"
Configuring One Authentication Record for Multiple Peers
A version of HP-UX IPSec is available that enables you to specify a remote subnet address and
a subset of the DN that applies to multiple peers. In most cases, this would be the DN without
the commonName (CN) attribute. If you have multiple peers in the same subnet with certificates
issued by the same CA, you can use this feature to configure one authentication record for all
the peers in the remote subnet. Because the record no longer names a CN, any peer in the
subnet that presents a certificate from the trusted CA whose subject DN ends in the specified
attributes is accepted, so the CA's issuing policy, not the authentication record, determines
which hosts can authenticate. For example:
ipsec_config add auth foo1 -remote 10.1.0.0/16 \
-ltype x500-dn -lid "cn=foo2,o=hp,ou=foo,c=us" \
-rtype x500-dn -rid "o=hp,ou=foo,c=us"
Contact your HP support representative for more information.
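To make concrete what the two forms of authentication record above select (one record per peer with a full DN, one record for a subnet with a partial DN), the following shell script is an added example; it is not part of the HP-UX IPSec documentation and does not call ipsec_config. It models the matching as a case-insensitive comparison of RDNs, with a partial DN treated as a trailing sequence of RDNs that the peer's certificate subject must end with. That model, the helper names (dn_matches, ip_in_subnet, auth_record_matches) and the sample peers are assumptions for illustration, not HP-UX's documented algorithm.

```shell
#!/bin/sh
# Added example, not HP-UX IPSec code: model which peers an authentication
# record selects. ASSUMPTION: a partial -rid matches when the peer's subject
# DN ends with the same trailing RDNs; a full -rid must match exactly.

# Normalize a DN for comparison: lowercase, no whitespace around ',' or '='.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' \
        | sed -e 's/[[:space:]]*,[[:space:]]*/,/g' \
              -e 's/[[:space:]]*=[[:space:]]*/=/g' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# dn_matches RECORD_DN SUBJECT_DN
# Returns 0 if the subject equals the record DN, or ends with ",<record DN>".
dn_matches() {
    rec=$(norm_dn "$1")
    subj=$(norm_dn "$2")
    [ "$rec" = "$subj" ] && return 0
    case "$subj" in
        *",$rec") return 0 ;;
    esac
    return 1
}

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_subnet ADDR REMOTE  (REMOTE is "a.b.c.d/bits" or a bare host address)
ip_in_subnet() {
    net=${2%/*}
    case "$2" in
        */*) bits=${2#*/} ;;
        *)   bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# auth_record_matches REMOTE RID PEER_ADDR PEER_SUBJECT_DN
# Models one authentication record: -remote must contain the peer's address
# and -rid must match the subject DN of the certificate the peer presents.
auth_record_matches() {
    ip_in_subnet "$3" "$1" && dn_matches "$2" "$4"
}

# Constructed sample peers (address, certificate subject DN), one per line.
SAMPLE_PEERS='10.1.1.1 cn=foo1,o=hp,ou=foo,c=us
10.1.7.9 CN=anyone, O=HP, OU=foo, C=US
10.1.1.1 cn=foo1,o=hp,ou=bar,c=us
10.2.2.2 cn=foo1,o=hp,ou=foo,c=us'

# Show what the subnet-wide record from the text accepts and rejects.
printf '%s\n' "$SAMPLE_PEERS" | while read -r addr dn; do
    if auth_record_matches 10.1.0.0/16 "o=hp,ou=foo,c=us" "$addr" "$dn"; then
        echo "accept  $addr  $dn"
    else
        echo "reject  $addr  $dn"
    fi
done
```

Running the script shows the subnet-wide record accepting both foo1 and the constructed "CN=anyone" certificate, while rejecting a peer outside 10.1.0.0/16 and a certificate from a different OU. The second line is the point of the caveat: once the CN is dropped from -rid, the CA decides which hosts can authenticate.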
Additional Options
For information on configuring alternate ID types and configuring authentication records for
multihomed IKE peers, see the HP-UX IPSec Administrator's Guide and ipsec_config_add(1M).
Configuring a Certificate for an HP-UX Client 21