Using Microsoft Certificates with HP-UX IPSec A.03.00

Configuring host policies
Configure the host policies as you normally would. For example, on host1, HP configured the
following host policy to encrypt packets exchanged with host2:
ipsec_config add host host2 -destination 10.0.0.22 -action ESP_AES128_HMAC_SHA1
Configuring authentication records
Configure the authentication records with the appropriate authentication IDs. By default, Microsoft
Windows IPsec uses X.500 DNs as the IKE ID type. On host1, HP configured the following
authentication record to use with host2:
ipsec_config add auth host2 -remote 10.0.0.22 -ltype X500-DN -lid cn=host1.hpipsec.hp.com -rtype X500-DN -rid cn=host2.hpipsec.hp.com
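Because both sides use X500-DN IKE IDs, the -lid and -rid values must denote the same DNs as the subjects of the two certificates, and tools print DNs with differing case, spacing and RDN order. The following check is an added example, not part of HP's document or of HP-UX IPSec itself: it normalizes DN strings (RFC 4514 conventions, case-insensitive matching for values) and compares the auth record IDs from the page against certificate subjects; the CERT_SUBJECTS values are constructed, not real certificates.

```python
"""Check that the IKE IDs in an HP-UX IPSec auth record match the certificate
subject DNs when both peers use X500-DN IDs (added example, not HP code)."""
import re

# Values from the auth record above; the certificate subjects are constructed
# samples showing the casing/whitespace variants different tools emit.
AUTH_RECORD = {"lid": "cn=host1.hpipsec.hp.com", "rid": "cn=host2.hpipsec.hp.com"}
CERT_SUBJECTS = {
    "host1": "CN=host1.hpipsec.hp.com",      # local cert, upper-case attribute type
    "host2": "CN = host2.hpipsec.hp.com",    # remote cert, extra whitespace
}

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped


def normalize_dn(dn):
    """Return a canonical list of (type, value) tuples for a string DN.

    Attribute types are case-insensitive and whitespace around '=' and ','
    is not significant (RFC 4514); values are lower-cased as well, which is
    how caseIgnoreMatch treats CN. Malformed RDNs raise ValueError.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        if not rdn.strip():
            raise ValueError("empty RDN in %r" % dn)
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=' in %r" % dn)
        rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return rdns


def ids_match(auth_id, cert_subject):
    """True if an auth record ID and a certificate subject are the same DN.

    RDN order is accepted either way round, since some tools print the CN
    first and others print it last.
    """
    a, b = normalize_dn(auth_id), normalize_dn(cert_subject)
    return a == b or a == list(reversed(b))


def check_auth_record(record, subjects):
    """Report, per side of the auth record, whether the ID matches the cert."""
    return {
        "local": ids_match(record["lid"], subjects["host1"]),
        "remote": ids_match(record["rid"], subjects["host2"]),
    }


if __name__ == "__main__":
    print(check_auth_record(AUTH_RECORD, CERT_SUBJECTS))
```

A False entry points at the side whose -lid or -rid needs to be changed to the DN actually in that peer's certificate before IKE can authenticate.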
Configuring IKE policies
In this example HP used the default IKEv1 policy without modifications.
Verifying the configuration
To verify the configuration, start IPsec on the HP-UX system and the peer if needed. Initiate traffic that
matches the host policy. Use the ipsec_report -sa command to verify that the IKE and IPsec SAs
are established.
TIP: If you restart HP-UX IPSec and the audit level is set to informative or lower, you will see a log
message similar to the following if the local certificate is valid:
Msg: 4 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:40:32 2009
Event: Either certificate or preshared key can be used for authentication.
Configuring a cron job to retrieve the CRL
HP-UX IPSec provides the script /var/adm/ipsec/util/crl.cron to retrieve the CRL from an
LDAP directory. You can configure a cron job to use this script to periodically retrieve the CRL from
the Active Directory server. For more information, see the HP-UX IPSec A.03.00 Administrator’s
Guide.