Installing and Administering IPSec/9000 > Chapter 1 Installing and Configuring IPSec/9000

Step 8: Configuring a Certificate ID

IPSec/9000 uses the configured certificate ID information to verify the identity that the remote system sends in its ISAKMP ID payload during the ISAKMP negotiation, and to check that this identity matches the information in the remote system's certificate.

IPSec/9000 uses the remote system's IP address (the source address of the ISAKMP negotiation packet) to select the certificate ID entry. It then checks that the ID type and value in that entry match what the remote system sends in its ISAKMP ID payload, and that the value also matches the corresponding information in the remote system's certificate. The identity is accepted only if all of these checks pass.

An IPSec/9000 system always sends an IPv4 address ID (ID_IPV4_ADDR) containing the IP address on which IPSec is running.

You do not need to configure certificate IDs if all certificate-based IPSec communication on your network is between IPSec/9000 systems, and each system has only one IP address.

You must configure certificate IDs in the following cases:

  • If your IPSec/9000 system establishes ISAKMP Security Associations (SAs) with a multi-homed remote system, and the IP address on which that system runs IPSec is not the IP address in the SubjectAltName field of its certificate, you must configure a certificate ID for that IP address.

    In most cases, the remote system will use the same certificate for all of its IP addresses. In these cases, the ID Type and Value you configure will be the same for all the certificate IDs for that system.

  • If your IPSec/9000 system establishes ISAKMP SAs with a remote system that sends an ISAKMP ID payload other than an IPv4 address (ID_IPV4_ADDR), you must configure a certificate ID with the appropriate ID Type and Value. The other ISAKMP ID types IPSec/9000 accepts are:

    • Fully Qualified Domain Name (ID_FQDN)

    • User Fully Qualified Domain Name (ID_USER_FQDN)

    • X.509 Distinguished Name (DN, ID_DER_ASN1_DN)

      NOTE: Microsoft's version of IPSec sends the DN as its default ID for certificates.
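The three checks described above (select the certificate ID entry by the remote IP address, compare the ISAKMP ID payload against the configured ID type and value, then confirm the value is present in the remote certificate), modelled in Python as an added example. This is illustrative code written for this page, not part of IPSec/9000. The Certificate class (a stand-in for a parsed X.509 certificate), the verify_peer_id function, the sample addresses, names and certificates, and the fallback used when no certificate ID is configured (expect an ID_IPV4_ADDR equal to the peer's IP address and look for it in the certificate's SubjectAltName) are assumptions made for the example; the DN comparison is a simplified textual one rather than a comparison of DER-encoded names.

```python
from dataclasses import dataclass, field
import ipaddress

# ISAKMP identification types IPSec/9000 accepts (names as in RFC 2407).
ID_IPV4_ADDR = "ID_IPV4_ADDR"
ID_FQDN = "ID_FQDN"
ID_USER_FQDN = "ID_USER_FQDN"
ID_DER_ASN1_DN = "ID_DER_ASN1_DN"


@dataclass
class Certificate:
    """Constructed stand-in for a parsed X.509 certificate; only the fields the check reads."""
    subject_dn: str
    san_ip: list = field(default_factory=list)     # SubjectAltName iPAddress entries
    san_dns: list = field(default_factory=list)    # SubjectAltName dNSName entries
    san_email: list = field(default_factory=list)  # SubjectAltName rfc822Name entries


def _norm_dn(dn):
    # Hypothetical simplification: compare attribute type/value pairs case-insensitively
    # and in order, instead of comparing DER-encoded RDN sequences.
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return tuple(pairs)


def _same_value(id_type, a, b):
    """Equality of two ID values of the same type, normalised per type."""
    if id_type == ID_IPV4_ADDR:
        try:
            return ipaddress.ip_address(a) == ipaddress.ip_address(b)
        except ValueError:          # malformed address in the payload or the table
            return False
    if id_type == ID_DER_ASN1_DN:
        return _norm_dn(a) == _norm_dn(b)
    return a.lower() == b.lower()   # FQDN and user FQDN compare case-insensitively


def _in_certificate(id_type, value, cert):
    """Does the ID value appear in the certificate field that corresponds to its type?"""
    if id_type == ID_IPV4_ADDR:
        candidates = cert.san_ip
    elif id_type == ID_FQDN:
        candidates = cert.san_dns
    elif id_type == ID_USER_FQDN:
        candidates = cert.san_email
    elif id_type == ID_DER_ASN1_DN:
        candidates = [cert.subject_dn]
    else:
        return False                # unknown ID type: never accept
    return any(_same_value(id_type, value, c) for c in candidates)


def verify_peer_id(cert_ids, peer_ip, id_type, id_value, cert):
    """Run the three checks. cert_ids maps a peer IP address string to the
    (ID type, ID value) pair configured for it on the Certificate ID tab.
    Returns (accepted, reason)."""
    peer = str(ipaddress.ip_address(peer_ip))
    # Check 1: select the certificate ID entry by the peer's IP address. With no entry,
    # assume the default for IPSec/9000 peers: an ID_IPV4_ADDR equal to the peer IP.
    expected_type, expected_value = cert_ids.get(peer, (ID_IPV4_ADDR, peer))
    # Check 2: the ISAKMP ID payload must carry the configured type and value.
    if id_type != expected_type:
        return False, "ID type %s sent, %s configured" % (id_type, expected_type)
    if not _same_value(id_type, id_value, expected_value):
        return False, "ID value %r does not match configured %r" % (id_value, expected_value)
    # Check 3: the same value must be present in the remote system's certificate.
    if not _in_certificate(id_type, id_value, cert):
        return False, "ID value %r not found in certificate" % id_value
    return True, "ok"


# Constructed sample data: a multi-homed IPSec/9000 gateway whose certificate names only
# one of its addresses, and a Windows peer that sends its DN as the ID.
CERT_IDS = {
    "10.0.0.10": (ID_IPV4_ADDR, "192.168.1.10"),
    "10.0.0.20": (ID_DER_ASN1_DN, "C=US, O=Example, CN=win.example.com"),
}
GW_CERT = Certificate(subject_dn="C=US, O=Example, CN=gw.example.com",
                      san_ip=["192.168.1.10"], san_dns=["gw.example.com"])
WIN_CERT = Certificate(subject_dn="C=US, O=Example, CN=win.example.com")

if __name__ == "__main__":
    print(verify_peer_id(CERT_IDS, "10.0.0.10", ID_IPV4_ADDR, "192.168.1.10", GW_CERT))
    print(verify_peer_id({}, "10.0.0.10", ID_IPV4_ADDR, "192.168.1.10", GW_CERT))
    print(verify_peer_id(CERT_IDS, "10.0.0.20", ID_DER_ASN1_DN,
                         "c=us, o=example, cn=WIN.example.com", WIN_CERT))
```

The second call shows why the multi-homed case needs an entry: without one, the peer negotiating from 10.0.0.10 is expected to identify itself as 10.0.0.10, so its ID of 192.168.1.10 is refused even though that address is in its certificate. The type check also means a peer cannot substitute a different ID type that happens to be present in its certificate (for example an FQDN when an IPv4 address is configured).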

Follow these steps to configure a certificate ID:

  1. On the Certificate ID tab, click Create.

  2. The Create a Certificate ID screen appears. Enter the IP address of the system associated with the certificate. This can be either the local host IP address, or the IP address of a remote host if you are configuring an ID for a remote host certificate.

  3. Choose the ID type you want to use to validate the certificate from the ID Type dropdown list.

    For more information about the different ID types, go to the online help, or see the Configuration Reference section at the end of this chapter.

  4. The Value fields for the ID type you chose appear. Enter the value or values for the ID.

    For more information on the Value fields, go to the online help or see the Configuration Reference section at the end of this chapter.

  5. Click OK. The new certificate ID information appears on the Certificate ID tab.

Go on to Step 9: Configuring Bootup Options

© 2001 Hewlett-Packard Development Company, L.P.