HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2, Chapter 3 Configuring HP-UX IPSec

Step 4: Configuring Preshared Keys Using Authentication Records

Complete this step only if you configured PSK (preshared keys) as an IKE authentication method in “Step 3: Configuring IKE Policies”. If you configured RSASIG (RSA signatures) as the IKE authentication method in all IKE policies, skip this step, and go to Chapter 4 “Using Certificates with HP-UX IPSec”.

HP-UX IPSec stores preshared keys in authentication records. You configure authentication records using the ipsec_config add auth command.

Remote Multi-homed Systems

If a remote system is multi-homed (the remote system has multiple IP addresses), you must configure an authentication record for each IP address on the remote system. Specify the same preshared key in each authentication record for the remote system.

Configuring IKE ID Information with Preshared Keys

Authentication records can also include IKE ID information. You do not have to configure IKE ID information if your topology meets the following requirements:

  • you are using preshared keys

  • the remote system is an HP-UX IPSec system, or a system that uses IP addresses as IKE IDs

If your topology does not meet the above requirements, you must configure IKE ID information. Refer to the ipsec_config(1M) manpage for more information on configuring IKE ID information. Chapter 4 “Using Certificates with HP-UX IPSec”, “Configuring Authentication Records with IKE IDs” also contains information on configuring IKE ID information.

As part of the ISAKMP/MM SA negotiation, the IKE peers exchange and verify ID types and ID values. During an ISAKMP/MM negotiation, HP-UX IPSec uses the remote system address to search for an authentication record. For preshared key authentication, the authentication record contains the preshared key value and can also contain the following IKE ID information:

  • local ID type

  • local ID value

  • remote ID type

  • remote ID value

If the authentication record matching the remote address includes local ID information, HP-UX IPSec sends the configured local ID information in an ISAKMP ID payload. If the matching authentication record has no local ID information, HP-UX IPSec sends the IP address of the interface it is using for the IKE negotiation as the local ID value, and sends the appropriate address type (IPv4 or IPv6) as the local ID type.

If the matching authentication record has remote ID information, HP-UX IPSec uses it to verify what the remote system sends in the ISAKMP ID payload. If the matching authentication record has no remote ID information for the remote system, HP-UX IPSec verifies that the source IP address from the inbound packet matches the ID value sent by the remote system, and uses the appropriate IP address type as the ID type.

ipsec_config add auth Syntax

You can use the following ipsec_config add auth syntax to configure preshared keys in most installations:

ipsec_config add auth auth_name
-remote ip_addr[/prefix] [-preshared preshared_key]

HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec. To specify an add auth operation for an ipsec_config batch file, use the above syntax without the ipsec_config command name:

add auth auth_name
-remote ip_addr[/prefix] [-preshared preshared_key]

The full ipsec_config add auth syntax specification also allows you to specify the following arguments:

  • nocommit (verify the syntax but do not commit the information to the database)

  • profile (alternate profile file)

  • ltype and lid (local ID type and value)

  • rtype and rid (remote ID type and value)

Refer to the ipsec_config(1M) manpage for full syntax information.

auth_name

The auth_name is the user-defined name for the authentication record. This name must be unique for each record and is case-sensitive.

Acceptable Values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen (-), or underscore (_).

ip_addr[/prefix]

The ip_addr and prefix are the IP address and network prefix length that specify the remote system or subnet for this record. Each ip_addr and prefix combination (the significant bits of ip_addr, as specified by prefix) must be unique. If the remote system's IP address matches multiple IP address and prefix combinations, HP-UX IPSec uses the authentication record with the most specific address (longest prefix length).

Where:

ip_addr

The ip_addr is the remote IP address.

Acceptable Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the source and destination address. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address cannot be a broadcast, subnet broadcast, multicast, or anycast address.

Default: None.

prefix

The prefix is the prefix length, or the number of leading bits that must match when comparing the remote IP address with ip_addr.

For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match. This prefix length is equivalent to an address mask of 255.255.255.255. Use a value less than 32 to specify a subnet address filter.

For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a value less than 128 to specify a subnet address filter.

WARNING! Specifying a subnet address filter and a preshared key allows you to configure a single preshared key for an entire subnet. However, HP strongly recommends that you configure an individual authentication record for each remote system with a unique preshared key.

Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.

Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address, or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0).

preshared_key

The preshared_key is the preshared key used for IKE authentication. This must match the preshared key configured on the remote system.

Acceptable Values: A text string containing 1 - 128 ASCII characters. White space is not allowed. You must quote shell special characters if you are using the command-line interface; do not quote them if you are using a batch file.

Default: None.

Authentication Record Configuration Examples

The following batch file entry configures an authentication record (named hostB here) for preshared key authentication for a remote system that has the address 10.2.2.2:

add auth hostB -remote 10.2.2.2 -preshared my_hostA_hostB_key

The following batch file entries configure authentication records (named hostX_a and hostX_b here) with preshared key authentication for a remote multi-homed HP-UX IPSec system with addresses 10.8.8.8 and 11.8.8.8. Both records carry the same preshared key, as required for a multi-homed remote system:

add auth hostX_a -remote 10.8.8.8 -preshared my_hostA_hostX_key
add auth hostX_b -remote 11.8.8.8 -preshared my_hostA_hostX_key
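The following Python model, added here as an illustration and not part of the HP-UX IPSec product or this guide, shows how a batch file of add auth entries is resolved the way the ip_addr[/prefix] description above specifies: the default prefix rule (32 or 128 for a non-zero address, 0 for an all-zeros address), the uniqueness rules for auth_name and for each address/prefix combination, and longest-prefix selection when several records match a remote address. The function names, the record layout and the sample batch file are all constructed for this example.

```python
import ipaddress
from typing import Dict, Optional

def parse_remote(spec: str):
    """ip_addr[/prefix]; a missing prefix defaults to 32/128, or 0 for an all-zeros address."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    addr = ipaddress.ip_address(spec)
    prefix = 0 if int(addr) == 0 else addr.max_prefixlen
    return ipaddress.ip_network((addr, prefix), strict=False)

def parse_batch(batch: str) -> Dict[str, dict]:
    """Read 'add auth auth_name -remote ... -preshared ...' lines; enforce both uniqueness rules."""
    records: Dict[str, dict] = {}
    seen_nets = set()
    for line in batch.splitlines():
        tok = line.split()
        if tok[:2] != ["add", "auth"]:
            continue  # skip blank lines and other batch operations
        name, opts = tok[2], dict(zip(tok[3::2], tok[4::2]))
        net = parse_remote(opts["-remote"])
        if name in records or net in seen_nets:
            raise ValueError(f"duplicate auth_name or address/prefix filter: {line}")
        seen_nets.add(net)
        records[name] = {"network": net, "preshared": opts.get("-preshared")}
    return records

def select_record(records: Dict[str, dict], remote_ip: str) -> Optional[str]:
    """Longest-prefix match among same-family records whose filter contains remote_ip."""
    ip = ipaddress.ip_address(remote_ip)
    best = None
    for name, rec in records.items():
        net = rec["network"]
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > records[best]["network"].prefixlen:
                best = name  # more specific filter wins
    return best

# Constructed sample batch file (not from the manual); hostX is multi-homed.
SAMPLE_BATCH = """\
add auth hostB -remote 10.2.2.2 -preshared my_hostA_hostB_key
add auth hostX_a -remote 10.8.8.8 -preshared my_hostA_hostX_key
add auth hostX_b -remote 11.8.8.8 -preshared my_hostA_hostX_key
add auth lab_subnet -remote 10.8.0.0/16 -preshared lab_subnet_key
add auth catchall -remote 0.0.0.0 -preshared fallback_key
"""
RECORDS = parse_batch(SAMPLE_BATCH)
```

Note that the subnet-wide and catch-all records exist only to show the selection order; the guide recommends one record with a unique key per remote system.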

© 2004 Hewlett-Packard Development Company, L.P.