Cluster I/O Protocols (CIP) Configuration and Management Manual (H06.16+, J06.05+)
NOTE: There are independent remote entries for each provider when the MULTIPROV option is
ON for a particular CLIM.
Climconfig Command    Description
remote -add           Add remote entry into racoon.conf configuration file
remote -delete        Delete proposals for remote IP address from racoon.conf configuration file
remote -info          Display proposals and other configurations for the remote IP address from the racoon.conf configuration file
Controlling the Virtual Private Network (VPN)
You activate and deactivate the virtual private network (VPN) connections by using the following
commands:
Command        Description
sp -start      Load configured security policies into the security policy database
vpn -status    Display status of virtual private network (VPN) connection
sp -stop       Unload security policies from security policy database
sa -stop       Unload security associations from security association database
Using IPSec
Tasks for configuring and managing IPSec are:
• Configuring, controlling, and monitoring manual IPSec connections
• Configuring, controlling, and monitoring automatic IPSec connections by using pre-shared
key or X.509 security certificates
• Configuring all IPSec related attributes such as SP, SA, remote, and psk on a set of CLIMs
• Adding a static route on the IPSec-enabled CLIM so the host routing decisions favor NonStop
host system application traffic to be forwarded to this CLIM
• Restarting the racoon daemon if you add a new SA or remote attribute using the -restart
option. Restarting racoon flushes all active SAs in the kernel's SAD, whether they were
established automatically by racoon or added manually with climconfig. This disrupts
existing application data traffic over the established IPSec connections.
• If an SP is modified (delete followed by add), a new IPSec connection is re-established.
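A pre-flight check for the proposal and restart points in the list above, as an added example that is not part of the manual: it parses a joined climconfig remote -add command line and reports deprecated proposal values and the -restart switch. The set of deprecated values uses racoon.conf algorithm names and is this example's assumption, and the function names are hypothetical; the sample input is the remote -add command from this page's sample script.

```python
import shlex

# Assumption: values flagged here use racoon.conf algorithm names; the manual
# does not list which values climconfig accepts or which it considers weak.
DEPRECATED = {
    "-E": {"des", "3des"},          # encryption algorithm
    "-H": {"md5"},                  # hash algorithm
    "-D": {"modp768", "modp1024"},  # Diffie-Hellman group
}

def parse_remote_add(command):
    """Return {flag: value} for a 'climconfig remote -add' line, else None."""
    tokens = shlex.split(command)
    if "climconfig" not in tokens:
        return None
    start = tokens.index("climconfig")
    if tokens[start + 1:start + 3] != ["remote", "-add"]:
        return None
    opts, rest, i = {}, tokens[start + 3:], 0
    while i < len(rest):
        # A flag followed by a non-flag token takes that token as its value.
        if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
            opts[rest[i]] = rest[i + 1]
            i += 2
        else:
            opts[rest[i]] = True  # bare switch such as -restart
            i += 1
    return opts

def audit(command):
    """Return a list of findings for one joined command line."""
    opts = parse_remote_add(command)
    if opts is None:
        return []
    findings = [f"{flag} {opts[flag]}: deprecated value"
                for flag, bad in DEPRECATED.items()
                if str(opts.get(flag, "")).lower() in bad]
    if opts.get("-restart"):
        findings.append("-restart: flushes all active SAs in the kernel's SAD")
    return findings

# The remote -add command from this page's sample script, joined onto one line.
SAMPLE = ("CLIMCMD 16.107.170.193 climconfig remote -add -ip 1.2.3.6 -M base "
          "-idtype asn1dn -pubcert host1_cert.pem -privkey host1_key.pem "
          "-E 3des -H md5 -A rsasig -D modp768 -restart")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Join each wrapped command onto one line before passing it to audit(); lines that are not remote -add commands produce no findings.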
Here is a sample script that uses CLIMCMD on the NonStop host system, for a CLIM with MULTIPROV
OFF, to issue IPSec climconfig commands that configure sp, remote, and sa entries with X.509
security certificates:
CLIMCMD 16.107.170.193 climconfig sp -add
-s 1.2.3.6 -d 1.2.3.4 -u any -dir in -policy ipsec
-protocol esp -mode transport -level require -load
CLIMCMD 16.107.170.193 climconfig sp -add
-s 1.2.3.4 -d 1.2.3.6 -u any -dir out -policy ipsec
-protocol esp -mode transport -level require -load
CLIMCMD 16.107.170.193 climconfig remote -add
-ip 1.2.3.6 -M base -idtype asn1dn
-pubcert host1_cert.pem
-privkey host1_key.pem -E 3des -H md5 -A rsasig
-D modp768 -restart
CLIMCMD 16.107.170.193 climconfig sa -add