Cluster I/O Protocols (CIP) Configuration and Management Manual (H06.16+, J06.05+)

-verify_identifier
To verify the peer's identifier, set this to on. In this case, if the value defined by -peer_idtype
is not the same as the peer's identifier in the ID payload, the negotiation will fail. The default
is off.
-pubcert certfile
Specifies the file name of a public certificate.
-privkey privkeyfile
Specifies the file name of a private key. If you omit the -pubcert or -privkey option, the
default behavior is to use the pre-shared key. The default path for the pre-shared key file is
/etc/racoon/psk.txt.
-dpd_delay seconds
Activates Dead Peer Detection (DPD) and specifies the time, in seconds, allowed between two
proof of liveliness requests. The default value is 0, which disables DPD monitoring but negotiates
DPD support.
-dpd_retry seconds
Sets the delay, in seconds, to wait for a proof of liveliness before considering it failed and
sending another request. The default value is 5. This is set only if dpd_delay is set.
-dpd_maxfail number
Sets the maximum number of liveliness proofs to request, without reply, before considering the
peer dead. The default value is 5. This is set only if dpd_delay is set.
-A authentication_method
Specifies the authentication method used for the phase 1 negotiation. This parameter is required.
The method is one of the values: pre_shared_key, rsasig, or gssapi_krb.
-D dh_group
Defines the group used for the Diffie-Hellman exponentiations. This parameter is required.
dh_group is one of the values: modp768, modp1024, modp1536, modp2048, modp3072,
modp4096, modp6144, or modp8192. You can also specify one of the numerals 1, 2, 5, 14,
15, 16, 17, or 18 as the DH group number. When you choose aggressive mode, you must
define the same DH group in each proposal.
-E encryption_algorithm
Specifies the encryption algorithm used for the phase 1 negotiation. This parameter is required.
The algorithm is one of the following: des, 3des, blowfish, cast128, or aes for Oakley.
Do not use this parameter for other transforms.
-H hash_algorithm
Specifies the hash algorithm used for the phase 1 negotiation. This parameter is required.
hash_algorithm is one of the values: md5, sha1, sha256, sha384, or sha512 for Oakley.
-gssid string
Specifies the GSS-API endpoint name, to be included as an attribute in the SA, if the gssapi_krb
authentication method is used. If gssid is not defined, the default value host/hostname is
used, where hostname is the value returned by the hostname command.
-tag tag-id
The tag identifier that identifies the proposal of a remote configuration. Tag ids are numbered
from 1 to 10.
-restart
Causes the newest racoon.conf file to be loaded by restarting the racoon daemon. A warning
about the restart of the racoon daemon is issued to inform users that the SAs established in the
SAD will be disconnected.
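The option rules above (required -A, -D, -E and -H; their permitted value sets; the numeral aliases for -D; -dpd_retry and -dpd_maxfail only meaningful when -dpd_delay is non-zero; -pubcert and -privkey as a pair with a pre-shared-key fallback; -tag between 1 and 10; one DH group across all proposals in aggressive mode) are easy to get wrong when a proposal is assembled by hand. The checker below is an added example, not code from the CIP manual or from racoon: it models a proposal as a dict keyed by flag name without the leading hyphen, reports hard errors separately from warnings, and flags algorithm choices that a reviewer would question today (that weak-choice list is the example's own judgment, not a rule from the manual). The sample proposals at the bottom are constructed.

```python
"""Consistency checker for IKE phase 1 proposal options (added example, not
part of the CIP manual or the racoon distribution)."""

# Values the manual lists for -D, with the numeral alias it also accepts.
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
             "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18}
AUTH_METHODS = {"pre_shared_key", "rsasig", "gssapi_krb"}
ENC_ALGS = {"des", "3des", "blowfish", "cast128", "aes"}
HASH_ALGS = {"md5", "sha1", "sha256", "sha384", "sha512"}
# Example's own judgment: choices worth a warning in a modern deployment.
WEAK = {"des", "md5", "modp768", "modp1024"}
PSK_FILE = "/etc/racoon/psk.txt"  # default pre-shared key path from the manual


def normalize_dh(value):
    """Return the modp name for -D given either the name or its numeral, else None."""
    value = str(value)
    if value in DH_GROUPS:
        return value
    for name, number in DH_GROUPS.items():
        if str(number) == value:
            return name
    return None


def check_proposal(opts):
    """Validate one proposal; return (errors, warnings) as lists of strings."""
    errors, warnings = [], []
    for flag in ("A", "D", "E", "H"):
        if flag not in opts:
            errors.append(f"-{flag} is required")
    if "A" in opts and opts["A"] not in AUTH_METHODS:
        errors.append(f"-A {opts['A']}: not one of {sorted(AUTH_METHODS)}")
    dh = normalize_dh(opts.get("D", ""))
    if "D" in opts and dh is None:
        errors.append(f"-D {opts['D']}: unknown DH group")
    if "E" in opts and opts["E"] not in ENC_ALGS:
        errors.append(f"-E {opts['E']}: not one of {sorted(ENC_ALGS)}")
    if "H" in opts and opts["H"] not in HASH_ALGS:
        errors.append(f"-H {opts['H']}: not one of {sorted(HASH_ALGS)}")
    # -dpd_retry / -dpd_maxfail are only applied when DPD monitoring is active.
    if int(opts.get("dpd_delay", 0)) == 0:
        for flag in ("dpd_retry", "dpd_maxfail"):
            if flag in opts:
                warnings.append(f"-{flag} ignored: -dpd_delay is 0 (monitoring disabled)")
    # Certificate options come as a pair; otherwise the pre-shared key file is used.
    if ("pubcert" in opts) != ("privkey" in opts):
        warnings.append(f"only one of -pubcert/-privkey given; falling back to {PSK_FILE}")
    if opts.get("A") == "rsasig" and not ("pubcert" in opts and "privkey" in opts):
        warnings.append("rsasig selected but no certificate pair; default is the pre-shared key")
    if opts.get("A") == "gssapi_krb" and "gssid" not in opts:
        warnings.append("-gssid not set; default is host/<hostname>")
    if "tag" in opts and not 1 <= int(opts["tag"]) <= 10:
        errors.append(f"-tag {opts['tag']}: tag ids are numbered from 1 to 10")
    for choice in (opts.get("E"), opts.get("H"), dh):
        if choice in WEAK:
            warnings.append(f"{choice} is a weak choice for phase 1")
    return errors, warnings


def check_remote(proposals, aggressive=False):
    """Validate all proposals of one remote; in aggressive mode -D must agree."""
    errors = []
    for i, p in enumerate(proposals, 1):
        errs, _ = check_proposal(p)
        errors += [f"proposal {i}: {e}" for e in errs]
    if aggressive and len({normalize_dh(p.get("D", "")) for p in proposals}) > 1:
        errors.append("aggressive mode: every proposal must use the same -D group")
    return errors


# Constructed sample proposals (not from any real configuration).
LEGACY = {"A": "pre_shared_key", "D": "1", "E": "des", "H": "md5", "dpd_retry": "5"}
CURRENT = {"A": "rsasig", "D": "modp2048", "E": "aes", "H": "sha256",
           "dpd_delay": "30", "dpd_retry": "5", "dpd_maxfail": "5",
           "pubcert": "host.crt", "privkey": "host.key", "tag": "1"}

if __name__ == "__main__":
    for name, prop in (("LEGACY", LEGACY), ("CURRENT", CURRENT)):
        errs, warns = check_proposal(prop)
        print(name, "errors:", errs, "warnings:", warns)
    print(check_remote([CURRENT, {**CURRENT, "D": "modp1536"}], aggressive=True))
```

The LEGACY proposal is accepted as syntactically valid (no errors) but draws four warnings: the ignored -dpd_retry and the three weak choices. CURRENT is clean, and the aggressive-mode check rejects a second proposal that changes only the DH group.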