HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)

Figure 5 Packet with unencrypted TCP data
Figure 6 Packet with IPSec-encrypted TCP data
IPFilter never sees the TCP packets (protocol number 6) exchanged between system A and system B.
These packets are encrypted (wrapped) inside packets that carry protocol number 50 (ESP). If you
configure IPFilter to block packets with protocol number 6, it still lets the protocol 50 packets pass
through; IPSec then unwraps each packet and decrypts the TCP data.
If the IPFilter configuration is so broad that it blocks protocol 50 or protocol 51 traffic, IPSec
traffic will not get through.
Figure 7 Scenario four
In Scenario four, IPSec is configured to encrypt TCP traffic between the two systems, and IPFilter is
configured to block non-TCP traffic. IPFilter rules are also configured to let UDP/500 (IKE) traffic
pass on system B.
# Allow IKE to/from system B
pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto UDP from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
# Let in encrypted IPSec traffic
pass in quick proto 50 from 15.15.15.15 to 10.10.10.10
pass out quick proto 50 from 10.10.10.10 to 15.15.15.15
# Allow TCP traffic to/from anywhere
pass in quick proto TCP
pass out quick proto TCP
# Block all other traffic to/from anywhere
block in from any to any
block out from any to any
NOTE: If IPSec is configured to use AH rather than ESP, you must configure IPFilter to let protocol
51 traffic pass. If IPSec uses nested AH and ESP, IPFilter can be configured to let only protocol 51
(AH) traffic pass.
IPSec gateways
You can configure IPSec to encrypt and authenticate traffic to a gateway that sits between two end hosts.
A configuration that encrypts IPSec packets to a gateway is called an IPSec tunnel.
IPFilter can coexist with IPSec tunnels without conflict. However, you must configure IPFilter to allow
IPSec traffic to and from the gateway instead of the end node: the IPFilter rules for UDP/500 and
protocol 50/51 traffic must pass packets to and from the gateway IP address rather than the end
node IP address.
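To make the two points above concrete (the ordering of the Scenario four rule set, and why tunnel traffic is dropped until the rules name the gateway), here is an added Python model that is not part of the HP-UX guide: it evaluates the inbound half of the Scenario four rules against constructed packets using IPFilter's quick/last-match semantics. The gateway address 15.15.15.1 and the TCP client 192.0.2.7 are assumptions.

```python
# Added example, not from the HP-UX guide: a minimal model of how IPFilter evaluates the inbound half
# of the Scenario four rule set above. Only the ipf.conf subset used there is modelled, not the engine.
RULES_SCENARIO_FOUR_IN = """
pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass in quick proto 50 from 15.15.15.15 to 10.10.10.10
pass in quick proto TCP
block in from any to any
"""
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "esp": 50, "ah": 51}

def parse_rule(line):
    toks = line.split()
    r = {"action": toks[0], "dir": toks[1], "quick": "quick" in toks,
         "proto": None, "src": "any", "sport": None, "dst": "any", "dport": None}
    for i, t in enumerate(toks):
        if t == "proto":
            r["proto"] = int(toks[i+1]) if toks[i+1].isdigit() else PROTO_NUMBERS[toks[i+1].lower()]
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            r[side] = toks[i+1]
            if toks[i+2:i+4] == ["port", "="]:           # only the 'port = N' form is modelled
                r[side[0] + "port"] = int(toks[i+4])
    return r

def matches(r, pkt):
    return (r["dir"] == pkt["dir"] and r["proto"] in (None, pkt["proto"])
            and r["src"] in ("any", pkt["src"]) and r["dst"] in ("any", pkt["dst"])
            and r["sport"] in (None, pkt.get("sport")) and r["dport"] in (None, pkt.get("dport")))

def evaluate(rules_text, pkt):
    """IPFilter ordering: the last matching rule wins, unless a matching 'quick' rule ends the scan."""
    decision = "pass"                            # IPFilter passes a packet that no rule matches
    for r in map(parse_rule, rules_text.strip().splitlines()):
        if matches(r, pkt):
            decision = r["action"]
            if r["quick"]:
                break
    return decision

def scenario_four_decisions():
    # Constructed inbound packets as seen by IPFilter on system A; gw is a hypothetical IPSec gateway.
    a, b, gw = "10.10.10.10", "15.15.15.15", "15.15.15.1"
    pkts = {
        "ike": dict(dir="in", proto=17, src=b, sport=500, dst=a, dport=500),
        "esp": dict(dir="in", proto=50, src=b, dst=a),              # passes; inner TCP is never seen
        "ah": dict(dir="in", proto=51, src=b, dst=a),               # blocked: no proto 51 rule
        "tcp": dict(dir="in", proto=6, src="192.0.2.7", sport=40000, dst=a, dport=22),
        "esp_from_gw": dict(dir="in", proto=50, src=gw, dst=a),     # tunnel: rules must name gw
    }
    return {name: evaluate(RULES_SCENARIO_FOUR_IN, p) for name, p in pkts.items()}
```

Changing the proto 50 rule's source to the gateway address (or adding a second rule for it) is what turns the last decision into a pass, which is the adjustment the gateway section describes.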
92 HP-UX IPFilter and IPSec