HP-UX IPFilter Version 15.01 Administrator's Guide

13 HP-UX IPFilter and IPSec
This chapter describes how HP-UX IPFilter and HP-UX IPSec work together. It contains the
following sections:
“IPFilter and IPSec Basics” (page 111)
“IPSec UDP Negotiation” (page 111)
“When Traffic Appears to Be Blocked” (page 112)
“Allowing Protocol 50 and Protocol 51 Traffic” (page 113)
“IPSec Gateways” (page 114)
IPFilter and IPSec Basics
IPSec and IPFilter will not panic or corrupt each other. However, there are situations in which
one product might block traffic for the other. The following figure shows the positions of IPFilter
and IPSec in the network stack:
Figure 13-1 IPFilter and IPSec (network stack, top to bottom: IPSec, then IPFilter)
IPFilter, which is below IPSec in the networking stack, filters network packets before they reach
IPSec. You can have both IPFilter and IPSec configured and running on a system without them
negatively affecting each other.
Figure 13-2 Scenario One
B <---------------> A <-----------------> C
                 (IPSec)               (IPSec)
                (IPFilter)
In Scenario One, you have IPFilter and IPSec on system A with IPFilter blocking packets from
system B and IPSec encrypting packets from system C. When a packet arrives at system A, IPFilter
checks to see if it is from system B, and, if so, blocks the packet. If not, the packet continues up
the stack to IPSec. IPSec checks to see if it is from system C. If so, the packet arrives encrypted.
There is no overlap between the IPFilter and IPSec configurations in this network topology, so
there are no conflicts in Scenario One.
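As an added example, constructed for Scenario One and not taken from the HP-UX documentation, the following IPFilter rules are what system A could load (for instance with ipf -f) to block system B while letting traffic from system C continue up the stack to IPSec. The interface name lan0 and the addresses 192.0.2.10 (system B) and 192.0.2.20 (system C) are assumptions. Because IPFilter sits below IPSec, packets from C arrive at IPFilter still protected by IPSec, so IPFilter sees them as protocol 50 (ESP) or protocol 51 (AH) together with the UDP exchange IPSec uses for negotiation, and it is those protocols that the rules must pass.

```conf
# Constructed example for Scenario One on system A; not from the HP-UX guide.
# Assumed: interface lan0, system B = 192.0.2.10, system C = 192.0.2.20.

# Drop everything from system B before it reaches IPSec.
block in quick on lan0 from 192.0.2.10 to any

# IPSec-protected packets from system C reach IPFilter as ESP (protocol 50)
# or AH (protocol 51); pass them so IPSec above IPFilter can process them.
pass in quick on lan0 proto esp from 192.0.2.20 to any
pass in quick on lan0 proto ah from 192.0.2.20 to any

# IPSec key negotiation from system C over UDP (port 500 is the IKE default;
# an assumption here, this chapter does not state the port).
pass in quick on lan0 proto udp from 192.0.2.20 to any port = 500

# Policy for all remaining traffic; use "block" here for deny-by-default.
pass in on lan0 all
pass out on lan0 all
```

A rule that passed only, say, TCP from system C would silently defeat Scenario One: the packets on the wire from C are ESP or AH, not TCP, so IPFilter would discard them before IPSec ever saw them. That is the kind of overlap the next section warns about.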
CAUTION: HP-UX IPSec does not support NAT traversal. If you are using HP-UX IPFilter with
HP-UX IPSec, do not use NAT functionality. However, it is possible that IPFilter and NAT can
be used in network configurations containing other vendors’ IPSec products that do support
NAT traversal.
IPSec UDP Negotiation
You can configure IPSec and IPFilter so that there is some overlap in the configurations. However,
you must be sure the overlapping configurations do not block each other.
IPFilter and IPSec Basics 111