HP-UX IPFilter Version 17 Administrator's Guide
14.4 Allowing Protocol 50 and Protocol 51 Traffic
IPSec uses Encapsulating Security Payload (ESP) to provide data confidentiality (ESP can also carry
its own integrity check) and Authentication Header (AH) to provide data integrity at the IP layer.
Depending on a user's IPSec traffic policy configuration, IPSec inserts an ESP header, an AH header,
or both into the IP datagram immediately after the IP header. The protocol field of that IP header
is then 50 (ESP) or 51 (AH) to indicate the next header, so a packet filter that inspects the outer
IP header sees protocol 50 or 51, not the protocol of the payload that IPSec is protecting.
Figure 14-5 Packet with Unencrypted TCP Data: IP header (protocol # = 6) | TCP header | Data
Figure 14-6 Packet with IPSec-Encrypted TCP Data: IP header (protocol # = 50) | ESP header | Encrypted (TCP header and data)
IPFilter never sees the TCP packets exchanged between system A and system B as protocol number 6.
Those packets are encrypted and wrapped in a packet whose protocol number is 50, and the TCP header,
including its port numbers, is inside the encrypted payload where a filter cannot match on it. If you
configure IPFilter to block packets with protocol number 6 but to pass protocol number 50, the wrapped
packet passes; IPSec then unwraps it and decrypts the TCP data.
Conversely, if the IPFilter configuration is so broad that it blocks protocol 50 or protocol 51 traffic,
IPSec traffic does not get through, however permissive the rules for TCP are. The IKE exchange on UDP
port 500, which negotiates the security associations before any ESP or AH traffic can flow, must be
allowed as well.
Figure 14-7 Scenario Four: system A (10.10.10.10) <---- IPSec-protected TCP ----> system B (15.15.15.15); IPFilter rule: block !TCP
In Scenario Four, IPSec is configured to encrypt TCP traffic between the two systems, and IPFilter on
system A is configured to block non-TCP traffic. IPFilter rules are also configured to let IKE
(UDP port 500) traffic to and from system B pass, because the security associations must be negotiated
before any protocol 50 traffic is exchanged.
# Allow IKE (UDP port 500) to/from system B
pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto UDP from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
# Pass encrypted IPSec (ESP, protocol 50) traffic to/from system B
# (add matching "proto 51" rules if the IPSec policy also uses AH)
pass in quick proto 50 from 15.15.15.15 to 10.10.10.10
pass out quick proto 50 from 10.10.10.10 to 15.15.15.15
# Allow TCP traffic to/from anywhere
pass in quick proto TCP
pass out quick proto TCP
# Block all other traffic to/from anywhere
block in from any to any
block out from any to any
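The following is an added example and not part of the HP-UX IPFilter guide or HP's code. It models
the small subset of ipf.conf syntax used in the Scenario Four rule set above and IPFilter's matching
order (a matching "quick" rule ends evaluation at once; otherwise the last matching rule wins; a
packet that matches no rule passes), then runs constructed packets through it: the IKE exchange,
an ESP-wrapped TCP segment, an AH packet, plain TCP, ICMP, and the same ESP packet against a rule
set that passes TCP but has no protocol 50 rule. The packets and the addresses 192.0.2.7 are
constructed for the example; the real ipf grammar and matching engine are far richer than this model.

```python
# Added example, not HP's code: a small model of IPFilter rule matching applied to the
# Scenario Four rule set. Packets are constructed, not captured; only the ipf.conf subset
# used on this page is parsed.
from dataclasses import dataclass
from typing import List, Optional

IPPROTO = {"ICMP": 1, "TCP": 6, "UDP": 17, "ESP": 50, "AH": 51}


@dataclass
class Packet:
    direction: str                 # "in" or "out"
    proto: int                     # value of the outer IP header protocol field
    src: str
    dst: str
    sport: Optional[int] = None    # None when the filter cannot see a port (ESP, AH, ICMP)
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    direction: str
    quick: bool
    proto: Optional[int]           # None = any protocol
    src: Optional[str]             # None = any address
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]


def parse_rule(line: str) -> Rule:
    """Parse: <pass|block> <in|out> [quick] [proto P] [from A [port = N]] [to A [port = N]]"""
    t = line.split()
    action, direction, i = t[0], t[1], 2
    quick, proto, src, sport, dst, dport = False, None, None, None, None, None
    while i < len(t):
        if t[i] == "quick":
            quick, i = True, i + 1
        elif t[i] == "proto":                      # protocol name or number
            proto = IPPROTO.get(t[i + 1].upper()) or int(t[i + 1])
            i += 2
        elif t[i] in ("from", "to"):
            kw = t[i]
            addr = None if t[i + 1] == "any" else t[i + 1]
            port, i = None, i + 2
            if i < len(t) and t[i] == "port":      # ipf syntax is 'port = N'
                port, i = int(t[i + 2]), i + 3
            if kw == "from":
                src, sport = addr, port
            else:
                dst, dport = addr, port
        else:
            raise ValueError(f"unsupported token {t[i]!r} in: {line}")
    return Rule(action, direction, quick, proto, src, sport, dst, dport)


def load_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direto if False else r.direction == p.direction
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or r.src == p.src)
            and (r.dst is None or r.dst == p.dst)
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """IPFilter order: last matching rule wins, except a matching 'quick' rule ends the search."""
    verdict = "pass"                               # no match at all: the packet passes
    for r in rules:
        if matches(r, p):
            verdict = r.action
            if r.quick:
                break
    return verdict


def esp_encapsulate(inner: Packet, outer_src: str, outer_dst: str) -> Packet:
    """What the filter sees once IPsec wraps a segment in ESP: the outer IP header says
    protocol 50 and the TCP header, ports included, is inside the encrypted payload."""
    return Packet(inner.direction, IPPROTO["ESP"], outer_src, outer_dst)


SCENARIO_FOUR = """
pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto UDP from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
pass in quick proto 50 from 15.15.15.15 to 10.10.10.10
pass out quick proto 50 from 10.10.10.10 to 15.15.15.15
pass in quick proto TCP
pass out quick proto TCP
block in from any to any
block out from any to any
"""


def demo() -> dict:
    rules = load_rules(SCENARIO_FOUR)
    A, B = "10.10.10.10", "15.15.15.15"
    tcp_from_b = Packet("in", IPPROTO["TCP"], B, A, 40000, 22)      # cleartext view IPFilter never sees
    return {
        "ike_in":  filter_packet(rules, Packet("in", IPPROTO["UDP"], B, A, 500, 500)),
        "esp_in":  filter_packet(rules, esp_encapsulate(tcp_from_b, B, A)),
        "ah_in":   filter_packet(rules, Packet("in", IPPROTO["AH"], B, A)),   # no proto 51 rule
        "tcp_in":  filter_packet(rules, Packet("in", IPPROTO["TCP"], "192.0.2.7", A, 1234, 80)),
        "icmp_in": filter_packet(rules, Packet("in", IPPROTO["ICMP"], B, A)),
        # same ESP packet against a rule set with a TCP rule but no protocol 50 rule
        "esp_in_without_esp_rule": filter_packet(
            load_rules("pass in quick proto TCP\nblock in from any to any"),
            esp_encapsulate(tcp_from_b, B, A)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:25s} {verdict}")
```

Running it shows that the ESP-wrapped TCP segment passes only because of the explicit protocol 50
rule, that the AH packet is blocked by this rule set because nothing passes protocol 51, and that a
rule set which passes TCP but not protocol 50 drops the very TCP traffic it was meant to allow.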