HP-UX IPFilter Version A.03.05.14 Administrator's Guide
HP-UX IPFilter and IPSec
IPSec UDP Negotiation
Chapter 9 131
You can configure IPSec and IPFilter so that there is some overlap in the
configurations. However, you must be sure the overlapping
configurations do not block each other.
IPSec negotiates between the two machines on a connection using the UDP
protocol from port 500, and from port 4500 if IPSec NAT traversal is used.
If the IPFilter configuration is so broad that it is blocking all UDP traffic,
then IPSec cannot complete negotiations. When an IPSec negotiation is
not completed, the encrypted packets are not received. If this happens,
you will see an IPSec error on the initiating side of “MM negotiation
timeout.”
To let IPSec complete negotiations, configure IPFilter to let the IPSec
negotiation packets through.
Figure 9-3 Scenario Two
In Scenario Two, IPFilter on machine A is configured to block UDP traffic;
you want all TCP traffic to pass through, and you want all TCP traffic
with machine B on the network to be encrypted.
Machine A has IP address 10.10.10.10 and machine B has IP address
15.15.15.15.
As the TCP traffic with machine B must be encrypted, you configure
IPSec on both machines using IPSec Manager. To do so, use the IP
addresses to specify that the TCP traffic is to be encrypted.
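The IPFilter side of this scenario is the part that can silently break IPSec: a blanket UDP block also discards the negotiation packets on ports 500 and 4500. The following added example (it is not from the HP-UX IPFilter guide) is a small Python simulator of IPFilter rule evaluation, used here to check two rule sets for machine A against the Scenario Two addresses. It models the standard IPFilter semantics (rules evaluated top to bottom, the last matching rule wins, a matching rule marked `quick` decides immediately, and a packet matching no rule passes) and parses only the subset of the rule syntax used in the two constructed rule sets.

```python
"""Added example (not from the HP-UX IPFilter guide): simulate IPFilter rule
evaluation to confirm that a UDP-blocking rule set still lets the IPSec
negotiation packets (UDP 500, and UDP 4500 for NAT traversal) through.

Semantics modelled: rules are evaluated top to bottom, the LAST matching rule
decides, except that a matching rule marked 'quick' decides immediately; a
packet matching no rule is passed. Addresses are those of Scenario Two."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str            # 'pass' or 'block'
    direction: str         # 'in' or 'out'
    quick: bool            # stop evaluating once this rule matches
    proto: Optional[str]   # 'udp', 'tcp', or None for any protocol
    src: str               # source address or 'any'
    sport: Optional[int]   # source port, or None for any
    dst: str               # destination address or 'any'
    dport: Optional[int]   # destination port, or None for any


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rule(line: str) -> Rule:
    """Parse one rule of the form:
    (pass|block) (in|out) [quick] [proto P] (all | from A [port = N] to B [port = N])"""
    toks = line.split()
    action, direction = toks[0], toks[1]
    i = 2
    quick = False
    if i < len(toks) and toks[i] == "quick":
        quick, i = True, i + 1
    proto = None
    if i < len(toks) and toks[i] == "proto":
        proto, i = toks[i + 1], i + 2
    src, sport, dst, dport = "any", None, "any", None
    while i < len(toks):
        if toks[i] == "all":              # shorthand for 'from any to any'
            i += 1
        elif toks[i] in ("from", "to"):
            key, addr, i = toks[i], toks[i + 1], i + 2
            port = None
            if i < len(toks) and toks[i] == "port":
                port, i = int(toks[i + 2]), i + 3   # only 'port = N' is supported
            if key == "from":
                src, sport = addr, port
            else:
                dst, dport = addr, port
        else:
            raise ValueError(f"unsupported token {toks[i]!r} in rule: {line}")
    return Rule(action, direction, quick, proto, src, sport, dst, dport)


def load_rules(text: str) -> List[Rule]:
    lines = [l.strip() for l in text.strip().splitlines()]
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.src == "any" or rule.src == pkt.src)
            and (rule.dst == "any" or rule.dst == pkt.dst)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """Last matching rule wins; a matching 'quick' rule ends evaluation."""
    result = "pass"                        # IPFilter passes unmatched packets
    for r in rules:
        if matches(r, pkt):
            result = r.action
            if r.quick:
                break
    return result


# Constructed rule set for machine A that is too broad: it blocks every UDP
# packet, so IKE on port 500 never completes ("MM negotiation timeout").
BROAD_RULES = """
block in proto udp all
block out proto udp all
pass in proto tcp all
pass out proto tcp all
"""

# Constructed rule set that lets the IPSec negotiation through first. The
# 'quick' keyword makes each pass rule final, so the later blanket UDP block
# cannot override it under last-match semantics.
IPSEC_AWARE_RULES = """
pass in quick proto udp from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto udp from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
pass in quick proto udp from 15.15.15.15 port = 4500 to 10.10.10.10 port = 4500
pass out quick proto udp from 10.10.10.10 port = 4500 to 15.15.15.15 port = 4500
block in proto udp all
block out proto udp all
pass in proto tcp all
pass out proto tcp all
"""


def ike_negotiation_allowed(rules_text: str, nat_traversal: bool = False) -> bool:
    """True if negotiation packets pass in both directions between A and B."""
    rules = load_rules(rules_text)
    port = 4500 if nat_traversal else 500
    inbound = Packet("in", "udp", "15.15.15.15", port, "10.10.10.10", port)
    outbound = Packet("out", "udp", "10.10.10.10", port, "15.15.15.15", port)
    return verdict(rules, inbound) == "pass" and verdict(rules, outbound) == "pass"


if __name__ == "__main__":
    print("broad rules allow IKE:", ike_negotiation_allowed(BROAD_RULES))
    print("ipsec-aware rules allow IKE:", ike_negotiation_allowed(IPSEC_AWARE_RULES))
    print("ipsec-aware rules allow NAT-T:", ike_negotiation_allowed(IPSEC_AWARE_RULES, True))
```

The ordering in the second rule set matters: because IPFilter applies the last matching rule, a `pass` rule without `quick` placed before `block in proto udp all` would still be overridden by the block, so either mark the pass rules `quick` or place them after the blanket block. Other UDP traffic (for example port 53) is still blocked by these rules, and all TCP still passes, which is the overlap the scenario asks for.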
[Figure 9-3: machine A (10.10.10.10), running IPFilter with UDP blocked, and machine B (15.15.15.15); TCP traffic between A and B is protected by IPSec.]