HP-UX IPFilter Version A.03.05.14 Administrator's Guide
HP-UX IPFilter and IPSec
Allowing Protocol 50 and Protocol 51 Traffic
Chapter 9 135
If the IPFilter configuration is so broad that it blocks protocol 50 or
protocol 51 traffic, then IPSec traffic will not get through.
Figure 9-7 Scenario Four
In Scenario Four, IPSec is configured to encrypt TCP traffic between the
two machines and IPFilter is configured to block non-TCP traffic.
IPFilter rules are also configured to let UDP/500 traffic pass on
machine B.
# IPSec hole with machine B (IKE, UDP/500)
pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto UDP from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
# Let in encrypted IPSec traffic (ESP, protocol 50)
pass in quick proto 50 from 15.15.15.15 to 10.10.10.10
pass out quick proto 50 from 10.10.10.10 to 15.15.15.15
# Allow TCP traffic to/from anywhere
pass in quick proto TCP
pass out quick proto TCP
# Block all other traffic to/from anywhere
block in from any to any
block out from any to any
NOTE If IPSec is configured to use AH rather than ESP, you must configure
IPFilter to let protocol 51 traffic pass. If IPSec uses nested AH and ESP,
IPFilter can be configured to let only protocol 51 (ah) traffic pass.
[Figure 9-7 Scenario Four: IPSec on machine A (10.10.10.10) <--- TCP ---> IPSec on machine B (15.15.15.15); IPFilter rule: block !TCP]
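Added example, not from the guide: a small Python model of ipf rule evaluation (last matching rule wins unless a match is quick) that parses the Scenario Four rules and reports whether IKE (UDP/500), ESP (50) and AH (51) traffic between the two machines would pass. The ipf.conf subset it parses and the embedded ruleset are constructed for this illustration; it shows that the ruleset above admits ESP but blocks AH, which is why the NOTE calls for a protocol 51 rule when AH is in use.

```python
import re
# Constructed ruleset: the Scenario Four rules from the text, in ipf.conf syntax.
SCENARIO_FOUR = """
pass in quick proto udp from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto udp from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
pass in quick proto 50 from 15.15.15.15 to 10.10.10.10
pass out quick proto 50 from 10.10.10.10 to 15.15.15.15
pass in quick proto tcp
pass out quick proto tcp
block in from any to any
block out from any to any
"""
PROTO_NUM = {"tcp": "6", "udp": "17", "esp": "50", "ah": "51"}
RULE_RE = re.compile(r"^(pass|block) (in|out)( quick)?(?: proto (\S+))?"
                     r"(?: from (\S+)(?: port = (\d+))?)?(?: to (\S+)(?: port = (\d+))?)?$")
FIELDS = ("dir", "proto", "src", "sport", "dst", "dport")

def parse_rules(text):
    """Parse the subset of ipf.conf syntax used above (one rule per line)."""
    rules = []
    for line in text.splitlines():
        line = " ".join(line.split("#", 1)[0].split())  # drop comments, squeeze spaces
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        act, dirn, quick, proto, src, sport, dst, dport = m.groups()
        proto = PROTO_NUM.get((proto or "").lower(), proto)  # protocol names -> numbers
        rules.append((act, bool(quick), dict(zip(FIELDS, (dirn, proto, src, sport, dst, dport)))))
    return rules

def matches(rule, pkt):
    """A rule field of None or 'any' matches everything; otherwise exact match."""
    return all(rule[k] in (None, "any") or rule[k] == pkt[k] for k in FIELDS)

def evaluate(rules, pkt):
    """ipf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    verdict = "pass"  # ipf's built-in result when no rule matches at all
    for action, quick, rule in rules:
        if matches(rule, pkt):
            verdict = action
            if quick:
                break
    return verdict

def ipsec_path_check(rules, local, peer):
    """Verdicts for IKE (UDP/500), ESP (50) and AH (51) in both directions."""
    res = {}
    for name, proto, port in (("ike", "17", "500"), ("esp", "50", None), ("ah", "51", None)):
        res[name + "_in"] = evaluate(rules, dict(zip(FIELDS, ("in", proto, peer, port, local, port))))
        res[name + "_out"] = evaluate(rules, dict(zip(FIELDS, ("out", proto, local, port, peer, port))))
    return res
```

The model covers only the rule forms shown on this page; on a real host, ipfstat -io remains the authoritative view of the loaded rules.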