Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec

The above problem typically occurs with ESP-encrypted UDP or ICMP packets that are fragmented

by IP. HP-UX 11i systems minimize IP fragmentation of ESP-encrypted TCP packets. You may

still experience problems with ESP-encrypted TCP packets sent from an HP-UX system to a

Windows 2000 system if an intermediate IP gateway fragments the ESP packet.

Protocol Implementation Differences

HP-UX and Microsoft Windows both implement the IP Security protocol suite. However, there

are features in the protocol suite that HP-UX implemented which Microsoft did not implement,

and vice-versa.

The following features are implemented by HP-UX IPSec version A.02.01 but not by Microsoft

Windows XP:

• Advanced Encryption Standard (AES): HP-UX IPSec supports ESP encryption using the

following protocols: AES, Triple Data Encryption Standard (3DES), and Data Encryption

Standard (DES). Windows XP and Windows 2000 support 3DES and DES, but do not support

AES.

• Aggressive Mode (AM): HP-UX supports AM exchanges to establish IKE Security

Associations (SAs). AM is an optional feature and is not supported on Windows.

The following features are implemented by Microsoft Windows XP, but not by HP-UX IPSec

version A.02.01:

• Kerberos: Windows supports Internet Key Exchange (IKE) authentication using Kerberos.

RFC 2408 defines an optional Kerberos Token payload, but does not describe how to

implement it. This feature is not supported on HP-UX.

• Perfect Forward Secrecy (PFS) for keys only: HP-UX IPSec supports PFS for keys in

conjunction with PFS for all identities, but does not support PFS for keys only. Windows

supports PFS for keys only (“session key PFS”) and PFS for keys in conjuctions with PFS for

all identities (“master key PFS”). See “Perfect Forward Secrecy (PFS)” (page 43) for more

information.