Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec

proposed value sent by the remote system if it is within the range specified by the IPsec protocol
suite.
Windows IKE SA Lifetime Values
By default, Windows XP systems use the following preferred IKE SA lifetime values:
480 minutes (eight hours)
0 (infinite) IPsec SA negotiations (sessions) per IKE SA
In testing with HP-UX IPSec, HP configured a shorter IKE SA lifetime value on the Windows
system. When the Windows system was the initiator, it sent the configured lifetime value to the
remote system. When the Windows system was the responder, it accepted the value sent by the
HP-UX system but did not send a notification message (the RESPONDER-LIFETIME notification
defined in RFC 2409).
Maximum Quick Modes
HP-UX and Windows enable you to specify the maximum number of IPsec SA negotiations, also called
Quick Mode (QM) negotiations, that IKE can complete per IKE SA. Each IPsec SA negotiation
establishes two IPsec SAs (one in each direction).
The default maximum QM values are as follows:
HP-UX: 100
Windows: 0 (infinite)
If the maximum QM value is 1, each IKE SA is used for exactly one IPsec SA negotiation, which is
equivalent to Perfect Forward Secrecy (PFS) for both keys and identities. See “Perfect Forward
Secrecy (PFS)” (page 43) for more information.
Perfect Forward Secrecy (PFS)
With Perfect Forward Secrecy, the exposure of one key permits access only to data protected by
that key. RFC 2409, The Internet Key Exchange (IKE), defines two forms of PFS:
PFS for both the keys and the IKE identities. Key PFS is provided in conjunction with identity
PFS: IKE deletes the IKE SA after the IPsec negotiation completes, so each IKE SA is used for
only one IPsec negotiation.
The Windows interface refers to this type of PFS as master key PFS.
PFS for IPsec keys only. The IKE peers perform a separate Diffie-Hellman key exchange to create
new keying material for each IPsec negotiation. The IKE SA is reused until the IKE SA lifetime
expires.
The Windows interface refers to this type of PFS as session key PFS.
HP-UX IPSec supports PFS for both the keys and the IKE identities but does not support PFS for
IPsec keys only. To be compatible with HP-UX IPSec, do not configure session key PFS on
Windows systems.
Configuring PFS is computationally expensive: PFS for IPsec keys only adds a Diffie-Hellman
exchange to every IPsec SA negotiation, and PFS for keys and identities additionally requires a
new IKE SA (a full Phase 1 negotiation) for every IPsec SA negotiation. In most topologies, the
strength of the cryptographic algorithms is sufficient protection. HP recommends that you enable
PFS only in hostile environments.
IPsec SA Key (Session Key) Lifetime Values
IPsec SA key lifetimes (referred to as session key lifetimes on Windows systems) specify the
maximum lifetimes for IPsec SA keys. They are specified both in units of time (seconds) and in
data transferred (kbytes); the keys are renegotiated when either limit is reached.
HP-UX IPsec SA Lifetime Values
By default, HP-UX uses the following preferred IPsec SA lifetime values:
28,800 seconds (eight hours)
0 (infinite) data units
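The following Python model, added here as an example and not taken from the HP-UX IPSec guide or from either product, encodes the parameter rules described in the sections above: IKE SA lifetime proposals and the minutes-to-seconds conversion, maximum Quick Modes and the IPsec SA pairs they yield, the two RFC 2409 forms of PFS and the session key PFS incompatibility, and IPsec SA time and data lifetimes. The Peer class, the function names, the acceptable lifetime range and the HP-UX IKE SA lifetime placeholder are assumptions for illustration; only the defaults quoted on the page (Windows 480 minutes and 0 sessions, HP-UX max QM 100, 28,800 seconds and 0 kbytes) come from the document.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed acceptable range for an IKE SA lifetime proposal, in seconds. The page
# says a responder accepts a proposal "if it is within the range specified by
# the IPsec protocol suite" but does not list the bounds, so these stand in.
IKE_LIFETIME_MIN_S = 60
IKE_LIFETIME_MAX_S = 30 * 86_400


@dataclass
class Peer:
    """Constructed representation of one IKE peer's relevant settings."""
    name: str
    ike_sa_lifetime_s: int               # IKE SA lifetime in seconds
    max_qm: int = 0                      # Quick Modes per IKE SA; 0 means unlimited
    master_key_pfs: bool = False         # PFS for keys and IKE identities (Windows "master key PFS")
    session_key_pfs: bool = False        # PFS for IPsec keys only (Windows "session key PFS")
    ipsec_sa_lifetime_s: int = 28_800    # IPsec SA key lifetime, seconds (HP-UX default)
    ipsec_sa_lifetime_kb: int = 0        # IPsec SA key lifetime, kbytes; 0 means unlimited


def minutes_to_seconds(minutes: int) -> int:
    """The Windows interface takes the IKE SA lifetime in minutes; HP-UX and the
    IKE lifetime attribute use seconds, so 480 minutes becomes 28,800 seconds."""
    return minutes * 60


def windows_peer(ike_lifetime_min: int = 480, qm_per_mm: int = 0,
                 master_key_pfs: bool = False, session_key_pfs: bool = False) -> Peer:
    """Windows XP settings; the defaults are the ones quoted on the page."""
    return Peer("Windows XP", minutes_to_seconds(ike_lifetime_min), qm_per_mm,
                master_key_pfs, session_key_pfs)


def hpux_peer(ike_lifetime_s: int = 28_800, max_qm: int = 100) -> Peer:
    """HP-UX settings. max QM and the IPsec SA lifetimes are the page's defaults;
    the IKE SA lifetime argument is a placeholder (assumption), since this page
    does not list HP-UX's IKE SA default."""
    return Peer("HP-UX", ike_lifetime_s, max_qm)


def accept_ike_lifetime_proposal(initiator: Peer) -> Optional[int]:
    """IKE SA lifetime resulting from Phase 1: the initiator sends its configured
    value and the responder accepts it when it is within the acceptable range.
    The out-of-range case is not described on the page; this model returns None."""
    proposal = initiator.ike_sa_lifetime_s
    if IKE_LIFETIME_MIN_S <= proposal <= IKE_LIFETIME_MAX_S:
        return proposal
    return None


def effective_pfs(peer: Peer) -> Optional[str]:
    """Which RFC 2409 form of PFS a peer's settings amount to. A maximum of one
    Quick Mode per IKE SA discards the IKE SA after a single IPsec negotiation,
    which is PFS for both keys and identities even if no PFS option was named."""
    if peer.master_key_pfs or peer.max_qm == 1:
        return "keys-and-identities"
    if peer.session_key_pfs:
        return "keys-only"
    return None


def ipsec_sas_per_ike_sa(peer: Peer) -> Optional[int]:
    """Each Quick Mode yields one IPsec SA per direction; None means no limit."""
    return None if peer.max_qm == 0 else 2 * peer.max_qm


def ipsec_sa_needs_rekey(peer: Peer, elapsed_s: int, transferred_kb: int) -> bool:
    """An IPsec SA key expires when either its time or its data limit is reached;
    a kbyte limit of 0 (the HP-UX default) disables the data limit."""
    time_expired = elapsed_s >= peer.ipsec_sa_lifetime_s
    data_expired = peer.ipsec_sa_lifetime_kb != 0 and transferred_kb >= peer.ipsec_sa_lifetime_kb
    return time_expired or data_expired


def interop_issues(hpux: Peer, windows: Peer) -> List[str]:
    """Settings the page identifies as incompatible between the two peers."""
    issues = []
    if windows.session_key_pfs:
        issues.append(f"{windows.name}: session key PFS (PFS for IPsec keys only) is not "
                      f"supported by {hpux.name} IPSec; do not configure session key PFS")
    return issues


if __name__ == "__main__":
    hp, win = hpux_peer(), windows_peer(ike_lifetime_min=120)
    print("Windows-initiated IKE SA lifetime:", accept_ike_lifetime_proposal(win), "s")
    print("IPsec SAs per HP-UX IKE SA:", ipsec_sas_per_ike_sa(hp))
    print("Issues:", interop_issues(hp, windows_peer(session_key_pfs=True)))
```

Running the script prints the 7,200 second lifetime a 120-minute Windows setting proposes, the 200 IPsec SAs (100 pairs) an HP-UX IKE SA can produce at the default maximum QM, and the session key PFS finding; the `effective_pfs` check shows why an HP-UX maximum QM of 1 and Windows master key PFS land on the same RFC 2409 mode.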
Comparing HP-UX and Windows IPsec Configuration Parameters 43