Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec

If the HP-UX system initiates IPsec SA negotiations, the HP-UX IKE daemon proposes the
preferred lifetime values to the remote system. The remote system may process these values in
any manner according to the IPsec protocol suite.
If the remote system initiates IPsec SA negotiations and sends a proposed lifetime value that is as
secure or more secure than the HP-UX preferred value (it is shorter than or equal to the HP-UX
preferred value), the HP-UX IKE daemon accepts the lifetime value proposed by the remote
system if it is within the ranges specified by the IPsec protocol suite.
If the remote system initiates IPsec SA negotiations and a proposed lifetime value is less secure
than (longer than) the HP-UX preferred value, HP-UX sends an IKE NOTIFY message with its
preferred value. If this value is acceptable to the remote system, the SA negotiation succeeds and
the value sent in the NOTIFY message is used.

Windows IPsec SA Lifetime Values

By default, the Windows configuration does not specify any IPsec SA lifetime values and does
not propose any during IPsec SA negotiations. This is equivalent to proposing the lifetime values
28,800 seconds (eight hours) and 0 (infinite) data units.
In testing with HP-UX, HP also configured specific IPsec SA lifetime values on the Windows
system and observed behavior equivalent to HP-UX behavior. When the Windows system
initiated the IPsec SA negotiation, it sent the configured lifetime values in the proposal. When
the remote system initiated the IPsec SA negotiation, the Windows system accepted the proposed
lifetime value if it was more secure than its configured value, and sent a notification message
when its configured lifetime value was more secure than the value proposed by the remote
system.
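
The responder-side rule described above for HP-UX and for a Windows system with configured lifetimes, as an added Python model (not HP or Microsoft code). The `Lifetime` type, the function names and the sample values are constructed for illustration; evaluating each lifetime value independently and treating 0 seconds as infinite, as the page does for 0 data units, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

UNLIMITED = 0  # the page: 0 data units means an infinite lifetime


@dataclass(frozen=True)
class Lifetime:
    seconds: int     # time-based SA lifetime (0 = infinite is an assumption here)
    data_units: int  # data-based SA lifetime, 0 = infinite


# Windows with nothing configured behaves as if it proposed these values.
WINDOWS_DEFAULT = Lifetime(seconds=28_800, data_units=UNLIMITED)


def at_least_as_secure(proposed: int, preferred: int) -> bool:
    """Shorter or equal is as secure or more secure; infinite is the weakest value."""
    if preferred == UNLIMITED:
        return True   # nothing is weaker than an unlimited preference
    if proposed == UNLIMITED:
        return False  # a naive `proposed <= preferred` would wrongly accept 0
    return proposed <= preferred


def respond(proposed: Lifetime, preferred: Lifetime) -> Tuple[str, Lifetime]:
    """Responder decision: ACCEPT the proposal, or NOTIFY with preferred values."""
    sec_ok = at_least_as_secure(proposed.seconds, preferred.seconds)
    data_ok = at_least_as_secure(proposed.data_units, preferred.data_units)
    if sec_ok and data_ok:
        return "ACCEPT", proposed
    # Assumption: only the less secure value is replaced by the preferred one.
    return "NOTIFY", Lifetime(
        proposed.seconds if sec_ok else preferred.seconds,
        proposed.data_units if data_ok else preferred.data_units,
    )


def negotiate(proposed: Lifetime, preferred: Lifetime,
              initiator_accepts_notify: bool = True) -> Optional[Lifetime]:
    """Lifetime used by the SA, or None if the initiator rejects the NOTIFY value."""
    action, value = respond(proposed, preferred)
    if action == "NOTIFY" and not initiator_accepts_notify:
        return None
    return value


if __name__ == "__main__":
    hpux_preferred = Lifetime(seconds=3_600, data_units=100_000)  # constructed values
    print(respond(WINDOWS_DEFAULT, hpux_preferred))
```

With the constructed HP-UX preference shown, an unconfigured Windows initiator triggers a NOTIFY on both values, because 28,800 seconds is longer than 3,600 and an infinite data lifetime is weaker than any finite one.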