HP-UX IPSec version A.02.00 Administrator's Guide
Troubleshooting HP-UX IPSec
IPSec Operation
To troubleshoot HP-UX IPSec, it is useful to understand a few key points
about its operation. This section contains high-level descriptions of how
IPSec establishes Security Associations (SAs) and how IPSec processes
packets.
Establishing Security Associations (SAs)
Figure 5-1 Security Associations
Before IPSec can authenticate or encrypt an IP packet using an IPSec
transformation—an Authentication Header (AH) or Encapsulating
Security Payload (ESP)—IPSec must establish SAs with the remote
system. You can think of the SAs as security sessions, where the two
systems agree on the type of authentication and encryption, the
encryption keys and other parameters. The procedure for establishing
SAs is described below:
1. Authenticate Identities
Each system authenticates the other system's identity, using
preshared keys or security certificates (RSA signatures). Each
system also verifies ID types and ID values (HP-UX IPSec uses IP
[Figure 5-1 labels: System A and System B; step 1 Authenticate Each Peer's Identity; step 2 Establish ISAKMP/MM SA; step 3 Establish IPSec/QM SAs]
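The three-step sequence in Figure 5-1 (authenticate identities, establish the ISAKMP/Main Mode SA, then establish the IPSec/Quick Mode SAs) can be traced with a small model. The following is an added example written for this page; it is not HP-UX IPSec code and does not reproduce IKE's wire format. It models preshared-key authentication only: each side derives a keyed secret from its own copy of the preshared key, proves its identity with a hash under that secret, and only after both proofs verify are the per-direction IPSec SAs (with their SPIs and keys) installed. System names, addresses and the preshared key are constructed values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


class AuthenticationError(Exception):
    """Raised in step 1 when a peer's identity proof does not verify."""


def prf(key: bytes, data: bytes) -> bytes:
    # Keyed pseudo-random function (HMAC), standing in for the negotiated hash.
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class IsakmpSA:
    """Step 2 result: the ISAKMP/Main Mode SA shared by both peers."""
    peer_ip: str
    skeyid: bytes


@dataclass
class IpsecSA:
    """Step 3 result: one IPSec/Quick Mode SA per direction, identified by SPI."""
    spi: int
    src: str
    dst: str
    transform: str
    key: bytes


@dataclass
class System:
    name: str
    ip: str                     # the ID value here is the IP address (constructed)
    psk_table: dict             # remote IP -> preshared key (constructed table)
    isakmp_sa: Optional[IsakmpSA] = None
    ipsec_sas: list = field(default_factory=list)

    def identity_hash(self, skeyid: bytes) -> bytes:
        # Identity proof: the ID value hashed under the shared secret.
        return prf(skeyid, self.ip.encode())


def establish_sas(a: System, b: System, transform: str = "ESP-AES-SHA") -> tuple:
    """Run steps 1-3 between a (initiator) and b (responder); returns both SA lists."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # Main Mode nonces

    # Step 1: each side derives SKEYID from *its own* preshared key for the peer.
    # If the keys differ, the identity hashes disagree and no SA is created.
    skeyid_a = prf(a.psk_table[b.ip], ni + nr)
    skeyid_b = prf(b.psk_table[a.ip], ni + nr)
    hash_i = a.identity_hash(skeyid_a)          # sent by A, checked by B
    hash_r = b.identity_hash(skeyid_b)          # sent by B, checked by A
    if not hmac.compare_digest(hash_i, prf(skeyid_b, a.ip.encode())):
        raise AuthenticationError(f"{b.name} cannot verify {a.name}'s identity")
    if not hmac.compare_digest(hash_r, prf(skeyid_a, b.ip.encode())):
        raise AuthenticationError(f"{a.name} cannot verify {b.name}'s identity")

    # Step 2: both systems now hold the ISAKMP/Main Mode SA.
    a.isakmp_sa = IsakmpSA(b.ip, skeyid_a)
    b.isakmp_sa = IsakmpSA(a.ip, skeyid_b)

    # Step 3: Quick Mode under that SA. The receiving side picks the SPI for
    # traffic it will receive; keys derive from SKEYID, the SPI and fresh nonces.
    qni, qnr = secrets.token_bytes(16), secrets.token_bytes(16)
    spi_to_b = secrets.randbits(32) | 0x100     # chosen by B, used for A -> B
    spi_to_a = secrets.randbits(32) | 0x100     # chosen by A, used for B -> A
    proto = transform.split("-")[0].encode()    # "ESP" or "AH"
    for src, dst, spi in ((a, b, spi_to_b), (b, a, spi_to_a)):
        key = prf(skeyid_a, proto + spi.to_bytes(4, "big") + qni + qnr)
        # The same SA entry is installed in both systems' SA databases.
        src.ipsec_sas.append(IpsecSA(spi, src.ip, dst.ip, transform, key))
        dst.ipsec_sas.append(IpsecSA(spi, src.ip, dst.ip, transform, key))
    return a.ipsec_sas, b.ipsec_sas


if __name__ == "__main__":
    psk = b"constructed-preshared-key"
    sys_a = System("System A", "10.0.0.1", {"10.0.0.2": psk})
    sys_b = System("System B", "10.0.0.2", {"10.0.0.1": psk})
    establish_sas(sys_a, sys_b)
    for sa in sys_a.ipsec_sas:
        print(f"{sa.src} -> {sa.dst}  SPI {sa.spi:#010x}  {sa.transform}")
```

The model makes the dependency visible: a preshared-key mismatch fails in step 1, so neither the ISAKMP SA nor any IPSec SA appears in either system's SA database, which is what to look for first when two systems show no SAs.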