HP-UX IPSec version A.02.00 Administrator's Guide

HP-UX IPSec and IPFilter
IPSec UDP Negotiation
You can configure IPSec and IPFilter so that there is some overlap in the
configurations. However, you must be sure the overlapping
configurations do not block each other.
IPSec negotiates between two machines on a connection using the UDP
protocol from port 500 to port 500.
If the IPFilter configuration is so broad that it blocks all UDP traffic,
then IPSec cannot complete negotiations. When an IPSec negotiation is
not completed, the encrypted packets are not received. If this happens,
you will see the IPSec error “MM negotiation timeout” on the initiating side.
To let IPSec complete negotiations, configure IPFilter to let the IPSec
negotiation packets through.
Figure 6-3 IPFilter Scenario Two
In Scenario Two, IPFilter is configured to block UDP traffic on machine
A, you want all TCP traffic to pass through, and, from machine B on the
network, you want all TCP traffic encrypted. Machine A has IP address
10.10.10.10 and machine B has IP address 15.15.15.15.
Since the TCP traffic with machine B must be encrypted, you configure
host IPSec policies on both systems using ipsec_config, the HP-UX
IPSec configuration program. Specify the appropriate source and
destination IP addresses, and specify that HP-UX IPSec encrypts all
TCP protocol packets.
[Figure 6-3 diagram: machine A (10.10.10.10) and machine B (15.15.15.15) each run IPSec and exchange TCP traffic; IPFilter on machine A sits in the path of the UDP traffic.]
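The IPFilter rule set for Scenario Two, written here as an added example rather than taken from the HP-UX guide: it blocks UDP on machine A but first passes the IPSec negotiation (UDP port 500 to port 500) between the two peers, so the “MM negotiation timeout” error does not occur. It assumes the network interface on machine A is named lan0 (HP-UX naming) and that IPFilter runs only on machine A.

```conf
# Added example for Scenario Two (not from the HP-UX IPSec guide).
# Assumption: machine A's interface is lan0; IPFilter is loaded on A only.
# IPFilter reads rules in order; "quick" stops evaluation at the first match,
# so the narrow IKE rules must precede the broad UDP block.

# 1. Let the IPSec negotiation through: UDP, source port 500 to destination
#    port 500, only between the two IPSec peers A and B.
pass in  quick on lan0 proto udp from 15.15.15.15 port = 500 to 10.10.10.10 port = 500 keep state
pass out quick on lan0 proto udp from 10.10.10.10 port = 500 to 15.15.15.15 port = 500 keep state

# 2. Scenario Two requirement: all TCP traffic passes.
pass in  quick on lan0 proto tcp from any to any keep state
pass out quick on lan0 proto tcp from any to any keep state

# 3. Block every other UDP packet. Without the two rules in step 1, this
#    block would also discard the IKE packets and the initiator would log
#    "MM negotiation timeout".
block in  quick on lan0 proto udp from any to any
block out quick on lan0 proto udp from any to any

# Caveat: once negotiation succeeds, the protected TCP packets travel as
# ESP (IP protocol 50) or AH (IP protocol 51), not as TCP, so do not add a
# blanket block that would catch those protocols.
```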