HP-UX IPSec version A.02.00 Administrator's Guide

HP-UX IPSec and IPFilter
Allowing Protocol 50 and Protocol 51 Traffic
When IPSec encrypts packets, it creates a new packet with a protocol
number of 50. When it authenticates packets, it creates a new packet
with a protocol number of 51.
Figure 6-5 Packet with Encrypted TCP Data
Figure 6-6 Packet with IPSec-Encrypted TCP Data
IPFilter never sees the TCP packets between machine A and machine B
with a protocol number of 6. These packets are encrypted (wrapped) inside
a packet that has a protocol number of 50. If you configure IPFilter to
block packets with protocol number 6, it still lets the protocol number 50
packets pass through; IPSec then takes the packet apart and decrypts the TCP data.
[Figure 6-5 layout: IP header (Protocol # = 6) | TCP header | Data]
[Figure 6-6 layout: IP header (Protocol # = 50) | ESP header | Encrypted: IP header (Protocol # = 6) | TCP header | Data]
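To make the filtering point concrete, the following is an added example written for this page (it is not code from the HP-UX guide, from HP-UX IPSec or from IPFilter). It builds the two packet layouts from Figures 6-5 and 6-6, reads the protocol number the way a packet filter does (from the outermost IP header only), and applies a simplified IPFilter-style rule list. The byte layouts, addresses, SPI value and the XOR placeholder standing in for ESP encryption are constructed assumptions; the last-matching-rule-wins evaluation models IPFilter's behaviour for rules without the `quick` keyword.

```python
import struct

# Protocol numbers named on the page: TCP = 6, ESP = 50, AH = 51.
PROTO_TCP = 6
PROTO_ESP = 50
PROTO_AH = 51

# Constructed placeholder "cipher": XOR with a fixed byte so the inner packet is
# opaque to the filter. Real ESP uses the SA's cipher and integrity algorithm.
_XOR_KEY = 0xA5


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header. The checksum is left at zero because only
    the fields a packet filter matches on (protocol, addresses) matter here."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, src_b, dst_b)


def tcp_packet(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Figure 6-5 layout: IP header (protocol 6) + TCP header + data."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ipv4_header(src, dst, PROTO_TCP, len(tcp_hdr) + len(data)) + tcp_hdr + data


def esp_wrap(inner: bytes, src: str, dst: str, spi: int, seq: int) -> bytes:
    """Figure 6-6 layout: outer IP header (protocol 50) + ESP header (SPI,
    sequence number) + the whole inner packet in encrypted form."""
    esp_hdr = struct.pack("!II", spi, seq)
    ciphertext = bytes(b ^ _XOR_KEY for b in inner)
    return ipv4_header(src, dst, PROTO_ESP, len(esp_hdr) + len(ciphertext)) + esp_hdr + ciphertext


def esp_unwrap(packet: bytes) -> bytes:
    """What IPSec does after the filter has passed the protocol-50 packet:
    strip the outer IP and ESP headers and decrypt the inner packet."""
    body = packet[20:]          # drop the outer IP header
    return bytes(b ^ _XOR_KEY for b in body[8:])   # drop the ESP header, decrypt


def outer_protocol(packet: bytes) -> int:
    """The only protocol number IPFilter can see: byte 9 of the outermost IP header."""
    return packet[9]


# Simplified rule list modelled on IPFilter: (action, protocol). Rules are
# evaluated in order and, without "quick", the last matching rule decides.
BLOCK_TCP_ALLOW_IPSEC = [("block", PROTO_TCP), ("pass", PROTO_ESP), ("pass", PROTO_AH)]


def filter_decision(packet: bytes, rules, default: str = "pass") -> str:
    decision = default
    proto = outer_protocol(packet)
    for action, rule_proto in rules:
        if rule_proto == proto:
            decision = action
    return decision


def demo() -> dict:
    # Constructed sample traffic: a TCP packet from machine A to machine B,
    # once in the clear and once wrapped in ESP.
    plain = tcp_packet("10.0.0.1", "10.0.0.2", 40000, 23, b"constructed data")
    wrapped = esp_wrap(plain, "10.0.0.1", "10.0.0.2", spi=0x1000, seq=1)
    # Default-deny policy that allows TCP but has no rule for protocol 50/51:
    # the ESP-wrapped TCP traffic is dropped before IPSec ever sees it.
    default_deny = [("pass", PROTO_TCP)]
    return {
        "plain_outer_proto": outer_protocol(plain),                            # 6
        "wrapped_outer_proto": outer_protocol(wrapped),                        # 50
        "plain_decision": filter_decision(plain, BLOCK_TCP_ALLOW_IPSEC),       # block
        "wrapped_decision": filter_decision(wrapped, BLOCK_TCP_ALLOW_IPSEC),   # pass
        "wrapped_under_default_deny": filter_decision(wrapped, default_deny, default="block"),  # block
        "unwrapped_is_original_tcp": esp_unwrap(wrapped) == plain,            # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two decisions for the wrapped packet are the practical lesson of this section: a rule that blocks or allows protocol 6 has no effect on ESP-wrapped TCP, and a default-deny policy silently drops IPSec traffic unless protocols 50 and 51 are explicitly allowed. In ipf.conf syntax that allow rule is written by protocol name or number, for example `pass in proto esp from any to any` and `pass in proto ah from any to any`.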