HP-UX IPSec version A.02.00 Administrator's Guide
HP-UX IPSec and IPFilter
Allowing Protocol 50 and Protocol 51 Traffic
Chapter 6 197
If the IPFilter configuration is broad enough to block protocol 50 (ESP) or protocol 51 (AH) traffic, IPSec traffic will not get through.
Figure 6-7 Scenario Four
In Scenario Four, IPSec is configured to encrypt TCP traffic between the two machines and IPFilter is configured to block non-TCP traffic. IPFilter rules are also configured to let UDP/500 traffic pass on machine B.
# IPSec hole with machine B (IKE uses UDP port 500; ipf port matches need a comparison operator)
pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto UDP from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
# Let in encrypted IPSec traffic (protocol 50 is ESP)
pass in quick proto 50 from 15.15.15.15 to 10.10.10.10
pass out quick proto 50 from 10.10.10.10 to 15.15.15.15
# Allow TCP traffic to/from anywhere
pass in quick proto TCP
pass out quick proto TCP
# Block all other traffic to/from anywhere
block in from any to any
block out from any to any
NOTE If IPSec is configured to do authentication rather than encryption, you must configure IPFilter to let protocol 51 traffic pass.
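The following is an added example, not code from the HP-UX IPSec guide: a small Python evaluator for the IPFilter rule subset used in Scenario Four. It applies ipf's matching order (rules are tried top to bottom, the last match wins unless a matching rule is "quick", and no match means pass) to constructed packets, so the effect of the rule set can be checked before relying on it. The protocol numbers, the rule text and the packets are the ones above; the third-party addresses 192.0.2.x and the AH_RULE line are constructed for the illustration, and only the syntax the scenario uses is parsed.

```python
"""Added example, not from the HP-UX IPSec guide: a minimal evaluator for the
IPFilter rule subset used in Scenario Four (pass/block, in/out, quick,
proto <name|number>, from/to <host|any> [port = N]).  It applies ipf's
matching order (rules tried top to bottom, last match wins unless a matching
rule is 'quick', no match means pass) to constructed packets, so you can see
what the rule set actually lets through before relying on it."""
from typing import Dict, List, Optional

PROTO_NUM = {"tcp": 6, "udp": 17, "esp": 50, "ah": 51}

SCENARIO_FOUR_RULES = """
# IPSec hole with machine B
pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto UDP from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
# Let in encrypted IPSec traffic
pass in quick proto 50 from 15.15.15.15 to 10.10.10.10
pass out quick proto 50 from 10.10.10.10 to 15.15.15.15
# Allow TCP traffic to/from anywhere
pass in quick proto TCP
pass out quick proto TCP
# Block all other traffic to/from anywhere
block in from any to any
block out from any to any
"""

# Constructed extra rule of the kind the NOTE calls for when IPSec authenticates (AH).
AH_RULE = "pass in quick proto 51 from 15.15.15.15 to 10.10.10.10\n"


def _endpoint(toks: List[str], keyword: str):
    """(host, port) of a 'from ...' or 'to ...' clause; None means 'any'."""
    if keyword not in toks:
        return None, None
    i = toks.index(keyword)
    host = None if toks[i + 1] == "any" else toks[i + 1]
    port = None
    if i + 2 < len(toks) and toks[i + 2] == "port":
        # ipf writes a comparison operator, e.g. 'port = 500'
        port = int(toks[i + 4]) if toks[i + 3] == "=" else int(toks[i + 3])
    return host, port


def parse_rules(text: str) -> List[Dict]:
    """Parse rule lines into dicts; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        toks = line.split()
        proto: Optional[int] = None
        if "proto" in toks:
            p = toks[toks.index("proto") + 1].lower()
            proto = int(p) if p.isdigit() else PROTO_NUM[p]
        src, sport = _endpoint(toks, "from")
        dst, dport = _endpoint(toks, "to")
        rules.append({"action": toks[0], "dir": toks[1], "quick": "quick" in toks,
                      "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport})
    return rules


def evaluate(rules: List[Dict], pkt: Dict) -> str:
    """Return 'pass' or 'block' for one packet under ipf matching semantics."""
    verdict = "pass"                                  # ipf default: no match passes
    for r in rules:
        if r["dir"] != pkt["dir"]:
            continue
        # a None field in the rule matches anything
        if any(r[k] is not None and r[k] != pkt.get(k)
               for k in ("proto", "src", "sport", "dst", "dport")):
            continue
        verdict = r["action"]                         # last match wins ...
        if r["quick"]:                                # ... unless the match is 'quick'
            break
    return verdict


# Constructed packets arriving at the host that holds 10.10.10.10 (the inbound 'to'
# address in the rules); 192.0.2.x are documentation addresses for third parties.
SAMPLE_PACKETS = {
    "ike_from_peer": {"dir": "in", "proto": 17, "src": "15.15.15.15", "sport": 500,
                      "dst": "10.10.10.10", "dport": 500},
    "esp_from_peer": {"dir": "in", "proto": 50, "src": "15.15.15.15", "dst": "10.10.10.10"},
    "ah_from_peer": {"dir": "in", "proto": 51, "src": "15.15.15.15", "dst": "10.10.10.10"},
    "esp_from_other": {"dir": "in", "proto": 50, "src": "192.0.2.9", "dst": "10.10.10.10"},
    "tcp_from_other": {"dir": "in", "proto": 6, "src": "192.0.2.9", "sport": 40000,
                       "dst": "10.10.10.10", "dport": 22},
    "udp_dns_from_other": {"dir": "in", "proto": 17, "src": "192.0.2.53", "sport": 53,
                           "dst": "10.10.10.10", "dport": 53},
}


def audit(rules_text: str) -> Dict[str, str]:
    """Verdict for every sample packet under the given rule text."""
    rules = parse_rules(rules_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in audit(SCENARIO_FOUR_RULES).items():
        print(f"{name:20s} {verdict}")
    print("ah_from_peer with AH rule:", audit(AH_RULE + SCENARIO_FOUR_RULES)["ah_from_peer"])
```

Under the scenario's rules, IKE from the peer, ESP from the peer and TCP from anywhere pass, while ESP from an unexpected host, unsolicited UDP and AH (protocol 51) from the peer are blocked by the trailing "block in" rule; prepending the protocol 51 rule is what makes the AH packet pass, which is the situation the NOTE describes.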
        A (10.10.10.10)                                B (15.15.15.15)
   IPSec <---------------> TCP <-----------------> IPSec
                                                   IPFilter
                                              -----block !TCP-----