HP-UX IPSec version A.02.00 Administrator's Guide

HP-UX IPSec Overview
Internet Key Exchange (IKE)
Chapter 1 39
Using the secure communication channel provided by the ISAKMP/MM SA, negotiate one or more SAs for IPSec transforms (AH or ESP). A Phase Two negotiation typically negotiates two SAs for an IPSec transform: one for inbound and one for outbound traffic.
Figure 1-9 SA Establishment
Generating Shared Keys: Diffie-Hellman
SAs use a symmetric key to encrypt communication. This symmetric key is based on a shared value generated using the Diffie-Hellman algorithm.

With Diffie-Hellman key generation, each party generates two numbers, one public and one private. These values are based on a selected, well-known numeric base, or “Diffie-Hellman group.” The two parties exchange public values (this exchange may occur via an insecure channel). Each party then uses its private value and the other party’s
[Figure 1-9 SA Establishment (diagram not reproduced): NodeA and NodeB. ISAKMP phase 1 establishes an ISAKMP SA on each node; ISAKMP phase 2 establishes the IPSec/QM SAs (Outbound and Inbound) on each node; IP traffic between NodeA and NodeB is then secured by IPSec AH/ESP.]
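The following is an added illustration of the Diffie-Hellman exchange described under "Generating Shared Keys" above; it is not HP-UX IPSec code. It uses a constructed toy group (p = 2039, g = 2) rather than a real IKE Diffie-Hellman group, so the numbers are only for illustration; the `DHParty` and `run_exchange` names, the nonce values and the SHA-256 key derivation are assumptions made here, not the IKE SKEYID derivation. The peer public value check is the one a practitioner would want: values of 0, 1 or p-1 force a predictable shared value whatever the private value is.

```python
"""Toy Diffie-Hellman exchange in the style of an IKE Phase One negotiation.

Added illustration; not part of the HP-UX IPSec product or documentation.
"""
import hashlib
import secrets

# Constructed toy group, for illustration only (NOT a real IKE group).
# p = 2*q + 1 with q = 1019 is a safe prime, and g = 2 generates the subgroup
# of prime order q (2 is a quadratic residue because p = 7 mod 8).
# Real IKE groups (RFC 2409 MODP groups) use primes of 768 bits or more.
TOY_P = 2039
TOY_Q = 1019
TOY_G = 2


class DHParty:
    """One peer's half of a Diffie-Hellman exchange (hypothetical helper)."""

    def __init__(self, name, p=TOY_P, g=TOY_G, private_value=None):
        self.name = name
        self.p = p
        self.g = g
        # Private value: generated locally and never transmitted. A fixed value
        # may be supplied only to make a demonstration reproducible.
        if private_value is None:
            private_value = secrets.randbelow(p - 3) + 2  # in [2, p-2]
        self.private = private_value
        # Public value: safe to send over an insecure channel.
        self.public = pow(g, self.private, p)

    def compute_shared(self, peer_public):
        """Combine own private value with the peer's public value."""
        # Reject degenerate peer values (0, 1, p-1 or out of range): they make
        # the shared value 0, 1 or p-1 regardless of our private value.
        if not 1 < peer_public < self.p - 1:
            raise ValueError(f"{self.name}: invalid peer public value {peer_public}")
        return pow(peer_public, self.private, self.p)


def derive_symmetric_key(shared_value, nonce_a, nonce_b, length=16):
    """Simplified key derivation (assumption: stands in for IKE's prf-based SKEYID)."""
    shared_bytes = shared_value.to_bytes((shared_value.bit_length() + 7) // 8, "big")
    return hashlib.sha256(shared_bytes + nonce_a + nonce_b).digest()[:length]


def run_exchange(private_a=None, private_b=None, p=TOY_P, g=TOY_G):
    """Run the exchange between NodeA and NodeB and return what each side computed."""
    node_a = DHParty("NodeA", p, g, private_a)
    node_b = DHParty("NodeB", p, g, private_b)
    # Only the public values cross the (possibly insecure) channel.
    shared_a = node_a.compute_shared(node_b.public)
    shared_b = node_b.compute_shared(node_a.public)
    # Constructed nonces standing in for the IKE nonce payloads.
    nonce_a, nonce_b = b"nonceA-constructed", b"nonceB-constructed"
    return {
        "public_a": node_a.public,
        "public_b": node_b.public,
        "shared_a": shared_a,
        "shared_b": shared_b,
        "key_a": derive_symmetric_key(shared_a, nonce_a, nonce_b),
        "key_b": derive_symmetric_key(shared_b, nonce_a, nonce_b),
    }


if __name__ == "__main__":
    result = run_exchange()
    print("public values exchanged:", result["public_a"], result["public_b"])
    print("shared values agree:", result["shared_a"] == result["shared_b"])
    print("symmetric key:", result["key_a"].hex())
```

Running the module prints the two public values, confirms that both nodes computed the same shared value, and shows the derived symmetric key; an observer of the channel sees only the public values and the group parameters.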