Manualshelf

HP-UX IPSec version A.02.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
41424344454647484950
HP-UX IPSec Overview
Internet Key Exchange (IKE)
Chapter 1 41
Digital Signatures
IKE Preshared Key Authentication
With preshared key authentication, you must manually configure the
same, shared symmetric key on both systems, a preshared key. The
preshared key is used only for the primary authentication. The two
negotiating entities then generate dynamic shared keys for the IKE SAs
and IPSec/QM SAs.
Preshared keys do not require a Certificate Authority or Public Key
Infrastructure.
Digital Signatures
Digital signatures are based on security certificates, and are managed
using a Public Key Infrastructure (PKI). HP-UX IPSec supports the
following security certificates from the following products:
VeriSign Managed PKI (formerly VeriSign OnSite for VPNs)
Baltimore UniCERT 3.5
For more information on using certificate-based authentication for IKE,
see Chapter 4, “Using Certificates with HP-UX IPSec,on page 113.
Re-using Negotiations
For efficiency, you can specify that a single ISAKMP Phase One
(ISAKMP/MM) SA can be used to negotiate multiple ISAKMP Phase
Two (IPSec/QM) negotiations.
Conversely, you can specify that each Phase One SA can be used for only
one ISAKMP Phase Two negotiation. The IKE daemon will create a new
ISAKMP SA for each IPSec SA negotiation. This can provide a feature
known as Perfect Forward Secrecy (PFS) with key and identity
protection. With PFS, the compromise (exposure) of one key exposes only
the data protected by that key.
IKE Automatic Re-keying
The IKE protocol also allows HP-UX IPSec to dynamically negotiate new
IPSec keys rather than exposing the same key for long periods. You can
configure key lifetimes based on time or number of bytes sent.