HP-UX IPSec version A.02.01 Administrator's Guide

Troubleshooting HP-UX IPSec
IPsec Operation
To troubleshoot HP-UX IPSec, it is useful to understand a few key points
about its operation. This section contains high-level descriptions of how
IPsec establishes Security Associations (SAs) and how IPsec processes
packets.
Establishing Security Associations (SAs)
Figure 7-1 Security Associations
Before IPsec can authenticate or encrypt an IP packet using an IPsec transformation—an Authentication Header (AH) or Encapsulating Security Payload (ESP)—IPsec must establish SAs with the remote system. You can think of the SAs as security sessions, where the two systems agree on the type of authentication and encryption, the encryption keys and other parameters. The procedure for establishing SAs is described below:
1. Authenticate Identities
Each system authenticates the other system's identity, using preshared keys or security certificates (RSA signatures). Each system also verifies ID types and ID values (HP-UX IPSec uses IP addresses as ID values by default). This is part of the establishment of an IKE SA, as described in the next step.
[Figure 7-1: System A and System B, steps 1 to 3: Authenticate Each Peer's Identity, Establish IKE SA, Establish IPsec SAs]
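The following is an added example, not HP-UX IPSec code, that models the two checks step 1 describes: each side verifies the peer's ID type and ID value (an IP address by default) and then verifies a preshared-key proof. The message layout, the nonce values, the ID type code and the HMAC-SHA256 proof are simplifications chosen for illustration; real IKE derives its authenticator from the Diffie-Hellman exchange and SKEYID, which this model omits. The point for troubleshooting is that an ID mismatch and a key mismatch are distinct failures and are reported as such.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed model of IKE phase-1 peer authentication with a preshared key.
# Not HP-UX IPSec code: it only illustrates the ordering of the identity
# checks and the key proof that the text describes.

ID_IPV4_ADDR = 1  # assumed ID type code for an IPv4 address (constructed)


@dataclass(frozen=True)
class PeerConfig:
    local_addr: str        # ID value this system presents
    peer_addr: str         # ID value expected from the peer
    preshared_key: bytes   # shared secret configured on both systems


@dataclass(frozen=True)
class AuthPayload:
    id_type: int
    id_value: str
    nonce: bytes
    proof: bytes           # keyed MAC over (id_type, id_value, nonce)


def _proof(psk: bytes, id_type: int, id_value: str, nonce: bytes) -> bytes:
    """Simplified authenticator: HMAC-SHA256 over the identity and a nonce."""
    msg = bytes([id_type]) + id_value.encode() + nonce
    return hmac.new(psk, msg, hashlib.sha256).digest()


def build_auth(cfg: PeerConfig, nonce: bytes) -> AuthPayload:
    """What a system sends to prove its identity to the peer."""
    return AuthPayload(ID_IPV4_ADDR, cfg.local_addr, nonce,
                       _proof(cfg.preshared_key, ID_IPV4_ADDR, cfg.local_addr, nonce))


def verify_auth(cfg: PeerConfig, payload: AuthPayload):
    """Check ID type, then ID value, then the preshared-key proof.
    Returns (ok, reason) so the failing check is visible when diagnosing."""
    if payload.id_type != ID_IPV4_ADDR:
        return False, "ID type mismatch"
    if payload.id_value != cfg.peer_addr:
        return False, "ID value mismatch"
    expected = _proof(cfg.preshared_key, payload.id_type,
                      payload.id_value, payload.nonce)
    if not hmac.compare_digest(expected, payload.proof):
        return False, "preshared key mismatch"
    return True, "authenticated"


def mutual_auth(a: PeerConfig, b: PeerConfig,
                nonce_a: bytes = b"nonce-A", nonce_b: bytes = b"nonce-B"):
    """Both directions must succeed, as step 1 requires of each system.
    Returns (ok, (b's verdict on a, a's verdict on b))."""
    a_ok, a_reason = verify_auth(b, build_auth(a, nonce_a))  # B checks A
    b_ok, b_reason = verify_auth(a, build_auth(b, nonce_b))  # A checks B
    return a_ok and b_ok, (a_reason, b_reason)


# Constructed sample configurations (addresses and keys are made up).
SYSTEM_A = PeerConfig("10.0.0.1", "10.0.0.2", b"example-psk")
SYSTEM_B = PeerConfig("10.0.0.2", "10.0.0.1", b"example-psk")
SYSTEM_B_BAD_KEY = PeerConfig("10.0.0.2", "10.0.0.1", b"typo-psk")
SYSTEM_B_BAD_ID = PeerConfig("10.0.0.2", "10.0.0.9", b"example-psk")

if __name__ == "__main__":
    for label, b in (("matching config", SYSTEM_B),
                     ("key mismatch", SYSTEM_B_BAD_KEY),
                     ("ID mismatch on B", SYSTEM_B_BAD_ID)):
        print(label, "->", mutual_auth(SYSTEM_A, b))
```

Running the block shows that a wrong preshared key fails in both directions, while a wrong expected ID value fails only on the system whose configuration is wrong, which is the kind of asymmetry to look for when one side reports an authentication error and the other does not.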