HP-UX IPSec version A.02.01 Administrator's Guide

Appendix A: Product Specifications

Product Restrictions
HP-UX IPSec product restrictions are described below:

- HP-UX IPSec systems cannot act as IP or IPsec gateways unless the local system is an HP-UX Mobile IPv6 Home Agent forwarding Mobile IPv6 packets to Mobile Node clients.

- You cannot use an end-to-end or transport transform in an end-to-end tunnel (host-to-host tunnel) topology. The action for the host policy in an end-to-end tunnel topology must be PASS.

- HP-UX IPSec does not support security for multiple destination addresses (i.e., broadcast, subnet broadcast, multicast, and anycast addresses).

- You cannot selectively encrypt or authenticate services that use dynamic ports, such as NFS (Network File System) mountd, NFS lockd, and NIS (Network Information Service).

- HP-UX IPSec supports Perfect Forward Secrecy (PFS) for keys and identities (the IKE daemon can be configured to create a new IKE SA for each IPsec Phase 2 negotiation, that is, for each negotiation of an IPsec SA pair). HP-UX IPSec does not support PFS for keys only (in that mode the IKE daemon would reuse one IKE SA for multiple IPsec Phase 2 negotiations and perform a separate Diffie-Hellman key exchange for each IPsec Phase 2 negotiation).

- If an HP-UX IPSec system crashes and the system had previously established IKE SA(s) with peer IPsec system(s), the peer IPsec system(s) will not be able to use any existing IKE and IPsec SAs to initiate communication with the rebooted IPsec system.

  When the peer IPsec system tries to use a previously established SA with the rebooted system, the IKE daemon on the rebooted system will initiate a new SA negotiation with the peer system to replace the previous SA. The IKE daemon also sends an INITIAL-CONTACT NOTIFY message to the peer to notify the peer that this is the first SA being established with the rebooted system. This message is typically interpreted by the peer as an indication that the remote system has rebooted, and the peer will delete any SAs previously established with the remote system.
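The crash-recovery behaviour described in the last restriction can be followed more easily as an exchange between two SA tables. The simulation below is an added example, not HP-UX code or anything from the guide: it models each host's IKE and IPsec SA tables, discards them on reboot, and has the rebooted host answer a packet on an unknown SPI by renegotiating and sending INITIAL-CONTACT, which makes the peer purge its stale SAs for that host. Host names, SPI values and the `negotiate`/`send` helpers are all constructed for the example.

```python
"""Toy model of IKE SA recovery after a peer reboot (hypothetical simulation).

It reproduces the behaviour stated in the guide: the rebooted system has no SAs,
so the peer's old SAs are useless; the rebooted system starts a fresh negotiation
and includes an INITIAL-CONTACT notify, and the peer deletes every SA it still
held for that host before installing the new pair.
"""
from dataclasses import dataclass, field
from itertools import count

_ids = count(0x1000)  # constructed counter for IKE SA ids and SPIs


@dataclass
class Host:
    name: str
    ike_sas: dict = field(default_factory=dict)    # peer name -> IKE SA id
    ipsec_sas: dict = field(default_factory=dict)  # SPI -> peer name
    log: list = field(default_factory=list)

    def crash_and_reboot(self):
        """A crash discards kernel and IKE daemon state: every SA is lost."""
        self.ike_sas.clear()
        self.ipsec_sas.clear()
        self.log.append("reboot: all IKE and IPsec SAs discarded")


def negotiate(initiator: Host, responder: Host, initial_contact: bool = False):
    """Phase 1 + Phase 2: one IKE SA and one IPsec SA pair between the hosts.

    With initial_contact set, the responder treats the negotiation as the first
    contact from the initiator and purges any SAs it still holds for it first.
    Returns the (inbound, outbound) SPIs of the new IPsec SA pair.
    """
    if initial_contact:
        stale = [spi for spi, peer in responder.ipsec_sas.items()
                 if peer == initiator.name]
        for spi in stale:
            del responder.ipsec_sas[spi]
        responder.ike_sas.pop(initiator.name, None)
        responder.log.append(
            f"INITIAL-CONTACT from {initiator.name}: deleted {len(stale)} stale IPsec SA(s)")
    ike_id = f"ike-{initiator.name}-{responder.name}-{next(_ids):#x}"
    initiator.ike_sas[responder.name] = ike_id
    responder.ike_sas[initiator.name] = ike_id
    inbound, outbound = next(_ids), next(_ids)
    for spi in (inbound, outbound):
        initiator.ipsec_sas[spi] = responder.name
        responder.ipsec_sas[spi] = initiator.name
    return inbound, outbound


def send(sender: Host, receiver: Host, spi: int) -> str:
    """Deliver one protected packet on the given SPI.

    If the receiver has no SA for the SPI (it rebooted), its IKE daemon starts a
    new negotiation toward the sender carrying INITIAL-CONTACT, as the guide states.
    """
    if spi in receiver.ipsec_sas:
        receiver.log.append(f"packet on SPI {spi:#x} accepted")
        return "accepted"
    receiver.log.append(f"packet on SPI {spi:#x}: no SA, renegotiating with {sender.name}")
    negotiate(receiver, sender, initial_contact=True)
    return "renegotiated"


def scenario():
    """hostB holds SAs with hostA and hostC; hostA crashes; hostB tries its old SA to hostA."""
    a, b, c = Host("hostA"), Host("hostB"), Host("hostC")
    old_spis = negotiate(b, a)        # SAs established before the crash
    c_spis = negotiate(b, c)          # unrelated SAs with hostC must survive
    a.crash_and_reboot()
    result = send(b, a, old_spis[1])  # hostB uses its stale outbound SA to hostA
    return {"a": a, "b": b, "c": c, "old_spis": old_spis,
            "c_spis": c_spis, "result": result}


if __name__ == "__main__":
    s = scenario()
    for h in (s["a"], s["b"]):
        print(h.name, "->", "; ".join(h.log))
```

Running it prints hostA discarding its state and renegotiating, and hostB logging the INITIAL-CONTACT purge of exactly the two stale SAs it held for hostA while its SAs with hostC remain in place; the stale SPIs never come back, which is why a peer without this handling would otherwise keep sending on SAs the rebooted host cannot decrypt.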