HP-UX IPSec version A.02.01 Administrator's Guide
Interoperability
Microsoft
Appendix B244
IPsec rules on the Microsoft system. Configure one rule with the HP-UX
system address as the destination endpoint and a second rule with the
Microsoft system address as the destination endpoint.
Set the mirror flag to no for both rules.
Do not configure any other rules in the same policy with the HP-UX
system address as the destination. This prevents the Microsoft
system from applying the tunnel transform over a transport
transform. In end-to-end tunnel topologies, HP-UX IPSec does not
support transport transforms over a tunnel transform.
• When using RSA signatures for IKE authentication, Microsoft
systems use the X.500 Distinguished Name as the ID type.
Windows 2000 SP1 and SP2 Problem
Windows 2000 base systems and Windows 2000 systems with Service
Pack 1 (SP1) or Service Pack 2 (SP2) do not properly process IPSec ESP
packets that have been fragmented at the IP layer (split across
multiple IP packets). The Windows 2000 system drops these packets. The
symptoms vary according to how the applications handle the dropped
packets.
This problem is caused by a defect in the Windows 2000 SP1/SP2
software and is fixed in Windows 2000 Service Pack 3 (SP3).
This problem typically occurs with ESP-encrypted UDP or ICMP
packets that are fragmented by IP. HP-UX 11i v1 systems minimize IP
fragmentation of ESP-encrypted TCP packets. You may still experience
problems with ESP-encrypted TCP packets sent from an HP-UX system
to a Windows 2000 system if an intermediary IP gateway fragments the
ESP packet.
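Whether a datagram is fragmented after ESP encapsulation, and therefore whether it hits the Windows 2000 SP1/SP2 defect described above, depends on the ESP overhead added to the cleartext packet relative to the path MTU. The following script is an added example for this appendix, not code from the HP-UX IPSec product or the guide. It estimates the on-the-wire size of an ESP-protected IPv4 datagram from the RFC 2406 ESP layout (SPI, sequence number, IV, padding, trailer, ICV), counts the IP fragments a given MTU would produce, and finds the largest application payload that still fits unfragmented. The transform names, the IV/block/ICV size tables and the 1472-byte UDP sample are assumptions chosen for illustration; it covers both transport and tunnel mode and UDP as well as TCP, which is broader than the UDP/ICMP case the text singles out.

```python
"""
Estimate the size of an ESP-protected IPv4 datagram and whether it is
fragmented at a given MTU.

Added example (not part of the HP-UX IPSec guide). Overhead follows the
RFC 2406 ESP layout; the transform tables and sample traffic below are
assumptions for illustration.
"""
import math

IPV4_HEADER_LEN = 20
UDP_HEADER_LEN = 8
TCP_HEADER_LEN = 20
ESP_SPI_LEN = 4
ESP_SEQ_LEN = 4
ESP_TRAILER_LEN = 2   # pad length byte + next header byte

# cipher name -> (IV length, cipher block size). ESP pads the plaintext so
# that plaintext + trailer is a multiple of the block size. (Assumed table.)
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
    "null": (0, 4),    # ESP-NULL still pads to 4-byte alignment
}

# authenticator name -> ICV length in bytes (truncated HMAC). (Assumed table.)
AUTHS = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
    "none": 0,
}


def esp_padding(plain_len: int, block: int) -> int:
    """Bytes of ESP padding so that plain_len + trailer aligns to block."""
    return (-(plain_len + ESP_TRAILER_LEN)) % block


def esp_datagram_len(app_len: int, mode: str, cipher: str, auth: str,
                     proto: str = "udp") -> int:
    """Total IPv4 datagram length after ESP encapsulation.

    mode  : "transport" (ESP wraps the transport segment) or
            "tunnel"    (ESP wraps the whole inner IP packet; a new outer
                         IP header is prepended)
    proto : "udp" or "tcp", selecting the inner transport header length
    """
    transport_hdr = UDP_HEADER_LEN if proto == "udp" else TCP_HEADER_LEN
    plain = transport_hdr + app_len
    if mode == "tunnel":
        plain += IPV4_HEADER_LEN          # inner IP header is encrypted too
    iv_len, block = CIPHERS[cipher]
    pad = esp_padding(plain, block)
    return (IPV4_HEADER_LEN + ESP_SPI_LEN + ESP_SEQ_LEN + iv_len
            + plain + pad + ESP_TRAILER_LEN + AUTHS[auth])


def ip_fragment_count(datagram_len: int, mtu: int) -> int:
    """Number of IPv4 fragments a datagram becomes on a link with this MTU.

    Every non-final fragment carries a multiple of 8 payload bytes.
    """
    if datagram_len <= mtu:
        return 1
    per_fragment = ((mtu - IPV4_HEADER_LEN) // 8) * 8
    return math.ceil((datagram_len - IPV4_HEADER_LEN) / per_fragment)


def max_unfragmented_app_len(mtu: int, mode: str, cipher: str, auth: str,
                             proto: str = "udp") -> int:
    """Largest application payload whose ESP datagram still fits the MTU."""
    best = 0
    for app_len in range(0, mtu):
        if esp_datagram_len(app_len, mode, cipher, auth, proto) <= mtu:
            best = app_len
    return best


if __name__ == "__main__":
    # Constructed sample: a 1472-byte UDP payload (which exactly fills a
    # 1500-byte MTU in the clear), protected with ESP transport mode,
    # 3DES-CBC and HMAC-SHA1-96.
    MTU = 1500
    total = esp_datagram_len(1472, "transport", "3des-cbc", "hmac-sha1-96")
    frags = ip_fragment_count(total, MTU)
    print(f"ESP datagram: {total} bytes -> {frags} IP fragment(s) at MTU {MTU}")
    limit = max_unfragmented_app_len(MTU, "transport", "3des-cbc",
                                     "hmac-sha1-96")
    print(f"largest UDP payload that avoids fragmentation: {limit} bytes")
```

For the sample, the 1472-byte UDP payload grows to a 1536-byte datagram and is split into two IP fragments at a 1500-byte MTU, which is exactly the traffic pattern the Windows 2000 SP1/SP2 systems drop; keeping the application payload at or below the computed limit (1438 bytes for this transform set) keeps the ESP datagram in a single IP packet. The same functions can be run against the transform set and MTU of an actual deployment to decide whether an application's datagram sizes need adjusting before the SP3 update is in place.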