HP-UX IPSec version A.02.01 Administrator's Guide
Appendix C: Migrating from Previous Versions of HP-UX IPSec
Pre-Installation Migration Instructions
Before installing HP-UX IPSec version A.02.01, verify that your
installation meets the following conditions:
• MD5 version compatibility: If you are using MD5 transforms, all
HP-UX IPSec systems must be version A.01.04 or higher. For more
information, refer to “MD5 Version Compatibility” on page 251.
• Migrating from HP-UX IPSec versions prior to A.01.03 (such as
A.01.01 or A.01.02): You must follow the procedure listed in
“Migrating from Versions Prior to A.01.03” on page 252.
MD5 Version Compatibility
HP-UX IPSec versions A.01.04 and higher fix a defect in the HP-UX
IPSec MD5 algorithm. If a system running an earlier version of HP-UX
IPSec (A.01.03 or earlier) communicates with HP-UX IPSec version
A.01.04, A.01.05, A.01.06, or A.01.07 using a transform with MD5,
authentication will fail intermittently, and HP-UX IPSec will drop the
packet and report an error.
If you are currently using HP-UX IPSec with any of the following
transforms, you must simultaneously upgrade all your systems to
HP-UX IPSec version A.01.04 or higher.
• AH-MD5 transforms
• ESP transforms that are authenticated using MD5:
— ESP-DES-HMAC-MD5
— ESP-3DES-HMAC-MD5
— ESP-AES128-HMAC-MD5
• Nested AH and ESP transforms that use MD5
If MD5 authentication fails between HP-UX IPSec version A.01.04 or
higher and an earlier version of HP-UX IPSec, you will see entries
similar to the following in the HP-UX IPSec log file:
Msg: 31 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:12:30 2001
Event: Integrity Check Value failure - SPI: 1C97D8 IP addr: 15.13.136.52:15.13.136.171 proto: 51.
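The following Python script is an added example, not part of HP-UX IPSec or this guide. It parses entries in the layout shown above and counts Integrity Check Value failures per address pair and protocol, so you can see which peers to check for a version earlier than A.01.04. It assumes each entry is a Msg: header line followed by an Event: line that may be hard-wrapped; the function names and all sample values other than those of entry 31 are constructed.

```python
import re
from collections import Counter

# Constructed sample: entry 31 repeats the guide's values (hard-wrapped
# mid-address); the other addresses, SPI and placeholder event are made up.
SAMPLE_LOG = """\
Msg: 31 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:12:30 2001
Event: Integrity Check Value failure - SPI: 1C97D8 IP addr: 15.13.136.52:15.1
3.136.171 proto: 51.
Msg: 32 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:12:41 2001
Event: Integrity Check Value failure - SPI: 1C97D8 IP addr: 15.13.136.52:15.13.136.171 proto: 51.
Msg: 33 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:13:02 2001
Event: constructed placeholder for an unrelated event
Msg: 34 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:13:05 2001
Event: Integrity Check Value failure - SPI: 2A00F1 IP addr: 192.0.2.10:192.0.2.20 proto: 50.
"""

HEADER = re.compile(r"Msg:\s*(\d+)\s+From:\s*(\S+)\s+Lvl:\s*(\S+)\s+Date:\s*(.+)")
ICV = re.compile(r"Integrity Check Value failure - SPI:\s*([0-9A-Fa-f]+)\s*"
                 r"IP addr:\s*([\d.]+):([\d.]+)\s*proto:\s*(\d+)")
PROTO = {50: "ESP", 51: "AH"}  # IP protocol numbers

def icv_failures(text):
    """Return one dict per ICV-failure entry found in the log text."""
    entries, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Msg:"):
            current = [line]          # header line opens a new entry
            entries.append(current)
        elif current is not None and line:
            current.append(line)      # Event line or a wrapped continuation
    found = []
    for header, *body in entries:
        h = HEADER.match(header)
        m = ICV.search("".join(body))  # join with no separator to undo wraps
        if h and m:
            found.append({"msg": int(h.group(1)), "date": h.group(4),
                          "spi": m.group(1).upper(), "addrs": (m.group(2), m.group(3)),
                          "proto": PROTO.get(int(m.group(4)), m.group(4))})
    return found

def peers_to_check(failures):
    """Count failures per (address pair, protocol) so repeat pairs stand out."""
    return Counter((f["addrs"], f["proto"]) for f in failures)

if __name__ == "__main__":
    for (addrs, proto), n in peers_to_check(icv_failures(SAMPLE_LOG)).most_common():
        print(f"{n} ICV failure(s) {addrs[0]}:{addrs[1]} over {proto}")
```

The address pair is reported in the order the log prints it; the script does not assume which side is the sender.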