HP-UX IPSec version A.02.01 Administrator's Guide

HP-UX IPSec and HP-UX IPFilter
Using HP-UX IPSec with HP-UX IPFilter
HP-UX IPSec and HP-UX IPFilter can coexist on the same system. You
can configure HP-UX IPSec and HP-UX IPFilter so that there is some
overlap in the configurations. However, you must be sure the
overlapping configurations do not block each other.
HP-UX IPFilter is located below HP-UX IPSec in the networking stack.
HP-UX IPFilter processes inbound IP packets before HP-UX IPSec and
processes outbound packets after HP-UX IPSec.
IPsec Packets
To use HP-UX IPFilter and HP-UX IPSec together, you must configure
HP-UX IPFilter so it does not discard the following IPsec packets:
UDP port 500 (IKE)
IP protocol number 50 (ESP)
IP protocol number 51 (AH)
Upper Layer Information
If HP-UX IPSec secures a packet (the packet has an AH or ESP header),
HP-UX IPFilter cannot filter the packet based on upper-layer
information, such as TCP port numbers, connection state, or ICMP
message types. The only upper-layer protocol information that HP-UX
IPFilter processes for such a packet is the IP protocol number (50 or 51).
IPsec Tunnels and End to Gateway Topologies
IPFilter can coexist with IPsec tunnels. In topologies where a tunnel
endpoint is not an end-to-end endpoint (such as host-to-gateway
topologies and other gateway topologies), you must configure IPFilter to
allow IPsec traffic to and from the gateway instead of the end node. The
IPFilter rules for the UDP/500 and protocol 50/51 traffic must pass that
traffic to and from the gateway IP address rather than the end node IP address.
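The following ipf.conf fragment is an added example for the host-to-gateway case described above; it is not taken from the HP-UX guide. It assumes the interface name lan0 and the constructed gateway address 192.0.2.1, and it pairs a default block policy with pass rules addressed to the security gateway (the tunnel endpoint) rather than to the remote end node.

```conf
# Added example (not from the HP-UX guide): ipf.conf rules for an end node
# whose IPsec tunnel terminates on a security gateway.
# Assumed values (constructed):
#   lan0      - the end node's network interface
#   192.0.2.1 - the IPsec security gateway (tunnel endpoint)
#
# Default policy: drop and log everything that no later rule passes.
block in  log on lan0 all
block out log on lan0 all

# IKE (UDP port 500). The peer is the GATEWAY, not the remote end node,
# because the gateway negotiates the tunnel SAs on the end node's behalf.
pass in  quick on lan0 proto udp from 192.0.2.1 port = 500 to any port = 500
pass out quick on lan0 proto udp from any port = 500 to 192.0.2.1 port = 500

# ESP (IP protocol 50). IPFilter only sees the protocol number here; the
# TCP/UDP headers inside are protected by IPSec, so no port, state or
# ICMP-type rule could match them. Again the peer address is the gateway.
pass in  quick on lan0 proto 50 from 192.0.2.1 to any
pass out quick on lan0 proto 50 from any to 192.0.2.1

# AH (IP protocol 51), same reasoning as for ESP.
pass in  quick on lan0 proto 51 from 192.0.2.1 to any
pass out quick on lan0 proto 51 from any to 192.0.2.1
```

Writing the same rules against the remote end node's address instead of 192.0.2.1 is the configuration error the text warns about: IPFilter would then discard the IKE, ESP and AH packets that actually arrive from the gateway, and the tunnel would never come up.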