HP-UX IPSec version A.02.01 Administrator's Guide

HP-UX IPSec Overview
IPsec Protocol Suite
Chapter 148
ID information instead of the IKE peer's IP address extracted from
the IP packet header. Aggressive Mode is quicker and requires the
peers to exchange fewer packets (three messages instead of the six
used by Main Mode), but is less secure because the peers exchange
identity information in clear text. With pre-shared key
authentication the responder's authentication hash is also sent
before any encryption is in place, so a passive observer can attempt
an offline dictionary attack against the pre-shared key.
The IKE protocol specification requires Main Mode support;
Aggressive Mode support is optional. Aggressive Mode is required
when IKE is used with autoconfiguration clients and Mobile IPv6
clients because these clients do not have fixed IP addresses. In
Main Mode the identity payloads are sent only after the
Diffie-Hellman exchange, encrypted under keys that (with pre-shared
key authentication) depend on the pre-shared key, so the responder
can select the key and other IKE parameters only by the remote
address in the IP packet header. Aggressive Mode carries the
identity payload in the first message, which enables IKE to select
IKE parameters without using the remote address in the IP packet
header.
TIP Most IPsec implementations, including HP-UX IPSec, use Main
Mode by default.
The IKE Phase 1 negotiation is also referred to as a Main Mode
(MM) or an Aggressive Mode (AM) negotiation, depending on the
exchange type used.
2. IKE Phase 2 (Establish IPsec SAs)
Using the secure communication channel provided by the IKE SA,
IKE negotiates IPsec SAs. An IPsec SA is a security association
used to exchange IPsec ESP or AH packets. The IPsec SA operating
parameters include the IPsec protocol used (ESP or AH), the mode
(transport or tunnel), the cryptographic algorithms (such as AES and
SHA-1), the cryptographic keys, the SA lifetime, and the endpoints
(IP addresses, protocol and port numbers).
The IKE Phase 2 negotiation is also referred to as a Quick Mode
(QM) negotiation. IPsec SAs are unidirectional, so each Phase 2
negotiation establishes two IPsec SAs: one for inbound packets from
the remote endpoint and one for outbound packets to the remote
endpoint. Each SA of the pair has its own Security Parameter Index
(SPI) and its own keys.
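The Phase 1 and Phase 2 distinctions above are visible in the ISAKMP header of every IKE datagram on UDP port 500: the exchange type byte says whether a message belongs to a Main Mode, Aggressive Mode or Quick Mode exchange, and the encryption flag says whether the payloads that follow are protected by the IKE SA. The following is an added example, not code from the HP-UX IPSec product or this guide. It walks the ISAKMP header and payload chain of a datagram according to the field layouts in RFC 2408 and RFC 2409, classifies the exchange, and reports any identity payload a peer sent in clear text, which is exactly what an Aggressive Mode first message does and a Main Mode exchange never does. The sample messages at the bottom are constructed for the demonstration (cookies, nonces, key material and the stub SA proposal are placeholder bytes, not captured traffic).

```python
# Added example: parse the ISAKMP (IKEv1) header and payload chain of a UDP/500
# datagram, classify the exchange (Main Mode / Aggressive Mode / Quick Mode),
# and report any identity a peer sent in the clear. Field layouts follow
# RFC 2408 (ISAKMP) and RFC 2409 (IKE); the sample messages are constructed.
import struct

HDR = struct.Struct("!8s8sBBBBII")  # I-cookie, R-cookie, next, version, xchg, flags, msgid, length
FLAG_ENCRYPTION = 0x01              # set from Main Mode message 5 on and for every Quick Mode message

EXCHANGE_TYPES = {1: "Base", 2: "Main Mode", 4: "Aggressive Mode",
                  5: "Informational", 32: "Quick Mode", 33: "New Group Mode"}
PHASE_OF_EXCHANGE = {2: 1, 4: 1, 32: 2}
PAYLOAD_TYPES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 5: "IPV6_ADDR", 11: "KEY_ID"}


def decode_id(body):
    """ID payload body: id_type(1) protocol(1) port(2) identification data."""
    id_type, _proto, _port = struct.unpack_from("!BBH", body, 0)
    data = body[4:]
    if id_type == 1 and len(data) == 4:
        ident = ".".join(str(b) for b in data)
    elif id_type in (2, 3):
        ident = data.decode("ascii", "replace")
    else:
        ident = data.hex()
    return ID_TYPES.get(id_type, "type%d" % id_type), ident


def parse_isakmp(datagram):
    """Return the exchange classification plus any ID payloads sent in clear text."""
    if len(datagram) < HDR.size:
        raise ValueError("short ISAKMP header")
    _ic, _rc, next_pl, version, xchg, flags, _msgid, length = HDR.unpack_from(datagram)
    if version >> 4 != 1:
        raise ValueError("not IKEv1 (major version %d)" % (version >> 4))
    if length != len(datagram):
        raise ValueError("length field %d != datagram size %d" % (length, len(datagram)))
    info = {"exchange": EXCHANGE_TYPES.get(xchg, "unknown(%d)" % xchg),
            "phase": PHASE_OF_EXCHANGE.get(xchg),
            "encrypted": bool(flags & FLAG_ENCRYPTION),
            "payloads": [], "cleartext_ids": []}
    if info["encrypted"]:
        return info  # everything after the header is ciphertext under the IKE SA
    off, pl = HDR.size, next_pl
    while pl != 0:  # generic payload header: next(1) reserved(1) length(2)
        if off + 4 > len(datagram):
            raise ValueError("truncated payload header")
        nxt, _res, plen = struct.unpack_from("!BBH", datagram, off)
        if plen < 4 or off + plen > len(datagram):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = datagram[off + 4:off + plen]
        info["payloads"].append(PAYLOAD_TYPES.get(pl, "unknown(%d)" % pl))
        if pl == 5 and len(body) >= 4:
            info["cleartext_ids"].append(decode_id(body))
        off, pl = off + plen, nxt
    return info


def assess(datagram):
    """Flag Aggressive Mode messages that carry an unprotected identity."""
    info = parse_isakmp(datagram)
    if info["exchange"] == "Aggressive Mode" and info["cleartext_ids"]:
        info["finding"] = "Aggressive Mode: peer identity sent in clear text"
    return info


def build_message(xchg, flags, payloads, msgid=0):
    """Constructed test helper: ISAKMP header plus chained payloads (not real traffic)."""
    chain = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    hdr = HDR.pack(b"\x11" * 8, b"\x00" * 8, payloads[0][0], 0x10, xchg, flags,
                   msgid, HDR.size + len(chain))
    return hdr + chain


# Constructed samples. Aggressive Mode message 1 carries SA, KE, NONCE and ID unencrypted.
SA_BODY = struct.pack("!II", 1, 1) + b"\x00" * 8          # DOI, situation, stub proposal bytes
AM_MSG1 = build_message(4, 0, [(1, SA_BODY), (4, b"\xaa" * 16), (10, b"\xbb" * 8),
                               (5, struct.pack("!BBH", 2, 17, 500) + b"gw1.example.com")])
# Main Mode message 5 carries the same ID, but only after the encryption flag is set.
MM_MSG5 = build_message(2, FLAG_ENCRYPTION, [(5, b"\xcc" * 24)])
# Quick Mode (Phase 2) is always encrypted and uses a non-zero Message ID.
QM_MSG1 = build_message(32, FLAG_ENCRYPTION, [(8, b"\xdd" * 40)], msgid=0x1234)

if __name__ == "__main__":
    for name, msg in (("AM_MSG1", AM_MSG1), ("MM_MSG5", MM_MSG5), ("QM_MSG1", QM_MSG1)):
        print(name, assess(msg))
```

Run against a real capture, the same walker would be fed the UDP payload of each port 500 datagram; the two checks on the length field and on every payload length are what keep a malformed or truncated packet from being misread as a legitimate exchange.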