Manualshelf

HP-UX IPSec version A.02.01 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
51525354555657585960
HP-UX IPSec Overview
IPsec Protocol Suite
Chapter 1 51
IKE Preshared Key Authentication With preshared key
authentication, you must manually configure the same, shared on both
systems—a preshared key.
The two parties establish a shared key (the preshared key) prior to the
Diffie-Hellman exchange using an out-of-band key exchange, or a key
exchange that does not use normal computer communication channels,
such as a face-to-face meeting or telephone call where the two parties
agree on a key. The preshared key is used only for the primary
authentication. The two negotiating entities then generate dynamic
shared keys for the IKE SAs and IPsec SAs.
Preshared keys do not require a Certificate Authority or Public Key
Infrastructure.
IKE Digital Signature Authentication Digital signatures are based
on security certificates, and are managed using a Public Key
Infrastructure (PKI). To use certificates with HP-UX IPSec the PKI
must support the following certificate file formats and access methods:
Certificate Requests: The CA must support Certificate Signing
Requests (CSRs) in Public Key Cryptography Standards (PKCS)
Certification Request Syntax #10 format (commonly referred to as
PKCS#10) and encoded using Privacy-Enhanced Mail (PEM) base64
encoding. This CSR format is typically used for “copy and paste”
certificate requests.
Certificates: The CA must provide X.509 Version 3 certificates
encoded using base64 encoding (sometimes referred to as base64
PEM format).
Certificate Revocation Lists: The CA must provide X.509 Version 1 or
X.509 Version 2 Certificate Revocation Lists formatted using
Distinguished Encoding Rules (DER).
For more information on using certificate-based authentication for IKE,
see Chapter 5, “Using Certificates with HP-UX IPSec,” on page 151.
Re-using Negotiations
For efficiency, you can specify that IKE can re-use an IKE Phase One SA
to negotiate multiple IKE Phase Two (IPsec/QM) negotiations.
Conversely, you can specify that each Phase One SA can be used for only
one Phase Two negotiation. The IKE daemon will create a new IKE SA
for each IPsec SA negotiation. This can provide a feature known as