HP-UX IPSec Version A.03.00 Administrator's Guide

Product Restrictions
HP-UX IPSec product restrictions are described below:
HP-UX IPSec systems cannot act as IP or IPsec gateways.
The action for the host policy in an end-to-end tunnel topology must be PASS.
HP-UX IPSec does not support security for broadcast addresses, including network broadcast,
subnet broadcast, multicast, and anycast addresses.
You cannot selectively encrypt or authenticate services that use dynamic ports, such as NFS
(Network File System) mountd, NFS lockd, and NIS (Network Information Service), because a
policy cannot name a port that is assigned at run time.
NOTE: On HP-UX 11.31 systems and HP-UX 11i v2 systems with NFS patch PHNE_34550
(or a patch that supersedes it), you can configure the auxiliary NFS daemons (lockd, mountd,
and statd) to use fixed port numbers, after which policies can match them. Refer to the NFS
product documentation for more information.
If an HP-UX IPSec system crashes and the system had previously established IKE SA(s) with
peer IPsec system(s), the peer IPsec system(s) will not be able to use any existing IKE and
IPsec SAs to initiate communication with the rebooted IPsec system, because the rebooted
system no longer holds those SAs.
When the peer IPsec system tries to use a previously established SA with the rebooted
system, the IKE daemon on the rebooted system initiates a new IKE SA negotiation with
the peer system to replace the previous SA. The IKE daemon also sends an INITIAL
CONTACT message to the peer to notify the peer that this is the first SA being established
with the rebooted system. The peer typically interprets this message as an indication
that the remote system has rebooted and deletes any IKE SAs (and the IPsec SAs under
them) that it previously established with the remote system. Traffic the peer sent on the
stale SAs before the replacement was negotiated is lost and must be retried by the application.
HP-UX IPSec does not support the named SPD entry feature specified in RFC 4301.
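The reboot case above, modelled as an added example (this is not HP-UX IPSec code; the peer, SA-table and notification names are a toy abstraction for illustration). Two peers share an IKE SA and one IPsec SA; one side crashes and loses its state, the other side keeps using the old SA, and the rebooted side answers with a fresh negotiation carrying an INITIAL CONTACT notification that makes the peer purge everything else it still holds for that address:

```python
"""Toy model of IKE SA recovery after one peer crashes and reboots.

Added example, not HP-UX IPSec code. SPIs, the SA table layout and the
notification handling are assumptions used to illustrate the sequence
described in the text.
"""
from dataclasses import dataclass, field
import itertools

_spi = itertools.count(0x1000)          # constructed SPI allocator


@dataclass
class IkeSa:
    remote: str
    spi: int
    children: list                       # SPIs of IPsec SAs created under this IKE SA


@dataclass
class Peer:
    addr: str
    sas: dict = field(default_factory=dict)   # IKE SPI -> IkeSa
    log: list = field(default_factory=list)

    def sas_with(self, addr):
        return [sa for sa in self.sas.values() if sa.remote == addr]

    def negotiate(self, other):
        """One IKE exchange: both sides install the IKE SA and one IPsec SA."""
        spi, child = next(_spi), next(_spi)
        self.sas[spi] = IkeSa(other.addr, spi, [child])
        other.sas[spi] = IkeSa(self.addr, spi, [child])
        return spi, child

    def crash_and_reboot(self):
        """Kernel and IKE daemon state is gone; the peer's copy is not."""
        self.sas.clear()
        self.log.append("rebooted: all IKE and IPsec SAs lost")

    def has_child(self, child):
        return any(child in sa.children for sa in self.sas.values())

    def send(self, other, child):
        """Send on IPsec SA `child`; returns the IPsec SPI the peer ended up using."""
        if not self.has_child(child):
            raise LookupError(f"{self.addr} has no IPsec SA {child:#x}")
        return other.receive(self, child)

    def receive(self, sender, child):
        if self.has_child(child):
            return child                  # normal path: SA known on both sides
        # Unknown SPI after a reboot: negotiate a replacement IKE SA and tell
        # the sender this is our first contact since coming up.
        self.log.append(f"unknown IPsec SPI {child:#x} from {sender.addr}; renegotiating")
        spi, new_child = self.negotiate(sender)
        sender.on_initial_contact(self.addr, keep=spi)
        self.log.append(f"sent INITIAL_CONTACT to {sender.addr}")
        return new_child

    def on_initial_contact(self, remote, keep):
        """Peer reports its first SA since rebooting: drop every other SA with it."""
        for sa in self.sas_with(remote):
            if sa.spi != keep:
                del self.sas[sa.spi]
                self.log.append(f"deleted stale IKE SA {sa.spi:#x} and its IPsec SAs")


def scenario():
    """Host A crashes; host B tries the old SA first. Returns what each side holds."""
    a, b = Peer("10.0.0.1"), Peer("10.0.0.2")      # constructed addresses
    _, child_old = a.negotiate(b)
    a.crash_and_reboot()
    used = b.send(a, child_old)                     # B still believes the old SA works
    return {
        "old_child": child_old, "used_child": used,
        "a_ike_spis": sorted(a.sas), "b_ike_spis": sorted(b.sas),
        "a_log": a.log, "b_log": b.log,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The model deliberately makes the packet on the stale SA the trigger for renegotiation: in the real product the datagram that arrives with an unknown SPI is dropped, so the peer's application sees a failed attempt and has to retry once the replacement SA is in place.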
IKE Limitations
IKE limitations and constraints are described below:
For IKE exchanges, a single transaction request times out after 31 seconds (five
retransmissions using an exponential timer starting at one second: 1 + 2 + 4 + 8 + 16 seconds),
which terminates the negotiation.
Timeouts usually occur during heavy network traffic congestion. It is the responsibility of
the application to retry the connection after a connection establishment failure.
IKE ignores port numbers for the end-to-end source or destination descriptors in tunnel
policies. The IKE daemon sends port number 0 (match any) for traffic selectors (IKEv2) or
client IDs (IKEv1).
HP-UX IPSec does not support the use of ID_DER_ASN1_GN (ASN.1 X.500 GeneralName)
for IKE IDs.
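A pre-flight check over candidate policies for three of the restrictions on this page (no broadcast or multicast destinations, no dynamic-port RPC services, and ports being ignored in tunnel policies). This is an added example and not part of HP-UX IPSec; the policy dictionary layout, the `fixed_ports` flag and the sample policies are constructed for illustration. Anycast cannot be recognised from an address alone, so the check does not attempt it.

```python
"""Check proposed IPsec policies against the HP-UX IPSec restrictions above.

Added example, not product code. Policy tuples, the `fixed_ports` flag and
the sample data are assumptions used for illustration.
"""
import ipaddress

MULTICAST_OR_BROADCAST = "IPsec cannot protect broadcast, multicast or anycast traffic"
DYNAMIC_PORT = "service uses dynamic RPC ports; pin it to fixed ports first"
TUNNEL_PORTS_IGNORED = "ports in a tunnel policy are ignored (IKE sends port 0 = any)"

# Services the text calls out as dynamic-port RPC services.
DYNAMIC_RPC_SERVICES = {"mountd", "lockd", "statd", "nis"}


def check_policy(policy, local_nets=()):
    """policy: dict with src, dst (address or CIDR), kind ('host' or 'tunnel'),
    optional sport/dport and service name. Returns a list of (field, problem)."""
    findings = []
    for side in ("src", "dst"):
        net = ipaddress.ip_network(policy[side], strict=False)
        addr = net.network_address
        if net.is_multicast or addr == ipaddress.ip_address("255.255.255.255"):
            findings.append((side, MULTICAST_OR_BROADCAST))
            continue
        # Directed (subnet) broadcast is only detectable relative to a known subnet.
        for local in map(lambda n: ipaddress.ip_network(n, strict=False), local_nets):
            if (local.version == net.version == 4 and net.num_addresses == 1
                    and addr == local.broadcast_address):
                findings.append((side, MULTICAST_OR_BROADCAST))
                break
    svc = (policy.get("service") or "").lower()
    if svc in DYNAMIC_RPC_SERVICES and not policy.get("fixed_ports"):
        findings.append(("service", DYNAMIC_PORT))
    if policy.get("kind") == "tunnel" and (policy.get("sport") or policy.get("dport")):
        findings.append(("ports", TUNNEL_PORTS_IGNORED))
    return findings


# Constructed sample policies for a host on 10.1.2.0/24.
SAMPLE_POLICIES = [
    {"name": "nfs-to-fileserver", "kind": "host", "src": "10.1.2.10",
     "dst": "10.1.2.20", "dport": 2049, "service": "nfs"},
    {"name": "mountd-to-fileserver", "kind": "host", "src": "10.1.2.10",
     "dst": "10.1.2.20", "service": "mountd"},
    {"name": "subnet-bcast", "kind": "host", "src": "10.1.2.10", "dst": "10.1.2.255"},
    {"name": "mdns", "kind": "host", "src": "10.1.2.10", "dst": "224.0.0.251", "dport": 5353},
    {"name": "tunnel-with-ports", "kind": "tunnel", "src": "10.1.2.10",
     "dst": "10.1.3.5", "dport": 22},
]


def check_all(policies, local_nets=("10.1.2.0/24",)):
    return {p["name"]: check_policy(p, local_nets) for p in policies}


if __name__ == "__main__":
    for name, problems in check_all(SAMPLE_POLICIES).items():
        print(name, "OK" if not problems else problems)
```

Set `fixed_ports` on a lockd, mountd or statd policy only after the daemons have actually been pinned (see the NOTE on PHNE_34550 above); the check trusts that flag rather than probing the RPC portmapper.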