HP-UX IPSec Version A.03.00 Administrator's Guide
ESP-AES128-HMAC-MD5
ESP using Advanced Encryption Standard encryption with a 128-bit key (AES128) and
HMAC-MD5 to generate an ICV.
ESP-AES128-HMAC-SHA1
Authenticated ESP using AES128 encryption and HMAC-SHA1 to generate an ICV.
ESP-NULL-HMAC-MD5
ESP header and trailer, but nothing is encrypted. ESP generates an ICV using HMAC-MD5.
ESP-NULL-HMAC-SHA1
ESP header and trailer, but nothing is encrypted. ESP generates an ICV using HMAC-SHA1.
Transform Lifetimes
The configured transform lifetimes are the preferred lifetimes. The actual lifetimes used depend
on the IKE version and on the lifetime values configured on the remote system.
If HP-UX IPSec is the responder in an IKEv1 negotiation and the peer sends a proposed value
that is longer than (less secure than) the HP-UX preferred value, HP-UX sends an IKE NOTIFY
message with its preferred value, and this value is used for the SA. If the remote system initiates
IKE SA negotiations and sends a proposed lifetime that is the same as, or shorter (more secure)
than, the HP-UX preferred value, the HP-UX IKE daemon accepts the proposed value sent by the
remote system if it is within the range specified by the IPsec protocol suite.
For IKEv2, lifetime values are not negotiated. If an IKE entity detects an expired SA, it sends a
re-keying message to the peer when needed.