HP-UX IPSec Version A.03.00 Administrator's Guide

HP-UX IPSec Operation
To troubleshoot HP-UX IPSec, it is useful to understand a few key points about its operation.
This section contains high-level descriptions of the message flow HP-UX IPSec uses when
establishing Security Associations (SAs) and how HP-UX IPSec processes packets.
HP-UX IPSec Message Flow for Establishing SAs
Before HP-UX IPSec can authenticate or encrypt an IP packet using an IPsec transformation—an
Authentication Header (AH) or Encapsulating Security Payload (ESP)—it must establish SAs
with the remote system. You can think of the SAs as security sessions, where the two systems
agree on the type of authentication and encryption, the encryption keys and other parameters.
There are two types of SAs:
IKE SAs
The purpose of the IKE SA is to provide a “master” encrypted and authenticated security
channel that the systems can use to safely exchange address and ID information when
negotiating IPsec SAs.
The messages used to negotiate an IKE SA are referred to as a phase I negotiation.
IPsec SAs or Child SAs
An IPsec SA is a security association used to exchange IPsec ESP or AH packets. The IPsec
SA operating parameters include the IPsec protocol used (ESP or AH), the mode (transport
or tunnel), the cryptographic algorithms (such as AES and SHA-1), the cryptographic keys,
the SA lifetime, and the endpoints (IP addresses, protocol and port numbers).
IPsec SAs are also referred to as child SAs because they are negotiated from IKE SAs.
An IPsec SA is unidirectional, so IPsec SAs are negotiated in pairs: one SA for inbound
packets from the remote endpoint and one SA for outbound packets to the remote endpoint.
Each IPsec SA is identified by an integer referred to as the Security Parameters Index (SPI).
The messages used to negotiate an IPsec SA pair are referred to as a phase II negotiation.
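The following Python model, added here as an illustration and not taken from HP-UX IPSec, puts the points above into a runnable form: an IPsec SA carries the protocol, mode, algorithms, keys, lifetime and endpoint selectors; SAs are unidirectional and come in inbound/outbound pairs; each is identified by an SPI. It also shows one detail the text does not spell out, namely that a receiver locates an SA by the SPI on the incoming packet while a sender picks an SA by matching the packet against the SA's traffic selectors, and that each peer chooses the SPI of its own inbound SA (standard IKE behaviour). The Selector, IpsecSA, SAD and negotiate_pair names, the addresses, ports and SPI values are all constructed assumptions.

```python
"""Minimal model of an IPsec Security Association Database (SAD).

Illustrative example only, not HP-UX IPSec code. All names, field layouts,
addresses, SPIs and sample packets below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets
import time


@dataclass(frozen=True)
class Selector:
    """Traffic selector: which packets an SA covers (IPs, protocol, ports)."""
    src_ip: str
    dst_ip: str
    proto: int                      # IP protocol number, e.g. 6 = TCP
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (pkt["src_ip"] == self.src_ip and pkt["dst_ip"] == self.dst_ip
                and pkt["proto"] == self.proto
                and (self.src_port is None or pkt["src_port"] == self.src_port)
                and (self.dst_port is None or pkt["dst_port"] == self.dst_port))


@dataclass
class IpsecSA:
    spi: int                  # Security Parameters Index identifying this SA
    direction: str            # "in" or "out": an SA is unidirectional
    ipsec_proto: str          # "ESP" or "AH"
    mode: str                 # "transport" or "tunnel"
    enc_alg: Optional[str]    # e.g. "AES-128-CBC"; None for AH (no encryption)
    auth_alg: str             # e.g. "HMAC-SHA1"
    key: bytes
    selector: Selector
    lifetime_s: int
    created: float = field(default_factory=time.time)

    def expired(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now - self.created >= self.lifetime_s


class SAD:
    def __init__(self):
        # Receiver side: the SPI (plus destination and protocol) on the packet
        # identifies the inbound SA directly.
        self.inbound = {}
        # Sender side: the outbound SA is found by matching traffic selectors.
        self.outbound = []

    def add(self, sa: IpsecSA) -> None:
        if sa.direction == "in":
            self.inbound[(sa.spi, sa.selector.dst_ip, sa.ipsec_proto)] = sa
        else:
            self.outbound.append(sa)

    def lookup_inbound(self, spi, dst_ip, ipsec_proto, now=None):
        sa = self.inbound.get((spi, dst_ip, ipsec_proto))
        if sa is None or sa.expired(now):
            return None  # unknown SPI or expired SA: the packet must be dropped
        return sa

    def lookup_outbound(self, pkt, now=None):
        for sa in self.outbound:
            if sa.selector.matches(pkt) and not sa.expired(now):
                return sa
        return None  # no SA covers this traffic; a new phase II negotiation is needed


def negotiate_pair(local_ip, remote_ip, proto, port, local_spi, remote_spi, now):
    """Build the two unidirectional SAs that one phase II negotiation yields.

    Each peer picks the SPI it will receive on, so our inbound SA carries the
    SPI we chose (local_spi) and our outbound SA carries the peer's (remote_spi).
    """
    common = dict(ipsec_proto="ESP", mode="transport", enc_alg="AES-128-CBC",
                  auth_alg="HMAC-SHA1", lifetime_s=3600, created=now)
    inbound = IpsecSA(spi=local_spi, direction="in", key=secrets.token_bytes(16),
                      selector=Selector(remote_ip, local_ip, proto, None, port), **common)
    outbound = IpsecSA(spi=remote_spi, direction="out", key=secrets.token_bytes(16),
                       selector=Selector(local_ip, remote_ip, proto, None, port), **common)
    return inbound, outbound


def demo(now: float = 1_000_000.0) -> dict:
    """Exercise the SAD with constructed packets; returns the lookup outcomes."""
    sad = SAD()
    sa_in, sa_out = negotiate_pair("192.0.2.10", "198.51.100.20", 6, 23,
                                   local_spi=0x1001, remote_spi=0x2002, now=now)
    sad.add(sa_in)
    sad.add(sa_out)
    telnet = {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.20",
              "proto": 6, "src_port": 40000, "dst_port": 23}
    http = dict(telnet, dst_port=80)
    return {
        "out_spi": sad.lookup_outbound(telnet, now).spi,                        # peer's SPI
        "in_ok": sad.lookup_inbound(0x1001, "192.0.2.10", "ESP", now) is not None,
        "in_wrong_spi": sad.lookup_inbound(0x2002, "192.0.2.10", "ESP", now) is None,
        "other_traffic": sad.lookup_outbound(http, now) is None,
        "after_expiry": sad.lookup_inbound(0x1001, "192.0.2.10", "ESP", now + 3600) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two lookup paths are the practical reason the text stresses that SAs are unidirectional: an inbound packet never needs a selector search, because its SPI is the key, whereas an outbound packet has no SPI yet and must be matched against selectors to find which SA (and therefore which SPI and key) to apply.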
The messages used to establish SAs differ according to the IKE protocol version. The following
sections provide a high-level description of the messages HP-UX IPSec uses, including the main
fields determined by the product configuration. For full descriptions of the messages, refer to
the appropriate RFCs listed in “IPsec RFCs” (page 165).
IKE Roles
In IKE negotiations, the IKE entity or daemon that initiates the negotiation is referred to as the
initiator. The IKE entity that responds to the negotiation request is referred to as the responder.
An IKE entity can have one role in an IKE SA negotiation and a different role in an IPsec SA
negotiation. For example, after an IKE entity is the responder in an IKE SA negotiation, that
entity can use the IKE SA to initiate negotiations for an IPsec SA pair.
IKEv1 IKE SAs
For IKEv1, the peers establish an IKE SA (phase I negotiation) using either a Main Mode (MM)
exchange or an Aggressive Mode (AM) exchange. After the IKE SA is established, the IKE peers
use the IKE SA for a phase II negotiation with a Quick Mode (QM) exchange that establishes an
IPsec SA pair.
HP-UX IPSec Operation 169