Manualshelf

HP-UX IPSec Version A.03.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
161162163164165166167168169170
IKEv1 Main Mode
In a MM exchange, the IKE entities use six messages to establish the IKE SA:
Figure A-1 IKEv1 Main Mode
Message 1: Initiator sends IKE SA proposals
The node initiating the IKE exchange (the IKE initiator) sends IKE SA proposals, which
contain IKE SA parameters including authentication and encryption algorithms, Oakley
(Diffie-Hellman) group number, and lifetimes.
Message 2: Responder sends accepted IKE SA proposal
In message 2, the peer node (the IKE responder) sends the IKE SA proposal it accepts.
Message 3 : Initiator sends its Diffie-Hellman public value
The initiator sends its Diffie-Hellman public value.
If the IKE authentication method is RSA signatures, the initiator includes a request for the
responder's certificate.
Message 4: Responder sends its Diffie-Hellman public value
The responder sends its Diffie-Hellman public value. The initiator and responder each
generate the same, shared secret value that they use to generate encryption and authentication
keys. The keys are used for the IKE SA and for the IPsec SAs. Subsequent IKE messages in
the exchange are secure (encrypted). However, the IKE IDs are not authenticated until
Messages 5 and 6 in the exchange.
If the IKE authentication method is RSA signatures, the responder includes a request for
the peer's certificate.
Message 5: Initiator sends IKE ID and authentication data
In messages 5 and 6, each system authenticates the other system's identity, using preshared
keys or security certificates (RSA signatures). The systems also send and verify IKE ID types
and ID values (HP-UX IPSec uses IP addresses as ID values by default).
The initiator sends its ID type and value and authentication data to the responder.
The authentication data depends on the IKE authentication method. If the authentication
method is RSA signatures, the initiator sends a digital signature calculated using its private
key (the initiator also sends its certificate). If the authentication method is preshared keys,
the responder sends a hash value calculated using the preshared key.
Messages 6: Responder sends IKE ID and authentication data
The responder sends its ID type and value and authentication data to the initiator. If the
IKE authentication method is RSA signatures, the responder also sends its certificate.
170 Product Specifications