HP-UX IPSec Version A.03.00 Administrator's Guide
IKEv1 Aggressive Mode
In an Aggressive Mode (AM) exchange, the IKE entities use three messages to establish the IKE
SA:
Figure A-2 IKEv1 Aggressive Mode
• Message 1: Initiator sends IKE SA proposals, Diffie-Hellman public value, nonce, and
IKE ID
The initiator sends its IKE SA proposals, Diffie-Hellman public value, nonce, and IKE ID, all in
cleartext. If the IKE authentication method is RSA signatures, the initiator can also include a
request for the remote system's certificate. The initiator cannot send authentication data yet:
the hash value calculated using the preshared key, or the digital signature calculated using its
certificate private key, covers the responder's Diffie-Hellman public value and nonce, which the
initiator has not received. The initiator's authentication data, and its own certificate when RSA
signatures are used, are carried in message 3.
• Message 2: Responder sends accepted IKE SA proposal, Diffie-Hellman public value,
nonce, IKE ID, and authentication data
The responder sends its selected IKE SA proposal, Diffie-Hellman public value, nonce, IKE ID, and
authentication data (a hash value calculated using the preshared key or a digital signature
calculated using its certificate private key). If the IKE authentication method is RSA signatures,
the responder also sends its certificate. This message cannot be encrypted: it carries the
responder's Diffie-Hellman public value, so the initiator does not have the Diffie-Hellman shared
secret until the message arrives. The IKE IDs of both systems and the responder's authentication
data therefore cross the network in cleartext. With preshared key authentication this is the
known weakness of Aggressive Mode: anyone who records messages 1 and 2 can test candidate
preshared keys against the responder's hash offline. Main Mode does not expose the IDs or the
hash this way.
• Message 3: Initiator sends authentication data, secured with the Diffie-Hellman shared secret
The initiator verifies the responder's authentication data and then sends its own: a hash value
calculated using the preshared key or a digital signature calculated using its certificate private
key, together with its certificate if RSA signatures are used. Both Diffie-Hellman public values
have now been exchanged, so portions of this message are encrypted using a key derived from the
Diffie-Hellman shared secret.
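The three-message exchange above, worked through in Python as an added example (this is not HP-UX IPSec code). Message contents and the SKEYID, HASH_I, HASH_R and SKEYID_e formulas follow RFC 2409 for preshared key authentication; the Diffie-Hellman group, the SA payload body and the cipher used for message 3 are constructed stand-ins so the exchange runs offline. The last function shows why the cleartext HASH_R in message 2 matters: an eavesdropper holding only messages 1 and 2 can check preshared key guesses without contacting either peer.

```python
"""IKEv1 Aggressive Mode with preshared-key authentication, modelled end to end.
Added example following RFC 2409; DH group, SA body and cipher are constructed stand-ins."""
import hashlib
import hmac
import os

# Constructed toy Diffie-Hellman group (a Mersenne prime); NOT an IKE MODP group.
P = 2**127 - 1
G = 2
NBYTES = (P.bit_length() + 7) // 8

def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC with the negotiated hash (HMAC-SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    x = int.from_bytes(os.urandom(16), "big") % (P - 3) + 2
    return x, pow(G, x, P).to_bytes(NBYTES, "big")

def dh_shared(x: int, peer_pub: bytes) -> bytes:
    return pow(int.from_bytes(peer_pub, "big"), x, P).to_bytes(NBYTES, "big")

def skeyid_psk(psk, ni, nr):
    return prf(psk, ni + nr)                       # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)

def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def skeyid_e(skeyid, gxy, cky_i, cky_r):
    """SKEYID_d -> SKEYID_a -> SKEYID_e chain; only SKEYID_e is used here."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    return prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated cipher: XOR with a prf keystream (symmetric)."""
    return bytes(a ^ b for a, b in zip(data, prf(key, b"keystream")))

def aggressive_mode(psk_initiator, psk_responder, idii, idir):
    """Run the three messages; return each side's verdict and what a sniffer saw."""
    sai_b = b"SA:3DES-CBC/SHA1/PSK/toy-group"     # constructed SA proposal body
    cky_i, cky_r = os.urandom(8), os.urandom(8)    # ISAKMP cookies from the HDR
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = os.urandom(16), os.urandom(16)

    # Message 1, cleartext: HDR, SA, KE, Ni, IDii. No authentication data is possible yet.
    msg1 = dict(cky_i=cky_i, sa=sai_b, ke=gxi, nonce=ni, id=idii)

    # Message 2, cleartext: HDR, SA, KE, Nr, IDir, HASH_R. The responder already holds
    # everything HASH_R covers; the initiator has no shared secret to decrypt with yet.
    sk_r = skeyid_psk(psk_responder, msg1["nonce"], nr)
    msg2 = dict(cky_r=cky_r, sa=sai_b, ke=gxr, nonce=nr, id=idir,
                hash_r=hash_r(sk_r, gxr, msg1["ke"], cky_r, msg1["cky_i"], sai_b, idir))

    # Initiator: derive SKEYID, check HASH_R, then compute the DH secret and HASH_I.
    sk_i = skeyid_psk(psk_initiator, ni, msg2["nonce"])
    initiator_ok = hmac.compare_digest(
        msg2["hash_r"], hash_r(sk_i, msg2["ke"], gxi, msg2["cky_r"], cky_i, sai_b, msg2["id"]))
    gxy_i = dh_shared(xi, msg2["ke"])
    # Message 3, HDR*: HASH_I encrypted under SKEYID_e, i.e. under the DH shared secret.
    msg3 = toy_encrypt(skeyid_e(sk_i, gxy_i, cky_i, cky_r),
                       hash_i(sk_i, gxi, msg2["ke"], cky_i, cky_r, sai_b, idii))

    # Responder: decrypt with its own SKEYID_e and compare against its own HASH_I.
    gxy_r = dh_shared(xr, msg1["ke"])
    got = toy_encrypt(skeyid_e(sk_r, gxy_r, cky_i, cky_r), msg3)
    responder_ok = hmac.compare_digest(
        got, hash_i(sk_r, msg1["ke"], gxr, cky_i, cky_r, sai_b, msg1["id"]))
    return {"initiator_ok": initiator_ok, "responder_ok": responder_ok,
            "sniffed": (msg1, msg2)}               # only message 3 was protected

def offline_psk_guess(sniffed, candidates):
    """An eavesdropper with messages 1 and 2 recomputes HASH_R per candidate key."""
    m1, m2 = sniffed
    for guess in candidates:
        sk = skeyid_psk(guess, m1["nonce"], m2["nonce"])
        h = hash_r(sk, m2["ke"], m1["ke"], m2["cky_r"], m1["cky_i"], m1["sa"], m2["id"])
        if hmac.compare_digest(h, m2["hash_r"]):
            return guess
    return None
```

Running `aggressive_mode(b"s3cret", b"s3cret", b"host-a", b"host-b")` authenticates both sides; with different preshared keys both checks fail, and message 3 never decrypts to a valid HASH_I. Feeding the returned `sniffed` pair to `offline_psk_guess` with a word list that contains the key recovers it from the cleartext portion alone.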
IPsec SAs Negotiated Using IKEv1 Quick Mode
After an IKEv1 SA is established, the two systems have a secure channel for negotiating IPsec
SAs. The IPsec SAs determine the HP-UX IPSec transformation(s) used (ESP and/or AH), the
encryption and authentication keys for ESP and AH, and other parameters. IPsec SAs are negotiated in pairs: an outbound
SA for packets from the local system to the remote system and an inbound SA for packets from
the remote system to the local system.
The IKE SA can be used to negotiate multiple pairs of IPsec SAs until the IKE lifetime expires.
Three messages are required to establish an IPsec SA pair in an IKEv1 Quick Mode exchange:
Figure A-3 IKEv1 Quick Mode
• Message 1: Initiator sends IPsec SA proposals, SPI, nonce, and traffic IDs
In message 1, the initiator sends IPsec SA proposals, the SPI, a nonce, and traffic selectors (client
IDs). The message is protected by the IKE SA, so the responder can check that it came from the
authenticated peer. The IPsec SA proposals include the transformation(s) used (ESP and/or AH).
The SPI identifies the initiator's inbound IPsec SA (for packets to the initiator from the
responder); the responder chooses the SPI for the SA in the other direction.
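The Quick Mode negotiation of one IPsec SA pair, worked through in Python as an added example (not HP-UX IPSec code). It carries the exchange through all three messages as RFC 2409 section 5.5 defines them (HASH(1), HASH(2), HASH(3), and the KEYMAT expansion without PFS), which goes further than the text above. SKEYID_d and SKEYID_a, the proposal body, the traffic selectors and the 44-byte key length (24 bytes of 3DES key plus 20 bytes of HMAC-SHA1 key) are constructed stand-ins for what Phase 1 and the policy database would supply. The point to see is that each side chooses the SPI for its own inbound SA, and that the SPI is an input to the key derivation, so the two SAs of the pair get different keys from the same nonces.

```python
"""IKEv1 Quick Mode: one IPsec SA pair with per-direction SPIs and per-SPI keying.
Added example following RFC 2409 section 5.5; Phase 1 values and policy are constructed."""
import hashlib
import hmac
import os

ESP = b"\x03"   # IPsec protocol ID fed into KEYMAT derivation (AH would be 0x02)

def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, proto, spi, ni, nr, length):
    """KEYMAT = K1 | K2 | ...  with  K1 = prf(SKEYID_d, proto | SPI | Ni_b | Nr_b)
    and  Kn = prf(SKEYID_d, K(n-1) | proto | SPI | Ni_b | Nr_b).  Because the SPI is an
    input, the two SAs of a pair get different keys although the nonces are shared."""
    out, k = b"", b""
    while len(out) < length:
        k = prf(skeyid_d, k + proto + spi + ni + nr)
        out += k
    return out[:length]

def sa_pair(skeyid_d, my_inbound_spi, peer_inbound_spi, ni, nr, key_len):
    """Each side keys both directions from the same inputs; the SPI selects which SA."""
    return {"inbound": {"spi": my_inbound_spi,
                        "keymat": keymat(skeyid_d, ESP, my_inbound_spi, ni, nr, key_len)},
            "outbound": {"spi": peer_inbound_spi,
                         "keymat": keymat(skeyid_d, ESP, peer_inbound_spi, ni, nr, key_len)}}

def quick_mode(skeyid_d, skeyid_a, idci, idcr, key_len=44):
    """Three messages, each carrying a hash keyed with SKEYID_a (on the wire they are
    also encrypted under the IKE SA). Returns (initiator SA pair, responder SA pair)."""
    mid = os.urandom(4)                             # Message ID shared by the exchange
    sa_prop = b"ESP/3DES-CBC/HMAC-SHA1/tunnel"     # constructed proposal body

    # Message 1: HASH(1), SA (carrying the SPI of the INITIATOR'S INBOUND SA), Ni, IDci, IDcr
    spi_i, ni = os.urandom(4), os.urandom(16)
    sa_i = sa_prop + spi_i
    msg1 = dict(h=prf(skeyid_a, mid + sa_i + ni + idci + idcr),
                sa=sa_i, spi=spi_i, nonce=ni, idci=idci, idcr=idcr)

    # Responder checks HASH(1), chooses the SPI for ITS inbound SA, answers with HASH(2)
    expect1 = prf(skeyid_a, mid + msg1["sa"] + msg1["nonce"] + msg1["idci"] + msg1["idcr"])
    if not hmac.compare_digest(msg1["h"], expect1):
        raise ValueError("HASH(1) mismatch: message 1 is not from the IKE peer")
    spi_r, nr = os.urandom(4), os.urandom(16)
    sa_r = sa_prop + spi_r
    msg2 = dict(h=prf(skeyid_a, mid + msg1["nonce"] + sa_r + nr + idci + idcr),
                sa=sa_r, spi=spi_r, nonce=nr, idci=idci, idcr=idcr)

    # Initiator checks HASH(2), then sends HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
    expect2 = prf(skeyid_a, mid + ni + msg2["sa"] + msg2["nonce"] + idci + idcr)
    if not hmac.compare_digest(msg2["h"], expect2):
        raise ValueError("HASH(2) mismatch")
    msg3 = prf(skeyid_a, b"\x00" + mid + ni + msg2["nonce"])
    initiator = sa_pair(skeyid_d, spi_i, msg2["spi"], ni, msg2["nonce"], key_len)

    # Responder checks HASH(3) (proof the initiator is live) and installs its view of the pair
    if not hmac.compare_digest(msg3, prf(skeyid_a, b"\x00" + mid + msg1["nonce"] + nr)):
        raise ValueError("HASH(3) mismatch")
    responder = sa_pair(skeyid_d, spi_r, msg1["spi"], msg1["nonce"], nr, key_len)
    return initiator, responder
```

Calling `quick_mode(skeyid_d, skeyid_a, b"10.0.1.0/24", b"10.0.2.0/24")` with the two constructed Phase 1 keys returns the two views of the pair; the initiator's outbound SA is the responder's inbound SA (same SPI, same KEYMAT) and vice versa, while the two directions never share a key. The same IKE SA can run this exchange again with a fresh Message ID for further pairs, as the text notes.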
HP-UX IPSec Operation 171