HP-UX IPSec Version A.03.00 Administrator's Guide

The IPsec SA proposals include the transformation(s) used (ESP and/or AH). The initiator
also sends the SPI to identify the initiator's inbound IPsec SA (for packets to the initiator
from the responder).
Message 4: Responder sends IKE ID, authentication data, accepted IPsec SA proposal, and IPsec traffic IDs
In message 4, the responder sends its IKE ID information and authentication data. If the IKE
authentication method is RSA signatures, the responder sends its certificate.
The responder also sends its accepted IPsec SA proposal and its selected IPsec traffic IDs.
The responder can narrow the traffic selectors for the IPsec SA pair by sending back selectors
that are a subset of or more specific than the selectors sent by the initiator.
The message also includes the SPI for the responder's inbound IPsec SA (for packets to the
responder from the initiator).
The IKE SA can be used to negotiate additional IPsec SA pairs.
Components
The main HP-UX IPSec components are as follows:
Routines in the IP streams module
These routines query the other product components to determine the action (pass, discard,
or secure) for each IP packet if HP-UX IPSec is enabled.
IKE daemon, ikmpd
The IKE daemon establishes IKE and IPsec SAs and processes all IKE messages. The IKE
daemon also maintains a list of established IKE SAs, indexed by the remote system's IP
address.
Configuration database, /var/adm/ipsec/config.db
The configuration database contains all information configured using the ipsec_config
utility. This includes all the host and tunnel IPsec policies, the IKE policies, authentication
records, the bypass list, and startup parameters. The contents of the database are read once
by the policy daemon and by the IKE daemon when HP-UX IPSec and the daemons start.
After HP-UX IPSec starts, the policy daemon and IKE daemon get updated data as needed
when the user updates the configuration.
Policy daemon, secpolicyd
The policy daemon maintains a list of active host and tunnel policies. To create the list of
active host IPsec policies, the policy daemon expands configured host IPsec policies with
wildcard and subnet specifications for the active IP interfaces (configured UP or DOWN,
plumbed) on the local system. The policy daemon also creates active host IPsec policies by
expanding remote IP address specifications and any other wildcard field values as needed.
Kernel policy engine cache
The cache records the most recent decisions that the kernel policy engine has made for the
traffic that has passed in and out of the system. The kernel policy engine cache contains
decisions for packets that have been sent or received by the system (including broadcast
packets) by five-tuple (source IP address, destination IP address, protocol, source port,
destination port) and the action taken. The cache creates records for all packets, even if no
IPsec negotiation is needed (even if the action is to pass the packet in clear text or to discard
the packet).
Kernel SA engine
The kernel SA engine keeps a database of IPsec SAs, indexed by SPI and remote IP address.
This database contains the IPsec SA parameters, including the cryptography keys.
HP-UX IPSec Operation 173