HP-UX IPSec Version A.03.00 Administrator's Guide

Audit daemon, secauditd
The audit daemon receives audit messages from the other modules and logs them in an
audit file.
User utilities
The ipsec_config, ipsec_admin, ipsec_report, and ipsec_policy utilities enable
the user to modify the configuration, start and stop HP-UX IPSec, report status, and test
policies.
Outbound Data Processing
The following sections describe outbound data processing.
Query the Kernel Policy Engine
HP-UX IPSec first checks the kernel policy engine cache for an existing decision on the action to
take for the packet (secure, drop, or pass in clear text) based on the following fields in the IP packet,
often referred to as a five-tuple:
• source IP address
• destination IP address
• protocol
• source TCP or UDP port number, if present
• destination TCP or UDP port number, if present
If a match is found and the action is pass or discard, HP-UX IPSec passes or discards the packet.
If the action is secure (use an Authentication Header (AH) or an Encapsulating Security
Payload (ESP)) and the entry references an existing IPsec SA that can be used, HP-UX IPSec
transmits the packet using that SA. If there is no existing IPsec SA, HP-UX IPSec establishes
the IPsec SA as described in “Establishing IKE and IPsec SAs” (page 175).
If there is no matching entry in the cache, HP-UX IPSec queries the policy manager daemon
(secpolicyd).
Query the Policy Manager Daemon for a Host Policy
If no match is found in the policy engine cache, the policy manager daemon is queried for the
policy and action (secure, drop, or pass in clear text). The policy manager daemon maintains a
list of active policies, and its policy entries contain expanded wildcard fields.
The policy manager sequentially searches the host IPsec policies in priority order for the first
policy with an IP packet filter that matches the packet. The packet filter is defined by the following
arguments in the ipsec_config add host command:
• source (local address and optional port number or service name)
• destination (remote address and optional port number or service name)
• protocol
If the host policy contains multiple source or destination arguments, the policy manager selects
the policy if any of the source and any of the destination fields match.
If no match is found, HP-UX IPSec uses the default host policy.
If the transform (action) specified in the matching host policy is to secure the IP packet using
AH or ESP, an IPsec SA pair might already exist for the policy. If the five-tuple is not an exact
match but the packet has the same IP address pair, and its port and protocol are within the range
or a wildcard match for the policy, the packet can use the existing IPsec SA pair provided the
EXCLUSIVE flag is not set in the policy. Otherwise, HP-UX IPSec establishes a new IPsec SA pair
as described in “Establishing IKE and IPsec SAs” (page 175).
The policy manager daemon adds an entry for the five-tuple to the kernel policy engine cache
with the appropriate action.
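The outbound decision flow described above (cache lookup on the five-tuple, priority-ordered search of the host policies with wildcard and port-range matching, fallback to the default host policy, and SA pair reuse governed by the EXCLUSIVE flag), as an added illustrative model written for this guide. It is not HP-UX IPSec code; the Policy fields, the "*" address wildcard, the (low, high) port range form and the path labels returned are all assumptions made for the example.

```python
from dataclasses import dataclass, field
# Constructed model of the outbound flow above (not HP-UX code). Policy endpoints
# are (address, port_spec): "*" = any address; port_spec None = any port, else (low, high).
@dataclass
class Policy:
    name: str
    sources: list            # one or more (address, port_spec) entries
    destinations: list
    protocol: "str | None"   # None means any protocol
    action: str              # "secure", "pass" or "discard"
    exclusive: bool = False  # EXCLUSIVE flag: no SA pair sharing between five-tuples
    sa_pairs: list = field(default_factory=list)  # five-tuples holding an IPsec SA pair

def _endpoint_ok(endpoints, addr, port):
    # Any entry may match; a port range never matches a packet with no port (e.g. ICMP).
    return any(a in ("*", addr) and (p is None or (port is not None and p[0] <= port <= p[1]))
               for a, p in endpoints)

def matches(policy, pkt):
    src, dst, proto, sport, dport = pkt
    return (policy.protocol in (None, proto) and _endpoint_ok(policy.sources, src, sport)
            and _endpoint_ok(policy.destinations, dst, dport))

class OutboundEngine:
    def __init__(self, policies, default):
        self.policies = policies  # host policies in priority order
        self.default = default    # the default host policy
        self.cache = {}           # kernel policy engine cache: five-tuple -> policy

    def process(self, pkt):
        """Return (action, policy name, path taken) for one outbound five-tuple."""
        pol = self.cache.get(pkt)
        if pol is not None:
            return self._apply(pol, pkt, "cache")
        # Cache miss: the policy manager (secpolicyd) picks the first matching policy.
        pol = next((p for p in self.policies if matches(p, pkt)), self.default)
        self.cache[pkt] = pol
        return self._apply(pol, pkt, "secpolicyd")

    def _apply(self, pol, pkt, path):
        if pol.action != "secure":
            return pol.action, pol.name, path
        if pkt in pol.sa_pairs:
            return "secure", pol.name, path + "/existing-sa"
        # Same address pair under a non-EXCLUSIVE policy may reuse its SA pair.
        if not pol.exclusive and any(sa[:2] == pkt[:2] for sa in pol.sa_pairs):
            return "secure", pol.name, path + "/reuse-sa"
        pol.sa_pairs.append(pkt)  # stands in for IKE / IPsec SA establishment
        return "secure", pol.name, path + "/new-sa"
```

Running the same five-tuple twice shows the second decision coming from the cache, and a second port under a non-EXCLUSIVE policy reuses the SA pair rather than negotiating a new one.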
174 Product Specifications