HP-UX IPSec Version A.03.00 Administrator's Guide
The policy manager daemon also checks if the host policy specifies the name of a tunnel policy.
If no tunnel policy is specified, the policy manager daemon adds an entry for the five-tuple to
the kernel policy engine cache and the packet passes in clear text.
If the matching host policy specifies the name of a tunnel policy, the policy manager daemon
verifies that the packet five-tuple matches any of the source and any of the destination
values in the tunnel policy. The policy manager daemon checks if the packet can use an existing
tunnel SA. If not, HP-UX IPSec establishes new IPsec SAs as described in “Establishing IKE and
IPsec SAs” (page 175).
Inbound Data Processing
• AH or ESP Packet
If the inbound packet has an Authentication Header (AH) and/or an Encapsulating Security
Payload (ESP), HP-UX IPSec checks the kernel SA database for an inbound entry with the
same SPI and source IP address. If one exists, HP-UX IPSec uses the packet five-tuple to
query the kernel policy engine (and the policy daemon, if there is no entry in the cache) and
verifies that the SPI matches the entry for the five-tuple. If so, HP-UX IPSec uses the
information in the SA entry to decrypt or authenticate the packet.
If no matching SA entry exists, HP-UX IPSec checks if there is an authentication record that
applies to the remote system. If there is not, this is an error and a possible intrusion attempt.
HP-UX IPSec sends an audit message to the audit daemon. HP-UX IPSec discards the packet.
If no matching SA entry exists but the local system has an authentication record that applies
to the remote system, HP-UX IPSec assumes that a valid IPsec SA previously existed, but
the SPI entry no longer exists because the local system has re-booted. The local system
attempts to establish a new IKE SA with the remote system, and sends an INITIAL-CONTACT
notify message. The INITIAL-CONTACT notify message notifies the remote system that
the local system has restarted IPsec. In most implementations, the remote system deletes its
information for all SAs established with the local node and attempts to re-establish new
SAs. If the remote system does not delete the SAs, an administrator on the remote system
must manually delete the SAs.
• Clear Text Packet
If the inbound packet has no AH or ESP header (it is a normal IP packet in clear text), HP-UX
IPSec must determine whether the packet should be dropped or passed in clear text. HP-UX
IPSec checks the kernel policy engine cache for an existing decision on the action for the
packet based on the five-tuple. If the action is to apply an AH or ESP transform, HP-UX
IPSec discards the packet. This is because the remote system should have established IPsec
SAs before sending the packet.
If no cache entry exists, HP-UX IPSec queries the policy manager daemon for the appropriate
action according to the host IPsec policy with the filter that best matches the packet (or the
default policy, if no filters match). If the action is to apply an AH or ESP transform, HP-UX
IPSec checks if the FALLBACK_TO_CLEAR flag is set. If the flag is set, HP-UX IPSec allows
the packet to pass and adds an entry to the kernel policy engine cache.
If the FALLBACK_TO_CLEAR flag is not set, HP-UX IPSec discards the packet.
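As an added illustration (not HP-UX code), the following Python models the inbound decision procedure described above: the SA database lookup by SPI and source address, the authentication-record check with the INITIAL-CONTACT re-establishment path, and the cache, policy daemon and FALLBACK_TO_CLEAR handling for clear text packets. The data structures, class and function names and the sample addresses are constructed assumptions; the SPI check is modelled as a comparison against the SPI recorded in the cache entry for the five-tuple.

```python
from collections import namedtuple
# Constructed stand-ins for a packet and a host policy; "spi" is set only for AH/ESP packets
Pkt = namedtuple("Pkt", "src dst proto sport dport spi", defaults=(None,))
Policy = namedtuple("Policy", "filt action fallback_to_clear", defaults=(False,))  # PASS/DISCARD/TRANSFORM

class Inbound:
    def __init__(self, sa_db, policies, auth_records):
        self.sa_db = sa_db          # kernel SA database keyed by (SPI, source IP address)
        self.policies = policies    # host policies; the all-wildcard filter is the default policy
        self.auth = auth_records    # remote systems the local system has an authentication record for
        self.cache = {}             # kernel policy engine cache: five-tuple -> (action, spi)
        self.audit = []             # messages that would be sent to the audit daemon

    def _daemon(self, ft):
        """Policy manager daemon: the host policy whose filter best matches the five-tuple."""
        hits = [p for p in self.policies if all(f in ("*", v) for f, v in zip(p.filt, ft))]
        return max(hits, key=lambda p: sum(f != "*" for f in p.filt))

    def process(self, pkt):
        ft = pkt[:5]
        if pkt.spi is not None:                                   # AH or ESP packet
            if (pkt.spi, pkt.src) in self.sa_db:
                action, spi = self.cache.get(ft) or (self._daemon(ft).action, None)
                if action == "TRANSFORM" and spi in (None, pkt.spi):
                    self.cache[ft] = ("TRANSFORM", pkt.spi)      # SPI now bound to this five-tuple
                    return "DECRYPT"
                return "DISCARD"                                  # SPI does not match the cache entry
            if pkt.src not in self.auth:                          # no SA and no authentication record
                self.audit.append(f"unknown SPI {pkt.spi:#x} from {pkt.src}: possible intrusion")
                return "DISCARD"
            return "INITIATE_IKE_INITIAL_CONTACT"                 # assume the SA was lost in a reboot
        if ft in self.cache:                                      # clear text packet, cached decision
            return "DISCARD" if self.cache[ft][0] == "TRANSFORM" else self.cache[ft][0]
        pol = self._daemon(ft)                                    # cache miss: ask the policy daemon
        if pol.action == "TRANSFORM" and not pol.fallback_to_clear:
            return "DISCARD"
        self.cache[ft] = ("PASS" if pol.action == "TRANSFORM" else pol.action, None)
        return self.cache[ft][0]

def demo():
    """Constructed scenario: one SA installed for an SSH peer, three host policies plus the default."""
    policies = [Policy(("*",) * 5, "PASS"), Policy(("10.0.0.2", "*", "tcp", "*", 22), "TRANSFORM"),
                Policy(("10.0.0.3", "*", "*", "*", "*"), "TRANSFORM", True)]
    ib = Inbound({(0x1001, "10.0.0.2")}, policies, {"10.0.0.2", "10.0.0.3"})
    ssh = ("10.0.0.2", "10.0.0.1", "tcp", 40000, 22)
    return [ib.process(Pkt(*ssh, spi=0x1001)),        # SA present, policy requires ESP -> DECRYPT
            ib.process(Pkt(*ssh, spi=0x1002)),        # unknown SPI, peer has auth record -> re-key
            ib.process(Pkt("10.0.0.9", "10.0.0.1", "udp", 1, 53, spi=0x9999)),  # no record -> drop
            ib.process(Pkt(*ssh)),                    # clear text on a flow that must be protected
            ib.process(Pkt("10.0.0.3", "10.0.0.1", "udp", 5000, 53))], len(ib.audit)  # fallback
```

Calling demo() returns the five decisions in order plus the number of audit messages; only the unknown-SPI packet with no authentication record produces one.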
Processing Inbound Tunnel Packets
If HP-UX IPSec is processing an inbound packet, it searches the kernel SA database for an inbound
entry with the same SPI and source IP address. If one exists, it uses the information
in the SA to decrypt or authenticate the packet. If this is a tunnel SA, HP-UX IPSec decapsulates
the packet (removes the outer IP header) and processes the IP header for the inner packet. HP-UX
IPSec also verifies that the SA SPI for the tunnel policy referenced in the host policy matches the
SPI in the outer (tunnel) packet.
Establishing IKE and IPsec SAs
An IKE SA must be established before IKE can negotiate an IPsec SA pair. The methods used to
establish the IKE and IPsec SAs differ according to the IKE version. This section provides an a
HP-UX IPSec Operation 175