HP-UX IPSec Version A.03.00 Administrator's Guide
high-level description of how HP-UX IPSec establishes IKE and IPsec SAs and uses configuration
data in IKE negotiations.
Determining the IKE Version
To determine the IKE version, the IKE daemon searches the authentication records in priority
order for a record with a remote value that matches the remote system’s IP address. The IKE
daemon uses the kmp (key management protocol) value in the authentication record to determine
the IKE version and searches its list of established IKE SAs to determine if it already has an IKE
SA with the remote system. If the kmp parameter value specifies multiple versions (IKEV1,IKEV2
or IKEV2,IKEV1), the IKE daemon searches both versions of IKE SAs in the order specified.
If the IKE daemon must establish a new IKE SA, it uses only the first version specified in the kmp
value for negotiations. (If negotiations fail using the first specified version, IKE returns an error
and does not attempt to use the second version.)
Before attempting to initiate IKE SA negotiations, the daemon also verifies that the AUTOCONF
flag is not set in the authentication record. (The IKE daemon cannot initiate IKE SA negotiations
if the AUTOCONF flag is set.)
IKEv1 Negotiations
If the IKE version is IKEv1, the daemon searches the IKEv1 policies in priority order for a policy
with a remote value that matches the remote system’s IP address.
IKEv1 SA negotiations differ according to the exchange mode. The IKE daemon determines whether
the exchange mode is Main Mode (MM) or Aggressive Mode from the exchange value in the
authentication record.
IKEv1 Main Mode Negotiations
The following sections describe IKE daemon processing for IKEv1 Main Mode negotiations.
Initiator Sends Message 1
The initiator sends message 1 in the MM exchange with IKE SA proposals based on the following
values in the IKEv1 policy:
• encryption
• hash
• lifetime
• pfs
If there are multiple values configured for these parameters, the IKE daemon sends multiple
proposals as described in “IKE and IPsec SA Proposals” (page 183).
Responder Receives Message 1
When the IKE daemon on the responder receives message 1, it:
• Uses the packet source address (the initiator address) to search the authentication records
in priority order for an authentication record with a matching remote value.
• Verifies that the kmp value in the authentication record includes IKEV1.
• Verifies that the exchange value in the authentication record is MM.
• Uses the packet source address (the initiator address) to search the IKEv1 policies in priority
order for a policy with a matching remote value.
• Uses the values in the selected IKEv1 policy to evaluate the IKE SA proposals sent by the
initiator as described in “IKE and IPsec SA Proposals” (page 183).
Responder Sends Message 2
The responder sends its selected IKE SA proposal in message 2 of the negotiation.
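The record-selection rules in "Determining the IKE Version" and the Main Mode message 1 and message 2 processing above, modelled as an added Python example. This is not code from the guide or from HP-UX IPSec: the AuthRecord and IkeV1Policy layouts, the established-SA table, the prefix matching on the remote value, the expansion of multiple configured values into a full cross product of proposals, the first-match acceptance on the responder, and all sample addresses and algorithm labels are constructed assumptions; only the decision order follows the text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed models for this example, not the ipsec_config file format.
# A lower priority number is searched first.

@dataclass(frozen=True)
class AuthRecord:
    name: str
    priority: int
    remote: str            # peer address or prefix (prefix matching is an assumption)
    kmp: tuple             # ("IKEV1",), ("IKEV2", "IKEV1"), ...; order matters
    exchange: str = "MM"   # IKEv1 exchange mode: "MM" or "AM"
    autoconf: bool = False # AUTOCONF flag: forbids initiating IKE SA negotiations

@dataclass(frozen=True)
class IkeV1Policy:
    name: str
    priority: int
    remote: str
    encryption: tuple
    hash: tuple
    lifetime: tuple        # seconds
    pfs: tuple             # Diffie-Hellman group labels (constructed strings)

def select_record(records, remote_ip):
    """Search records in priority order for the first whose remote value covers remote_ip."""
    addr = ip_address(remote_ip)
    for rec in sorted(records, key=lambda r: r.priority):
        if addr in ip_network(rec.remote, strict=False):
            return rec
    return None

def choose_ike_version(auth_records, established_sas, remote_ip):
    """Initiator side of 'Determining the IKE Version'.
    established_sas: set of (peer_ip, version) for IKE SAs already up.
    Returns ('reuse', v) when an SA of a kmp-listed version already exists (checked
    in kmp order), ('initiate', first_kmp_version) when a new SA must be negotiated,
    ('blocked', None) when AUTOCONF forbids initiating, ('no-record', None) otherwise."""
    rec = select_record(auth_records, remote_ip)
    if rec is None:
        return ("no-record", None)
    for version in rec.kmp:              # search existing IKE SAs in kmp order
        if (remote_ip, version) in established_sas:
            return ("reuse", version)
    if rec.autoconf:                     # cannot initiate with AUTOCONF set
        return ("blocked", None)
    # Only the first kmp version is used; a failure there is an error, not a fallback.
    return ("initiate", rec.kmp[0])

def initiator_proposals(policy):
    """Message 1 of Main Mode: one IKE SA proposal per combination of the configured
    encryption/hash/lifetime/pfs values (cross-product expansion is an assumption)."""
    return [
        {"encryption": e, "hash": h, "lifetime": l, "pfs": p}
        for e, h, l, p in product(policy.encryption, policy.hash, policy.lifetime, policy.pfs)
    ]

def responder_message2(auth_records, ikev1_policies, initiator_ip, proposals):
    """Responder processing of message 1. Returns (selected_proposal, reason);
    selected_proposal is what message 2 carries, or None when message 1 is rejected.
    AUTOCONF is not checked here: per the guide it only blocks initiating."""
    rec = select_record(auth_records, initiator_ip)
    if rec is None:
        return (None, "no authentication record for initiator")
    if "IKEV1" not in rec.kmp:
        return (None, f"record {rec.name}: kmp {rec.kmp} does not include IKEV1")
    if rec.exchange != "MM":
        return (None, f"record {rec.name}: exchange is {rec.exchange}, not MM")
    policy = select_record(ikev1_policies, initiator_ip)
    if policy is None:
        return (None, "no IKEv1 policy for initiator")
    for prop in proposals:               # first proposal allowed by the policy wins (assumption)
        if all(prop[k] in getattr(policy, k) for k in ("encryption", "hash", "lifetime", "pfs")):
            return (prop, f"accepted under policy {policy.name}")
    return (None, f"policy {policy.name}: no proposal matches")

# Constructed sample configuration (documentation addresses only).
AUTH_RECORDS = (
    AuthRecord("branch", 10, "192.0.2.0/24", ("IKEV2", "IKEV1")),
    AuthRecord("legacy", 20, "198.51.100.7", ("IKEV1",), exchange="AM"),
    AuthRecord("catchall", 30, "0.0.0.0/0", ("IKEV1",), autoconf=True),
)
IKEV1_POLICIES = (
    IkeV1Policy("branch-v1", 10, "192.0.2.0/24",
                encryption=("AES128", "3DES"), hash=("SHA1",),
                lifetime=(28800,), pfs=("GROUP2", "GROUP14")),
)
INITIATOR_POLICY = IkeV1Policy("to-branch", 10, "192.0.2.0/24",
                               encryption=("3DES", "AES128"), hash=("SHA1", "MD5"),
                               lifetime=(28800,), pfs=("GROUP2",))
ESTABLISHED = {("192.0.2.5", "IKEV1")}   # an IKEv1 SA is already up with 192.0.2.5

if __name__ == "__main__":
    for peer in ("192.0.2.5", "192.0.2.6", "198.51.100.7", "203.0.113.9"):
        print("initiator", peer, choose_ike_version(AUTH_RECORDS, ESTABLISHED, peer))
    msg1 = initiator_proposals(INITIATOR_POLICY)
    for peer in ("192.0.2.6", "198.51.100.7", "203.0.113.9"):
        print("responder", peer, responder_message2(AUTH_RECORDS, IKEV1_POLICIES, peer, msg1))
```

Running the sample shows the branches the text describes: 192.0.2.5 reuses its existing IKEv1 SA even though the record lists IKEV2 first, 192.0.2.6 initiates with IKEV2 only, the AUTOCONF catch-all record blocks initiation to 203.0.113.9, and on the responder a Main Mode message 1 from 198.51.100.7 is rejected because its record specifies Aggressive Mode.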
176 Product Specifications