HP-UX IPSec Version A.03.00 Administrator's Guide
Initiator Sends Message 1
The initiator sends message 1 in the QM exchange that includes information from the following
configuration parameters:
• action from the host policy as the IPsec SA proposal. If the action value contains multiple
transforms, IKE sends multiple IPsec SA proposals.
• source (address and port number) and protocol parameters from the host policy as the
IPsec initiator traffic selector (initiator client ID).
• destination (address and port number) and protocol parameters from the host policy
as the IPsec responder traffic selector (responder client ID).
If the host policy contains multiple values for the source or destination parameters, the IKE
daemon selects the first values that match the five-tuple for the packet. The traffic selectors can
contain wildcard values (0), but not address or port number ranges. The IKE daemon replaces
any address or port number ranges with the exact address or port number of the packet. For
more information, see “IPsec SA Packet Descriptors” (page 183).
Message 1 also includes the SPI for the inbound IPsec SA on the initiator (for packets to the
initiator). The initiator adds entries to its kernel SA database for the IPsec SA pair. The entry for
the responder's inbound SA does not include the SPI.
Responder Receives Message 1
When the IKE daemon on the responder receives message 1, it:
• Uses the received IPsec traffic selectors (client IDs) to search for an IPsec host policy according
to the source, destination, and protocol values in the host policies. The daemon
searches the policies in priority order and selects the first policy that contains a source,
destination, and protocol value that matches the traffic selectors.
• Uses the action value in the selected IPsec host policy to evaluate the IPsec proposals as
described in “IKE and IPsec SA Proposals” (page 183).
The responder also obtains an SPI for the inbound IPsec SA on the responder (for packets to the
responder) and adds the IPsec SAs to its kernel SA database. Each SA entry includes the
appropriate SPI. The SPI is also sent in the AH or ESP header so that the destination system can
process inbound packets with the correct SA parameters including encryption and authentication
keys.
Responder Sends Message 2
The responder sends message 2 in the QM exchange. This message includes information from
the following configuration parameters:
• The selected transform from the action in the host policy, sent as the accepted IPsec SA
proposal.
• The source, destination, and protocol parameters from the host policy that match
the IPsec traffic selectors sent by the initiator.
Message 2 also includes the SPI for the inbound IPsec SA on the responder.
Initiator Receives Message 2
When the initiator receives message 2, it updates the entry in the kernel SA database with the
SPI for the responder's inbound SA.
Initiator Sends Message 3
The initiator sends message 3 in the QM negotiation, which includes a hash of the data sent by the
responder in message 2.
Responder Receives Message 3
When the responder receives message 3, it adds the IPsec SA pair to its kernel SA database.
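The following Python model of the Quick Mode steps above is an added illustration, not code from the HP-UX IPsec product: it shows first-match policy selection in priority order, replacement of port ranges in the traffic selectors with the packet's exact value, evaluation of the proposals against the responder's action, and the SPI exchange between the two kernel SA databases. The policy and message layouts, the transform names, and the assumption that the responder's policy describes the mirror direction of the traffic are all constructed for the example.

```python
import os
# Constructed sample policies and packet (not from the guide). Selector values:
# 0 is a wildcard, a (lo, hi) tuple is a range, anything else must match exactly.
KEYS = ("src", "sport", "dst", "dport", "proto")
INITIATOR_POLICIES = [  # searched in priority order
    {"src": "10.1.1.1", "sport": 0, "dst": "10.2.2.2", "dport": (1, 1023), "proto": "tcp",
     "action": ["ESP_AES128_HMAC_SHA1", "ESP_3DES_HMAC_MD5"]},  # two transforms -> two proposals
]
RESPONDER_POLICIES = [
    {"src": "10.2.2.2", "sport": (1, 1023), "dst": "10.1.1.1", "dport": 0, "proto": "tcp",
     "action": ["ESP_3DES_HMAC_MD5"]},
]
PACKET = {"src": "10.1.1.1", "sport": 40000, "dst": "10.2.2.2", "dport": 22, "proto": "tcp"}

def matches(sel, value):
    """0 is a wildcard, a (lo, hi) tuple is a range, anything else is an exact match."""
    return sel == 0 or (sel[0] <= value <= sel[1] if isinstance(sel, tuple) else sel == value)

def select_policy(policies, five_tuple):
    """First policy in priority order whose source, destination and protocol values match."""
    return next((p for p in policies if all(matches(p[k], five_tuple[k]) for k in KEYS)), None)

def initiator_message1(policies, pkt):
    pol = select_policy(policies, pkt)
    # Traffic selectors may carry wildcards but not ranges: a range becomes the packet's value.
    sel = {k: (pkt[k] if isinstance(pol[k], tuple) else pol[k]) for k in KEYS}
    spi_i = os.urandom(4).hex()  # initiator's inbound SPI, carried in message 1
    sadb = {"inbound": {"spi": spi_i}, "outbound": {"spi": None}}  # responder's SPI not yet known
    return {"proposals": list(pol["action"]), "sel": sel, "spi": spi_i}, sadb

def responder_message2(policies, msg1):
    s = msg1["sel"]  # assumed: the responder's policy is written from its own perspective
    view = {"src": s["dst"], "sport": s["dport"], "dst": s["src"], "dport": s["sport"], "proto": s["proto"]}
    pol = select_policy(policies, view)
    # Evaluate the proposals against the responder's action: accept the first transform it allows.
    chosen = next((t for t in msg1["proposals"] if pol and t in pol["action"]), None)
    if chosen is None:
        return None, None  # no matching policy or no acceptable proposal: negotiation fails
    spi_r = os.urandom(4).hex()  # responder's inbound SPI, carried in message 2
    sadb = {"inbound": {"spi": spi_r, "transform": chosen}, "outbound": {"spi": msg1["spi"], "transform": chosen}}
    return {"transform": chosen, "sel": s, "spi": spi_r}, sadb

def run_quick_mode():
    msg1, sadb_i = initiator_message1(INITIATOR_POLICIES, PACKET)
    msg2, sadb_r = responder_message2(RESPONDER_POLICIES, msg1)
    if msg2 is None:
        return None
    sadb_i["outbound"]["spi"] = msg2["spi"]  # initiator fills in the responder's inbound SPI
    return {"msg1": msg1, "msg2": msg2, "initiator": sadb_i, "responder": sadb_r}
```

Running `run_quick_mode()` shows the destination port range narrowed to 22 in the selectors and the responder picking the second proposal, the only transform its own action permits.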
180 Product Specifications