HP-UX IPSec Version A.03.00 Administrator's Guide
IKEv2 Negotiations
If the IKE version is IKEv2, the negotiation for the initial IPsec SA pair is combined with the
negotiation for the IKEv2 SA in messages 3 and 4.
Initiator Sends Message 1
The IKE daemon on the initiator selects an IKEv2 policy by searching the IKEv2 policies in priority
order and selecting the first policy with a remote address (remote parameter in the policy) that
matches the address of the remote system.
The IKE daemon sends message 1 in the negotiation. This message includes the following
information from the configuration:
• IKEv2 SA proposals based on the following values in the IKEv2 policy:
— encryption
— hash
— lifetime
— prf
If there are multiple values configured for these parameters, the IKE daemon sends multiple
proposals.
• Diffie-Hellman public value from the group specified by the group parameter in the IKEv2
policy.
If the IKEv2 policy specifies multiple Diffie-Hellman group numbers (-group argument),
the IKE daemon attempts to use the first group number in the list.
Responder Receives Message 1
When the IKE daemon on the responder receives message 1, it:
• Uses the packet source address (the initiator address) to select an IKEv2 policy with a
matching -remote value.
• Uses the parameters in the selected IKEv2 policy to evaluate the IKEv2 SA proposals as
described in “IKE and IPsec SA Proposals” (page 183).
• Verifies that the Diffie-Hellman group used by the initiator is specified in the group
parameter of the selected IKEv2 policy. If it is, the daemon uses the initiator's Diffie-Hellman
public value and its own Diffie-Hellman private value to calculate a shared secret value. This
shared secret value is used as keying material.
If the group used by the initiator is not specified in the responder's IKEv2 policy, the IKE
daemon sends a notification message to the initiator.
Responder Sends Message 2
The responder sends message 2 to the initiator. This message includes:
• The selected IKEv2 SA proposal.
• The responder's Diffie-Hellman public value from the group specified by the group
parameter in the IKEv2 policy.
Initiator Receives Message 2
The initiator uses the responder's Diffie-Hellman public value and its own Diffie-Hellman private
value to calculate a shared secret value. This value matches the value calculated on the responder.
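The exchange of messages 1 and 2 described above, as an added example that is not part of this guide or the HP-UX product: the policies, addresses and the toy Diffie-Hellman group are constructed, and the notification names and the initiator's retry with the responder's group follow RFC 7296 rather than this page.

```python
"""IKEv2 IKE_SA_INIT simulation (messages 1 and 2 above): policy selection by
remote address, proposal evaluation and the Diffie-Hellman group check.
Added example, not HP-UX code; policies, addresses and the toy DH group are
constructed.  Notification names and the group retry follow RFC 7296."""
import itertools, secrets

P, G = 2**127 - 1, 5  # toy DH group (constructed); real IKEv2 groups are far larger
KEYS = ("encryption", "hash", "prf", "lifetime")
# Constructed IKEv2 policies in priority order; list values yield several proposals.
INITIATOR_POLICIES = [{"remote": "10.0.0.2", "encryption": ["AES128"], "hash": ["SHA1", "MD5"],
                       "prf": ["HMAC-SHA1"], "lifetime": [28800], "group": [14, 2]}]
RESPONDER_POLICIES = [{"remote": "10.0.0.9", "encryption": ["3DES"], "hash": ["SHA1"],
                       "prf": ["HMAC-SHA1"], "lifetime": [28800], "group": [14]},
                      {"remote": "10.0.0.1", "encryption": ["AES128"], "hash": ["SHA1"],
                       "prf": ["HMAC-SHA1"], "lifetime": [28800], "group": [2]}]

def select_policy(policies, remote_addr):
    """First policy in priority order whose -remote value matches the peer address."""
    return next((p for p in policies if p["remote"] == remote_addr), None)

def build_proposals(policy):
    """One IKEv2 SA proposal per combination of encryption, hash, prf and lifetime."""
    return [dict(zip(KEYS, c)) for c in itertools.product(*(policy[k] for k in KEYS))]

def message1(policy, group, priv):
    """Initiator: all proposals plus a KE public value from the given DH group."""
    return {"proposals": build_proposals(policy), "group": group, "ke": pow(G, priv, P)}

def respond(policies, src_addr, msg1, priv):
    """Responder: select policy by source address, evaluate proposals, check the group."""
    policy = select_policy(policies, src_addr)
    ok = [p for p in msg1["proposals"] if policy and all(p[k] in policy[k] for k in KEYS)]
    if not ok:  # no policy for this peer, or no proposal its policy accepts
        return {"notify": "NO_PROPOSAL_CHOSEN"}
    if msg1["group"] not in policy["group"]:  # group absent from the responder's policy
        return {"notify": "INVALID_KE_PAYLOAD", "group": policy["group"][0]}
    return {"proposal": ok[0], "ke": pow(G, priv, P), "shared": pow(msg1["ke"], priv, P)}

def ike_sa_init(init_addr, resp_addr, group=None):
    """Run messages 1 and 2; on a group mismatch retry once with the responder's group."""
    policy = select_policy(INITIATOR_POLICIES, resp_addr)
    group = group or policy["group"][0]  # first configured group is tried first
    i_priv, r_priv = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    m2 = respond(RESPONDER_POLICIES, init_addr, message1(policy, group, i_priv), r_priv)
    if m2.get("notify") == "INVALID_KE_PAYLOAD" and m2["group"] in policy["group"]:
        return ike_sa_init(init_addr, resp_addr, m2["group"])
    if "notify" in m2:
        return m2
    # Both sides now hold the same shared secret, which becomes keying material.
    return {"proposal": m2["proposal"], "group": group,
            "match": pow(m2["ke"], i_priv, P) == m2["shared"]}
```

With the constructed policies the initiator first offers group 14, receives the responder's notification naming group 2, and completes the exchange on the retry with matching shared secrets.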
Initiator Sends Message 3
The initiator sends message 3 in the IKEv2 negotiation. This message includes information from
the following configuration parameters:
• ltype and lid values from the authentication record, sent as the IKE Identification-Initiator
(IDi). If no local ID type and value are configured, the IKE daemon uses the IP address of
HP-UX IPSec Operation 181