HP-UX IPSec Version A.03.00 Administrator's Guide
the interface used to send the packet as the local ID value and the address type (IPV4 or IPV6) as the ID type.
• If the local_method value in the authentication record is PSK, the message includes a hash value calculated from the preshared key.
If the local_method value is RSASIG, the message includes the local certificate and a digital signature calculated using the certificate private key.
• action from the host policy, sent as the IPsec SA proposals.
• source and protocol values from the host policy, sent as the IPsec initiator traffic selectors.
• destination and protocol values from the host policy, sent as the IPsec responder traffic selectors.
If the host policy contains multiple source or destination values, the daemon combines them with the protocol parameter and sends multiple initiator traffic selectors. For more information, see “IPsec SA Packet Descriptors” (page 183).
Message 3 also includes the SPI for the inbound IPsec SA on the initiator (for packets to the initiator).
Responder Receives Message 3
When the IKE daemon on the responder receives message 3, it:
• Searches the authentication records in priority order and selects the first record with a remote ID specification (rtype and rid) that matches the IDi received.
• Verifies that the kmp parameter value in the authentication record includes IKEV2.
• Verifies that the packet source IP address matches the remote address in the authentication record.
• Verifies the authentication data. If the remote_method value in the authentication record is PSK, it verifies the hash value using the preshared key. If the value is RSASIG, it verifies the digital signature using the public key from the initiator's certificate.
• If the remote_method value in the authentication record is RSASIG, the IKE daemon also verifies that the contents of the IDi match the appropriate field (subjectName or subjectAlternativeName) in the initiator's certificate.
• Uses the received IPsec traffic selectors to search for an IPsec host policy according to the source, destination, and protocol values in the host policies as described in “IPsec SA Packet Descriptors” (page 183).
• Uses the action value in the selected IPsec host policy to evaluate the IPsec proposals as described in “IKE and IPsec SA Proposals” (page 183).
The responder also obtains an SPI for the inbound IPsec SA on the responder (for packets to the responder) and adds the IPsec SAs to its kernel SA database. Each SA entry includes the appropriate SPI. The SPI is also sent in the AH or ESP header so that the destination system can process inbound packets with the correct SA parameters, including encryption and authentication keys.
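The responder's checks on message 3 listed above, modelled as an added Python example (not code from this guide or from the HP-UX IKE daemon). The dataclass fields mirror the authentication-record parameter names (rtype, rid, remote, kmp, remote_method); the PSK hash is a simplified HMAC-SHA256 stand-in rather than the real IKEv2 AUTH computation, and verify_sig is a hypothetical callback standing in for the RSA signature check.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class AuthRecord:
    """Hypothetical Python view of the authentication-record fields used by the responder."""
    priority: int
    rtype: str          # remote ID type, e.g. "IPV4"
    rid: str            # remote ID value
    remote: str         # expected remote address
    kmp: tuple          # key management protocols, e.g. ("IKEV1", "IKEV2")
    remote_method: str  # "PSK" or "RSASIG"
    psk: bytes = b""    # preshared key (PSK records only)


@dataclass
class Message3:
    """Constructed stand-in for the IKE_AUTH payloads the responder inspects."""
    src_ip: str
    idi_type: str
    idi: str
    auth: bytes                               # PSK hash or RSA signature
    signed: bytes                             # data the hash/signature covers
    cert: dict = field(default_factory=dict)  # subjectName / subjectAltName (RSASIG only)


def psk_auth(psk, data):
    # Simplified stand-in for the PSK-derived hash (not the real IKEv2 AUTH computation)
    return hmac.new(psk, data, hashlib.sha256).digest()


def select_record(records, msg):
    # Search in priority order; the first rtype/rid pair matching the received IDi wins
    for rec in sorted(records, key=lambda r: r.priority):
        if rec.rtype == msg.idi_type and rec.rid == msg.idi:
            return rec
    return None


def check_message3(records, msg, verify_sig=lambda cert, data, sig: False):
    # Apply the checks in the order the guide lists them; return "OK" or the first failure
    rec = select_record(records, msg)
    if rec is None:
        return "no authentication record matches IDi"
    if "IKEV2" not in rec.kmp:
        return "kmp does not include IKEV2"
    if rec.remote != msg.src_ip:
        return "packet source address does not match remote"
    if rec.remote_method == "PSK":
        ok = hmac.compare_digest(psk_auth(rec.psk, msg.signed), msg.auth)
        return "OK" if ok else "PSK hash mismatch"
    # RSASIG: verify the signature (delegated), then IDi must match a certificate name field
    if not verify_sig(msg.cert, msg.signed, msg.auth):
        return "signature verification failed"
    names = (msg.cert.get("subjectName"), *msg.cert.get("subjectAltName", ()))
    return "OK" if msg.idi in names else "IDi does not match certificate subjectName/subjectAltName"
```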
Responder Sends Message 4
The responder sends message 4 in the IKEv2 negotiation. This message includes information from the following configuration parameters:
• ltype and lid from the authentication record, sent as the IKE Identification-Responder (IDr).
• If the local_method value in the authentication record is PSK, the message includes a hash value calculated from the preshared key.
If the local_method value is RSASIG, the message includes the local certificate and a digital signature calculated using the private key.
• The selected transform from the action in the host policy, sent as the accepted IPsec SA proposal.
• source, destination, and protocol from the host policy, sent as the IPsec traffic selectors.
182 Product Specifications