HP-UX IPSec Version A.03.00 Administrator's Guide
Message 4 also includes the SPI for the inbound IPsec SA on the responder.
Initiator Receives Message 4
When the initiator receives message 4, it:
• Verifies that the IDr matches the rtype and rid values in the authentication record.
• Verifies the authentication data. If the remote_method value in the authentication record
is PSK, it verifies the hash value using the preshared key. If the value is RSASIG, it verifies
the digital signature using the public key from the responder's certificate.
• If the remote_method value in the authentication record is RSASIG, it also verifies that
the contents of the IDr match the appropriate field in the responder's certificate.
The initiator also updates its kernel SA database with the SPI for the responder's inbound IPsec
SA.
IKE and IPsec SA Proposals
If an IKE policy contains multiple values for a parameter (such as the hash algorithm) or
an IPsec policy contains multiple transform values and HP-UX IPSec is the initiator, the IKE
daemon creates and sends multiple SA proposals, in descending preference order.
If HP-UX IPSec is the responder, the IKE daemon accepts the first proposal sent by the initiator
that matches any of the values configured in the appropriate IKE or IPsec policy.
IPsec SA Packet Descriptors
IPsec host and tunnel policies include values for packet filters: source addresses and ports,
destination addresses and ports, and protocol. An IPsec host or tunnel policy can include up to
20 instances each of source and destination arguments.
When searching for host or tunnel policies, HP-UX IPSec searches the policies in priority order
and uses the packet filters to find the first matching policy.
For an outbound packet, HP-UX IPSec compares the source values with the source fields in the
packet, and the destination values with the destination fields in the packet. For an inbound
packet, HP-UX IPSec compares the source values with the destination fields in the packet, and
the destination values with the source fields in the packet.
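The policy search just described, as an added example in Python (not from the guide or from the HP-UX IPSec code). The Selector/Policy layout, the use of "0.0.0.0/0" and None as wildcards, and "lower priority number is searched first" are assumptions of the example; the 20-argument limit is the guide's:

```python
# Added example (not HP-UX IPSec code): the host/tunnel policy search.
# Policies are tried in priority order and the first whose filters match wins;
# for inbound packets the policy's source filters are compared with the
# packet's destination fields and vice versa. Layout and wildcards assumed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

MAX_ARGS = 20  # the guide allows up to 20 source and 20 destination arguments

@dataclass(frozen=True)
class Selector:
    network: str                # CIDR, e.g. "10.1.1.0/24"; "0.0.0.0/0" = any
    port: Optional[int] = None  # None = any port

    def matches(self, addr: str, port: int) -> bool:
        return (ip_address(addr) in ip_network(self.network)
                and (self.port is None or self.port == port))

@dataclass
class Policy:
    name: str
    priority: int               # assumption: lower number is searched first
    protocol: Optional[int]     # IP protocol number, None = any
    sources: List[Selector] = field(default_factory=list)
    destinations: List[Selector] = field(default_factory=list)

    def __post_init__(self):
        if max(len(self.sources), len(self.destinations)) > MAX_ARGS:
            raise ValueError(f"{self.name}: more than {MAX_ARGS} arguments")

def find_policy(policies, src, sport, dst, dport, proto, inbound=False):
    # Source filters describe the local end; for inbound traffic that is the
    # packet's destination, so the comparison is swapped. Returns None if no
    # policy matches.
    local = (dst, dport) if inbound else (src, sport)
    remote = (src, sport) if inbound else (dst, dport)
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.protocol is not None and pol.protocol != proto:
            continue
        if (any(s.matches(*local) for s in pol.sources)
                and any(d.matches(*remote) for d in pol.destinations)):
            return pol.name
    return None

# Constructed sample policies: SSH to a management host, then a catch-all.
POLICIES = [
    Policy("ssh_to_mgmt", 10, 6, [Selector("10.1.1.0/24")], [Selector("10.2.2.5/32", 22)]),
    Policy("any_to_mgmt", 20, None, [Selector("0.0.0.0/0")], [Selector("10.2.2.5/32")]),
]
```

The same SSH reply packet matches "ssh_to_mgmt" only when evaluated as inbound; evaluated as outbound it matches nothing, which is why the direction-dependent comparison matters when checking a policy set.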
The IKE daemon also sends and evaluates the packet filter values when negotiating IPsec SAs.
IKEv2 refers to these values as traffic selectors. IKEv1 refers to these values as client IDs. The
values sent during negotiations vary according to the type of policy and the IKE version used,
as described in the sections that follow.
Host Policies
The behavior for host policies in IPsec SA negotiations using IKEv1 and IKEv2 is described in
the sections that follow.
IKEv1
When HP-UX IPSec is the initiator, the IKE daemon sends the source IP address, port number,
and protocol for the client-initiator (IDci). It also sends the destination IP address, port number,
and protocol for the client-responder (IDcr). The IKEv1 protocol specification supports the use
of wildcard values (0), but does not support address or port number ranges for transport
negotiations, or multiple client ID values.
IKEv2
If the host policy is shareable (the EXCLUSIVE flag is not set), the IKE daemon uses all packet
filters in the selected host policy when negotiating the IPsec SA. When HP-UX IPSec is the
initiator, the IKE daemon sends the exact source IP address, port number and protocol in the
Traffic Selector-Initiator (TSi) payload. It also sends the exact destination IP address, port number
and protocol in the Traffic Selector-Responder (TSr) payload. The TSi and TSr payloads also
include selectors for each source and destination argument in the host policy; these arguments
are combined with the protocol argument.
HP-UX IPSec Operation 183