HP-UX IPSec Version A.03.00 Administrator's Guide
If the host policy is not shareable (the EXCLUSIVE flag is set), and HP-UX IPSec is the initiator
in the IPsec negotiation, the IKE daemon sends exactly one TSi and one TSr, each containing only
the addresses, ports, and protocol of the packet that triggered the negotiation, so the resulting
IPsec SA cannot be shared with other traffic.
Tunnel Policies
The behavior for tunnel policies in IPsec SA negotiations using IKEv1 and IKEv2 is described in
the sections that follow.
IKEv1
When initiating an inbound tunnel IPsec SA negotiation using IKEv1, IKE uses the tunnel policy's
source address values as the proxy source IDs and its destination address values as the proxy
destination IDs.
When initiating an outbound IKEv1 tunnel IPsec SA negotiation, IKE uses the tunnel policy's
destination address values as the proxy source IDs and its source address values as the proxy
destination IDs.
The proxy address IDs can include address or port number ranges. IKEv1 does not narrow proxy IDs:
at least one proxy ID value must exactly match a proxy ID value on the remote system.
IKEv2
When initiating a tunnel IPsec SA negotiation using IKEv2, the IKE daemon sends all source
traffic selectors in the Traffic Selector-Initiator (TSi) payload and all destination traffic selectors
in the Traffic Selector-Responder (TSr) payload.
When responding to an IKEv2 tunnel IPsec SA negotiation, IKE compares the TSi it receives with
its destination traffic selectors and the TSr it receives with its source traffic selectors. The IKE
responder sends back traffic selector payloads with the matching selectors, which can be subsets
of the initiator's selectors.
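The matching rules in the IKEv1 and IKEv2 sections above, and the single exact TSi/TSr pair sent under an EXCLUSIVE host policy, as an added example in Python. This is illustration code, not HP-UX IPSec code; the TrafficSelector model, the helper names (ts, narrow, ikev2_respond, ikev1_proxy_ids_match, exclusive_host_selectors) and the sample addresses are assumptions chosen for the example.

```python
"""IKE traffic-selector matching: IKEv1 proxy IDs must match exactly, while an
IKEv2 responder may narrow the initiator's TSi/TSr to subsets of them.
Example code, not HP-UX IPSec code; the data model and names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PROTO = 0            # protocol 0 = "any", as in the IKEv2 TS payload
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class TrafficSelector:
    """One IKEv2 traffic selector (or IKEv1 proxy ID): protocol, inclusive
    address range and inclusive port range.  Addresses are kept as ints."""
    proto: int
    start_addr: int
    end_addr: int
    start_port: int
    end_port: int

    def __str__(self) -> str:
        return (f"{ipaddress.IPv4Address(self.start_addr)}-"
                f"{ipaddress.IPv4Address(self.end_addr)} "
                f"proto={self.proto} ports={self.start_port}-{self.end_port}")


def ts(cidr: str, proto: int = ANY_PROTO,
       ports: Tuple[int, int] = ANY_PORTS) -> TrafficSelector:
    """Build a selector from a CIDR block; a /32 yields a single host."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return TrafficSelector(proto, int(net.network_address),
                           int(net.broadcast_address), ports[0], ports[1])


def narrow(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Intersection of two selectors, or None when they do not overlap.
    A protocol of 0 ("any") narrows to the other side's protocol."""
    if a.proto != ANY_PROTO and b.proto != ANY_PROTO and a.proto != b.proto:
        return None
    proto = a.proto or b.proto
    start_addr, end_addr = max(a.start_addr, b.start_addr), min(a.end_addr, b.end_addr)
    start_port, end_port = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if start_addr > end_addr or start_port > end_port:
        return None
    return TrafficSelector(proto, start_addr, end_addr, start_port, end_port)


def _narrow_all(received: List[TrafficSelector],
                mine: List[TrafficSelector]) -> List[TrafficSelector]:
    """Every non-empty intersection of a received selector with one of ours."""
    out = []
    for r in received:
        for m in mine:
            n = narrow(r, m)
            if n is not None:
                out.append(n)
    return out


def ikev2_respond(tsi: List[TrafficSelector], tsr: List[TrafficSelector],
                  my_src: List[TrafficSelector], my_dst: List[TrafficSelector]
                  ) -> Optional[Tuple[List[TrafficSelector], List[TrafficSelector]]]:
    """IKEv2 responder: the initiator's TSi describes the initiator's end of
    the traffic, i.e. this system's *destination* side, so TSi is compared with
    my_dst and TSr with my_src.  Returns the (possibly narrowed) TSi/TSr to send
    back, or None when nothing matches (a TS_UNACCEPTABLE failure)."""
    tsi_out = _narrow_all(tsi, my_dst)
    tsr_out = _narrow_all(tsr, my_src)
    if not tsi_out or not tsr_out:
        return None
    return tsi_out, tsr_out


ProxyIdPair = Tuple[TrafficSelector, TrafficSelector]


def ikev1_proxy_ids_match(initiator_ids: List[ProxyIdPair],
                          responder_ids: List[ProxyIdPair]) -> bool:
    """IKEv1: no narrowing.  At least one (proxy src, proxy dst) pair offered
    by the initiator must equal, exactly, one of the responder's expected pairs
    (responder_ids are assumed to be stored as seen from the initiator)."""
    return any(pair in responder_ids for pair in initiator_ids)


def exclusive_host_selectors(src_ip: str, dst_ip: str, proto: int,
                             sport: int, dport: int
                             ) -> Tuple[List[TrafficSelector], List[TrafficSelector]]:
    """Initiator under a non-shareable (EXCLUSIVE) host policy: one TSi and
    one TSr, each a single address, a single port and the packet's protocol."""
    return ([ts(src_ip + "/32", proto, (sport, sport))],
            [ts(dst_ip + "/32", proto, (dport, dport))])


if __name__ == "__main__":
    # Constructed sample: the responder protects 192.168.5.0/24 TCP/443 (its
    # source side) toward 10.1.0.0/16 TCP (its destination side).
    my_src = [ts("192.168.5.0/24", 6, (443, 443))]
    my_dst = [ts("10.1.0.0/16", 6)]
    result = ikev2_respond([ts("10.1.2.0/24")], [ts("192.168.0.0/16", 6)], my_src, my_dst)
    for sel in result[0] + result[1]:
        print(sel)          # narrowed: 10.1.2.0/24 proto 6; 192.168.5.0/24 proto 6 port 443
```

The IKEv2 result is narrowed on every axis the initiator left open: the initiator offered protocol "any" and a /16, the responder answers with TCP, a /24 and a single port. The same offer under IKEv1 fails, because a subset is not an exact proxy ID match.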
Establishing Tunnel Security Associations
If HP-UX IPSec is processing an outbound packet and the selected host IPsec policy specifies a
tunnel IPsec policy, HP-UX IPSec checks whether it already has a tunnel SA with the tunnel
endpoint. If not, it must establish the tunnel SA before it establishes the end-to-end (transport)
SA. The procedure for establishing a tunnel SA is similar to establishing a transport SA (HP-UX
IPSec establishes an IKE SA, or reuses an existing one, and uses it to negotiate the IPsec SA),
except that the IKE entities also exchange information about the transport endpoints (IP address,
protocol, and port numbers) during the IPsec SA negotiation; IKEv2 refers to this data as client
traffic selectors, and IKEv1 refers to it as proxy IDs. The transport endpoint information enables
a tunnel endpoint to determine the identity of the end system or subnet for which the other
tunnel endpoint is establishing the tunnel.
ICMPv4 Message Processing
IP uses ICMP messages to transmit error and control information, such as in the following
situations:
• IP may periodically send ICMP Echo messages to gateways to determine if the gateway is
up (“Gateway Probes”). If no response is received, the gateway is marked “Dead” in the IP
routing table.
This feature is controlled by the IP kernel parameter ip_ire_gw_probe. By default, this
feature is enabled on all HP-UX systems. Refer to the ndd(1M) manpage for information on
checking or changing this parameter value.
• IP may use ICMP Echo messages sent with the IP “Don’t Fragment” flag set, and the ICMP
Destination Unreachable messages with the “Fragmentation Needed” code that they provoke, to
discover the Path Maximum Transmission Unit (Path MTU).
This feature is controlled by the IP kernel parameter ip_pmtu_strategy. Refer to the
ndd(1M) manpage for information on checking or changing this parameter value.
184 Product Specifications