HP-UX IPSec Version A.03.00 Administrator's Guide
Using HP-UX IPSec with HP-UX IPFilter
HP-UX IPSec and HP-UX IPFilter can coexist on the same system. You can configure HP-UX
IPSec and HP-UX IPFilter so that there is some overlap in the configurations. However, you must
be sure the overlapping configurations do not block each other. HP-UX IPFilter is located below
HP-UX IPSec in the networking stack. HP-UX IPFilter processes inbound IP packets before HP-UX
IPSec and processes outbound packets after HP-UX IPSec.
IPsec Packets
To use HP-UX IPFilter and HP-UX IPSec together, you must configure HP-UX IPFilter so it does
not discard the following IPsec packets:
• UDP port 500 (IKE)
• IP protocol number 50 (ESP)
• IP protocol number 51 (AH)
Upper Layer Information
If HP-UX IPSec secures a packet (the packet has an AH or ESP header), HP-UX IPFilter cannot
filter the packet based on upper layer information, such as TCP port numbers and connection
states, and ICMP message types. The only upper-layer protocol information that HP-UX IPFilter
can process is the IP protocol number (50 or 51).
IPsec Tunnels and End to Gateway Topologies
IPFilter can coexist with IPsec tunnels. In topologies where a tunnel endpoint is not an end-to-end
endpoint (such as host-to-gateway topologies and other gateway topologies), you must configure
IPFilter to allow IPsec traffic to and from the gateway instead of the end node. The IPFilter rules
for UDP/500 and protocol 50/51 traffic must pass packets to and from the gateway IP address
rather than the end node IP address.
Example
On hostA, the local IP address is 10.10.10.10, and you want to allow IPsec ESP packets to and
from hostB (IP address 15.15.15.15). On hostA, the IPFilter configuration contains the following
entries:
# Allow IKE packets to and from hostB
pass in quick proto udp from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto udp from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
# Allow IPsec ESP traffic to and from hostB
pass in quick proto 50 from 15.15.15.15 to 10.10.10.10
pass out quick proto 50 from 10.10.10.10 to 15.15.15.15
NOTE: You must configure IPFilter to pass both inbound and outbound traffic (in and out)
for UDP port 500.
IPFilter searches and selects rules according to their order in the filter file. Place the filter rules
for IPsec packets in the appropriate location for your configuration.