Manualshelf

HP-UX IPSec Version A.03.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
31323334353637383940
Internet Key Exchange (IKE)
Before IPsec sends authenticated or encrypted IP data, both the sender and receiver must agree
on the protocols, encryption algorithms and keys to use. HP-UX IPSec uses the Internet Key
Exchange (IKE) protocol to negotiate the encryption and authentication methods, generate shared
encryption keys, and establish secure communication channels, or Security Associations (SAs).
The IKE protocol also provides primary authentication, which verifies the identity of the remote
system before negotiating the encryption algorithm and keys.
There are two versions of the IKE protocol:
IKE version 1 (IKEv1), defined in RFCs 2407, 2408, and 2409
IKE version 2 (IKEv2), defined in RFC 4306
In this document, the term IKE refers to both IKEv1 and IKEv2; the term IKEv1 refers to
information that applies exclusively to IKE version 1, and the term IKEv2 refers to information
to applies exclusively to IKE version 2.
The HP-UX IPSec IKE daemon can send and receive IKEv1 and IKEv2 packets on the same UDP
port. However, IKEv1 cannot interoperate with IKEv2 (IKEv1 packets cannot be used for IKEv2
negotiations and vice-versa). When you configure HP-UX IPSec, you specify the IKE protocol
version to use when initiating IKE negotiations with a given destination. When the IKE daemon
responds to IKE negotiations, it uses information in the header to determine the IKE protocol
version and verifies the version with the configured rules. See “Determining the IKE Version”
(page 176) for more information.
Security Associations
A Security Association (SA) is a secure communication channel. You can think of the SAs as
security sessions, where the two systems agree on the type of authentication and encryption, the
encryption keys and other parameters. There are two types of SAs:
IKE SAs
The purpose of the IKE SA is to provide a “master” encrypted and authenticated security
channel that the systems can use to safely exchange address and ID information when
negotiating IPsec SAs.
To establish an IKE SA, the IKE peers exchange messages to generate a Diffie-Hellman
shared value that is used as the base for shared keys, as described in “Generating Shared
Keys: Diffie-Hellman” (page 39). The IKE peers also authenticate the identity of each other.
The negotiations used to establish IKE SAs are sometimes referred to as phase 1 negotiations.
IPsec SAs or Child SAs
Using the secure communication channel provided by the IKE SA, IKE negotiates IPsec SAs
or child SAs. An IPsec SA is a security association used to exchange IPsec ESP or AH packets.
The IPsec SA operating parameters include the IPsec protocol used (ESP or AH), the mode
(transport or tunnel), the cryptographic algorithms (such as AES and SHA-1), the
cryptographic keys, the SA lifetime, and the endpoints (IP addresses, protocol and port
numbers).
An IPsec SA is unidirectional, so IPsec SAs are negotiated in pairs: one SA for inbound
packets from the remote endpoint and one SA for outbound packets to the remote endpoint.
The negotiations used to establish IPsec SAs are sometimes referred to as phase 2 negotiations.
IKEv1 Phases and Exchange Modes
The IKEv1 protocol defines two categories for IKE negotiations:
38 HP-UX IPSec Overview