HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Product Restrictions
HP-UX IPSec product restrictions are described below:

HP-UX IPSec systems cannot act as IP or IPsec gateways.

HP-UX IPSec systems cannot act as IP or IPsec gateways unless the local system is an HP-UX Mobile IPv6 Home Agent forwarding Mobile IPv6 packets to Mobile Node clients.

The action for the host policy in an end-to-end tunnel topology must be PASS.

HP-UX IPSec does not support security for broadcast addresses, including network broadcast, subnet broadcast, multicast, and anycast addresses.

You cannot selectively encrypt or authenticate services that use dynamic ports, such as NFS (Network File System) mountd, NFS lockd, and NIS (Network Information Service).

NOTE: On HP-UX 11.31 systems and HP-UX 11i v2 systems with NFS patch PHNE_34550 (or a patch that supersedes it), you can configure auxiliary NFS daemons (lockd, mountd, and statd) to use fixed port numbers. Refer to the NFS product documentation for more information.

If an HP-UX IPSec system crashes and the system had previously established IKE SA(s) with peer IPsec system(s), the peer IPsec system(s) will not be able to use any existing IKE and IPsec SAs to initiate communication with the rebooted IPsec system.

When the peer IPsec system tries to use a previously established SA with the rebooted system, the IKE daemon on the rebooted system initiates a new IKE SA negotiation with the peer system to replace the previous SA. The IKE daemon also sends an INITIAL CONTACT message to the peer to notify the peer that this is the first SA being established with the rebooted system. This message is typically interpreted by the peer as an indication that the remote system has rebooted, and the peer deletes any IKE SAs previously established with the remote system.

HP-UX IPSec does not support the named SPD entry feature specified in RFC 4301.
IKE Limitations
IKE limitations and constraints are described below:

For IKE exchanges, a single transaction request will time out after 31 seconds (five retransmissions using an exponential timer, starting at one second), which terminates the negotiation.

Timeouts usually occur during heavy network traffic congestion. It is the responsibility of the application to retry the connection after a connection establishment failure.

IKE ignores port numbers for the end-to-end source or destination descriptors in tunnel policies. The IKE daemon sends port number 0 (match any) for traffic selectors (IKEv2) or client IDs (IKEv1).

HP-UX IPSec does not support the use of ID_DER_ASN1_GN (ASN.1 X.500 GeneralName) for IKE IDs.
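The two behaviours above that matter most to an operator are the reboot case (the peer discards its old SAs when it receives INITIAL CONTACT in the replacement IKE SA) and the 31-second transaction timeout (five doubling retransmission intervals starting at one second). The following Python model, added here as an illustration and not part of the HP-UX IPSec product or this guide, shows both; the SA database, SPI values and the 10.0.0.x addresses are constructed for the example.

```python
"""Constructed model of two HP-UX IPSec IKE behaviours (not product code)."""
from dataclasses import dataclass, field


def ike_retransmit_intervals(initial=1, retransmissions=5):
    """Exponential retransmission timer: each wait doubles the previous one.
    With the guide's defaults this yields [1, 2, 4, 8, 16] seconds."""
    return [initial * (2 ** i) for i in range(retransmissions)]


def ike_transaction_timeout(initial=1, retransmissions=5):
    """Total seconds before a single IKE transaction request is abandoned
    and the negotiation terminated (31 s with the defaults)."""
    return sum(ike_retransmit_intervals(initial, retransmissions))


@dataclass
class PeerSaDatabase:
    """SAs held by the peer that did NOT reboot, keyed by remote address.
    Values are sets of SPIs (constructed identifiers for the example)."""
    ike_sas: dict = field(default_factory=dict)
    ipsec_sas: dict = field(default_factory=dict)

    def establish(self, remote, ike_spi, ipsec_spi):
        """Record an IKE SA and an IPsec SA negotiated with `remote`."""
        self.ike_sas.setdefault(remote, set()).add(ike_spi)
        self.ipsec_sas.setdefault(remote, set()).add(ipsec_spi)

    def receive_new_ike_sa(self, remote, ike_spi, notifications):
        """`remote` has negotiated a replacement IKE SA with us.

        If the exchange carried INITIAL_CONTACT, the peer treats it as a reboot
        indication and drops every SA it previously held with that remote; the
        stale SAs are returned so the caller can see what was discarded. A
        replacement without the notification (an ordinary rekey) leaves the
        existing SAs in place."""
        if "INITIAL_CONTACT" in notifications:
            deleted = (self.ike_sas.pop(remote, set()),
                       self.ipsec_sas.pop(remote, set()))
        else:
            deleted = (set(), set())
        self.ike_sas.setdefault(remote, set()).add(ike_spi)
        return deleted

    def usable_ipsec_sas(self, remote):
        """IPsec SAs the peer may still use to initiate traffic to `remote`."""
        return set(self.ipsec_sas.get(remote, set()))
```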
HP-UX IPSec Transforms
Comparative Key Lengths
Table 17 lists the key lengths of AH and ESP algorithms. In general, the longer the key length, the more secure the encryption algorithm will be. AES encryption provides the most secure encryption, but should be used with some form of authentication, such as the ESP-AES128-HMAC-SHA1 authenticated ESP transform.
Product Restrictions 143