HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
ESP_AES256_HMAC_SHA2_512
ESP using Advanced Encryption Standard encryption with a 256-bit key (AES256) and
HMAC-SHA2-512 to generate an ICV.
ESP_3DES_HMAC_SHA2_256
ESP using 3DES-CBC encryption and HMAC-SHA2-256 to generate an ICV.
ESP_3DES_HMAC_SHA2_384
ESP using 3DES-CBC encryption and HMAC-SHA2-384 to generate an ICV.
ESP_3DES_HMAC_SHA2_512
ESP using 3DES-CBC encryption and HMAC-SHA2-512 to generate an ICV.
ESP_NULL_HMAC_SHA2_256
ESP header and trailer, but nothing is encrypted. ESP generates an ICV using HMAC-SHA2-256.
ESP_NULL_HMAC_SHA2_384
ESP header and trailer, but nothing is encrypted. ESP generates an ICV using HMAC-SHA2-384.
ESP_NULL_HMAC_SHA2_512
ESP header and trailer, but nothing is encrypted. ESP generates an ICV using HMAC-SHA2-512.
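The ESP_NULL_HMAC_SHA2_* transforms above provide integrity without confidentiality: the ESP header, payload and trailer travel in clear text and only the ICV protects them. The following Python example is added here to illustrate what that ICV is and how a receiver checks it; it is not HP-UX IPSec code and does not model the HP-UX implementation. It assumes the RFC 4303 ESP layout (32-bit SPI and sequence number, padding, pad length and next header) and the truncated HMAC-SHA2 ICV lengths from RFC 4868 (128, 192 and 256 bits for SHA-256, SHA-384 and SHA-512), neither of which this page states. The SPI, key and payload bytes are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Truncated ICV sizes in bytes for HMAC-SHA2 in IPsec, taken from RFC 4868
# (HMAC-SHA-256-128, HMAC-SHA-384-192, HMAC-SHA-512-256). Assumption: the
# guide itself does not list these values.
ICV_TRUNC_BYTES = {"sha256": 16, "sha384": 24, "sha512": 32}


def esp_null_icv(key: bytes, body: bytes, hash_name: str) -> bytes:
    """ICV over ESP header + payload + trailer (everything but the ICV itself)."""
    if hash_name not in ICV_TRUNC_BYTES:
        raise ValueError(f"unsupported HMAC hash: {hash_name}")
    mac = hmac.new(key, body, getattr(hashlib, hash_name)).digest()
    return mac[: ICV_TRUNC_BYTES[hash_name]]


def build_esp_null_packet(spi: int, seq: int, payload: bytes,
                          next_header: int, key: bytes, hash_name: str) -> bytes:
    """Build an ESP packet with NULL encryption and an HMAC-SHA2 ICV (RFC 4303 layout)."""
    header = struct.pack("!II", spi, seq)              # SPI, sequence number
    pad_len = (-(len(payload) + 2)) % 4                # 4-byte alignment of payload+trailer
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default pad pattern 1,2,3,...
    trailer = padding + bytes([pad_len, next_header])  # pad length, next header
    body = header + payload + trailer                  # nothing is encrypted
    return body + esp_null_icv(key, body, hash_name)


def verify_icv(key: bytes, packet: bytes, hash_name: str) -> bool:
    """Receiver-side check: recompute the ICV and compare in constant time."""
    n = ICV_TRUNC_BYTES[hash_name]
    if len(packet) <= n:
        return False
    body, icv = packet[:-n], packet[-n:]
    return hmac.compare_digest(esp_null_icv(key, body, hash_name), icv)


def demo() -> dict:
    """Show that a single flipped byte or a wrong key fails the ICV check."""
    key = b"\x01" * 32                                 # constructed demo key
    pkt = build_esp_null_packet(0x1000, 1, b"hello world", 6, key, "sha256")
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01                                # first payload byte
    return {
        "valid": verify_icv(key, pkt, "sha256"),
        "tampered": verify_icv(key, bytes(tampered), "sha256"),
        "wrong_key": verify_icv(b"\x02" * 32, pkt, "sha256"),
    }


if __name__ == "__main__":
    print(demo())
```

The point for an administrator is that a NULL-encryption transform still needs a strong HMAC and a sound key: the ICV is the only thing that stops the clear-text payload from being modified in transit, and it reveals nothing about the payload's contents to an observer.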
Transform Lifetimes
The configured transform lifetimes are the preferred lifetimes. The actual lifetimes used depend
on the IKE version and on the lifetime values configured on the remote system.
If HP-UX IPSec is the responder in an IKEv1 negotiation and the peer proposes a lifetime that
is longer than (less secure than) the HP-UX preferred value, HP-UX sends an IKE NOTIFY message
with its preferred value, and that value is used for the SA. If the remote system initiates the IKE SA
negotiation and proposes a lifetime that is the same as or shorter than (more secure than) the HP-UX
preferred value, the HP-UX IKE daemon accepts the proposed value sent by the remote system, provided
it is within the range specified by the IPsec protocol suite.
For IKEv2, lifetime values are not negotiated. If an IKE entity detects an expired SA, it sends a
re-keying message to the peer when needed.
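The two lifetime rules above (IKEv1 responder negotiation and IKEv2 local expiry) are easy to misread when comparing configurations between peers, so the following Python model is added here as an illustration. It is not HP-UX IPSec code and does not reproduce the HP-UX IKE daemon's internals. The lower and upper bounds of the "range specified by the IPsec protocol suite" are placeholders, since the guide gives no numbers; the preferred and proposed values are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Placeholder bounds (seconds) standing in for the protocol-suite range the
# guide refers to without giving values. Assumption, not from the page.
MIN_LIFETIME_SEC = 60
MAX_LIFETIME_SEC = 86400


@dataclass
class Outcome:
    lifetime: Optional[int]   # lifetime the SA will use, or None if rejected
    notify_sent: bool         # True if HP-UX answered with an IKE NOTIFY
    reason: str


def ikev1_responder_lifetime(preferred: int, proposed: int,
                             lo: int = MIN_LIFETIME_SEC,
                             hi: int = MAX_LIFETIME_SEC) -> Outcome:
    """Model of the IKEv1 responder rule described in the guide.

    A proposal longer than the preferred value is answered with a NOTIFY
    carrying the preferred value, which the SA then uses. A proposal equal
    to or shorter than the preferred value is accepted if it lies in range.
    """
    if proposed > preferred:
        return Outcome(preferred, True,
                       "peer proposal is longer than preferred; NOTIFY sent with preferred value")
    if lo <= proposed <= hi:
        return Outcome(proposed, False,
                       "peer proposal is equal or shorter and within range; accepted")
    return Outcome(None, False,
                   "peer proposal is outside the protocol-suite range; not accepted")


def ikev2_rekey_due(established_at: int, local_lifetime: int, now: int) -> bool:
    """IKEv2 does not negotiate lifetimes: each side applies its own value
    and re-keys when it detects that its SA has expired."""
    return now - established_at >= local_lifetime


def compare_peers(hpux_preferred: int, peer_proposed: int) -> dict:
    """Summarise what each IKE version does with the same pair of values."""
    v1 = ikev1_responder_lifetime(hpux_preferred, peer_proposed)
    return {
        "ikev1_sa_lifetime": v1.lifetime,
        "ikev1_notify": v1.notify_sent,
        # Under IKEv2 the HP-UX side simply keeps its own configured value.
        "ikev2_hpux_lifetime": hpux_preferred,
        "ikev2_peer_lifetime": peer_proposed,
    }


if __name__ == "__main__":
    print(compare_peers(3600, 7200))   # constructed values
    print(compare_peers(3600, 1800))
```

The practical consequence is visible in compare_peers: with IKEv1 the shorter value wins and a NOTIFY tells you when HP-UX overrode the peer, while with IKEv2 mismatched values persist silently on each side, so the side with the shorter lifetime drives re-keying.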
HP-UX IPSec Operation
To troubleshoot HP-UX IPSec, it is useful to understand a few key points about its operation. This
section contains high-level descriptions of the message flow HP-UX IPSec uses when establishing
Security Associations (SAs) and how HP-UX IPSec processes packets.
HP-UX IPSec Message Flow for Establishing SAs
Before HP-UX IPSec can authenticate or encrypt an IP packet using an IPsec transformation—an
Authentication Header (AH) or Encapsulating Security Payload (ESP)—it must establish SAs with
the remote system. You can think of the SAs as security sessions, where the two systems agree on
the type of authentication and encryption, the encryption keys and other parameters. There are
two types of SAs:
• IKE SAs
The purpose of the IKE SA is to provide a “master” encrypted and authenticated security
channel that the systems can use to safely exchange address and ID information when
negotiating IPsec SAs.