HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
The messages used to negotiate an IKE SA are referred to as a phase I negotiation.
• IPsec SAs or Child SAs
An IPsec SA is a security association used to exchange IPsec ESP or AH packets. The IPsec
SA operating parameters include the IPsec protocol used (ESP or AH), the mode (transport or
tunnel), the cryptographic algorithms (such as AES and SHA-1 or AES and SHA-2), the
cryptographic keys, the SA lifetime, and the endpoints (IP addresses, protocol and port
numbers).
IPsec SAs are also referred to as child SAs because they are negotiated from IKE SAs.
An IPsec SA is unidirectional, so IPsec SAs are negotiated in pairs: one SA for inbound packets
from the remote endpoint and one SA for outbound packets to the remote endpoint. Each
IPsec SA is identified by an integer referred to as the Security Parameters Index (SPI).
The messages used to negotiate an IPsec SA pair are referred to as a phase II negotiation.
The messages used to establish SAs differ according to the IKE protocol version. The following
sections provide a high-level description of the messages HP-UX IPSec uses, including the main
fields determined by the product configuration. For full descriptions of the messages, refer to the
appropriate RFCs listed in “IPsec RFCs” (page 141).
IKE Roles
In IKE negotiations, the IKE entity or daemon that initiates the negotiation is referred to as the
initiator. The IKE entity that responds to the negotiation request is referred to as the responder.
An IKE entity can have one role in an IKE SA negotiation and a different role in an IPsec SA
negotiation. For example, after an IKE entity is the responder in an IKE SA negotiation, that entity
can use the IKE SA to initiate negotiations for an IPsec SA pair.
IKEv1 IKE SAs
For IKEv1, the peers establish an IKE SA (phase I negotiation) using either a Main Mode (MM)
exchange or an Aggressive Mode (AM) exchange. After the IKE SA is established, the IKE peers use
the IKE SA for a phase II negotiation with a Quick Mode (QM) exchange that establishes an IPsec
SA pair.
IKEv1 Main Mode
In a MM exchange, the IKE entities use six messages to establish the IKE SA:
Figure 14 IKEv1 Main Mode
• Message 1: Initiator sends IKE SA proposals
The node initiating the IKE exchange (the IKE initiator) sends IKE SA proposals, which contain
IKE SA parameters including authentication and encryption algorithms, Oakley (Diffie-Hellman)
group number, and lifetimes.
• Message 2: Responder sends accepted IKE SA proposal
In message 2, the peer node (the IKE responder) sends the IKE SA proposal it accepts.
• Message 3: Initiator sends its Diffie-Hellman public value
The initiator sends its Diffie-Hellman public value.
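The following Python model is an added example, not HP-UX IPSec code, and it serves two passages above: the description of IPsec SAs as unidirectional pairs identified by SPIs and negotiated under an IKE SA, and the Main Mode message flow. It assumes a constructed responder policy (the algorithm labels such as "aes128" and "sha2-256" are illustrative strings, not product configuration keywords), a toy Diffie-Hellman modulus rather than a real Oakley group, and it continues past message 3 through messages 4 to 6 as defined in RFC 2409, which are not shown on this page. Nothing is sent on the wire; the point is the proposal selection in message 2 (the responder takes the first offered proposal its policy allows, so weak proposals are refused only if the policy excludes them), the derivation of shared keying material that never crosses the wire, and the resulting SA pair with one SPI per direction.

```python
"""Simulated IKEv1 negotiation: phase I Main Mode yields an IKE SA, phase II
Quick Mode yields a unidirectional IPsec SA pair. Added illustration only."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Toy Diffie-Hellman parameters (constructed for illustration; not an Oakley group).
TOY_P = 2**64 - 59
TOY_G = 2


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes128" (constructed label)
    hash_alg: str     # e.g. "sha2-256" (constructed label)
    dh_group: int     # Oakley group number
    lifetime_s: int   # IKE SA lifetime in seconds


@dataclass(frozen=True)
class IkeSa:
    proposal: Proposal
    skeyid: bytes     # keying material both peers derive; never transmitted


@dataclass(frozen=True)
class IpsecSa:
    spi: int          # Security Parameters Index, chosen by the receiving endpoint
    direction: str    # "in" or "out" from this node's point of view
    protocol: str     # "esp" or "ah"
    mode: str         # "transport" or "tunnel"
    src: str
    dst: str


# Constructed responder policy: transforms this node is willing to accept.
RESPONDER_POLICY = {"encryption": {"aes128", "aes256"}, "hash": {"sha1", "sha2-256"},
                    "dh_groups": {2, 14}, "max_lifetime_s": 28800}


def select_proposal(offered: List[Proposal], policy: dict) -> Optional[Proposal]:
    """Message 2: the responder returns the first offered proposal its policy
    accepts, or None. Checked in the initiator's order, so the initiator
    should list its preferred (strongest) proposal first."""
    for p in offered:
        if (p.encryption in policy["encryption"] and p.hash_alg in policy["hash"]
                and p.dh_group in policy["dh_groups"]
                and p.lifetime_s <= policy["max_lifetime_s"]):
            return p
    return None


class IkePeer:
    """One IKE entity; initiator/responder is a per-negotiation role."""

    def __init__(self, ip: str):
        self.ip = ip
        self._dh_priv = secrets.randbelow(TOY_P - 2) + 1
        self.dh_pub = pow(TOY_G, self._dh_priv, TOY_P)
        self.nonce = secrets.token_bytes(16)

    def shared_secret(self, peer_pub: int) -> int:
        return pow(peer_pub, self._dh_priv, TOY_P)


def main_mode(initiator: IkePeer, responder: IkePeer,
              offered: List[Proposal]) -> Tuple[Optional[IkeSa], list]:
    """Phase I. Messages 1-3 follow the guide; messages 4-6 follow RFC 2409."""
    transcript = [("I->R", 1, "IKE SA proposals", offered)]
    accepted = select_proposal(offered, RESPONDER_POLICY)
    if accepted is None:
        transcript.append(("R->I", 2, "no proposal chosen", None))
        return None, transcript
    transcript.append(("R->I", 2, "accepted proposal", accepted))
    transcript.append(("I->R", 3, "DH public value + nonce", initiator.dh_pub))
    transcript.append(("R->I", 4, "DH public value + nonce", responder.dh_pub))
    # Both sides now hold the same secret without it having crossed the wire.
    secret = initiator.shared_secret(responder.dh_pub)
    assert secret == responder.shared_secret(initiator.dh_pub)
    skeyid = hashlib.sha256(secret.to_bytes(8, "big") + initiator.nonce
                            + responder.nonce).digest()
    # Messages 5 and 6 carry identities and authentication data, encrypted
    # under keys derived from skeyid (payload contents omitted in this model).
    transcript.append(("I->R", 5, "identity + authentication (encrypted)", None))
    transcript.append(("R->I", 6, "identity + authentication (encrypted)", None))
    return IkeSa(accepted, skeyid), transcript


def quick_mode(ike_sa: IkeSa, local: IkePeer, remote: IkePeer, protocol: str = "esp",
               mode: str = "transport") -> Tuple[IpsecSa, IpsecSa]:
    """Phase II under ike_sa: one inbound and one outbound IPsec SA for `local`.
    Each endpoint picks the SPI of the SA on which it will receive, so the two
    SAs of a pair carry different SPIs. SPIs 0-255 are reserved."""
    spi_in = secrets.randbelow(0xFFFFFFFF - 256) + 256
    spi_out = secrets.randbelow(0xFFFFFFFF - 256) + 256
    while spi_out == spi_in:
        spi_out = secrets.randbelow(0xFFFFFFFF - 256) + 256
    inbound = IpsecSa(spi_in, "in", protocol, mode, src=remote.ip, dst=local.ip)
    outbound = IpsecSa(spi_out, "out", protocol, mode, src=local.ip, dst=remote.ip)
    return inbound, outbound


def lookup_inbound(sad: List[IpsecSa], spi: int, dst: str, protocol: str) -> Optional[IpsecSa]:
    """Receiver-side lookup: an inbound ESP/AH packet is matched to its SA by
    SPI, destination address and protocol; outbound SAs are never candidates."""
    for sa in sad:
        if sa.direction == "in" and sa.spi == spi and sa.dst == dst and sa.protocol == protocol:
            return sa
    return None
```

Running `main_mode` with a proposal list that leads with a weak transform shows why proposal order and responder policy both matter: the responder accepts the first match, so a permissive policy would let the initiator's weakest offer win. The `lookup_inbound` helper shows the practical consequence of unidirectional SAs: a packet carrying the outbound SA's SPI does not match anything on the receiving side's inbound table.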
HP-UX IPSec Operation 147