HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
If the IKE authentication method is RSA signatures, the initiator includes a request for the
responder's certificate.
• Message 4: Responder sends its Diffie-Hellman public value
The responder sends its Diffie-Hellman public value. The initiator and responder each generate
the same, shared secret value that they use to generate encryption and authentication keys.
The keys are used for the IKE SA and for the IPsec SAs. Subsequent IKE messages in the
exchange are secure (encrypted). However, the IKE IDs are not authenticated until Messages
5 and 6 in the exchange.
If the IKE authentication method is RSA signatures, the responder includes a request for the
peer's certificate.
• Message 5: Initiator sends IKE ID and authentication data
In messages 5 and 6, each system authenticates the other system's identity, using preshared
keys or security certificates (RSA signatures). The systems also send and verify IKE ID types
and ID values (HP-UX IPSec uses IP addresses as ID values by default).
The initiator sends its ID type and value and authentication data to the responder.
The authentication data depends on the IKE authentication method. If the authentication method
is RSA signatures, the initiator sends a digital signature calculated using its private key (the
initiator also sends its certificate). If the authentication method is preshared keys, the responder
sends a hash value calculated using the preshared key.
• Messages 6: Responder sends IKE ID and authentication data
The responder sends its ID type and value and authentication data to the initiator. If the IKE
authentication method is RSA signatures, the responder also sends its certificate.
IKEv1 Aggressive Mode
In an Aggressive Mode (AM) exchange, the IKE entities use three messages to establish the IKE
SA:
Figure 15 IKEv1 Aggressive Mode
• Message 1: Initiator sends IKE SA proposals, Diffie-Hellman public value, IKE ID, and
authentication data
The initiator sends IKE SA parameters, Diffie-Hellman public value, IKE ID, and authentication
data. If the IKE authentication method is RSA signatures, the initiator includes a request for
the remote system's certificate and the certificate for the local system. The initiator also sends
authentication data—either a hash value calculated using the preshared key or a digital
signature calculated using its certificate private key.
• Message 2: Responder sends accepted IKE SA proposal, Diffie-Hellman public value, IKE ID,
and authentication data
The responder sends its selected IKE SA proposal, Diffe-Hellman public value, IKE ID, and
authentication data. If the IKE authentication method is RSA signatures, the responder also
148 Product Specifications