Manualshelf

HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
141142143144145146147148149150
sends its certificate. Portions of the message are encrypted using a key based on the
Diffie-Hellman shared secret.
Message 3: Initiator sends Diffie-Hellman secured message
The initiator sends a message with portions encrypted using a key based on the Diffie-Hellman
shared secret.
IPsec SAs Negotiated Using IKEv1 Quick Mode
After an IKEv1 SA is established, the two systems have a secure channel for negotiating IPsec SAs.
The IPsec SAs determine the HP-UX IPSec transformation(s) used (ESP and/or AH), the encryption
keys for ESP/ESP and other parameters. IPsec SAs are negotiated in pairs: an outbound SA for
packets from the local system to the remote system and an inbound SA for packets from the remote
system to the local system.
The IKE SA can be used to negotiate multiple pairs of IPsec SAs until the IKE lifetime expires.
Three messages are required to establish an IPsec SA pair in an IKEv1 Quick Mode exchange:
Figure 16 IKEv1 Quick Mode
Message 1: Initiator sends IPsec SA proposals, SPI, and traffic IDs
In message 1, the initiator sends IPsec SA proposals, the SPI, and traffic selectors (client IDs).
The IPsec SA proposals include the transformation(s) used (ESP and/or AH). The SPI identifies
the initiator's inbound IPsec SA (for packets to the initiator from the responder).
The traffic selectors specify the endpoints for the IPsec SA by IP address, protocol, and port
number.
Message 2: Responder sends accepted IPsec SA proposal, SPI, and traffic IDs
In message 2, the responder sends back the accepted IPsec SA proposal and the SPI for the
responder's inbound IPsec SA (for packets to the responder from the initiator).
Message 3: Initiator sends hash message to prove liveness
In Message 3, the initiator contains a hash of data sent by the responder in message 2. This
proves that the first message is “live” and not a previous message captured by an attacker
and replayed.
Some implementations send an optional fourth message from the responder (a NOTIFY message);
HP-UX IPsec accepts this message but does not send it unless requested by the initiator.
IKEv2 IKE and IPsec SA Message Flow
IKEv2 uses four messages to establish an IKE SA and an initial IPsec SA pair (data used to negotiate
the initial IPsec SA pair is included with the messages used to complete the IKE SA negotiation):
HP-UX IPSec Operation 149