HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

141

142

143

144

145

146

147

148

149

150

Figure 17 IKEv2 SA Negotiations

• Message 1: Initiator sends IKE SA proposals and Diffie-Hellman public value

In message 1, the node initiating the IKE exchange (the initiator) sends IKE SA proposals,

which contain IKE SA parameters, and its Diffie-Hellman public value.

• Message 2: Responder sends accepted IKE SA proposal and Diffie-Hellman public value

In message 2, the peer node (the responder) sends back its accepted IKE SA proposal and

its Diffie-Hellman public value.

The Diffie-Hellman exchange enables the IKE entities to each generate the same, shared secret

value that they use to generate encryption and authentication keys. The keys are used for the

IKE SA and the IPsec SAs. After the shared secret is generated, subsequent IKE messages in

the exchange are secure (encrypted). However, the IKE IDs are not authenticated until Messages

3 and 4 in the exchange.

• Message 3: Initiator sends IKE ID, authentication data, IPsec SA proposals, and IPsec traffic

IDs

In message 3, the initiator sends information to authenticate the IKE SA and to establish the

initial IPsec SA pair.

The initiator sends its IKE ID type and value (HP-UX IPSec uses IP addresses as ID values by

default).

If the IKE authentication method is RSA signatures, the initiator sends the certificate for the

local system, a digital signature calculated using its private key, and a request for the peer's

certificate. If the IKE authentication method is preshared keys, the initiator sends a hash value

calculated using the preshared key.

The initiator also includes information for establishing the initial IPsec SA pair: IPsec SA

proposals, and IPsec traffic selectors. The traffic selectors specify the endpoints for the IPsec

SA by IP address, protocol, and port number.

The IPsec SA proposals include the transformation(s) used (ESP and/or AH). The initiator also

sends the SPI to identify the initiator's inbound IPsec SA (for packets to the initiator from the

responder).

• Message 4: Responder sends IKE ID, authentication data, accepted IPsec SA proposal, and

IPsec traffic IDs

In message 4, the responder sends it IKE ID information and authentication data. If the IKE

authentication method is RSA signatures, the responder sends its certificate.

The responder also sends its accepted IPsec SA proposal and its selected IPsec traffic IDs. The

responder can narrow the traffic selectors for the IPsec SA pair by sending back selectors that

are a subset of or more specific than the selectors sent by the initiator.

The message also includes the SPI for the responder's inbound IPsec SA (for packets to the

responder from the initiator).

The IKE SA can be used to negotiate additional IPsec SA pairs.

150 Product Specifications