HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Components
The main HP-UX IPSec components are as follows:
• Routines in the IP streams module
These routines query the other product components to determine the action (pass, discard, or
secure) for each IP packet if HP-UX IPSec is enabled.
• IKE daemon, ikmpd
The IKE daemon establishes IKE and IPsec SAs and processes all IKE messages. The IKE
daemon also maintains a list of established IKE SAs, indexed by the remote system's IP address.
• Configuration database, /var/adm/ipsec/config.db
The configuration database contains all information configured using the ipsec_config
utility. This includes all the host and tunnel IPsec policies, the IKE policies, authentication
records, the bypass list, and startup parameters. The contents of the database are read once
by the policy daemon and by the IKE daemon when HP-UX IPSec and the daemons start. After
HP-UX IPSec starts, the policy daemon and IKE daemon get updated data as needed when
the user updates the configuration.
• Policy daemon, secpolicyd
The policy daemon maintains a list of active host and tunnel policies. To create the list of active
host IPsec policies, the policy daemon expands configured host IPsec policies that use wildcard
and subnet specifications for the local address into one active policy per plumbed IP interface
on the local system (whether the interface is configured UP or DOWN). The policy daemon also
creates active host IPsec policies by expanding remote IP address specifications and any other
wildcard field values as needed.
• Kernel policy engine cache
The cache records the most recent decisions that the kernel policy engine has made for
traffic passing in and out of the system. Each entry is indexed by the five-tuple of the packet
(source IP address, destination IP address, protocol, source port, destination port) and holds
the action taken. The cache records a decision for every packet sent or received by the system
(including broadcast packets), even when no IPsec negotiation is needed, that is, even when
the action is to pass the packet in clear text or to discard it.
• Kernel SA engine
The kernel SA engine keeps a database of IPsec SAs, indexed by SPI and remote IP address.
This database contains the IPsec SA parameters, including the cryptographic keys.
• Audit daemon, secauditd
The audit daemon receives audit messages from the other modules and logs them in an audit
file.
• User utilities
The ipsec_config, ipsec_admin, ipsec_report, and ipsec_policy utilities enable
the user to modify the configuration, start and stop HP-UX IPSec, report status, and test policies.
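The following is an added example that models how these components interact on the outbound path; it is not code from HP-UX IPSec and does not reproduce its internal data structures. It assumes a simplified policy record (exact address, CIDR subnet or "*" wildcard; None meaning "any" protocol or port; a numeric priority where a lower value is tried first), a fail-closed DISCARD default when no policy matches (an assumption of the model, not something this page states), and it stands in for ikmpd with a list of pending negotiation requests. It shows secpolicyd-style expansion of wildcard local addresses into one active policy per plumbed interface, the five-tuple cache that records every decision including PASS and DISCARD, and the SA database keyed by (SPI, remote address).

```python
"""Toy model of the HP-UX IPSec outbound decision path (added example, not HP code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class FiveTuple:
    """Key of the kernel policy engine cache: the five fields named in the text."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass
class HostPolicy:
    """Configured host policy.  Field syntax is an assumption of this model:
    an exact address, a CIDR subnet, or "*" (wildcard); None for proto/dport
    means "any".  Lower priority value is matched first."""
    name: str
    src: str
    dst: str
    action: str                    # "SECURE", "DISCARD" or "PASS"
    proto: Optional[int] = None
    dport: Optional[int] = None
    priority: int = 100


def expand_policies(policies, local_addrs):
    """Model of secpolicyd expansion: a policy whose local (source) address is
    "*" becomes one active policy per plumbed local interface address."""
    active = []
    for p in policies:
        if p.src == "*":
            for addr in local_addrs:
                active.append(HostPolicy(f"{p.name}@{addr}", addr, p.dst,
                                         p.action, p.proto, p.dport, p.priority))
        else:
            active.append(p)
    return sorted(active, key=lambda p: p.priority)   # stable: config order kept within a priority


def _addr_match(spec, addr):
    if spec == "*":
        return True
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return spec == addr


def match_policy(active, ft):
    """First active policy (by priority) matching the five-tuple, or None."""
    for p in active:
        if (_addr_match(p.src, ft.src) and _addr_match(p.dst, ft.dst)
                and p.proto in (None, ft.proto) and p.dport in (None, ft.dport)):
            return p
    return None


@dataclass
class OutboundEngine:
    active: list
    cache: dict = field(default_factory=dict)      # FiveTuple -> action (policy engine cache)
    sa_db: dict = field(default_factory=dict)      # (spi, remote_ip) -> SA params (SA engine)
    ike_requests: list = field(default_factory=list)  # stands in for asking ikmpd to negotiate

    def decide(self, ft):
        """Outbound packet: consult the cache first; on a miss, match the active
        policies and cache the result, even PASS and DISCARD.  A SECURE action
        with no SA for the remote address triggers an IKE request."""
        action = self.cache.get(ft)
        if action is None:
            pol = match_policy(self.active, ft)
            action = pol.action if pol else "DISCARD"   # no-match default: assumption of this model
            self.cache[ft] = action
        if action == "SECURE" and not self._have_sa(ft.dst):
            self.ike_requests.append(ft.dst)
            return ("SECURE", "NO_SA")
        return (action, "OK")

    def _have_sa(self, remote):
        return any(r == remote for (_spi, r) in self.sa_db)

    def install_sa(self, spi, remote, params):
        """What ikmpd does once negotiation succeeds: hand the SA to the kernel."""
        self.sa_db[(spi, remote)] = params


def demo():
    # Constructed sample configuration: two plumbed interfaces, three policies.
    policies = [HostPolicy("to_finance", "*", "10.1.0.0/16", "SECURE", priority=10),
                HostPolicy("dns_clear", "*", "*", "PASS", proto=17, dport=53, priority=20),
                HostPolicy("deny_rest", "*", "*", "DISCARD", priority=1000)]
    eng = OutboundEngine(expand_policies(policies, ["192.0.2.10", "192.0.2.11"]))
    https = FiveTuple("192.0.2.10", "10.1.5.7", 6, 40000, 443)
    first = eng.decide(https)                       # SECURE but no SA yet -> IKE request
    eng.install_sa(0x1234ABCD, "10.1.5.7", {"proto": "ESP"})
    second = eng.decide(https)                      # cache hit, SA present
    dns = eng.decide(FiveTuple("192.0.2.11", "198.51.100.53", 17, 5555, 53))
    other = eng.decide(FiveTuple("192.0.2.10", "203.0.113.5", 6, 1, 80))
    return first, second, dns, other, len(eng.cache), eng.ike_requests
```

The point the model makes about the real system is that the cache holds the action, not the SA: a SECURE entry can exist before the SA does, which is why the SA engine and the cache are separate components, and why a cleared or expired SA does not invalidate the cached policy decision.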
Outbound Data Processing
The following sections describe outbound data processing.
Query the Kernel Policy Engine
HP-UX IPSec first checks the kernel policy engine cache for an existing decision on the action to
take for the packet (secure, drop, or pass in clear text), based on the following fields in the IP
packet, often referred to as a five-tuple:
• source IP address
• destination IP address
HP-UX IPSec Operation 151