HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
• protocol
• source TCP or UDP port number, if present
• destination TCP or UDP port number, if present
If a match is found, and the action is pass or discard, HP-UX IPSec passes or discards the packet.
If the action is secure (use an Authentication Header, AH, or an Encapsulating Security Payload,
ESP) and there is a reference to an existing IPsec SA that can be used, HP-UX IPSec transmits the
packet using the existing SA. If there is no existing IPsec SA, HP-UX IPSec establishes the IPsec SA
as described in “Establishing IKE and IPsec SAs” (page 153).
If there is no matching entry in the cache, HP-UX IPSec queries the policy manager daemon
(secpolicyd).
Query the Policy Manager Daemon for a Host Policy
If no match is found in the policy engine cache, the policy manager daemon is queried for the
policy and action (secure, discard, or pass in clear text). The policy manager daemon maintains a
list of active policies, and its policy entries contain expanded wildcard fields.
The Policy Manager sequentially searches the host IPsec policies in priority order for the first policy
with an IP packet filter that matches the packet. The packet filter is defined by the following
arguments in the ipsec_config add host command:
• source (local address and optional port number or service name)
• destination (remote address and optional port number or service name)
• protocol
If the host policy contains multiple source or destination arguments, the policy manager selects the
policy if any of the source and any of the destination fields match.
If no match is found, HP-UX IPSec uses the default host policy.
On a gateway system (the local system is forwarding the outbound packet), the Policy Manager
sequentially searches the gateway IPsec policies in priority order. If no match is found, HP-UX IPSec
uses the default gateway IPsec policy.
If the transform (action) specified in the matching host policy is to secure the IP packet using AH
or ESP, an IPsec SA pair might already exist for the policy. If the five-tuple is not an exact match
but the packet has the same IP address pair, and its port and protocol fall within the policy's range
or match a wildcard, the packet can use the existing IPsec SA pair provided the EXCLUSIVE flag is
not set in the policy. Otherwise, HP-UX IPSec establishes a new IPsec SA pair as described in
“Establishing IKE and IPsec SAs” (page 153).
The policy manager daemon adds an entry for the five-tuple to the kernel policy engine cache with
the appropriate action.
The policy manager daemon also checks if the host policy specifies the name of a tunnel policy.
If no tunnel policy is specified, the policy manager daemon adds an entry for the five-tuple to the
kernel policy engine cache and the packet passes in clear text.
If the matching host policy specifies the name of a tunnel policy, the policy manager daemon
verifies that the packet five-tuple matches any of the source and any of the destination values
in the tunnel policy. The policy manager daemon checks if the packet can use an existing tunnel
SA. If not, HP-UX IPSec establishes new IPsec SAs as described in “Establishing IKE and IPsec SAs”
(page 153).
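As an added illustration (not code from the HP guide), the following Python model walks through the outbound lookup just described: the kernel cache is consulted first, host policies are searched in priority order against the five-tuple, the default policy applies when nothing matches, and an existing SA pair is reused for a different five-tuple only when the address pair is the same and EXCLUSIVE is not set. The policy names, addresses and the "lower priority number is searched first" ordering are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the outbound host-policy lookup; not HP-UX IPSec code.
# Port filters are None (wildcard) or an inclusive (low, high) range; protocol None is a wildcard.
@dataclass
class HostPolicy:
    name: str
    priority: int                  # assumption: lower number is searched first
    sources: list                  # [(address, port_range_or_None), ...]
    destinations: list
    protocol: Optional[str]
    action: str                    # "secure", "discard" or "pass"
    exclusive: bool = False        # EXCLUSIVE flag: no SA sharing across five-tuples

def endpoint_matches(endpoints, addr, port):
    """True if any (address, port filter) entry of the policy matches addr/port."""
    return any(a == addr and (r is None or r[0] <= port <= r[1]) for a, r in endpoints)

def find_host_policy(policies, pkt, default):
    """Sequential search in priority order; the first matching packet filter wins."""
    src, dst, proto, sport, dport = pkt
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.protocol in (None, proto) and endpoint_matches(pol.sources, src, sport) \
                and endpoint_matches(pol.destinations, dst, dport):
            return pol
    return default

class PolicyEngine:
    def __init__(self, policies, default):
        self.policies, self.default = policies, default
        self.cache = {}        # five-tuple -> (action, policy name): the kernel policy engine cache
        self.sa_pairs = {}     # policy name -> set of five-tuples that established an SA pair

    def outbound(self, pkt):
        """Return (action, policy name, how-decided) for one outbound five-tuple."""
        if pkt in self.cache:                         # fast path: kernel policy engine cache
            return self.cache[pkt] + ("cache",)
        pol = find_host_policy(self.policies, pkt, self.default)
        self.cache[pkt] = (pol.action, pol.name)      # secpolicyd adds the five-tuple entry
        if pol.action != "secure":
            return pol.action, pol.name, "lookup"
        existing = self.sa_pairs.setdefault(pol.name, set())
        same_pair = any(e[:2] == pkt[:2] for e in existing)
        if pkt in existing or (same_pair and not pol.exclusive):
            return "secure", pol.name, "reuse-sa"
        existing.add(pkt)                             # otherwise a new SA pair is negotiated
        return "secure", pol.name, "new-sa"
```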
Inbound Data Processing
• AH or ESP Packet
If the inbound packet has an Authentication Header (AH) and/or an Encapsulating Security
Payload (ESP), HP-UX IPSec checks the kernel SA database for an inbound entry with the same
SPI and source IP address. If one exists, HP-UX IPSec uses the packet five-tuple to query the
kernel policy engine (and the policy daemon, if there is no entry in the cache) and verifies
152 Product Specifications