HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

that the SPI matches the entry for the five-tuple. If so, HP-UX IPSec uses the information in the
SA entry to decrypt or authenticate the packet.
If no matching SA entry exists, HP-UX IPSec checks if there is an authentication record that
applies to the remote system. If there is not, this is an error and possible intrusion attempt.
HP-UX IPSec sends an audit message to the audit daemon. HP-UX IPSec discards the packet.
If no matching SA entry exists but the local system has an authentication record that applies
to the remote system, HP-UX IPSec assumes that a valid IPsec SA previously existed, but the
SPI entry no longer exists because the local system has re-booted. The local system attempts
to establish a new IKE SA with the remote system, and sends an INITIAL-CONTACT notify
message. The INITIAL-CONTACT notify message notifies the remote system that the local
system has restarted IPsec. In most implementations, the remote system deletes its information
for all SAs established with the local node and attempts to re-establish new SAs. If the remote
system does not delete the SAs, an administrator on the remote system must manually delete
the SAs.
Clear Text Packet
If the inbound packet has no AH or ESP header (it is a normal IP packet in clear text), HP-UX
IPSec must determine whether the packet should be dropped or passed in clear text. HP-UX
IPSec checks the kernel policy engine cache for an existing decision on the action for the
packet based on the five-tuple. If the action is to apply an AH or ESP transform, HP-UX IPSec
discards the packet. This is because the remote system should have established IPsec SAs
before sending the packet.
If no cache entry exists, HP-UX IPSec queries the policy manager daemon for the appropriate
action according to the host IPsec policy with the filter that best matches the packet (or the
default policy, if no filters match). If the action is to apply an AH or ESP transform, HP-UX
IPSec checks if the FALLBACK_TO_CLEAR flag is set. If the flag is set, HP-UX IPSec allows the
packet to pass and adds an entry to the kernel policy engine cache.
If the FALLBACK_TO_CLEAR flag is not set, HP-UX IPSec discards the packet.
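The inbound decision logic described above (SA lookup by SPI and source address, the INITIAL-CONTACT case, the policy engine cache and the FALLBACK_TO_CLEAR check) as an added model, not code from the HP-UX IPSec product; the SA database, authentication records and policy tables are constructed, and caching the policy action for every five-tuple is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass
class Policy:
    action: str                 # "PASS", "DISCARD", "AH" or "ESP"
    fallback_to_clear: bool = False

# Constructed tables standing in for the kernel SA database, the
# authentication records and the host policy filters (assumption).
SA_DB: Set[Tuple[int, str]] = {(0x1001, "10.0.0.2")}    # (SPI, source address)
AUTH_RECORDS: Set[str] = {"10.0.0.2", "10.0.0.3"}         # remotes with a record
POLICIES: Dict[str, Policy] = {
    "10.0.0.2": Policy("ESP"),
    "10.0.0.3": Policy("ESP", fallback_to_clear=True),
}
DEFAULT_POLICY = Policy("PASS")

def inbound_disposition(pkt: FiveTuple, spi: Optional[int],
                        cache: Dict[FiveTuple, str]) -> str:
    """Return what the model does with one inbound host packet."""
    if spi is not None:                     # packet carries an AH/ESP header
        if (spi, pkt.src) in SA_DB:
            return "apply-sa"               # decrypt/authenticate with the SA
        if pkt.src in AUTH_RECORDS:
            # SA state lost (e.g. reboot): re-key and send INITIAL-CONTACT
            return "discard, initiate IKE with INITIAL-CONTACT"
        return "discard, audit"             # no SA, no record: possible intrusion
    # Clear-text packet: consult the kernel policy engine cache first.
    action = cache.get(pkt)
    if action is None:                      # cache miss: ask the policy manager
        policy = POLICIES.get(pkt.src, DEFAULT_POLICY)
        if policy.action in ("AH", "ESP") and policy.fallback_to_clear:
            cache[pkt] = "pass"             # page: entry added on fallback
            return "pass (fallback to clear)"
        cache[pkt] = policy.action          # assumption: other actions cached too
        action = policy.action
    if action in ("AH", "ESP"):
        return "discard"                    # peer should have set up SAs first
    return action.lower()
```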
Processing Inbound Tunnel Packets
If HP-UX IPSec is processing an inbound packet, it searches the kernel SA database for inbound
packets for an entry with the same SPI and source IP address. If one exists, it uses the information
in the SA to decrypt or authenticate the packet. If this is a tunnel SA, HP-UX IPSec decapsulates
the packet (removes the outer IP header) and processes the IP header for the inner packet. HP-UX
IPSec also verifies that the SA SPI for the tunnel policy referenced in the host policy matches the
SPI in the outer (tunnel) packet.
If HP-UX IPSec is processing an inbound packet, it searches the kernel SA database for inbound
packets for an entry with the same SPI and source IP address. If one exists, it uses the information
in the SA to decrypt or authenticate the packet. If this is a tunnel SA, HP-UX IPSec decapsulates
the packet (removes the outer IP header) and processes the IP header for the inner packet. If the
destination address in the inner packet is a local address, HP-UX IPSec searches its host IPsec
policies to determine the next action. If it is not a local address, HP-UX IPSec searches its gateway
IPsec policies to determine the next action. If the SA uses manual keys, HP-UX IPSec also verifies
that the SA SPI for the tunnel policy referenced in the host or gateway policy matches the SPI in
the outer (tunnel) packet.
Establishing IKE and IPsec SAs
An IKE SA must be established before IKE can negotiate an IPsec SA pair. The methods used to
establish the IKE and IPsec SAs differ according to the IKE version. This section provides a
high-level description of how HP-UX IPSec establishes IKE and IPsec SAs and uses configuration
data in IKE negotiations.
Determining the IKE Version
To determine the IKE version, the IKE daemon searches the authentication records in priority order
for a record with a remote value that matches the remote system’s IP address. The IKE daemon
uses the kmp (key management protocol) value in the authentication record to determine the IKE
HP-UX IPSec Operation 153