HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

version and searches its list of established IKE SAs to determine if it already has an IKE SA with
the remote system. If the kmp parameter value specifies multiple versions (IKEV1,IKEV2 or
IKEV2,IKEV1), the IKE daemon searches for IKE SAs of both versions, in the order specified.
If the IKE daemon must establish a new IKE SA, it uses only the first version specified in the kmp
value for the negotiation. (If the negotiation fails using the first specified version, IKE returns an
error and does not fall back to the second version.)
Before attempting to initiate IKE SA negotiations, the daemon also verifies that the AUTOCONF flag
is not set in the authentication record. (The IKE daemon cannot initiate IKE SA negotiations if the
AUTOCONF flag is set.)
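The version-selection rules above, modeled in Python as an added example (this is not HP-UX IPsec code and does not reflect the daemon's internal data structures). The record and SA dictionaries, the function names, and the caller-supplied negotiate() callable are assumptions made for illustration; the ordering and fallback behaviour follow the text.

```python
# Added example, not HP-UX IPsec code: models how the IKE daemon uses the kmp
# value and AUTOCONF flag of an authentication record when an IKE SA is needed.
# Record/SA layouts and names below are assumptions for illustration only.

VALID_VERSIONS = ("IKEV1", "IKEV2")


def parse_kmp(kmp):
    """Split a kmp value such as 'IKEV2,IKEV1' into an ordered version list."""
    versions = [v.strip().upper() for v in kmp.split(",") if v.strip()]
    for v in versions:
        if v not in VALID_VERSIONS:
            raise ValueError("unknown IKE version in kmp: %s" % v)
    if not versions:
        raise ValueError("kmp value lists no IKE version")
    return versions


def find_existing_sa(established_sas, remote, versions):
    """Search established IKE SAs for the remote, one version at a time,
    in the order the kmp value lists them (the first listed version wins
    when SAs of both versions exist)."""
    for version in versions:
        for sa in established_sas:
            if sa["remote"] == remote and sa["version"] == version:
                return sa
    return None


def select_ike_sa(auth_record, established_sas, negotiate):
    """Return ('reuse', sa) for an existing SA or ('new', sa) after negotiating.

    negotiate(version, remote) is a caller-supplied stand-in for the real IKE
    negotiation; it returns an SA dict on success or None on failure.
    """
    remote = auth_record["remote"]
    versions = parse_kmp(auth_record["kmp"])

    sa = find_existing_sa(established_sas, remote, versions)
    if sa is not None:
        return ("reuse", sa)

    # The daemon cannot initiate negotiations when AUTOCONF is set.
    if "AUTOCONF" in auth_record.get("flags", ()):
        raise RuntimeError("AUTOCONF flag set: cannot initiate IKE SA negotiation")

    # Only the first listed version is tried; a failure is an error, not a
    # fallback to the second version.
    first = versions[0]
    result = negotiate(first, remote)
    if result is None:
        raise RuntimeError("%s negotiation with %s failed" % (first, remote))
    return ("new", result)


# Constructed sample data (not from the manual) exercising the three paths.
SAMPLE_SAS = [
    {"remote": "10.1.1.2", "version": "IKEV1", "spi": "a1"},
    {"remote": "10.1.1.2", "version": "IKEV2", "spi": "b2"},
]


def demo():
    calls = []

    def fake_negotiate(version, remote):
        calls.append(version)
        return None  # constructed: every negotiation attempt fails

    reuse = select_ike_sa({"remote": "10.1.1.2", "kmp": "IKEV2,IKEV1"}, SAMPLE_SAS, fake_negotiate)
    try:
        select_ike_sa({"remote": "10.1.1.3", "kmp": "IKEV1,IKEV2"}, SAMPLE_SAS, fake_negotiate)
        failed = False
    except RuntimeError:
        failed = True
    return reuse, failed, calls


if __name__ == "__main__":
    print(demo())
```

The second call in demo() shows the no-fallback rule: with kmp IKEV1,IKEV2 and no existing SA, only IKEV1 is attempted and the daemon reports an error rather than retrying with IKEV2.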
IKEv1 Negotiations
If the IKE version is IKEv1, the daemon searches the IKEv1 policies in priority order for a policy
with a remote value that matches the remote system’s IP address.
IKEv1 SA negotiations differ according to the exchange mode. The IKE daemon determines if
exchange mode is Main Mode or Aggressive Mode from the exchange value in the authentication
record.
IKEv1 Main Mode Negotiations
The following sections describe IKE daemon processing for IKEv1 Main Mode negotiations.
Initiator Sends Message 1
The initiator sends message 1 in the MM exchange with IKE SA proposals based on the following
values in the IKEv1 policy:
• encryption
• hash
• lifetime
• pfs
If there are multiple values configured for these parameters, the IKE daemon sends multiple proposals
as described in “IKE and IPsec SA Proposals” (page 161).
Responder Receives Message 1
When the IKE daemon on the responder receives message 1, it:
• Uses the packet source address (the initiator address) to search the authentication records in
priority order for a record with a matching remote value.
• Verifies that the kmp value in the authentication record includes IKEV1.
• Verifies that the exchange value in the authentication record is MM.
• Uses the packet source address (the initiator address) to search the IKEv1 policies in priority
order for a policy with a matching remote value.
• Uses the values in the selected IKEv1 policy to evaluate the IKE SA proposals sent by the
initiator as described in “IKE and IPsec SA Proposals” (page 161).
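The initiator's proposal construction (message 1) and the responder's processing of that message, modeled in Python as an added example; this is not HP-UX IPsec code. The record layouts, function names, exact-IP matching of the remote value, the cross-product ordering of proposals and the first-acceptable-proposal selection rule are all assumptions for illustration: the manual's actual proposal rules are in "IKE and IPsec SA Proposals", which this section only references.

```python
# Added example, not HP-UX IPsec code: models IKEv1 Main Mode message 1 on the
# initiator (proposal construction) and the responder's checks on receipt.
# Record layouts, proposal ordering and the matching rule are assumptions.
from itertools import product

SA_PARAMS = ("encryption", "hash", "lifetime", "pfs")


def first_matching_record(records, remote_addr):
    """Return the highest-priority (lowest number) record whose remote value
    equals remote_addr. Assumption: exact address match, no subnets."""
    for rec in sorted(records, key=lambda r: r["priority"]):
        if rec["remote"] == remote_addr:
            return rec
    return None


def build_proposals(policy):
    """Initiator: one proposal per combination of configured values.
    Assumed ordering; the page only says multiple values yield multiple proposals."""
    combos = product(*(policy[k] for k in SA_PARAMS))
    return [dict(zip(SA_PARAMS, combo)) for combo in combos]


def evaluate_proposals(policy, proposals):
    """Responder: accept the first initiator proposal every value of which is
    configured in the selected IKEv1 policy (assumed selection rule)."""
    for prop in proposals:
        if all(prop[k] in policy[k] for k in SA_PARAMS):
            return prop
    return None


def responder_receive_message1(auth_records, ikev1_policies, src_addr, proposals):
    """Run the responder's message-1 checks; return the proposal for message 2."""
    auth = first_matching_record(auth_records, src_addr)
    if auth is None:
        raise ValueError("no authentication record for %s" % src_addr)
    kmp_versions = [v.strip().upper() for v in auth["kmp"].split(",")]
    if "IKEV1" not in kmp_versions:
        raise ValueError("authentication record kmp does not include IKEV1")
    if auth["exchange"].upper() != "MM":
        raise ValueError("authentication record exchange is not MM")
    policy = first_matching_record(ikev1_policies, src_addr)
    if policy is None:
        raise ValueError("no IKEv1 policy for %s" % src_addr)
    selected = evaluate_proposals(policy, proposals)
    if selected is None:
        raise ValueError("no acceptable IKE SA proposal")
    return selected


# Constructed sample configuration (not from the manual).
INITIATOR_POLICY = {"remote": "10.1.1.2", "priority": 10,
                    "encryption": ["AES128", "3DES"], "hash": ["SHA1", "MD5"],
                    "lifetime": [28800], "pfs": ["GROUP2"]}
RESPONDER_AUTH = [
    {"remote": "10.1.1.1", "priority": 20, "kmp": "IKEV2", "exchange": "MM"},
    {"remote": "10.1.1.1", "priority": 10, "kmp": "IKEV2,IKEV1", "exchange": "MM"},
]
RESPONDER_IKEV1 = [
    {"remote": "10.1.1.1", "priority": 10,
     "encryption": ["3DES"], "hash": ["SHA1"], "lifetime": [28800], "pfs": ["GROUP2"]},
]


def demo():
    proposals = build_proposals(INITIATOR_POLICY)
    chosen = responder_receive_message1(RESPONDER_AUTH, RESPONDER_IKEV1, "10.1.1.1", proposals)
    return len(proposals), chosen


if __name__ == "__main__":
    print(demo())
```

Note how the priority-10 authentication record is consulted even though the priority-20 record appears first in the list, and how the responder settles on the 3DES/SHA1 proposal because that is the first initiator combination its own IKEv1 policy permits.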
Responder Sends Message 2
The responder sends its selected IKE SA proposal in message 2 of the negotiation.
Initiator Sends Message 3
The initiator sends message 3 in the MM exchange, which includes its Diffie-Hellman public value
from the group specified by the group value in the IKEv1 policy. If the remote_method value
is RSASIG, the message includes a request for the peer's certificate.