HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Responder Receives Message 3
The responder uses the initiator's Diffie-Hellman public value and its Diffie-Hellman private value
(from the group specified by the group value in its IKEv1 policy) to calculate a shared secret value.
This shared secret value is used as keying material.
Responder Sends Message 4
The responder sends message 4 in the MM exchange, which includes its Diffie-Hellman public
value. If the remote_method value is RSASIG, the message includes a request for the peer's
certificate.
Initiator Receives Message 4
The initiator uses the responder's Diffie-Hellman public value and its Diffie-Hellman private value
to calculate a shared secret value. This value matches the value calculated on the responder.
Initiator Sends Message 5
The initiator sends message 5 in the MM negotiation. This message includes information from the
following configuration values:
• ltype and lid values from the authentication record, sent as the IKE ID payload. If no local
  ID type and value are configured, the IKE daemon uses the IP address of the interface used
  to send the packet as the local ID value and the address type (IPV4 or IPV6) as the ID type.
• If the local_method value in the authentication record is PSK, the message includes a hash
  value calculated from the preshared key.
• If the local_method value is RSASIG, the message includes a digital signature calculated
  using the certificate private key. If the responder included a certificate request in message 4,
  the message also includes the local certificate.
Responder Receives Message 5
When the IKE daemon on the responder receives message 5, it:
• Verifies that the remote ID (rtype and rid) values in the authentication record match the ID
  payload received.
  If the remote_method value in the authentication record is RSASIG, the IKE daemon also verifies
  that the contents of the ID payload match the appropriate field (subjectName or
  subjectAlternativeName) in the initiator's certificate.
• Verifies the authentication data according to the remote_method value. If the
  remote_method value in the authentication record is PSK, it verifies the hash value using
  the preshared key. If the value is RSASIG, it verifies the signature using the public key from
  the initiator's certificate.
Responder Sends Message 6
The responder sends message 6 in the MM negotiation. This message includes information from
the following configuration values:
• ltype and lid from the authentication record, sent as the IKE ID payload.
• If the local_method value in the authentication record is PSK, the message includes a hash
  value calculated from the preshared key.
• If the local_method value is RSASIG, the message includes a digital signature calculated
  using the certificate private key. If the initiator included a certificate request in message 3, the
  message also includes the local certificate.
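The following Python simulation is an added example, not code from the guide or from HP-UX IPSec. It walks messages 3 through 6 for the PSK case: the Diffie-Hellman exchange in messages 3 and 4 (using Oakley group 2 from RFC 2409), the ID payload selection in message 5 with the fall-back to the sending interface address and IPV4/IPV6 type, and the responder's two checks on receipt of message 5 (rtype/rid against the ID payload, then the preshared-key hash), followed by message 6 and the initiator's matching check. The layout of SKEYID, HASH_I and HASH_R follows RFC 2409 section 5.4; the guide does not specify it. The authentication records, the FQDN ID type, the cookies, the nonces, the SA proposal bytes and the preshared keys are all constructed for the example.

```python
"""Simulation of IKEv1 Main Mode messages 3-6 with PSK authentication.
Hash layout follows RFC 2409 section 5.4 (assumption; not taken from the guide)."""
import hashlib
import hmac
import ipaddress
import secrets

# Oakley group 2: 1024-bit MODP prime with generator 2 (RFC 2409 section 6.2).
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
GROUP2_LEN = (GROUP2_P.bit_length() + 7) // 8   # 128 bytes


def dh_keypair():
    """Private exponent x and the public value g^x mod p, serialised to bytes."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P).to_bytes(GROUP2_LEN, "big")


def dh_shared(peer_pub, x):
    """Shared secret from the peer's public value; rejects degenerate values."""
    peer = int.from_bytes(peer_pub, "big")
    if not 1 < peer < GROUP2_P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer, x, GROUP2_P).to_bytes(GROUP2_LEN, "big")


def local_id(ltype, lid, interface_addr):
    """ID payload from ltype/lid; if unset, use the sending interface address."""
    if ltype is None or lid is None:
        addr = ipaddress.ip_address(interface_addr)
        return ("IPV4" if addr.version == 4 else "IPV6", str(addr))
    return (ltype, lid)


def id_bytes(idp):
    return idp[0].encode() + b"\x00" + idp[1].encode()


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def auth_hash(skeyid, own_pub, peer_pub, own_cky, peer_cky, sai_b, own_id):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b);
    HASH_R uses the same layout with the responder's values in the 'own' slots."""
    return prf(skeyid, own_pub + peer_pub + own_cky + peer_cky + sai_b + id_bytes(own_id))


def check_peer(rec, received_id, received_hash, expected_hash):
    """Receiver's checks: remote ID must match rtype/rid, then the hash must verify."""
    if (rec["rtype"], rec["rid"]) != received_id:
        return False
    return hmac.compare_digest(received_hash, expected_hash)


def run_main_mode(init_rec, resp_rec, init_psk, resp_psk, init_addr, resp_addr):
    """Messages 3-6 between one initiator and one responder; returns the outcome."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies
    sai_b = b"constructed-SA-proposal"                               # stand-in for SAi_b
    # Messages 3 and 4: each side sends its DH public value and a nonce.
    xi, gxi = dh_keypair()
    ni = secrets.token_bytes(20)
    xr, gxr = dh_keypair()
    nr = secrets.token_bytes(20)
    secret_r = dh_shared(gxi, xr)    # responder receives message 3
    secret_i = dh_shared(gxr, xi)    # initiator receives message 4; must equal secret_r
    # SKEYID for PSK authentication is derived from the preshared key and both nonces.
    skeyid_i = prf(init_psk, ni + nr)
    skeyid_r = prf(resp_psk, ni + nr)
    # Message 5: initiator's ID payload and HASH_I.
    id_i = local_id(init_rec["ltype"], init_rec["lid"], init_addr)
    hash_i = auth_hash(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, id_i)
    # Responder receives message 5: ID check, then HASH_I recomputed with its own SKEYID.
    expected_i = auth_hash(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, id_i)
    if not check_peer(resp_rec, id_i, hash_i, expected_i):
        return {"dh_match": secret_i == secret_r, "responder_accepts": False,
                "initiator_accepts": False}   # negotiation stops; message 6 is never sent
    # Message 6: responder's ID payload and HASH_R; the initiator runs the same checks.
    id_r = local_id(resp_rec["ltype"], resp_rec["lid"], resp_addr)
    hash_r = auth_hash(skeyid_r, gxr, gxi, cky_r, cky_i, sai_b, id_r)
    expected_r = auth_hash(skeyid_i, gxr, gxi, cky_r, cky_i, sai_b, id_r)
    return {"dh_match": secret_i == secret_r, "responder_accepts": True,
            "initiator_accepts": check_peer(init_rec, id_r, hash_r, expected_r)}


if __name__ == "__main__":
    # Constructed records: the initiator sends an FQDN ID, the responder has no ltype/lid
    # configured and so falls back to its interface address with type IPV4.
    a = {"ltype": "FQDN", "lid": "hosta.example.com", "rtype": "IPV4", "rid": "192.0.2.2"}
    b = {"ltype": None, "lid": None, "rtype": "FQDN", "rid": "hosta.example.com"}
    print(run_main_mode(a, b, b"constructed-psk", b"constructed-psk", "192.0.2.1", "192.0.2.2"))
```

Running the block with matching preshared keys and consistent rtype/rid values reports acceptance on both sides; changing either peer's preshared key or the responder's rid makes the responder reject message 5, which in the simulation (as in the protocol) means message 6 is never produced.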
HP-UX IPSec Operation 155