HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

151

152

153

154

155

156

157

158

159

160

Initiator Receives Message 6

When the initiator receives message 6, it:

• Verifies that the ID payload from the responder matches the rtype and rid values in the

authentication record.

• If the remote_method value in the authentication record is RSASIG, the daemon verifies

that the contents of the ID payload matches the appropriate field (subjectName or

subjectAlternativeName) in the responder's certificate.

• Verifies that the hash type is appropriate for the remote_method value. If the

remote_method value in the authentication record is PSK, it verifies the hash value using

the preshared key. If the value is RSASIG, it verifies the hash value using the public key from

the responder's certificate.

IKEv1 Aggressive Mode Negotiations

The following sections describe IKE daemon processing for IKEv1 Main Mode negotiations.

Initiator Sends Message 1

The IKE daemon on the initiator sends message 1 in the AM exchange. This message includes the

following information from the configuration:

• ltype and lid values from the authentication record.

• IKE SA proposals based on the following values in the IKEv1 policy:

encryption◦

◦ hash

◦ lifetime

◦ pfs

If there are multiple values configured for these parameters, the IKE daemon sends multiple

proposals.

• Diffie-Hellman public value from the group specified by the group value in the IKEv1 policy.

• If the local_method value in the authentication record is PSK, the message includes a hash

value calculated from the preshared key.

If the local_method value is RSASIG, the message includes the local certificate and a digital

signature calculated using the certificate private key.

Responder Receives Message 1

When the responder receives message 1, the IKE daemon:

• Uses the ID payload sent by the initiator to search the authentication records in priority order

to find a record with rtype and rid values that match the ID payload.

• Verifies the packet source address (the initiator address) with the remote value in the

authentication record

• Verifies that the authentication record includes the IKEv1 protocol in the kmp value.

• Verifies that the exchange value in the authentication record is AM.

• If the remote_method value in the authentication record is RSASIG, the IKE daemon verifies

that the contents of the ID payload matches the appropriate field (subjectName or

subjectAlternativeName) in the initiator's certificate.

• Verifies the authentication data according to the remote_method value. If the

remote_method value in the authentication record is PSK, it verifies the hash value using

the preshared key. If the value is RSASIG, it verifies the digital signature using the public key

from the initiator's certificate.

156 Product Specifications