HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

151

152

153

154

155

156

157

158

159

160

• Uses the packet source address to search the IKEv1 policies in priority order for a policy with

a matching remote value.

• Uses the values in the selected IKEv1 policy to evaluate the IKE SA proposals sent by the

initiator as described in “IKE and IPsec SA Proposals” (page 161).

• Uses the initiator's Diffie-Hellman public value and its Diffie-Hellman private value (from the

group specified by the group value in its IKEv1 policy) to calculate a shared secret value.

This shared secret value is used as keying material.

Responder Sends Message 2

The responder sends message 2 in the AM exchange. This message includes the following

information from the configuration:

• ltype and lid values from the authentication record.

• The selected IKEv1 proposal.

• The responder's Diffie-Hellman public value from the group specified by the group value in

the IKEv1 policy.

• If the local_method value in the authentication record is PSK, the message includes a hash

value calculated from the preshared key.

If the local_method value is RSASIG, the message includes a digital signature calculated

using the certificate private key. If the initiator included a certificate request in message 1, the

message also includes the local certificate.

Initiator Receives Message 2

When the initiator receives message 2, the IKE daemon:

• Verifies that the ID payload sent by the responder matches the rtype and rid values in the

authentication record.

• If the IKE authentication method is RSASIG (the remote_method is RSASIG), the daemon

verifies that the ID payload matches the appropriate field (subjectName or

subjectAlternativeName) in the responder's certificate.

• Uses the responder's Diffie-Hellman public value and its Diffie-Hellman private value to calculate

a shared secret value. This value matches the value calculated on the responder.

• Verifies the authentication data. If the remote_method value in the authentication record is

PSK, it verifies the hash value using the preshared key. If the value is RSASIG, it verifies the

digital signature using the public key from the responder's certificate.

Initiator Sends Message 3

The initiator sends message 3 in the AM exchange. This message includes a hash value generated

using a key derived from the shared Diffie-Hellman value.

IKEv1 Negotiations for IPsec SAs

After the IKE SA is established, the IKE daemon uses the secure channel to establish IPsec SAs with

its peer. On pair of IPsec SAs is established: an inbound SA for packets to the local system from

the remote system, and an outbound SA for packets to the remote system from the local system.

For the IPsec SAs to be successfully established, both systems must agree on the type of transform

(AH, ESP), including the authentication or encryption algorithm used. They must also negotiate SA

lifetimes.

The negotiations for the IPsec SAs also referred to phase II negotiations or a Quick Mode (QM)

exchange.

HP-UX IPSec Operation 157