HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Initiator Sends Message 1
The initiator sends message 1 in the QM exchange that includes information from the following
configuration parameters:
• action from the host policy as the IPsec SA proposal. If the action value contains multiple
transforms, IKE sends multiple IPsec SA proposals.
• source (address and port number) and protocol parameters from the host policy as the
IPsec initiator traffic selector (initiator client ID).
• destination (address and port number) and protocol parameters from the host policy
as the IPsec responder traffic selector (responder client ID).
If the host policy contains multiple values for the source or destination parameters, the IKE daemon
selects the first values that match the five-tuple for the packet. The traffic selectors can contain
wildcard values (0), but not address or port number ranges. The IKE daemon replaces any address
or port number ranges with the exact address or port number of the packet. For more information,
see “IPsec SA Packet Descriptors” (page 161).
Message 1 also includes the SPI for the inbound IPsec SA on the initiator (for packets to the initiator).
The initiator adds entries to its kernel SA database for the IPsec SA pair. The entry for the responder's
inbound SA does not include the SPI.
Responder Receives Message 1
When the IKE daemon on the responder receives message 1, it:
• Uses the received IPsec traffic selectors (client IDs) to search for an IPsec host policy according
to the source, destination, and protocol values in the host policies. The daemon
searches the policies in priority order and selects the first policy that contains a source,
destination, and protocol value that matches the traffic selectors.
• Uses the action value in the selected IPsec host policy to evaluate the IPsec proposals as
described in “IKE and IPsec SA Proposals” (page 161).
The responder also obtains an SPI for the inbound IPsec SA on the responder (for packets to the
responder) and adds the IPsec SAs to its kernel SA database. Each SA entry includes the appropriate
SPI. The SPI is also sent in the AH or ESP header so that the destination system can process inbound
packets with the correct SA parameters including encryption and authentication keys.
Responder Sends Message 2
The responder sends message 2 in the QM exchange. This message includes information from the
following configuration parameters:
• The selected transform from the action in the host policy, sent as the accepted IPsec SA
proposal.
• The source, destination, and protocol parameters from the host policy that match the
IPsec traffic selectors sent by the initiator.
Message 2 also includes the SPI for the inbound IPsec SA on the responder.
Initiator Receives Message 2
When the initiator receives message 2, it updates the entry in the kernel SA database with the SPI
for the responder's inbound SA.
Initiator Sends Message 3
The initiator sends message 3 in the QM negotiation, which includes a hash of the data sent by the
responder in message 2.
Responder Receives Message 3
When the responder receives message 3, it adds the IPsec SA pair to its kernel SA database.
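As an added illustration (not code from the guide or from HP-UX itself), the following Python models two steps described above: the initiator deriving its traffic selectors from the host policy and the packet (wildcards kept, ranges replaced by the packet's exact value), and the responder searching its host policies in priority order for the first full match. The policy and packet structures, the field names, and the assumption that the responder matches its policy source against the responder client ID and its destination against the initiator client ID are the example's own.

```python
from ipaddress import ip_address, ip_network
WILDCARD = 0  # wildcard selector value (0), as described in the guide

def select_value(spec, packet_value):
    """One traffic-selector field: wildcards (0) are kept, ranges are replaced by
    the packet's exact value, exact values are passed through unchanged.
    Port range = (low, high) tuple; address range = CIDR text ('10.1.1.0/24')."""
    if spec == WILDCARD:
        return WILDCARD
    if isinstance(spec, tuple) or (isinstance(spec, str) and "/" in spec):
        return packet_value  # range: IKE substitutes the packet's exact value
    return spec

def initiator_selectors(policy, packet):
    """Initiator client ID, responder client ID and protocol for QM message 1.
    packet is the five-tuple (src_addr, src_port, dst_addr, dst_port, proto)."""
    src_addr, src_port, dst_addr, dst_port, proto = packet
    init_id = (select_value(policy["source"][0], src_addr),
               select_value(policy["source"][1], src_port))
    resp_id = (select_value(policy["destination"][0], dst_addr),
               select_value(policy["destination"][1], dst_port))
    return init_id, resp_id, select_value(policy["protocol"], proto)

def field_matches(spec, value):
    """Responder-side check: a wildcard policy field accepts anything, a range
    accepts any contained exact value, otherwise the values must be equal."""
    if spec == WILDCARD:
        return True
    if value == WILDCARD:
        return False  # initiator asked for "any"; this policy is narrower
    if isinstance(spec, tuple):
        return spec[0] <= value <= spec[1]
    if isinstance(spec, str) and "/" in spec:
        return ip_address(value) in ip_network(spec)
    return spec == value

def responder_select_policy(policies, init_id, resp_id, proto):
    """Search policies in priority order; the first full match is selected.
    Assumption (example's own): the responder's policy source is matched against
    the responder client ID and its destination against the initiator client ID."""
    for pol in sorted(policies, key=lambda p: p["priority"]):
        if (field_matches(pol["source"][0], resp_id[0])
                and field_matches(pol["source"][1], resp_id[1])
                and field_matches(pol["destination"][0], init_id[0])
                and field_matches(pol["destination"][1], init_id[1])
                and field_matches(pol["protocol"], proto)):
            return pol["name"]
    return None  # no host policy matches the received selectors
```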
158 Product Specifications