HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
IKEv2 Negotiations
If the IKE version is IKEv2, messages 1 and 2 (the IKE_SA_INIT exchange) establish only the IKEv2
SA; the negotiation for the initial IPsec SA pair is combined with the authentication of the IKEv2
SA in messages 3 and 4 (the IKE_AUTH exchange).
Initiator Sends Message 1
The IKE daemon on the initiator selects an IKEv2 policy by searching the IKEv2 policies in priority
order and selecting the first policy with a remote address (remote parameter in the policy) that
matches the address of the remote system.
The IKE daemon sends message 1 in the negotiation. This message includes the following information
from the configuration:
• IKEv2 SA proposals based on the following values in the IKEv2 policy:
◦ encryption
◦ hash
◦ lifetime
◦ prf
If there are multiple values configured for these parameters, the IKE daemon sends multiple
proposals.
• Diffie-Hellman public value from the group specified by the group parameter in the IKEv2
policy.
If the IKEv2 policy specifies multiple Diffie-Hellman group numbers (-group argument), the
IKE daemon attempts to use the first group number in the list.
Responder Receives Message 1
When the IKE daemon on the responder receives message 1, it:
• Uses the packet source address (the initiator address) to select an IKEv2 policy with a matching
-remote value.
• Uses the parameters in the selected IKEv2 policy to evaluate the IKEv2 SA proposals as
described in “IKE and IPsec SA Proposals” (page 161).
• Verifies that the Diffie-Hellman group used by the initiator is specified in the group parameter
of the selected IKEv2 policy. If it is, the daemon uses the initiator's Diffie-Hellman public value
and its own Diffie-Hellman private value to calculate the shared secret value. This shared secret,
together with the nonces the two systems exchange in messages 1 and 2, is the input from which the
keying material for the IKEv2 SA is derived; it is not used directly as a key.
If the group used by the initiator is not specified in the responder's IKEv2 policy, the IKE
daemon does not send message 2. It sends a notification message to the initiator instead (in
RFC 4306/5996 terms an INVALID_KE_PAYLOAD notification, which names a group the responder
accepts), and a conforming initiator restarts the negotiation with a new message 1 using that group.
Responder Sends Message 2
The responder sends message 2 to the initiator. This message includes:
• The selected IKEv2 SA proposal.
• The responder's Diffie-Hellman public value from the group specified by the group parameter
in the IKEv2 policy.
Initiator Receives Message 2
The initiator uses the responder's Diffie-Hellman public value and its Diffie-Hellman private value
to calculate a shared secret value. This value matches the value calculated on the responder.
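The exchange described in the four steps above, as an added example that is not code from the HP-UX IPSec product or this guide: a Python model of messages 1 and 2 in which the initiator selects a policy by remote address in priority order, builds one proposal per combination of configured values, and tries its first listed Diffie-Hellman group; the responder selects its policy by the packet source address, evaluates the proposals, checks the group, and answers either with message 2 or with a notification that makes the initiator resend message 1 with the responder's group, after which both sides arrive at the same shared secret. The policy dictionary fields, the proposal layout, the priority ordering (lower value searched first), the algorithm strings (3des, aes128, hmac-sha1, hmac-sha256) and the sample addresses are assumptions for illustration, not ikev2 command syntax; the MODP primes are the real RFC 2409 group 2 and RFC 3526 group 14 values, and the SKEYSEED step follows RFC 5996, which this page does not describe.

```python
# Added example, not HP-UX code: a model of IKEv2 messages 1 and 2 as described above.
# Policy fields, proposal layout and algorithm strings are illustrative assumptions.
import hashlib, hmac, ipaddress, itertools, secrets

# RFC 2409 group 2 (1024-bit MODP) and RFC 3526 group 14 (2048-bit MODP); generator 2.
MODP_PRIMES = {
    2: int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
           "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
           "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16),
    14: int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
            "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
            "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
            "83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
            "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
            "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16),
}
PRF = {"hmac-sha1": hashlib.sha1, "hmac-sha256": hashlib.sha256}   # assumed prf names
KEYS = ("encryption", "hash", "prf", "lifetime")                    # assumed policy fields

# Responder notification for a group outside its policy (INVALID_KE_PAYLOAD in RFC 4306/5996); args[0] is the wanted group.
class InvalidKePayload(Exception):
    pass

def select_policy(policies, peer_addr):
    """First policy, in priority order (lower value first, assumed), whose -remote covers the peer."""
    for pol in sorted(policies, key=lambda p: p["priority"]):
        if ipaddress.ip_address(peer_addr) in ipaddress.ip_network(pol["remote"]):
            return pol
    raise LookupError(f"no IKEv2 policy matches {peer_addr}")

def build_proposals(pol):
    """One proposal per combination of configured values (assumed; lifetime kept because the page lists it)."""
    return [dict(zip(KEYS, combo)) for combo in itertools.product(*(pol[k] for k in KEYS))]

def choose_proposal(pol, proposals):
    """Responder takes the first proposal whose values are all allowed by its own policy."""
    for pr in proposals:
        if all(pr[k] in pol[k] for k in KEYS):
            return pr
    raise ValueError("no proposal chosen")

def dh_keypair(group):
    priv = secrets.randbelow(MODP_PRIMES[group] - 2) + 1        # private exponent in [1, p-2]
    return priv, pow(2, priv, MODP_PRIMES[group])

def dh_shared(group, priv, peer_pub):
    """g^ir; 0, 1 and p-1 are rejected so a peer cannot force a tiny subgroup (RFC 6989)."""
    p = MODP_PRIMES[group]
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer Diffie-Hellman public value out of range")
    return pow(peer_pub, priv, p)

def initiator_message1(policies, responder_addr, group):
    """Message 1: every proposal plus the initiator's public value for one group."""
    pol = select_policy(policies, responder_addr)
    priv, pub = dh_keypair(group)
    return priv, {"proposals": build_proposals(pol), "group": group, "ke": pub, "nonce": secrets.token_bytes(32)}

def responder_message2(policies, initiator_addr, msg1):
    """Message 2: policy by source address, proposal choice, group check, shared secret."""
    pol = select_policy(policies, initiator_addr)
    chosen = choose_proposal(pol, msg1["proposals"])
    if msg1["group"] not in pol["group"]:
        raise InvalidKePayload(pol["group"][0])
    priv, pub = dh_keypair(msg1["group"])
    return dh_shared(msg1["group"], priv, msg1["ke"]), {
        "proposal": chosen, "group": msg1["group"], "ke": pub, "nonce": secrets.token_bytes(32)}

def skeyseed(prf_name, ni, nr, g_ir):
    """SKEYSEED = prf(Ni | Nr, g^ir) (RFC 5996 2.14): the secret seeds the keys, it is not a key."""
    return hmac.new(ni + nr, g_ir.to_bytes((g_ir.bit_length() + 7) // 8, "big"), PRF[prf_name]).digest()

def run_ike_sa_init(init_policies, resp_policies, init_addr, resp_addr):
    """Messages 1 and 2; message 1 is resent with the responder's preferred group if needed."""
    groups = select_policy(init_policies, resp_addr)["group"]
    group, attempts = groups[0], 0                       # the first listed group is tried first
    while True:
        attempts += 1
        i_priv, msg1 = initiator_message1(init_policies, resp_addr, group)
        try:
            r_shared, msg2 = responder_message2(resp_policies, init_addr, msg1)
            break
        except InvalidKePayload as notify:
            if notify.args[0] not in groups:
                raise
            group = notify.args[0]
    i_shared = dh_shared(msg2["group"], i_priv, msg2["ke"])
    return {"group": group, "attempts": attempts, "proposal": msg2["proposal"],
            "secrets_match": i_shared == r_shared,
            "skeyseed": skeyseed(msg2["proposal"]["prf"], msg1["nonce"], msg2["nonce"], i_shared)}

# Constructed sample policies, not a real configuration: the initiator lists group 2 before 14;
# the responder accepts only group 14 and only aes128 with hmac-sha256, so message 1 goes out twice.
INITIATOR_POLICIES = [
    {"priority": 10, "remote": "192.0.2.0/24", "encryption": ["3des", "aes128"], "hash": ["hmac-sha1"],
     "prf": ["hmac-sha1", "hmac-sha256"], "lifetime": [28800], "group": [2, 14]}]
RESPONDER_POLICIES = [
    {"priority": 10, "remote": "198.51.100.0/24", "encryption": ["aes128"], "hash": ["hmac-sha1"],
     "prf": ["hmac-sha256"], "lifetime": [28800], "group": [14]}]
```

Calling run_ike_sa_init(INITIATOR_POLICIES, RESPONDER_POLICIES, "198.51.100.7", "192.0.2.1") returns group 14 after two copies of message 1, the aes128/hmac-sha256 proposal, and matching shared secrets on both sides. Group 2 is present only to show the notification path; a 1024-bit MODP group should not appear in a production policy.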
HP-UX IPSec Operation 159