HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Initiator Sends Message 3
The initiator sends message 3 in the IKEv2 negotiation. This message includes information from
the following configuration parameters:

• ltype and lid values from the authentication record, sent as the IKE Identification-Initiator
  (IDi). If no local ID type and value are configured, the IKE daemon uses the IP address of the
  interface used to send the packet as the local ID value and the address type (IPV4 or IPV6)
  as the ID type.
• If the local_method value in the authentication record is PSK, the message includes a hash
  value calculated from the preshared key.
• If the local_method value is RSASIG, the message includes the local certificate and a digital
  signature calculated using the certificate private key.
• action from the host policy, sent as the IPsec SA proposals.
• source and protocol values from the host policy, sent as the IPsec initiator traffic selectors.
• destination and protocol values from the host policy, sent as the IPsec responder traffic
  selectors.

If the host policy contains multiple source or destination values, the daemon combines them
with the protocol parameter and sends multiple initiator traffic selectors. For more information,
see “IPsec SA Packet Descriptors” (page 161).

Message 3 also includes the SPI for the inbound IPsec SA on the initiator (for packets to the initiator).
Responder Receives Message 3
When the IKE daemon on the responder receives message 3, it:

• Searches the authentication records in priority order and selects the first record with a remote
  ID specification (rtype and rid) that matches the IDi received.
• Verifies that the kmp parameter value in the authentication record includes IKEV2.
• Verifies that the packet source IP address matches the remote address in the authentication
  record.
• Verifies the authentication data. If the remote_method value in the authentication record is
  PSK, it verifies the hash value using the preshared key. If the value is RSASIG, it verifies the
  digital signature using the public key from the initiator's certificate.
• If the remote_method value in the authentication record is RSASIG, the IKE daemon also
  verifies that the contents of the IDi match the appropriate field (subjectName or
  subjectAlternativeName) in the initiator's certificate.
• Uses the received IPsec traffic selectors to search for an IPsec host policy according to the
  source, destination, and protocol values in the host policies as described in “IPsec
  SA Packet Descriptors” (page 161).
• Uses the action value in the selected IPsec host policy to evaluate the IPsec proposals as
  described in “IKE and IPsec SA Proposals” (page 161).

The responder also obtains an SPI for the inbound IPsec SA on the responder (for packets to the
responder) and adds the IPsec SAs to its kernel SA database. Each SA entry includes the appropriate
SPI. The SPI is also sent in the AH or ESP header so that the destination system can process inbound
packets with the correct SA parameters, including encryption and authentication keys.
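The following Python model walks through the responder-side checks described above (record selection by IDi, the kmp and source-address verifications, PSK authentication, and host-policy lookup by traffic selector). It is an added illustration, not code from the HP-UX IKE daemon: the record and policy layouts, the sample addresses, and the PSK values are constructed for the example, and the HMAC used for the PSK check is a simplified stand-in for the real IKEv2 AUTH computation. Field names follow the guide's configuration parameters (rtype, rid, kmp, remote_method, source, destination, protocol, action), and the mapping of the initiator's selector to the policy destination is an assumption of this model.

```python
"""Model of IKEv2 message 3 responder processing (illustrative, not HP-UX code)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class AuthRecord:
    priority: int
    rtype: str            # remote ID type: "IPV4", "IPV6", "FQDN", ...
    rid: str              # remote ID value
    remote_addr: str      # expected packet source address of the peer
    kmp: Tuple[str, ...]  # key management protocols allowed, e.g. ("IKEV1", "IKEV2")
    remote_method: str    # "PSK" or "RSASIG"
    psk: bytes = b""      # only meaningful when remote_method == "PSK"


@dataclass(frozen=True)
class HostPolicy:
    name: str
    source: str           # local address or prefix (CIDR), responder's view
    destination: str      # remote address or prefix (CIDR), responder's view
    protocol: str         # "ANY", "TCP", "UDP", ...
    action: str           # IPsec proposal name; treated as opaque here


# Constructed sample configuration (documentation-reserved addresses).
RECORDS = (
    AuthRecord(10, "FQDN", "gw.example.net", "198.51.100.7", ("IKEV2",), "PSK", b"constructed-psk-A"),
    AuthRecord(20, "IPV4", "192.0.2.10", "192.0.2.10", ("IKEV1",), "PSK", b"constructed-psk-B"),
    AuthRecord(30, "IPV4", "192.0.2.20", "192.0.2.20", ("IKEV1", "IKEV2"), "PSK", b"constructed-psk-C"),
)
POLICIES = (
    HostPolicy("branch-tcp", "198.51.100.0/24", "192.0.2.0/24", "TCP", "proposal-1"),
    HostPolicy("branch-any", "198.51.100.5/32", "192.0.2.0/24", "ANY", "proposal-2"),
)


def psk_auth_value(psk: bytes, signed_octets: bytes) -> bytes:
    """Simplified stand-in for the PSK-derived authentication value: a keyed MAC
    over the octets the peer authenticates. The real IKEv2 construction is more
    involved; the property that matters is that only a PSK holder can produce it."""
    return hmac.new(psk, signed_octets, hashlib.sha256).digest()


def select_auth_record(records: Iterable[AuthRecord], idi: Tuple[str, str],
                       src_ip: str) -> Tuple[Optional[AuthRecord], Optional[str]]:
    """Pick the first record (by priority) whose rtype/rid match the received IDi,
    then verify kmp and the packet source address. Returns (record, None) on
    success or (None, reason) when the peer must be rejected."""
    idi_type, idi_value = idi
    for rec in sorted(records, key=lambda r: r.priority):
        if rec.rtype != idi_type or rec.rid != idi_value:
            continue  # not this record; keep searching in priority order
        if "IKEV2" not in rec.kmp:
            return None, "kmp does not include IKEV2"
        if ipaddress.ip_address(src_ip) != ipaddress.ip_address(rec.remote_addr):
            return None, "packet source address does not match remote address"
        return rec, None
    return None, "no authentication record matches IDi"


def verify_psk_auth(rec: AuthRecord, signed_octets: bytes, received_auth: bytes) -> bool:
    """Recompute the keyed value from the record's PSK and compare in constant time."""
    if rec.remote_method != "PSK":
        return False
    return hmac.compare_digest(psk_auth_value(rec.psk, signed_octets), received_auth)


def _covers(prefix: str, selector: ipaddress._BaseNetwork) -> bool:
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == selector.version and selector.subnet_of(net)


def select_host_policy(policies: Iterable[HostPolicy], ts_initiator: str,
                       ts_responder: str, protocol: str) -> Optional[HostPolicy]:
    """Find the first host policy whose packet descriptor covers the received
    traffic selectors. Assumption: the initiator's selector is matched against
    the policy destination and the responder's selector against the policy
    source, because policies are written from the local host's point of view."""
    tsi = ipaddress.ip_network(ts_initiator, strict=False)
    tsr = ipaddress.ip_network(ts_responder, strict=False)
    for pol in policies:
        if pol.protocol not in ("ANY", protocol):
            continue
        if _covers(pol.destination, tsi) and _covers(pol.source, tsr):
            return pol
    return None


if __name__ == "__main__":
    rec, reason = select_auth_record(RECORDS, ("IPV4", "192.0.2.20"), "192.0.2.20")
    print("selected record priority:", rec.priority if rec else reason)
    pol = select_host_policy(POLICIES, "192.0.2.20/32", "198.51.100.5/32", "TCP")
    print("selected policy:", pol.name if pol else None)
```

Note the ordering: a record that matches the IDi is selected even if a later, lower-priority record would have passed the kmp or address checks, which is why record priority matters when several records describe the same peer.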