HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Responder Sends Message 4
The responder sends message 4 in the IKEv2 negotiation. This message includes information from
the following configuration parameters:
• ltype and lid from the authentication record, sent as the IKE Identification-Responder (IDr).
• If the local_method value in the authentication record is PSK, the message includes a hash
  value calculated from the preshared key.
• If the local_method value is RSASIG, the message includes the local certificate and a digital
  signature calculated using the private key.
• The selected transform from the action in the host policy, sent as the accepted IPsec SA
  proposal.
• source, destination, and protocol from the host policy, sent as the IPsec traffic selectors.
Message 4 also includes the SPI for the inbound IPsec SA on the responder.
Initiator Receives Message 4
When the initiator receives message 4, it:
• Verifies that the IDr matches the rtype and rid values in the authentication record.
• Verifies the authentication data. If the remote_method value in the authentication record is
  PSK, it verifies the hash value using the preshared key. If the value is RSASIG, it verifies the
  digital signature using the public key from the responder's certificate.
• If the remote_method value in the authentication record is RSASIG, it also verifies that the
  contents of the IDr match the appropriate field in the responder's certificate.
The initiator also updates its kernel SA database with the SPI for the responder's inbound IPsec
SA.
IKE and IPsec SA Proposals
If an IKE policy contains multiple values for a parameter (such as the hash algorithm) or an
IPsec policy contains multiple transform values and HP-UX IPSec is the initiator, the IKE daemon
creates and sends multiple SA proposals, in descending preference order.
If HP-UX IPSec is the responder, the IKE daemon accepts the first proposal sent by the initiator that
matches any of the values configured in the appropriate IKE or IPsec policy.
IPsec SA Packet Descriptors
IPsec host and tunnel policies include values for packet filters: source addresses and ports, destination
addresses and ports, and protocol. An IPsec host or tunnel policy can include up to 20 instances
each of source and destination arguments.
When searching for host or tunnel policies, HP-UX IPSec searches the policies in priority order and
uses the packet filters to find the first matching policy.
For an outbound packet, HP-UX IPSec compares the source values with the source fields in the
packet, and the destination values with the destination fields in the packet. For an inbound packet,
HP-UX IPSec compares the source values with the destination fields in the packet, and the destination
values with the source fields in the packet.
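As an added illustration, not code from the guide or from HP-UX IPSec itself, the following Python model shows the lookup just described: policies searched in priority order, several source and destination arguments per policy, and the source/destination fields swapped when the packet is inbound. The Endpoint and Policy classes, the ANY wildcard and the sample policies and packets are constructed for the example, and a lower priority value is assumed to be searched first.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"  # constructed wildcard for an address, port or protocol

@dataclass
class Endpoint:
    """One source or destination argument: a network plus an optional port."""
    network: str        # CIDR string such as "10.1.1.0/24", or ANY
    port: object = ANY  # int, or ANY

    def matches(self, addr, port):
        if self.network != ANY and ip_address(addr) not in ip_network(self.network):
            return False
        return self.port == ANY or self.port == port

@dataclass
class Policy:
    name: str
    priority: int          # lower value is searched first (assumed here)
    sources: list          # Endpoint instances; the guide allows up to 20
    destinations: list     # likewise up to 20
    protocol: object = ANY # "tcp", "udp", ... or ANY

def find_policy(policies, pkt, inbound):
    """First policy in priority order whose filters match pkt (a dict with
    src, sport, dst, dport, proto). For an inbound packet the policy's source
    filters are compared with the packet's destination fields and vice versa."""
    if inbound:
        s_addr, s_port, d_addr, d_port = pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]
    else:
        s_addr, s_port, d_addr, d_port = pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]
    for pol in sorted(policies, key=lambda p: p.priority):
        if len(pol.sources) > 20 or len(pol.destinations) > 20:
            raise ValueError(f"policy {pol.name}: more than 20 source/destination arguments")
        if pol.protocol != ANY and pol.protocol != pkt["proto"]:
            continue
        if (any(s.matches(s_addr, s_port) for s in pol.sources)
                and any(d.matches(d_addr, d_port) for d in pol.destinations)):
            return pol
    return None  # no host/tunnel policy matched

# Constructed sample policies and packets (not taken from the guide).
POLICIES = [
    Policy("web", 10, [Endpoint("10.1.1.0/24")], [Endpoint("192.0.2.10/32", 443)], "tcp"),
    Policy("lan", 20, [Endpoint("10.1.0.0/16")], [Endpoint("10.1.0.0/16")]),
]
OUTBOUND = {"src": "10.1.1.5", "sport": 40000, "dst": "192.0.2.10", "dport": 443, "proto": "tcp"}
INBOUND_REPLY = {"src": "192.0.2.10", "sport": 443, "dst": "10.1.1.5", "dport": 40000, "proto": "tcp"}
LAN_PKT = {"src": "10.1.2.3", "sport": 1000, "dst": "10.1.5.6", "dport": 22, "proto": "tcp"}
```

The reply packet matches the "web" policy only when it is evaluated as inbound; evaluated with the outbound mapping it matches nothing, which is the error the direction swap exists to avoid.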
The IKE daemon also sends and evaluates the packet filter values when negotiating IPsec SAs.
IKEv2 refers to these values as traffic selectors. IKEv1 refers to these values as client IDs. The values
sent during negotiations vary according to the type of policy and the IKE version used, as described
in the sections that follow.
Host Policies
The behavior for host policies in IPsec SA negotiations using IKEv1 and IKEv2 is described in the
sections that follow.