HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

IKEv1
When HP-UX IPSec is the initiator, the IKE daemon sends the source IP address, port number, and
protocol for the client-initiator (IDci). It also sends the destination IP address, port number, and
protocol for the client-responder (IDcr). The IKEv1 protocol specification supports the use of wildcard
values (0), but does not support address or port number ranges for transport negotiations, or
multiple client ID values.
IKEv2
If the host policy is shareable (the EXCLUSIVE flag is not set), the IKE daemon uses all packet
filters in the selected host policy when negotiating the IPsec SA. When HP-UX IPSec is the initiator,
the IKE daemon sends the exact source IP address, port number and protocol in the Traffic
Selector-Initiator (TSi) payload. It also sends the exact destination IP address, port number and
protocol in the Traffic Selector-Responder (TSr) payload. The TSi and TSr payloads also include
selectors for each source and destination argument in the host policy; these arguments are combined
with the protocol argument.
If the host policy is not shareable (the EXCLUSIVE flag is set), and HP-UX IPSec is the initiator in
the IPsec negotiation, the IKE daemon sends one TSi and one TSr with the exact addresses, ports,
and protocol that match the packet.
Tunnel Policies
The behavior for tunnel policies in IPsec SA negotiations using IKEv1 and IKEv2 is described in
the sections that follow.
IKEv1
When initiating an inbound tunnel IPsec SA negotiation using IKEv1, IKE uses the source address
values as the proxy source IDs, and uses the destination address identifiers as the proxy destination
IDs.
When initiating an outbound IKEv1 tunnel IPsec SA negotiation, IKE uses the destination address
values as the proxy source IDs and the source address identifiers as the proxy destination IDs.
The proxy address IDs can include address or port number ranges. At least one proxy ID value
must exactly match a proxy ID value on the remote system.
IKEv2
When initiating a tunnel IPsec SA negotiation using IKEv2, the IKE daemon sends all source traffic
selectors in the Traffic Selector-Initiator (TSi) payload and all destination traffic selectors in the
Traffic Selector-Responder (TSr) payload.
When responding to an IKEv2 tunnel IPsec SA negotiation, IKE compares the TSi it receives with
its destination traffic selectors and the TSr it receives with its source traffic selectors. The IKE
responder sends back traffic selector payloads with the matching selectors, which can be subsets
of the initiator's selectors.
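The IKEv2 narrowing described above, and the IKEv1 exact-match rule for proxy IDs in the preceding section, can both be illustrated with a small responder-side model. The following is an added example, not HP-UX IPSec code: the `TrafficSelector` shape (protocol, address range, port range) is assumed, the addresses are constructed for the illustration, and `ikev2_respond` implements the comparison the guide describes (received TSi against the responder's destination selectors, received TSr against its source selectors), returning the overlapping subsets.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Added example (not HP-UX code). The selector fields are an assumption
# modelled on an IPv4 address-range traffic selector; addresses below
# are constructed for the illustration.

ANY_PROTO = 0  # wildcard protocol value


@dataclass(frozen=True)
class TrafficSelector:
    proto: int                 # IP protocol number; 0 = any
    start_addr: IPv4Address
    end_addr: IPv4Address
    start_port: int = 0
    end_port: int = 65535

    @staticmethod
    def subnet(start: str, end: str, proto: int = ANY_PROTO) -> "TrafficSelector":
        return TrafficSelector(proto, IPv4Address(start), IPv4Address(end))


def intersect(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Overlap of two selectors, or None when they share no traffic."""
    if ANY_PROTO not in (a.proto, b.proto) and a.proto != b.proto:
        return None
    proto = a.proto if a.proto != ANY_PROTO else b.proto
    start_addr, end_addr = max(a.start_addr, b.start_addr), min(a.end_addr, b.end_addr)
    if start_addr > end_addr:
        return None
    start_port, end_port = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if start_port > end_port:
        return None
    return TrafficSelector(proto, start_addr, end_addr, start_port, end_port)


def narrow(received: List[TrafficSelector], local: List[TrafficSelector]) -> List[TrafficSelector]:
    """Keep every overlap between a received selector and a local one.
    The result may be a subset of what the initiator proposed."""
    result: List[TrafficSelector] = []
    for rx in received:
        for loc in local:
            ts = intersect(rx, loc)
            if ts is not None and ts not in result:
                result.append(ts)
    return result


def ikev2_respond(tsi, tsr, local_src, local_dst) -> Optional[Tuple[list, list]]:
    """Responder view: the initiator's source (TSi) is our destination,
    the initiator's destination (TSr) is our source. Returns the narrowed
    (TSi, TSr) to send back, or None if either side has no overlap."""
    tsi_out = narrow(tsi, local_dst)
    tsr_out = narrow(tsr, local_src)
    if not tsi_out or not tsr_out:
        return None
    return tsi_out, tsr_out


def ikev1_proxy_ids_match(local: List[TrafficSelector], remote: List[TrafficSelector]) -> bool:
    """IKEv1 has no narrowing: at least one proxy ID must match exactly."""
    return any(loc == rem for loc in local for rem in remote)


# Constructed scenario: the responder protects 10.1.0.0/16 and tunnels to a
# peer protecting 192.168.5.0/24. The initiator proposes its whole subnet as
# TSi and only TCP/22 to one /24 of the responder's subnet as TSr.
RESPONDER_SRC = [TrafficSelector.subnet("10.1.0.0", "10.1.255.255")]
RESPONDER_DST = [TrafficSelector.subnet("192.168.5.0", "192.168.5.255")]
EXAMPLE_TSI = [TrafficSelector.subnet("192.168.5.0", "192.168.5.255")]
EXAMPLE_TSR = [TrafficSelector(6, IPv4Address("10.1.0.0"), IPv4Address("10.1.0.255"), 22, 22)]

if __name__ == "__main__":
    print(ikev2_respond(EXAMPLE_TSI, EXAMPLE_TSR, RESPONDER_SRC, RESPONDER_DST))
```

The narrowed TSr that comes back is the initiator's TCP/22 selector for 10.1.0.0 through 10.1.0.255, a strict subset of the responder's own /16 source selector, which is exactly the subset behaviour the IKEv2 text allows. Feeding the same selectors to `ikev1_proxy_ids_match` fails, because IKEv1 requires an identical proxy ID on both sides rather than an overlap.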
Establishing Tunnel Security Associations
If HP-UX IPSec is processing an outbound packet and the selected host IPsec policy specifies a
tunnel IPsec policy, HP-UX IPSec checks if it has an existing tunnel SA with the tunnel endpoint. If
not, it must establish a tunnel SA before it establishes the end-to-end (transport) SA. The procedure
for establishing a tunnel SA is similar to establishing a transport SA (HP-UX IPSec uses an existing
IKE SA, or establishes one, to negotiate the IPsec SA), except the IKE entities also include information (IP address,
protocol, and port numbers) for the transport endpoints (IKEv2 refers to this data as client traffic
selectors; IKEv1 refers to this data as proxy IDs) during the IPsec SA negotiation. The transport
endpoint information enables a tunnel endpoint to determine the identity of the end system or
subnet for which the other tunnel endpoint is establishing the tunnel.