HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

uses/establishes an IKE SA to establish the IPsec SA), except the IKE entities also include proxy
address information during IPsec SA negotiation. The proxy address information identifies the
end-to-end entities and allows a tunnel endpoint to determine the identity of the end system or
subnet for which the other tunnel endpoint is establishing the tunnel.
ICMPv4 Message Processing
IP uses ICMP messages to transmit error and control information, such as in the following situations:
• IP may periodically send ICMP Echo messages to gateways to determine if the gateway is up (“Gateway Probes”). If no response is received, the gateway is marked “Dead” in the IP routing table.
This feature is controlled by the IP kernel parameter ip_ire_gw_probe. By default, this feature is enabled on all HP-UX systems. Refer to the ndd(1M) manpage for information on checking or changing this parameter value.
• IP may use ICMP Echo messages with the “Don’t Fragment” flag and ICMP Destination Unreachable messages with the “Fragmentation Needed” flag to set the Path Maximum Transmission Unit (Path MTU).
This feature is controlled by the IP kernel parameter ip_pmtu_strategy. Refer to the ndd(1M) manpage for information on checking or changing this parameter value.
• IP may send ICMP Redirect messages to redirect traffic to a different gateway.
The transmission of ICMP Redirect messages is controlled by the IP kernel parameter ip_send_redirects. By default, this feature is enabled on all HP-UX systems. See the ndd(1M) manpage for information on checking or changing this parameter value.
• IP may send ICMP Source Quench messages to request the source system to decrease its transmission rate.
The transmission of ICMP Source Quench messages is controlled by the IP kernel parameter ip_send_source_quench. By default, this feature is enabled on all HP-UX systems. See the ndd(1M) manpage for information on checking or changing this parameter value.
Discarding or requiring ICMPv4 (ICMP for IPv4) messages to be encrypted or authenticated may
cause connectivity problems. Normal network operation may require IP to exchange ICMP messages
between end-to-end hosts and between an end host and an IP gateway (including router devices).
IP may need to exchange ICMP packets with gateway nodes even though no user (end-to-end)
services are being used to the gateways.
Be careful when configuring the default IPsec policy or IPsec policies that affect entire subnets,
because you might inadvertently cause ICMP messages to be discarded. You might also inadvertently
require ICMP messages being transmitted or received from a gateway or router to be secured with
IPsec; if a gateway or router does not secure ICMP messages, HP-UX IPSec will discard them.
Syntax
If you specify ICMP for the protocol argument in a host policy, you can specify ICMPv4 message
type values for the packet filter using the -dst_icmp_type and -src_icmp_type arguments.
The syntax for these arguments in an ipsec_config add host command is as follows:
-dst_icmp_type type_number[,type_number]...|ALL
-src_icmp_type type_number[,type_number]...|ALL
Where type_number is the integer ICMPv4 message type (0 - 255).
Example
ipsec_config add host no_traceroute -protocol ICMP -src_icmp_type 30 -action DISCARD
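The warning above (a default or subnet-wide DISCARD policy can silently drop the ICMP messages that gateway probes, Path MTU discovery, redirects and source quench depend on) and the -src_icmp_type/-dst_icmp_type syntax just shown can be checked together before a policy set is committed. The following script is an added example, not code from the HP-UX IPSec Administrator's Guide or from HP-UX: it parses "ipsec_config add host" command lines in the syntax given above, evaluates the operationally required ICMPv4 types against the policies in order (first match wins), and reports which of those types would be discarded. The policy names, the PASS action name, treating a missing -protocol as matching every protocol, and collapsing the two type arguments into one type set (only the ICMP type field is modelled, not packet direction) are this example's assumptions; the policy sets are constructed, not taken from a real system.

```python
"""Audit HP-UX IPsec host policies for ICMPv4 types that gateways need.

Added example, not code from the HP-UX IPSec Administrator's Guide.  It parses
the 'ipsec_config add host' syntax shown in the guide (-protocol ICMP,
-src_icmp_type / -dst_icmp_type type_number[,type_number]...|ALL, -action)
and evaluates constructed ICMPv4 message types against the policy list in
order, first match wins, reporting which operationally required types would
be discarded.  Assumptions: PASS as the pass-through action name, a policy
without -protocol matches every protocol, and the two type arguments are
collapsed into one type set because only the ICMP type field is modelled.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# ICMPv4 types that, per the guide, normal IP operation may exchange with
# gateways: Echo (gateway probes, Path MTU), Destination Unreachable
# (Fragmentation Needed), Redirect and Source Quench.  Type numbers are the
# standard RFC 792 assignments.
REQUIRED_ICMP_TYPES: Dict[int, str] = {
    0: "Echo Reply (gateway probe response)",
    8: "Echo Request (gateway probe / Path MTU probe)",
    3: "Destination Unreachable (Fragmentation Needed for Path MTU)",
    5: "Redirect",
    4: "Source Quench",
}


@dataclass
class HostPolicy:
    name: str
    protocol: str                 # "ICMP", "TCP", ... or "" when not given
    icmp_types: Optional[Set[int]]  # None = ALL (no type restriction)
    action: str                   # "PASS" or "DISCARD" in this example


def parse_icmp_types(spec: str) -> Optional[Set[int]]:
    """Parse 'type_number[,type_number]...|ALL'; None means ALL."""
    if spec.upper() == "ALL":
        return None
    types: Set[int] = set()
    for part in spec.split(","):
        n = int(part)
        if not 0 <= n <= 255:
            raise ValueError(f"ICMP type {n} outside 0-255")
        types.add(n)
    return types


def parse_policy(command: str) -> HostPolicy:
    """Parse one 'ipsec_config add host NAME -opt value ...' command line."""
    argv = shlex.split(command)
    if argv[:3] != ["ipsec_config", "add", "host"] or len(argv) < 4:
        raise ValueError("expected 'ipsec_config add host NAME ...'")
    name = argv[3]
    opts = dict(zip(argv[4::2], argv[5::2]))  # every option takes one value
    if "-action" not in opts:
        raise ValueError(f"policy {name}: -action is required")
    icmp_types: Optional[Set[int]] = None
    for key in ("-src_icmp_type", "-dst_icmp_type"):
        if key in opts:
            parsed = parse_icmp_types(opts[key])
            if parsed is None:  # ALL in either argument lifts the restriction
                icmp_types = None
                break
            icmp_types = (icmp_types or set()) | parsed
    return HostPolicy(name, opts.get("-protocol", "").upper(), icmp_types,
                      opts["-action"].upper())


def first_match(policies: List[HostPolicy], icmp_type: int) -> Optional[HostPolicy]:
    """Return the first policy that matches an ICMPv4 message of this type."""
    for pol in policies:
        if pol.protocol not in ("", "ICMP"):
            continue
        if pol.icmp_types is not None and icmp_type not in pol.icmp_types:
            continue
        return pol
    return None


def audit(commands: Iterable[str]) -> Dict[int, str]:
    """Map each required ICMPv4 type that would be discarded to the name of
    the policy responsible.  An empty dict means gateway ICMP survives."""
    policies = [parse_policy(c) for c in commands]
    discarded: Dict[int, str] = {}
    for icmp_type in REQUIRED_ICMP_TYPES:
        pol = first_match(policies, icmp_type)
        if pol is not None and pol.action == "DISCARD":
            discarded[icmp_type] = pol.name
    return discarded


# Constructed policy sets (not from any real system).  RISKY reproduces the
# guide's no_traceroute example followed by a catch-all DISCARD, the kind of
# default or subnet-wide policy the guide warns about.
RISKY_POLICIES = [
    "ipsec_config add host no_traceroute -protocol ICMP -src_icmp_type 30 -action DISCARD",
    "ipsec_config add host lockdown -action DISCARD",
]
# SAFE passes the required ICMPv4 types before the catch-all is reached.
SAFE_POLICIES = [
    "ipsec_config add host no_traceroute -protocol ICMP -src_icmp_type 30 -action DISCARD",
    "ipsec_config add host gw_icmp -protocol ICMP -src_icmp_type 0,3,4,5,8 -dst_icmp_type 0,3,4,5,8 -action PASS",
    "ipsec_config add host lockdown -action DISCARD",
]

if __name__ == "__main__":
    for label, cmds in (("risky", RISKY_POLICIES), ("safe", SAFE_POLICIES)):
        hits = audit(cmds)
        print(f"{label}: {len(hits)} required ICMPv4 type(s) discarded")
        for t, pol in sorted(hits.items()):
            print(f"  type {t:3d} {REQUIRED_ICMP_TYPES[t]} -> discarded by {pol}")
```

Running the script reports every required type as discarded by the catch-all in the risky set and nothing in the safe set; the same first-match walk applies to any ordered list of host policies, so it can be fed the exact command lines you intend to issue with ipsec_config before the default policy for a subnet is tightened.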
ICMPv6 Message Processing
You can configure specific ICMPv6 message types for host policy packet filters using the
-src_icmpv6_type and -dst_icmpv6_type arguments.
HP-UX IPSec Operation 163