HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

IKEv2 test results with all combinations of algorithms with Strongswan
Test 1 : IKEv2 with DH group2 and Phase 2 transform : ESP_AES256_HMAC_SHA2_512
ENC/AUTH       HMAC-SHA1   HMAC-SHA2-256   HMAC-SHA2-384   HMAC-SHA2-512
3DES
AES 128-CBC
AES 192-CBC
AES 256-CBC
Test 2 : IKEv2 with DH group24 and Phase 2 transform : ESP_AES256_HMAC_SHA2_512
ENC/AUTH       HMAC-SHA1   HMAC-SHA2-256   HMAC-SHA2-384   HMAC-SHA2-512
3DES
AES 128-CBC
AES 192-CBC
AES 256-CBC
IMPORTANT: The following authentication algorithms do not work for IKEv2 with Strongswan:
HMAC-MD5
AES96-XCBC-MAC (96-bit key)
Strongswan does not let the user configure a PRF of their choice; it automatically uses the
configured authentication algorithm as the PRF, so for Strongswan the IKEv2 authentication
algorithm and the PRF are always the same. HP-UX IPSec lets the user select the PRF, but does
not support HMAC-MD5 or AES96-XCBC-MAC (96-bit key) as PRF algorithms. Users therefore cannot
configure either one as the IKEv2 authentication algorithm between HP-UX IPSec and Strongswan.
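One way to catch the mismatch described in the note above before deployment is to scan the Strongswan side's ipsec.conf for IKEv2 proposals whose authentication algorithm HP-UX IPSec cannot use as the PRF. This is an added example, not part of the HP guide; the function names and the sample configuration are constructed, and it assumes proposals written with the Strongswan keywords md5 and aesxcbc and no separate PRF keyword.

```python
# Added example (not from the HP guide). Strongswan ipsec.conf keywords for the
# two algorithms the note says HP-UX IPSec does not support as the IKEv2 PRF.
UNSUPPORTED_AS_PRF = {"md5": "HMAC-MD5", "aesxcbc": "AES96-XCBC-MAC"}

def parse_conns(conf_text):
    """Collect key=value settings per 'conn' section, ignoring comments."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif line.startswith("config "):
            current = None                      # leave 'config setup' alone
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def find_prf_conflicts(conf_text):
    """Return (conn, proposal, algorithm) for every ike= proposal whose
    authentication algorithm would double as an unsupported PRF."""
    conflicts = []
    for name, opts in parse_conns(conf_text).items():
        if opts.get("keyexchange") == "ikev1":  # the note concerns IKEv2 only
            continue
        # Proposals are comma-separated; a trailing "!" marks strict mode.
        for proposal in opts.get("ike", "").rstrip("!").split(","):
            proposal = proposal.strip()
            for token in proposal.split("-"):
                if token in UNSUPPORTED_AS_PRF:
                    conflicts.append((name, proposal, UNSUPPORTED_AS_PRF[token]))
    return conflicts

# Constructed sample configuration (assumption, for illustration only).
SAMPLE_CONF = """
config setup
conn hpux-ok
    keyexchange=ikev2
    ike=aes256-sha512-modp1024!        # DH group 2
conn hpux-md5
    ike=aes128-md5-modp1024,aes128-sha1-modp1024
    keyexchange=ikev2
conn hpux-xcbc
    keyexchange=ikev2
    ike=3des-aesxcbc-modp2048s256!     # DH group 24
conn legacy-v1
    keyexchange=ikev1
    ike=3des-md5-modp1024
"""

if __name__ == "__main__":
    for conn, proposal, alg in find_prf_conflicts(SAMPLE_CONF):
        print(f"{conn}: {proposal} uses {alg}, unsupported as PRF on HP-UX IPSec")
```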
Version and Functionalities
HP tested HP-UX IPSec with Linux IPsec functionality provided by ipsec-tools version 0.7, which is
included with Linux kernel versions 2.6 and later.
The following functionalities were tested:
IKEv1 using preshared key authentication for end-to-end transport mode IPsec SAs for all ports and protocols
IKEv1 using preshared key authentication for end-to-end tunnel mode IPsec SAs for all ports and protocols
Configuration Example
The following configuration data is for an IKEv1 topology using preshared key authentication for
end-to-end transport mode IPsec SAs.
The Linux 2.6 system IP address is 10.0.0.26. The HP-UX system IP address is 10.0.0.11.
For added security, this example uses SHA1 as the IKEv1 hash algorithm. The HP-UX default IKEv1
hash algorithm is MD5. You must explicitly configure SHA1 as the IKEv1 hash algorithm on the
HP-UX system.