HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

E HP-UX IPSec and HP-UX IPFilter
This appendix describes configuration requirements when using HP-UX IPSec and HP-UX IPFilter
on the same system. This appendix contains the following section:
“Using HP-UX IPSec with HP-UX IPFilter” (page 189)
Using HP-UX IPSec with HP-UX IPFilter
HP-UX IPSec and HP-UX IPFilter can coexist on the same system. You can configure HP-UX IPSec
and HP-UX IPFilter so that there is some overlap in the configurations. However, you must be sure
the overlapping configurations do not block each other. HP-UX IPFilter is located below HP-UX
IPSec in the networking stack. HP-UX IPFilter processes inbound IP packets before HP-UX IPSec and
processes outbound packets after HP-UX IPSec.
IPsec Packets
To use HP-UX IPFilter and HP-UX IPSec together, you must configure HP-UX IPFilter so it does not
discard the following IPsec packets:
UDP port 500 (IKE)
IP protocol number 50 (ESP)
IP protocol number 51 (AH)
Upper Layer Information
If HP-UX IPSec secures a packet (the packet has an AH or ESP header), HP-UX IPFilter cannot filter
the packet based on upper layer information, such as TCP port numbers and connection states,
and ICMP message types. The only upper-layer protocol information that HP-UX IPFilter can process
is the IP protocol number (50 or 51).
IPsec Tunnels and End to Gateway Topologies
IPFilter can coexist with IPsec tunnels. In topologies where a tunnel endpoint is not an end-to-end
endpoint (such as host-to-gateway topologies and other gateway topologies), you must configure
IPFilter to allow IPsec traffic to and from the gateway instead of the end node. The IPFilter rules for
UDP/500 and protocol 50/51 traffic must pass packets to and from the gateway IP address
rather than the end node IP address.
Example
On hostA, the local IP address is 10.10.10.10, and you want to allow IPsec ESP packets to and
from hostB (IP address 15.15.15.15). On hostA, the IPFilter configuration contains the following
entries:
# Allow IKE packets to and from hostB (both port fields need the "=" comparison operator)
pass in quick proto udp from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto udp from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
# Allow IPsec ESP traffic (IP protocol 50) to and from hostB
pass in quick proto 50 from 15.15.15.15 to 10.10.10.10
pass out quick proto 50 from 10.10.10.10 to 15.15.15.15
NOTE: You must configure IPFilter to pass both inbound and outbound traffic (in and out)
for UDP port 500. The example above does not pass AH (IP protocol 51); add matching
proto 51 rules if the HP-UX IPSec policy uses AH.
IPFilter searches and selects rules according to their order in the filter file. Place the filter rules for
IPsec packets in the appropriate location for your configuration.
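For the host-to-gateway topology described in "IPsec Tunnels and End to Gateway Topologies", the following is an added example that is not taken from the guide. It assumes hostA (10.10.10.10) protects traffic to the end nodes in 192.168.20.0/24 through a security gateway at 15.15.15.1; all addresses are assumed for illustration.

```ipf
# hostA = 10.10.10.10, security gateway = 15.15.15.1 (assumed addresses)
# IKE runs between hostA and the gateway, so UDP/500 rules name the gateway,
# not the 192.168.20.0/24 end nodes behind it
pass in quick proto udp from 15.15.15.1 port = 500 to 10.10.10.10 port = 500
pass out quick proto udp from 10.10.10.10 port = 500 to 15.15.15.1 port = 500
# ESP (protocol 50) and AH (protocol 51) also terminate at the gateway address;
# include only the protocol(s) the HP-UX IPSec policy actually negotiates
pass in quick proto 50 from 15.15.15.1 to 10.10.10.10
pass out quick proto 50 from 10.10.10.10 to 15.15.15.1
pass in quick proto 51 from 15.15.15.1 to 10.10.10.10
pass out quick proto 51 from 10.10.10.10 to 15.15.15.1
# Rules that name 192.168.20.0/24 directly never match the protected packets:
# IPFilter sees only the outer header (hostA <-> gateway) and protocol 50/51
```

Because each rule uses quick, it takes effect on first match regardless of what follows it in the filter file; place these rules ahead of any general block rule that would otherwise drop the gateway traffic.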
Using HP-UX IPSec with HP-UX IPFilter 189