HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Figure 5 ESP tunnel mode
[Figure: packet layout, left to right: New IP Header | ESP Header | IP Header | Payload | ESP Trailer | ESP Authentication, with the encrypted and authenticated portions marked.]
IPv6 ESP transport mode
In IPv6 ESP transport mode (shown in Figure 6), IPsec inserts the ESP header after the following
headers and extensions:
• the basic IPv6 header
• hop-by-hop options
• any destination options needed to interpret the ESP header
• routing extensions
• fragment extensions
The items listed below follow the ESP header and are encrypted and authenticated:
• any destination options needed only for the “final” destination and not needed to interpret
the ESP header
• the IP data or payload (e.g., TCP or UDP packet)
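The header ordering in the lists above determines what a firewall or capture tool can still read from an IPv6 ESP transport-mode packet. The following Python code is an added example, not part of the HP guide or of HP-UX IPSec: it walks the cleartext extension headers up to the ESP header and reads the SPI and sequence number. The function names and the sample packet are constructed for illustration.

```python
import struct

# IANA protocol numbers for the extension headers named in the list above
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "destination options"}
ESP = 50

def locate_esp(packet: bytes):
    """Walk the cleartext IPv6 header chain.

    Returns (headers_seen, esp_offset, spi, sequence_number); the last three
    are None when no ESP header is reachable in this packet.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, seen = packet[6], 40, ["ipv6"]
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        seen.append(EXT_HEADERS[next_hdr])
        if next_hdr == 44:
            # Fragment header is always 8 bytes; a non-first fragment does not
            # begin with the next header, so stop instead of misparsing data.
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return seen, None, None, None
            hdr_len = 8
        else:
            hdr_len = (packet[offset + 1] + 1) * 8  # length field counts 8-byte units minus one
        next_hdr, offset = packet[offset], offset + hdr_len
    if next_hdr != ESP:
        return seen, None, None, None
    if offset + 8 > len(packet):
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack_from("!II", packet, offset)
    # What follows the ESP header is the encrypted portion and the
    # authentication data, opaque without the security association's keys.
    return seen, offset, spi, seq

def build_sample():
    """Constructed packet: IPv6 + hop-by-hop + destination options + ESP."""
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"  # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"  # 2001:db8::2
    padn = bytes([1, 4, 0, 0, 0, 0])           # PadN option filling each header to 8 bytes
    body = bytes([60, 0]) + padn               # hop-by-hop, next = destination options
    body += bytes([50, 0]) + padn              # destination options, next = ESP
    body += struct.pack("!II", 0x1000, 1) + bytes(24)  # SPI, sequence number, opaque bytes
    fixed = struct.pack("!IHBB", 6 << 28, len(body), 0, 64)
    return fixed + src + dst + body
```

Destination options meant only for the final destination sit after the ESP header, so this walk never sees them; only the endpoint holding the keys can.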
Figure 6 IPv6 ESP in transport mode
[Figure: packet layout, left to right: IP Header | Extension Headers (a) | ESP Header | Destination Options (b) | Payload | ESP Trailer | ESP Authentication, with the encrypted and authenticated portions marked.]
IPv6 ESP tunnel mode
In IPv6 ESP tunnel mode (shown in Figure 7), the packet layout is the same as IPv4 ESP tunnel
mode, except that the original and new (outer) IP headers may include header extensions.
Figure 7 IPv6 ESP in tunnel mode
[Figure: packet layout, left to right: New IP Header | New Extension Headers | ESP Header | IP Header | Extension Headers | Payload | ESP Trailer | ESP Authentication, with the encrypted and authenticated portions marked.]
ESP Encryption and authentication algorithms
HP-UX IPSec ESP supports the encryption algorithms listed in Table 2 (page 37) and the
authentication algorithms listed in Table 3 (page 37). For example, HP-UX IPSec can encrypt an
ESP packet using AES and authenticate it using SHA1.