HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

The HP-UX IPSec IKE daemon can send and receive IKEv1 and IKEv2 packets on the same UDP
port. However, IKEv1 cannot interoperate with IKEv2 (IKEv1 packets cannot be used for IKEv2
negotiations and vice versa). When you configure HP-UX IPSec, you specify the IKE protocol version
to use when initiating IKE negotiations with a given destination. When the IKE daemon responds
to IKE negotiations, it uses information in the header to determine the IKE protocol version and
verifies the version against the configured rules. See “Determining the IKE Version” (page 153) for
more information.
Security associations
A Security Association (SA) is a secure communication channel. You can think of the SAs as
security sessions, where the two systems agree on the type of authentication and encryption, the
encryption keys and other parameters. There are two types of SAs:
IKE SAs
The purpose of the IKE SA is to provide a “master” encrypted and authenticated security
channel that the systems can use to safely exchange address and ID information when
negotiating IPsec SAs.
To establish an IKE SA, the IKE peers exchange messages to generate a Diffie-Hellman shared
value that is used as the base for shared keys, as described in “Generating shared keys:
Diffie-Hellman” (page 39). The IKE peers also authenticate the identity of each other.
The negotiations used to establish IKE SAs are sometimes referred to as phase 1 negotiations.
IPsec SAs or Child SAs
Using the secure communication channel provided by the IKE SA, IKE negotiates IPsec SAs
or child SAs. An IPsec SA is a security association used to exchange IPsec ESP or AH packets.
The IPsec SA operating parameters include the IPsec protocol used (ESP or AH), the mode
(transport or tunnel), the cryptographic algorithms (such as AES, SHA-1, and SHA-2), the
cryptographic keys, the SA lifetime, and the endpoints (IP addresses, protocol and port
numbers).
An IPsec SA is unidirectional, so IPsec SAs are negotiated in pairs: one SA for inbound packets
from the remote endpoint and one SA for outbound packets to the remote endpoint.
The negotiations used to establish IPsec SAs are sometimes referred to as phase 2 negotiations.
IKEv1 phases and exchange modes
The IKEv1 protocol defines two categories for IKE negotiations:
Phase 1
During Phase 1, the IKE peers establish the IKE SA.
Phase 2
During Phase 2, the IKE peers establish the IPsec SAs.
IKEv1 can use one of two methods, or exchange modes, to establish the IKE SA:
Main Mode
Aggressive Mode
In Main Mode negotiations, the IKE peers select IKE parameters (configured in IKE policies) based
on the remote system’s IP address in the IP packet header. The IKE peers exchange ID information
after they establish a secure, encrypted communication channel.
In Aggressive Mode negotiations, the IKE initiator sends ID information in the first packet. This
enables the IKE responder to select IKE parameters, such as the encryption information, based on
ID information instead of the IKE peer’s IP address extracted from the IP packet header. Aggressive
Mode is quicker and requires the peers to exchange fewer packets, but is less secure because the
peers exchange identity information in clear text.
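The following is an added illustration, not code from HP-UX IPSec or this guide: a toy model of the relationship described above, in which a phase 1 Diffie-Hellman exchange yields the IKE SA key, a phase 2 negotiation under that key yields a unidirectional IPsec SA pair with distinct SPIs and keys, and the initiator's ID payload is visible on the wire in Aggressive Mode but not in Main Mode. The DH group, PRF, host names, nonces and SPIs are constructed placeholders; the ID "encryption" is a one-time pad from the PRF, standing in for the real IKE cipher.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group (a Mersenne prime); real IKE uses RFC 2409/3526 MODP groups.
P = (1 << 127) - 1
G = 5

def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF standing in for IKE's HMAC-based key derivation."""
    return hmac.new(key, data, hashlib.sha256).digest()

def pad_id(key: bytes, ident: bytes) -> bytes:
    """Toy encryption of an ID payload: PRF output used as a one-time pad."""
    return bytes(a ^ b for a, b in zip(ident, prf(key, b"id-pad")))

class IkePeer:
    def __init__(self, ident: str):
        self.ident = ident.encode()
        self._x = secrets.randbelow(P - 2) + 2      # private DH exponent
        self.pub = pow(G, self._x, P)               # public value carried in the KE payload

    def phase1(self, peer_pub: int, nonces: bytes) -> bytes:
        """Phase 1: derive the IKE SA key from the Diffie-Hellman shared value."""
        shared = pow(peer_pub, self._x, P).to_bytes(16, "big")
        self.skeyid = prf(nonces, shared)
        return self.skeyid

    def phase2(self, spi_in: int, spi_out: int) -> dict:
        """Phase 2: one negotiation under the IKE SA yields a unidirectional SA pair."""
        key = lambda spi: prf(self.skeyid, b"ESP" + spi.to_bytes(4, "big"))
        return {"in": {"spi": spi_in, "key": key(spi_in)},
                "out": {"spi": spi_out, "key": key(spi_out)}}

def id_payload_on_wire(peer: IkePeer, mode: str) -> bytes:
    """What a passive observer sees of the initiator's ID payload in each exchange mode."""
    if mode == "aggressive":   # ID travels in the first packet, before any key exists
        return peer.ident
    if mode == "main":         # ID is sent only after the encrypted channel is established
        return pad_id(peer.skeyid, peer.ident)
    raise ValueError(mode)

def run_example() -> dict:
    init, resp = IkePeer("hostA.example.com"), IkePeer("hostB.example.com")
    nonces = b"constructed-nonce-i" + b"constructed-nonce-r"
    k_i, k_r = init.phase1(resp.pub, nonces), resp.phase1(init.pub, nonces)
    # Each side picks the SPI for its own inbound SA, so the pairs mirror each other.
    sa_i, sa_r = init.phase2(0x1001, 0x2002), resp.phase2(0x2002, 0x1001)
    return {"ike_keys_agree": k_i == k_r,
            "pair_keys_match": sa_i["out"]["key"] == sa_r["in"]["key"]
                               and sa_i["in"]["key"] == sa_r["out"]["key"],
            "distinct_directions": sa_i["in"]["key"] != sa_i["out"]["key"],
            "id_clear_aggressive": id_payload_on_wire(init, "aggressive") == init.ident,
            "id_clear_main": id_payload_on_wire(init, "main") == init.ident}
```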