The above problem typically occurs with ESP-encrypted UDP or ICMP packets that are fragmented by IP. HP-UX 11i systems minimize IP fragmentation of ESP-encrypted TCP packets. You may still experience problems with ESP-encrypted TCP packets sent from an HP-UX system to a Windows 2000 system if an intermediate IP gateway fragments the ESP packet.
Protocol Implementation DifferencesHP-UX and Microsoft Windows both implement the IP Security protocol suite. However, there are features in the protocol suite that HP-UX implemented which Microsoft did not implement, and vice-versa.
The following features are implemented by HP-UX IPSec version A.02.01 but not by Microsoft Windows XP:
•Advanced Encryption Standard (AES): HP-UX IPSec supports ESP encryption using the
following protocols: AES, Triple Data Encryption Standard (3DES), and Data Encryption Standard (DES). Windows XP and Windows 2000 support 3DES and DES, but do not support AES.
•Aggressive Mode (AM): HP-UX supports AM exchanges to establish IKE Security Associations (SAs). AM is an optional feature and is not supported on Windows.
The following features are implemented by Microsoft Windows XP, but not by HP-UX IPSec version A.02.01:
•Kerberos: Windows supports Internet Key Exchange (IKE) authentication using Kerberos. RFC 2408 defines an optional Kerberos Token payload, but does not describe how to implement it. This feature is not supported on HP-UX.
•Perfect Forward Secrecy (PFS) for keys only: HP-UX IPSec supports PFS for keys in conjunction with PFS for all identities, but does not support PFS for keys only. Windows supports PFS for keys only (“session key PFS”) and PFS for keys in conjuctions with PFS for all identities (“master key PFS”). See “Perfect Forward Secrecy (PFS)” (page 43) for more information.