HP UX IPSec Software Filter Selection, IKE Parameter Selection, IKE SA Key (Master Key) Lifetime Values

The filter matches packets with the following addresses:

Source address: 10.1.1.1

Destination address: 10.2.2.2

If the filter is mirrored, it also matches packets with the following addresses:

Source address: 10.2.2.2

Destination address: 10.1.1.1

The mirror setting only affects Windows IP Security behavior before IPsec SAs are established. If the Windows IP Security module receives a packet via an existing SA, it does not verify that the packet address fields match the address filter used when the SA was established.

By comparison, HP-UX IPSec host and tunnel policies are always mirrored. (Gateway policies are the only HP-UX IPSec policies that are not mirrored.)

Filter Selection

Windows does not allow you to specify the search or priority order for the filters in a rule or for the order of rules in a policy. The Windows IP Security module automatically creates an internal filter list and orders the filters from most specific to least specific.

HP-UX IPSec allows you to specify a priority value for IPsec and IKE policies. HP-UX IPSec searches the policies in priority order within each type of policy. Lower priority values have higher priority (priority value 1 is the highest priority).

If you do not specify a priority value when creating a policy on HP-UX, ipsec_config automatically assigns a priority value so that the new policy is the last policy searched before the default policy within its policy type. The output of the ipsec_config show command includes the priority values for configured policies.

IKE Parameter Selection

On HP-UX systems, only one IKE SA proposal is used for each peer. You can configure multiple IKE policies, but only one IKE policy is selected per peer, and each IKE policy specifies only one IKE SA. During IKE negotiations, IKE searches policies in priority order and selects the first policy with a matching remote address. IKE then uses the IKE SA parameters to send an IKE SA proposal, or to evaluate the IKE SA proposal(s) it receives.

On Windows systems, you can configure a set of multiple IKE SA proposals, but only one set per IP Security policy, and only one IP Security policy can be in use (assigned) on the system.

IKE SA Key (Master Key) Lifetime Values

IKE SA key lifetimes (referred to as Master key lifetimes on Windows systems) specify the maximum lifetimes for IKE SA keys and are specified by units of time (seconds). In addition, users can specify the maximum number of IPsec SA negotiations that can be completed per IKE SA (“Maximum Quick Modes” (page 43)).

HP-UX IKE SA Lifetime Values

The HP-UX IPSec default preferred lifetime value for IKE SAs is 28,800 seconds (eight hours).

If the HP-UX system initiates IKE SA negotiations, the HP-UX IKE daemon proposes the preferred lifetime value to the remote system. The remote system may process this value in any manner according to the IPsec protocol suite.

If the remote system initiates IKE SA negotiations and sends a proposed value that is longer than (less secure than) the HP-UX preferred value, HP-UX sends an IKE NOTIFY message with its preferred value, and this value is used for the SA.

If the remote system initiates IKE SA negotiations and sends a proposed lifetime that is the same or more secure (shorter than) the HP-UX preferred value, the HP-UX IKE daemon accepts the