Introduction
This document contains tips for configuring IPsec on Microsoft Windows Vista and Windows Server 2008 systems to operate with HP-UX IPSec versions A.02.01 and later. For information on configuring IPsec on Microsoft Windows XP and Windows 2003 systems to operate with HP-UX IPSec, see in Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec.
The intended audience for this document is a network security administrator who is familiar with Microsoft Windows Vista or Windows Server 2008, the HP-UX IPSec product, and the IP Security protocol suite.
Related Documentation
The following documents are available from the HP Technical Documentation website at http://docs.hp.com:
For information on configuring IPsec on Microsoft Windows XP and Windows 2003 systems to operate with HP-UX IPSec, see Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec.
For general information about configuring HP-UX IPSec, see the HP-UX IPSec A.02.01 Administrator's Guide or the HP-UX IPSec A.03.00 Administrator's Guide.
For information about configuring HP-UX IPSec to use Microsoft Windows security certificates, see Using Microsoft Windows Certificates with HP-UX IPSec A.02.01and Using Microsoft Windows Certificates with HP-UX IPSec A.03.00.
Protocol implementation differences
HP-UX and Microsoft Windows both implement the IP Security protocol suite. However, there are features in the protocol suite that HP-UX implemented that Microsoft did not implement, and vice-versa. There are also differences in default parameter values.
IKE version
At the time this document was published, Microsoft Windows Vista and Windows Server 2008 supported only Internet Key Exchange (IKE) IKE version 1. HP-UX IPSec version A.03.00 supports IKE version 1 and IKE version 2. In this document, the term “IKE” refers to IKE version 1.
IKE authentication method
The Windows default IKE authentication method is Kerberos. RFC 2408 defines an optional Kerberos Token payload, but does not describe how to implement it. HP-UX IPSec does not support Kerberos for IKE authentication. You must configure the Microsoft connection security rule to use certificates or preshared keys for IKE authentication.
On HP-UX A.02.00 and A.02.01 systems, you specify the IKE authentication method using the – authentication option in the ipsec_config add ike command.
On HP-UX A.03.00 systems, you specify the IKE authentication method using the –local_methodand –remote_methodoptions in the ipsec_config add auth command.
IKE default algorithms
The Windows advanced firewall configures the IKE encryption and hash (integrity) algorithms as pairs in security methods. By default, the Windows configuration contains the following security methods:
AES-128 encryption and SHA-1 integrity
AES-128 encryption and MD5 integrity