====== IPSec cheat sheet ======
IPSec itself is only partly tricky; worse, the existing documentation is __very__ messy.
* [[docs:ipsec:modes|IPSec Exchange modes]]
* [[docs:ipsec:policy|IPSec policy]]
* [[docs:ipsec:racoon_psk|Racoon setup with PSKs]]
* [[docs:ipsec:racoon_x509|Racoon setup with X.509 Certificates]]
* [[docs:ipsec:racoon_roadwarrior|Racoon setup for roadwarriors]]
==== How IPSec works with KAME tools ====
<code>
setkey          racoon <-------(IKE)-------> somebody
  |              ^  |      (5)
  |              |  |(6)
  |(1)           |  +-----------+
  |              |(4)           |
  v              |              v
+-----+ (2)      |    (3)    +-----+
| SPD |<------ kernel ------>| SAD |
+-----+          |           +-----+
                 |(7)
                 v
</code>
==== (Very) Basic concepts ====
This sums up some of the technical details of IPSec. Beginners should read more detailed documentation first.
=== Protocols ===
^ Protocol ^ Number / port ^ Common name ^ Purpose ^
| AH | IP protocol 51 | Authentication Header | Integrity |
| ESP | IP protocol 50 | Encapsulating Security Payload | Integrity & confidentiality |
| IKE | UDP port 500 | Internet Key Exchange | SA setup, key exchange |
| NAT-T | UDP port 4500 | NAT Traversal | IPSec between endpoints behind NATs |
=== IPSec modes ===
^ Mode ^ What is wrapped ^ Intended usage ^ Overhead ^
| Transport | IP payload only (original IP header kept) | Host-to-host integrity/encryption | AH/ESP header |
| Tunnel | Whole IP packet | VPN | AH/ESP header + new outer IP header |
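As an added example (not part of this cheat sheet), the following Python classifier applies the protocol numbers and UDP ports from the two tables above to raw IPv4 packets: it extracts SPI and sequence number from ESP and AH, infers transport vs tunnel mode from AH's next-header field (ESP hides the mode inside the encrypted payload), and demultiplexes UDP 4500 into IKE (non-ESP marker), ESP-in-UDP and NAT-T keepalives. The sample packets, SPI values and addresses are constructed for the example.

```python
import struct

# IP protocol numbers and UDP ports from the tables above.
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NATT_PORT = 500, 4500

def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet (constructed test input; checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt: bytes) -> dict:
    """Name the IPsec component in a raw IPv4 packet and extract SPI/sequence."""
    proto, body = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == IPPROTO_ESP:                       # mode is hidden by encryption
        spi, seq = struct.unpack("!II", body[:8])
        return {"kind": "ESP", "spi": spi, "seq": seq}
    if proto == IPPROTO_AH:
        nxt, plen = body[0], body[1]               # plen = 32-bit words minus 2
        spi, seq = struct.unpack("!II", body[4:12])
        mode = "tunnel" if nxt in (4, 41) else "transport"  # inner IP => tunnel
        return {"kind": "AH", "spi": spi, "seq": seq, "mode": mode,
                "overhead": (plen + 2) * 4}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if IKE_PORT in (sport, dport):             # ISAKMP exchange type at offset 18
            return {"kind": "IKE", "exchange": data[18]}
        if NATT_PORT in (sport, dport):
            if data == b"\xff":                    # one-byte NAT-T keepalive
                return {"kind": "NAT-T keepalive"}
            if data[:4] == b"\x00\x00\x00\x00":    # non-ESP marker: IKE over 4500
                return {"kind": "IKE", "exchange": data[22], "natt": True}
            spi, seq = struct.unpack("!II", data[:8])
            return {"kind": "ESP", "spi": spi, "seq": seq, "natt": True}
    return {"kind": "other"}

# Constructed sample packets: SPI/seq values and the ISAKMP header are made up.
ISAKMP_MAIN_MODE = b"\x00" * 16 + bytes([1, 0x10, 2, 0]) + b"\x00" * 8
SAMPLES = {
    "esp": ipv4(IPPROTO_ESP, struct.pack("!II", 0x1234, 7) + b"\x00" * 16),
    "ah_tunnel": ipv4(IPPROTO_AH, bytes([4, 4, 0, 0]) + struct.pack("!II", 0x99, 3) + b"\x00" * 12),
    "ike": ipv4(IPPROTO_UDP, udp(IKE_PORT, IKE_PORT, ISAKMP_MAIN_MODE)),
    "keepalive": ipv4(IPPROTO_UDP, udp(NATT_PORT, NATT_PORT, b"\xff")),
    "esp_natt": ipv4(IPPROTO_UDP, udp(NATT_PORT, NATT_PORT, struct.pack("!II", 0xABCD, 9) + b"\x00" * 8)),
}
```

Run `classify(pkt)` on each entry of `SAMPLES` to see the dissection; the AH `overhead` value is the per-packet cost listed in the modes table.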
=== Glossary ===
^ Abbreviation ^ Meaning ^
| PSK | Pre-shared Key |
| SA | Security Association |
| SAD | Security Association Database |
| SP | Security Policy |
| SPD | Security Policy Database |
==== Linux Kernel modules ====
Modules needed for ESP transport mode with AES and SHA-1/SHA-256 on IPv4 and IPv6 (load them with modprobe or build them into the kernel):
<code>
aes_generic
esp4
esp6
sha1_generic
sha256_generic
xfrm4_mode_transport
xfrm6_mode_transport
xfrm_user
</code>