IPSec cheat sheet

IPSec cheat sheet

IPSec is partly tricky, but worse than that, existing documentation is very messy.

How IPSec works with KAME tools

	 setkey                racoon  <-------(IKE)-------> somebody
	   |                    ^  |      (5)
	   |                    |  |(6)
	   |(1)           +-----+  +---+
	   |           (4)|            |
	   v              |            v
	+-----+  (2)      |    (3)  +-----+
	| SPD |<----- kernel ------>| SAD |
	+-----+         |           +-----+
                        |(7)
                        v

(Very) Basic concepts

This sums up some of the technical details about IPSec. Starters should read a more detailed documentation.

Protocols

Protocol	#	Common name	Utility
AH	IP Type 51	Authentication header	Integrity
ESP	IP Type 50	Encapsulated Security Payload	Integrity & Confidentiality
IKE	UDP port 500	Internet Key Exchange	SA setup, key exchange
NAT-T	UDP port 4500	NAT Traversal IPSec	Endpoint communication behind NATs

IPSec modes

Mode	Wrapping scope	Intended usage	Overhead
Transport	IP packet payload	Peer to peer integrity/encryption enforcement	AH/ESP size
Tunnel	Whole IP packet	VPN	AH/ESP + IP/Stage 2 header

Glossary

PSK	Preshared Keys
SA	Security Association
SAD	Security Association Database
SP	Security Policy
SPD	Security Policy Database

Linux Kernel modules

aes_generic
esp4
esp6
sha1_generic
sha256_generic
xfrm4_mode_transport
xfrm6_mode_transport
xfrm_user

Table of Contents

IPSec cheat sheet

How IPSec works with KAME tools

(Very) Basic concepts

Protocols

IPSec modes

Glossary

Linux Kernel modules