IPSec cheat sheet
IPSec is tricky in places, and worse, the existing documentation is very messy.
How IPSec works with KAME tools

```
setkey               racoon <-------(IKE)-------> somebody
  |                    ^   |          (5)
  |                    |   |(6)
  |(1)           +-----+   +---+
  |           (4)|             |
  v              |             v
+-----+  (2)     |   (3)    +-----+
| SPD |<----- kernel ------>| SAD |
+-----+          |          +-----+
                 |(7)
                 v
```

(1) setkey loads policies (SPs) into the SPD. (2) The kernel matches every packet against the SPD. (3) For a packet that a policy says must be protected, the kernel looks up the matching SA in the SAD. (4) If there is none, the kernel asks racoon for one (a PF_KEY acquire). (5) racoon negotiates the SA with the peer over IKE. (6) racoon installs the negotiated SAs into the SAD. (7) The kernel applies the SA and sends or delivers the packet. With manual keying, setkey writes the SAs into the SAD itself and steps (4) to (6) never happen.
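As an added example (not code from the original page), the manual-keying path of the diagram written out: a shell helper that emits a setkey(8) script whose `add` lines fill the SAD and whose `spdadd` lines fill the SPD, so racoon and steps (4) to (6) are not needed. The helper names `gen_setkey_conf` and `hex_digits`, and the addresses, SPIs and keys, are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page: build a setkey(8) script for
# manually keyed transport-mode ESP between two hosts.  With manual keys
# setkey writes both the SAD (add) and the SPD (spdadd), so racoon is not
# involved.  Helper names, addresses, SPIs and keys below are assumptions.

# Count the hex digits of a 0x... key; 0 if the string is not a hex key.
hex_digits() {
  case "$1" in
    0x*) printf '%s' "${1#0x}" | wc -c | tr -d ' ' ;;
    *)   echo 0 ;;
  esac
}

# gen_setkey_conf A B SPI_AB SPI_BA ENC_AB AUTH_AB ENC_BA AUTH_BA
# Prints the setkey script for host A (A -> B outbound, B -> A inbound).
# Host B loads the same SAs with the -P directions swapped.
# Returns 1 when a key has the wrong size for its algorithm.
gen_setkey_conf() {
  a=$1; b=$2; spi_ab=$3; spi_ba=$4
  enc_ab=$5; auth_ab=$6; enc_ba=$7; auth_ba=$8
  for k in "$enc_ab" "$enc_ba"; do        # aes-cbc: 128/192/256 bits; 128 here
    [ "$(hex_digits "$k")" -eq 32 ] || { echo "bad aes-cbc key: $k" >&2; return 1; }
  done
  for k in "$auth_ab" "$auth_ba"; do      # hmac-sha256: 256-bit key
    [ "$(hex_digits "$k")" -eq 64 ] || { echo "bad hmac-sha256 key: $k" >&2; return 1; }
  done
  cat <<EOF
#!/usr/sbin/setkey -f
# Flush SAD and SPD so stale entries cannot shadow the new ones.
flush;
spdflush;

# SAD: one SA per direction, each with its own SPI (values 0-255 are reserved).
add $a $b esp $spi_ab -m transport -E aes-cbc $enc_ab -A hmac-sha256 $auth_ab;
add $b $a esp $spi_ba -m transport -E aes-cbc $enc_ba -A hmac-sha256 $auth_ba;

# SPD: 'require' drops traffic instead of sending it in clear when no SA matches.
spdadd $a $b any -P out ipsec esp/transport//require;
spdadd $b $a any -P in  ipsec esp/transport//require;
EOF
}

# Sample run with constructed throw-away keys (for real ones use e.g.
# "openssl rand -hex 16" for AES-128 and "openssl rand -hex 32" for HMAC-SHA256).
gen_setkey_conf 10.0.0.1 10.0.0.2 0x1000 0x1001 \
  0x000102030405060708090a0b0c0d0e0f \
  0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f \
  0x0f0e0d0c0b0a09080706050403020100 \
  0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100
```

Load the output on host A with `setkey -f`, then check the result with `setkey -D` (SAD) and `setkey -DP` (SPD). The script flushes both databases first; on a box that already carries other SAs, drop the `flush;`/`spdflush;` lines and use `setkey -c` to apply it incrementally.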
(Very) Basic concepts
This summarizes some of the technical details of IPSec. Beginners should read more detailed documentation first.
Protocols
| Protocol | Number / port | Common name | Utility |
|---|---|---|---|
| AH | IP protocol 51 | Authentication Header | Integrity, origin authentication, anti-replay |
| ESP | IP protocol 50 | Encapsulating Security Payload | Confidentiality and (optionally) integrity |
| IKE | UDP port 500 | Internet Key Exchange | SA setup, key exchange |
| NAT-T | UDP port 4500 | NAT Traversal | IKE and ESP between endpoints behind NATs |
AH also authenticates the immutable fields of the IP header, so it does not survive NAT; ESP with the NULL cipher gives integrity without confidentiality. With NAT-T, ESP is wrapped in UDP on port 4500 and IKE moves from port 500 to 4500 once a NAT is detected.
IPSec modes
| Mode | Wrapping scope | Intended usage | Overhead |
|---|---|---|---|
| Transport | IP payload only (original IP header kept) | Host-to-host integrity/encryption | AH/ESP headers |
| Tunnel | Whole IP packet | VPN (gateway-to-gateway, host-to-gateway) | AH/ESP headers + new outer IP header |
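As an added example (not from the original page), the Overhead column worked out for ESP: a shell function, whose name and parameters are assumptions made for the example, that computes the bytes ESP adds to a packet in each mode, including the padding block ciphers need. This is what you need when choosing the MTU inside a tunnel.

```shell
#!/bin/sh
# Added example, not part of the original page.  Bytes ESP adds to a
# packet in transport or tunnel mode; function and parameter names are
# assumptions for the example.
#
#   esp_overhead MODE LEN BLOCK IVLEN ICVLEN
#     MODE   transport | tunnel
#     LEN    bytes being protected: L4 payload in transport mode,
#            whole inner IP packet in tunnel mode
#     BLOCK  cipher block size (16 for AES-CBC, 1 for NULL or stream/AEAD modes)
#     IVLEN  IV bytes carried in the packet (16 for AES-CBC)
#     ICVLEN integrity check value bytes (12 hmac-sha1-96, 16 hmac-sha2-256-128)
# ESP layout: SPI(4) Seq(4) IV payload padding padlen(1) nexthdr(1) ICV.
# Padding makes (payload + the 2 trailer bytes) a multiple of BLOCK.
esp_overhead() {
  mode=$1; len=$2; blk=$3; ivlen=$4; icv=$5
  case "$mode" in
    transport) outer=0 ;;
    tunnel)    outer=20 ;;   # new outer IPv4 header without options (IPv6: 40)
    *) echo "mode must be transport or tunnel" >&2; return 1 ;;
  esac
  pad=$(( (blk - (len + 2) % blk) % blk ))
  echo $(( outer + 8 + ivlen + pad + 2 + icv ))
}

# A 100-byte TCP segment with AES-CBC + HMAC-SHA-256 in both modes;
# in tunnel mode the 20-byte inner IP header is part of what gets wrapped.
esp_overhead transport 100 16 16 16   # 52
esp_overhead tunnel    120 16 16 16   # 68
```

Subtract the result from the path MTU (and another 20 bytes for the IP header that carries the ESP packet, or 28 with NAT-T's UDP header) to get the largest inner packet that will not be fragmented.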
Glossary
| Term | Meaning |
|---|---|
| PSK | Pre-shared Key |
| SA | Security Association |
| SAD | Security Association Database |
| SP | Security Policy |
| SPD | Security Policy Database |
Linux Kernel modules
aes_generic esp4 esp6 sha1_generic sha256_generic xfrm4_mode_transport xfrm6_mode_transport xfrm_user
This set covers transport-mode ESP with AES and SHA-1/SHA-256 on the kernels of that time. Tunnel mode also needs xfrm4_mode_tunnel/xfrm6_mode_tunnel, AH needs ah4/ah6, and setkey/racoon talk to the kernel over PF_KEY (af_key). Newer kernels fold the mode handling into the xfrm core, so the xfrm*_mode_* modules no longer exist there.
docs/ipsec.txt · Last modified: 2013/09/27 20:58 by root