docs:ipsec, revision 2013/09/27 20:58 (current) by root; previous revision 2013/09/27 14:00 by root
====== IPSec cheat sheet ======
  
IPSec is somewhat tricky, but worse than that, the existing documentation is __very__ messy.
  
  * [[docs:ipsec:modes|IPSec Exchange modes]]
  * [[docs:ipsec:policy|IPSec policy]]
  * [[docs:ipsec:racoon_psk|Racoon setup with PSKs]]
  * [[docs:ipsec:racoon_x509|Racoon setup with X.509 Certificates]]
  * [[docs:ipsec:racoon_roadwarrior|Racoon setup for roadwarriors]]

==== How IPSec works with KAME tools ====

<code>
 setkey                racoon <-------(IKE)-------> somebody
   |                   ^   |          (5)
   |                   |   |(6)
(1)|                (4)|   +-----------------------+
   |                   |                           |
   v                   |                           v
+-----+  (2)       +--------+        (3)        +-----+
| SPD |<-----------| kernel |------------------>| SAD |
+-----+            +--------+                   +-----+
                       |(7)
                       v
</code>

  * (1) ''setkey'' loads the security policies from its configuration file into the SPD (with manual keying it also writes SAs straight into the SAD).
  * (2) For every packet, the kernel looks up the matching policy in the SPD.
  * (3) If the policy requires IPsec, the kernel looks for a matching SA in the SAD.
  * (4) If there is none, the kernel asks ''racoon'' for one over PF_KEY (an ACQUIRE message).
  * (5) ''racoon'' negotiates the SAs with the peer using IKE (UDP 500, or UDP 4500 behind NAT).
  * (6) ''racoon'' installs the negotiated SAs into the SAD.
  * (7) The kernel applies the SA to the packet and sends it (or hands it up the stack on input).
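The manually keyed path through that diagram, as an added example that is not part of the original page: ''setkey'' fills both the SPD (step 1) and the SAD directly, so ''racoon'' and steps 4 to 6 never happen. The script below generates a ''setkey'' configuration for a pair of ESP transport-mode SAs between two hosts. The addresses, SPIs and the keys drawn from ''/dev/urandom'' are constructed for the example, and the output file names are an assumption.

```shell
#!/bin/sh
# Added example, not part of the original page: generate a setkey(8)
# configuration for manually keyed ESP in transport mode between two hosts.
# Addresses, SPIs and keys are constructed for illustration; the output file
# names are an assumption. Load a file as root with: setkey -f FILE
set -eu

# Random key as a 0x-prefixed hex string of N bytes, the form setkey expects.
rand_hex_key() {
    printf '0x%s' "$(od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n')"
}

# Sanity check on key length: aes-cbc takes 16, 24 or 32 bytes and
# hmac-sha256 takes 32. Returns 0 when the hex key holds exactly $2 bytes.
key_has_bytes() {
    hex=${1#0x}
    [ "${#hex}" -eq $(( $2 * 2 )) ]
}

# Emit a complete setkey config as seen from host A ($1) talking to B ($2).
# SAs are directional and shared by both hosts (same SPI and keys on each
# side), so B's file is generated with the arguments swapped; the policies
# (spdadd) are per host, which is why "out" and "in" change sides.
# Arguments: A B SPI_A_TO_B SPI_B_TO_A ENC_A_TO_B AUTH_A_TO_B ENC_B_TO_A AUTH_B_TO_A
gen_setkey_conf() {
    a=$1 b=$2 spi_ab=$3 spi_ba=$4 enc_ab=$5 auth_ab=$6 enc_ba=$7 auth_ba=$8
    for k in "$enc_ab" "$enc_ba"; do key_has_bytes "$k" 16 || return 1; done
    for k in "$auth_ab" "$auth_ba"; do key_has_bytes "$k" 32 || return 1; done
    cat <<EOF
# manual ESP transport SAs between $a and $b (generated)
flush;
spdflush;

# SAD: one SA per direction; racoon is not involved, so these are static
add $a $b esp $spi_ab -m transport -E aes-cbc $enc_ab -A hmac-sha256 $auth_ab;
add $b $a esp $spi_ba -m transport -E aes-cbc $enc_ba -A hmac-sha256 $auth_ba;

# SPD: require ESP transport for all traffic between the two hosts
spdadd $a $b any -P out ipsec esp/transport//require;
spdadd $b $a any -P in ipsec esp/transport//require;
EOF
}

# Count the lines starting with a given setkey verb in a config read on stdin.
count_verb() {
    grep -c "^$1 " || true
}

# Usage: generate one key set, then both hosts' files from it.
if [ "${1:-}" = write ]; then
    e1=$(rand_hex_key 16) a1=$(rand_hex_key 32) e2=$(rand_hex_key 16) a2=$(rand_hex_key 32)
    gen_setkey_conf 192.0.2.1 192.0.2.2 0x1001 0x1002 "$e1" "$a1" "$e2" "$a2" > ipsec-hostA.conf
    gen_setkey_conf 192.0.2.2 192.0.2.1 0x1002 0x1001 "$e2" "$a2" "$e1" "$a1" > ipsec-hostB.conf
    echo "wrote ipsec-hostA.conf and ipsec-hostB.conf"
fi
```

After loading, ''setkey -D'' shows the SAD and ''setkey -DP'' the SPD; traffic between the two hosts should then appear on the wire as IP protocol 50. Manual keys never expire and are never replaced, so this is for labs and debugging, not for production, where ''racoon'' should negotiate the SAs.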
 +
==== (Very) Basic concepts ====

This sums up a few technical details about IPSec. Beginners should read more detailed documentation first.
 +
=== Protocols ===

^ Protocol ^ Number / port ^ Name ^ Provides ^
| AH  | IP protocol 51 | Authentication Header | Integrity and origin authentication; it also covers the IP header, so it cannot pass through NAT |
| ESP | IP protocol 50 | Encapsulating Security Payload | Confidentiality, plus integrity when an authentication algorithm is configured (always configure one) |
| IKE | UDP port 500 | Internet Key Exchange | Peer authentication, SA negotiation and key exchange |
| NAT-T | UDP port 4500 | NAT Traversal | IKE and ESP encapsulated in UDP so that endpoints behind NAT can talk |

''racoon'' implements IKEv1 only; IKEv2 needs a different daemon.
 +
=== IPSec modes ===

^ Mode ^ Wrapping scope ^ Intended usage ^ Overhead ^
| Transport | IP payload only; the original IP header stays in place | Host-to-host integrity/encryption | AH/ESP header (and ESP trailer) |
| Tunnel | The whole IP packet, header included | VPN (gateway-to-gateway or host-to-gateway) | AH/ESP header (and ESP trailer) plus a new outer IP header |
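An added example for the two modes, not from the original page: the ''setkey'' policies differ in that a tunnel policy must name the gateway pair (the policy selects traffic by inner address, but the SA runs between the gateways), and the overhead column can be put into numbers. The addresses are constructed. The overhead figures assume ESP with AES-CBC (16-byte IV and block), HMAC-SHA1-96 (12-byte ICV), IPv4 and no NAT-T encapsulation; these are my assumptions for the example, not parameters from the page.

```shell
#!/bin/sh
# Added example, not from the original page: setkey(8) policies for the two
# IPsec modes, plus an ESP overhead estimate for a given L4 payload length.
# Addresses are constructed. The overhead model assumes ESP with AES-CBC
# (16-byte IV, 16-byte block), HMAC-SHA1-96 (12-byte ICV), IPv4, no NAT-T.
set -eu

# Print the outbound and inbound SPD entries for src<->dst. Transport mode
# needs no gateways; tunnel mode must name the gateway pair, reversed for
# the inbound direction.
spd_policy() {
    mode=$1 src=$2 dst=$3 gw_local=${4:-} gw_remote=${5:-}
    case $mode in
        transport)
            out_lvl="esp/transport//require"
            in_lvl=$out_lvl ;;
        tunnel)
            if [ -z "$gw_local" ] || [ -z "$gw_remote" ]; then
                echo "tunnel mode needs local and remote gateway addresses" >&2
                return 1
            fi
            out_lvl="esp/tunnel/$gw_local-$gw_remote/require"
            in_lvl="esp/tunnel/$gw_remote-$gw_local/require" ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1 ;;
    esac
    printf 'spdadd %s %s any -P out ipsec %s;\n' "$src" "$dst" "$out_lvl"
    printf 'spdadd %s %s any -P in ipsec %s;\n' "$dst" "$src" "$in_lvl"
}

# Bytes added to an IPv4 packet carrying $2 bytes of L4 data (RFC 4303 layout:
# SPI 4 + sequence 4 + IV 16 + padding + pad length 1 + next header 1 + ICV 12).
# Padding aligns (plaintext + the 2 trailer bytes) to the 16-byte CBC block.
# Tunnel mode encrypts the inner 20-byte IP header as well and adds an outer one.
esp_overhead() {
    mode=$1 plain=$2
    if [ "$mode" = tunnel ]; then
        plain=$(( plain + 20 ))
    fi
    pad=$(( (16 - (plain + 2) % 16) % 16 ))
    total=$(( 8 + 16 + pad + 2 + 12 ))
    if [ "$mode" = tunnel ]; then
        total=$(( total + 20 ))
    fi
    echo "$total"
}

# Usage: a host-to-host transport policy, a gateway-to-gateway tunnel policy
# for two private subnets, and the per-packet cost of each mode.
spd_policy transport 192.0.2.1 192.0.2.2
spd_policy tunnel 10.0.1.0/24 10.0.2.0/24 203.0.113.1 203.0.113.2
echo "ESP overhead for 100 bytes of L4 data: transport $(esp_overhead transport 100) bytes, tunnel $(esp_overhead tunnel 100) bytes"
```

The tunnel policy above is what a gateway with address 203.0.113.1 loads; the peer gateway loads the mirror image with the subnets and gateways swapped. Because of the padding step, the overhead is not a constant: the same cipher and MAC add between 38 and 53 bytes in transport mode depending on the payload length, before any outer header.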
 +
=== Glossary ===

| PSK | Preshared Keys |
| SA  | Security Association |
| SAD | Security Association Database |
| SP  | Security Policy |
| SPD | Security Policy Database |
 +
==== Linux Kernel modules ====

<code>aes_generic
esp4
esp6
sha1_generic
sha256_generic
xfrm4_mode_transport
xfrm6_mode_transport
xfrm_user</code>

This list only covers ESP in transport mode: tunnel mode additionally needs ''xfrm4_mode_tunnel'' / ''xfrm6_mode_tunnel'', and AH needs ''ah4'' / ''ah6''. ''xfrm_user'' is the netlink interface used by ''ip xfrm''; ''setkey'' and ''racoon'' talk to the kernel over PF_KEY, which is the ''af_key'' module. Recent kernels build the xfrm mode handlers into the xfrm core, so the ''xfrm*_mode_*'' modules no longer exist there.
  
docs/ipsec.1380283200.txt.gz · Last modified: 2013/09/27 14:00 by root
