IPSec cheat sheet
IPSec is tricky in places, and, worse, the existing documentation is a mess. This page collects the parts you need when working with the KAME tools (setkey and racoon).
How IPSec works with KAME tools
```
 setkey          racoon <--------(5) IKE--------> somebody
   |               ^  |
   |               |  |(6)
   |(1)        (4) |  +---------------+
   |               |                  |
   v               |                  v
+-----+  (2)       |        (3)    +-----+
| SPD |<-------- kernel ---------->| SAD |
+-----+            |               +-----+
                   |(7)
                   v
```

(1) setkey loads security policies (SPs) into the kernel's SPD.
(2) For every packet the kernel consults the SPD to decide whether IPSec applies and in which protocol and mode.
(3) If it does, the kernel looks up the matching SA in the SAD and applies AH/ESP with that SA's keys and algorithms.
(4) If a policy requires an SA that does not exist yet, the kernel asks racoon (a PF_KEY ACQUIRE) to negotiate one.
(5) racoon runs IKE with the peer ("somebody") to authenticate it and agree keys and parameters.
(6) racoon installs the negotiated SAs into the SAD (setkey can also add static SAs by hand, in which case racoon is not needed).
(7) The processed packet is transmitted, or on input handed up the stack.
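The racoon side of the flow above, steps (4) to (6), as an added example that is not from the original page: a minimal racoon.conf for a pre-shared-key (PSK) main-mode negotiation with one peer gateway. The addresses (RFC 5737 documentation range), the psk.txt path and the algorithm choices are assumptions; the policies that make the kernel ask racoon for an SA must be installed separately with setkey, and racoon only negotiates once such a request arrives.

```conf
# /etc/racoon/racoon.conf  (added example, not from the original page)
# Peer and paths are placeholders. psk.txt holds one line per peer:
#   192.0.2.2   <long random secret, same on both sides>
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE SA) with the remote gateway 192.0.2.2
remote 192.0.2.2 {
        exchange_mode main;          # main mode: identities are exchanged encrypted
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}

# Phase 2 (IPsec SAs, the entries racoon writes into the SAD in step (6))
sainfo anonymous {
        pfs_group modp2048;          # fresh DH exchange per child SA
        lifetime time 1 hour;        # rekey before the SA gets old
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
```

`sainfo anonymous` matches any selector the kernel asks for; on a gateway with several tunnels you would normally write one `sainfo` per address pair so that a peer cannot negotiate an SA for traffic it has no business carrying. Keep psk.txt readable by root only, since racoon refuses to start otherwise and the secret is all that authenticates the peer.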
(Very) Basic concepts
This sums up some of the technical details of IPSec. Beginners should first read more detailed documentation; this is a reminder, not a tutorial.
Protocols
| Protocol | IP protocol / port | Full name | Purpose |
|---|---|---|---|
| AH | IP protocol 51 | Authentication Header | Integrity and origin authentication of the whole packet, including the outer IP header; no confidentiality, and therefore does not survive NAT |
| ESP | IP protocol 50 | Encapsulating Security Payload | Confidentiality and (normally) integrity of the payload |
| IKE | UDP port 500 (UDP 4500 once NAT-T is in use) | Internet Key Exchange | Peer authentication, key exchange, SA setup |
| NAT-T | UDP port 4500 | NAT Traversal | UDP encapsulation of ESP so that peers behind NAT can communicate |
IPSec modes
| Mode | What is wrapped | Typical use | Overhead |
|---|---|---|---|
| Transport | IP payload only; the original IP header is kept | Host-to-host integrity/encryption | AH/ESP header (plus ESP trailer and ICV) |
| Tunnel | The whole original IP packet | VPN: gateway to gateway, or host to gateway | AH/ESP header plus a new outer IP header |
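Both modes expressed as setkey(8) policy, as an added example that is not from the original page. It covers step (1) of the KAME diagram above (policies into the SPD) and the two rows of the table, and ends with static SAs entered by hand, which is what racoon would otherwise negotiate and install into the SAD. All addresses are from the RFC 5737 documentation ranges and the keys are made-up placeholders; SPIs, key material and the choice of AES-CBC with HMAC-SHA2-256 are assumptions.

```conf
# /etc/ipsec.conf, loaded with: setkey -f /etc/ipsec.conf
# (added example, not from the original page; addresses and keys are placeholders)
flush;       # drop all SAs
spdflush;    # drop all policies

# --- Transport mode: host 192.0.2.1 <-> host 192.0.2.2 ----------------------
# The original IP header stays; only the payload is wrapped in ESP.
# "require" means: no matching SA -> packet is dropped and the kernel
# asks racoon to negotiate one (the ACQUIRE in the diagram).
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;

# --- Tunnel mode: net 10.0.1.0/24 <-> net 10.0.2.0/24 ------------------------
# Gateways 192.0.2.1 and 192.0.2.2 wrap the whole inner packet in ESP plus a
# new outer IP header (the extra overhead in the table). The selector names
# the inner networks; the tunnel endpoints follow "esp/tunnel/".
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/192.0.2.2-192.0.2.1/require;

# --- Static SAs for the transport policy (omit these when racoon is used) ----
# One SA per direction, each with its own SPI and its own keys.
# aes-cbc takes a 256-bit key (64 hex digits), hmac-sha2-256 a 256-bit key.
# The hex below is a PLACEHOLDER; generate real keys with: openssl rand -hex 32
add 192.0.2.1 192.0.2.2 esp 0x1000 -m transport
    -E aes-cbc      0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
    -A hmac-sha2-256 0x202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f;
add 192.0.2.2 192.0.2.1 esp 0x1001 -m transport
    -E aes-cbc      0x404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f
    -A hmac-sha2-256 0x606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f;
```

Check the result with `setkey -DP` (SPD) and `setkey -D` (SAD). Static keys never rotate and have to be copied to the peer out of band, so outside a lab prefer the `require` policies alone and let racoon populate the SAD; the `add` lines are mainly useful to confirm that the policies and the kernel path work before IKE enters the picture.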
Glossary
| Abbreviation | Meaning |
|---|---|
| PSK | Pre-shared Key |
| SA | Security Association |
| SAD | Security Association Database |
| SP | Security Policy |
| SPD | Security Policy Database |
docs/ipsec.1380300375.txt.gz · Last modified: 2013/09/27 18:46 by root