System Administration Guide: IP Services

Introduction to IPsec

IPsec provides security mechanisms that include secure datagram authentication and encryption mechanisms within IP. When you invoke IPsec, it applies the security mechanisms to IP datagrams that you have enabled in the IPsec global policy file. Applications can invoke IPsec to apply security mechanisms to IP datagrams on a per-socket level.

Figure 19–1 shows how an IP addressed packet, as part of an IP datagram, proceeds when IPsec has been invoked on an outbound packet. As you can see from the flow diagram, authentication header (AH) and encapsulating security payload (ESP) entities can be applied to the packet. Subsequent sections describe how you apply these entities, as well as authentication and encryption algorithms.

Figure 19–1 IPsec Applied to Outbound Packet Process

Flow diagram shows that the outbound packet is first protected by ESP, and then by AH.  The packet then goes to a tunnel or a physical interface.

Figure 19–2 shows the IPsec inbound process.

Figure 19–2 IPsec Applied to Inbound Packet Process

Flow diagram shows that IPsec first processes the AH header, then the ESP header on inbound packets. A packet that is not protected enough is dropped.