Internet Protocol Security (IPsec) provides network layer security protocols used for authentication, encryption, payload compression, and key exchange. IPsec provides Host-to-Host encrypted connections or Network-to-Network packet tunneling.
Network traffic between two end-points is encrypted and decrypted by authenticated hosts at the end-points, using a shared private key. The shared private key forms a Security Association that can be automatically changed by Security Policies based on traffic volume, expiry time, or other criteria.
IPsec will work for both IPv4 and IPv6.
DSR IPsec uses the Encapsulating Security Payload (ESP) protocol for encryption and authentication.
The ESP protocol uses encryption algorithms to encrypt either the packet payload or the entire packet, depending on whether IPsec is configured to use transport mode or tunnel mode. When IPsec is in transport mode, the packet payload is encrypted and the IP header is not encrypted. When IPsec is in tunnel mode the packet payload and the original IP header are both encrypted and a new IP header is added.
ESP also provides authentication of the encrypted packets to prevent attacks by ensuring the packet is from the correct source.
Many encryption algorithms use an initialization vector (IV) to encrypt. The IV is used to make each message unique, which makes it more difficult for cryptanalysis attempts to decrypt the ESP traffic.
The supported ESP encryption and authentication algorithms are described in IPsec IKE and ESP elements.
The encryption algorithms and authentication transformations that are supported for IKE are described in IPsec IKE and ESP elements.
racoon is an open source implementation of IKE that is used to exchange keys and set up the IPsec connections. There are two versions of racoon: racoon (which uses only IKEv1) and racoon2 (which can use IKEv1 or IKEv2). Newer implementations of IPsec use racoon2.
IPsec uses IPcomp to compress packets after encryption, to help with efficient handling of large packets.
When an IPsec connection is configured, Security Policies are created using the IPsec connection configuration files. IPsec uses Security Policies to define whether a packet should be encrypted or not. The Security Policies help determine whether an IPsec procedure is needed for a connection. The Security Policies do not change over time.
After the Security Policies exist and initial network connectivity has been made, the Internet Key Exchange (IKE) process occurs.
IPsec uses Security Associations to determine which type of encryption algorithm and authentication transformation should be used when creating an IPsec packet, and to apply the correct decryption algorithm when a packet is received. Because security associations change with time, a lifetime parameter is used to force the security associations to expire so that IPsec must renegotiate them.
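The relationship between static Security Policies and expiring Security Associations can be modeled in a few lines. This is an added illustration, not DSR or racoon code; the class names, addresses, SPI values, lifetimes, and the choice to treat unmatched traffic as bypass are all assumptions made for the example.

```python
# Added illustration: simplified Security Policy / Security Association model.
# All names and values are constructed; real IKE negotiation is only counted.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityPolicy:            # static: created from the connection config
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR)
    action: str                  # "protect" (apply ESP) or "bypass"

@dataclass
class SecurityAssociation:       # dynamic: negotiated by IKE, then expires
    spi: int
    created: float               # creation time in seconds
    lifetime_s: float            # expiry-time limit
    lifetime_bytes: int          # traffic-volume limit
    bytes_used: int = 0

    def expired(self, now):
        return (now - self.created >= self.lifetime_s
                or self.bytes_used >= self.lifetime_bytes)

class Endpoint:
    def __init__(self, policies, lifetime_s=3600, lifetime_bytes=10_000):
        self.policies = policies
        self.lifetime_s, self.lifetime_bytes = lifetime_s, lifetime_bytes
        self.sa = None
        self.negotiations = 0    # how many times a key exchange was needed

    def _match(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for p in self.policies:  # first matching policy wins
            if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
                return p
        return None

    def send(self, src, dst, size, now):
        policy = self._match(src, dst)
        if policy is None or policy.action == "bypass":
            return "cleartext"   # assumption: unmatched traffic is not protected
        if self.sa is None or self.sa.expired(now):
            self.negotiations += 1   # stand-in for an IKE exchange
            self.sa = SecurityAssociation(0x1000 + self.negotiations, now,
                                          self.lifetime_s, self.lifetime_bytes)
        self.sa.bytes_used += size
        return f"esp spi={self.sa.spi:#x}"
```

The policy list never changes after construction, while the SA is replaced whenever either lifetime limit is reached.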
An IPsec connection can be set up on a virtual IP (VIP), which can be used for HA. However, when a switchover occurs and the VIP is added on the new box, a SIGHUP is sent to the iked daemon on the newly active box, so that the VIP is under iked management. Also, the switchover will not occur until the security associations have expired and the renegotiation can begin.
Adding an IPsec connection also configures it. An existing IPsec connection can be edited or deleted, and an IPsec connection can be started (enabled) and stopped (disabled) without having to fully delete the connection.
IPsec setup needs to be performed on each MP that can control the connection.
This chapter provides procedures for adding, editing, deleting, enabling, and disabling an IPsec connection.