IPsec Security Databases

The packets you choose to encrypt are designated by the IPsec Security Policy Database (SPD). The method used to encrypt them is determined by the IPsec Security Association Database (SAD). The SAD associates an encryption method and key with a particular connection or kind of connection, while the SPD designates which connections are to be protected in the first place.

IPsec Tools

Several IPsec tools are provided with which you can manage your IPsec connections (see Table 17-1). The libipsec library provides the PF_KEY interface used for key management. With setkey, you can manage both the policy and association databases. The racoon daemon runs the key exchange process, negotiating keys securely for each connection. To see what your current security policies are in the SPD, use setkey -DP. To list the security associations in the SAD, use setkey -D.

Note 

To enable IPsec in the kernel, be sure to enable the PF_KEY, AH, and ESP options in Cryptographic Options.

Table 17-1: IPsec Tools

Tool         Description
libipsec     PF_KEY key-management library
setkey       Manage policy (SPD) and association (SAD) databases
racoon       Configure and implement secure key exchanges using Internet Key Exchange (IKE)
setkey -D    Examine security associations in the SAD
setkey -DP   Examine security policies in the SPD

IPsec and iptables

iptables filtering will stop many IPsec packets. To let them through, add rules that accept the two IPsec protocols: AH is IP protocol number 51, and ESP is IP protocol number 50. Because a host both sends and receives protected traffic, accept each protocol in both the INPUT and OUTPUT chains, as in the following rules.

iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
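The two databases in action, as an added example that is not part of the chapter: a POSIX shell script that generates a setkey(8) configuration with manually keyed SAD entries and SPD policies for ESP transport mode between two hosts, together with the iptables rules for AH and ESP. The host addresses, SPIs and key lengths (AES-128-CBC, HMAC-SHA1) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the chapter): generate a setkey(8) script that
# populates the SAD with manually keyed ESP entries and the SPD with the
# matching policies, plus the iptables rules that let AH/ESP through.
# Hosts, SPIs and key lengths are constructed assumptions for illustration.

# gen_key NBYTES: print NBYTES of random key material as lowercase hex.
gen_key() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# sa_entry SRC DST SPI ENC_KEY AUTH_KEY: print one SAD "add" line for an
# ESP SA using AES-128-CBC (16-byte key) and HMAC-SHA1 (20-byte key).
# Keys are hex digits without the 0x prefix; wrong lengths are refused
# here rather than left for setkey to reject at load time.
sa_entry() {
    [ "${#4}" -eq 32 ] || { echo "encryption key must be 32 hex digits" >&2; return 1; }
    [ "${#5}" -eq 40 ] || { echo "authentication key must be 40 hex digits" >&2; return 1; }
    printf 'add %s %s esp %s -E aes-cbc 0x%s -A hmac-sha1 0x%s;\n' "$1" "$2" "$3" "$4" "$5"
}

# setkey_conf LOCAL REMOTE: complete script for "setkey -c". Each direction
# gets its own SA, SPI and fresh keys; the SPD then requires ESP transport
# mode for all traffic between the two hosts.
setkey_conf() {
    lhost="$1" rhost="$2"
    echo "flush;"      # clear the SAD
    echo "spdflush;"   # clear the SPD
    sa_entry "$lhost" "$rhost" 0x1001 "$(gen_key 16)" "$(gen_key 20)"
    sa_entry "$rhost" "$lhost" 0x1002 "$(gen_key 16)" "$(gen_key 20)"
    echo "spdadd $lhost $rhost any -P out ipsec esp/transport//require;"
    echo "spdadd $rhost $lhost any -P in ipsec esp/transport//require;"
}

# iptables_rules: accept ESP (50) and AH (51) in both INPUT and OUTPUT.
iptables_rules() {
    for chain in INPUT OUTPUT; do
        for proto in 50 51; do
            echo "iptables -A $chain -p $proto -j ACCEPT"
        done
    done
}

# Example run with constructed addresses; pipe the first part into
# "setkey -c" as root, then verify with "setkey -D" (SAD) and "setkey -DP" (SPD).
setkey_conf 10.0.0.1 10.0.0.2
iptables_rules
```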
