The packets you choose to encrypt are designated by the IPsec Security Policy Database (SPD). The method you use to encrypt them is determined by the IPsec Security Association Database (SAD). The SAD associates an encryption method and key with a particular connection or kind of connection. The connections to be encrypted are designated in the Security Policy Database.
Several IPsec tools are provided with which you can manage your IPsec connections (see Table 17-1). The libipsec library lets you build a PF_KEY key library. With setkey, you can manage both the policy (SPD) and association (SAD) databases. The racoon daemon configures and carries out the key exchange (IKE) that negotiates encryption keys securely across connections. To see the current security policies in the SPD, use setkey -DP. For the security associations in the SAD, use setkey -SP.
Note: To enable IPsec in the kernel, be sure to enable the PF_KEY, AH, and ESP options under Cryptographic Options.
Table 17-1: IPsec tools

| Tool | Description |
|---|---|
| libipsec | Build PF_KEY key library |
| setkey | Manage policy (SPD) and association (SAD) databases |
| racoon | Configure and implement secure key exchanges using Internet Key Exchange (IKE) |
| setkey -SP | Examine security associations in the SAD database |
| setkey -DP | Examine security policies in the SPD database |
Iptables netfilter rules will stop many IPsec packets. To let iptables pass IPsec packets, add rules for the two IPsec protocols: the protocol number for AH is 51, and for ESP it is 50. To allow IPsec packets, set policy rules such as the following.

```
iptables -A INPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
```
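The following script is an added example, not code from the book or from the ipsec-tools project. It ties together the two databases described above for one manually keyed, transport-mode ESP connection, generating the setkey script (SAD "add" entries for how to encrypt, SPD "spdadd" entries for what to encrypt) and, going beyond the two rules above, iptables rules that accept both AH and ESP in both directions. The hosts 10.0.0.1 and 10.0.0.2, the SPIs and the keys are constructed placeholders.

```sh
# Added example, not from the book: emit a setkey(8) script that ties the
# two databases together for one manually keyed ESP connection, plus the
# matching iptables rules. Hosts, SPIs and keys are constructed placeholders.
set -eu

# key_bits HEX: print the length in bits of a 0x-prefixed hex key.
key_bits() {
  hex=${1#0x}
  echo $(( ${#hex} * 4 ))
}

# gen_setkey_conf SRC DST SPI_OUT SPI_IN ENC_KEY AUTH_KEY
# SAD entries (add) say HOW traffic is protected: algorithm, key and SPI.
# SPD entries (spdadd) say WHICH traffic must be protected, per direction.
# Key lengths are checked up front: setkey rejects a mismatched key, and a
# half-loaded script would leave a "require" policy with no SA behind it.
gen_setkey_conf() {
  src=$1 dst=$2 spi_out=$3 spi_in=$4 ekey=$5 akey=$6
  case $(key_bits "$ekey") in
    128|192|256) ;;
    *) echo "aes-cbc key must be 128, 192 or 256 bits" >&2; return 1 ;;
  esac
  [ "$(key_bits "$akey")" -eq 160 ] ||
    { echo "hmac-sha1 key must be 160 bits" >&2; return 1; }
  cat <<EOF
flush;
spdflush;
# SAD: one security association per direction, transport-mode ESP.
add $src $dst esp $spi_out -m transport -E aes-cbc $ekey -A hmac-sha1 $akey;
add $dst $src esp $spi_in -m transport -E aes-cbc $ekey -A hmac-sha1 $akey;
# SPD: require ESP for all traffic between the two hosts, both ways.
spdadd $src $dst any -P out ipsec esp/transport//require;
spdadd $dst $src any -P in ipsec esp/transport//require;
EOF
}

# gen_iptables_rules: accept AH (51) and ESP (50) on INPUT and OUTPUT, so
# netfilter does not drop the packets the policy above makes the kernel send.
gen_iptables_rules() {
  for chain in INPUT OUTPUT; do
    for proto in 50 51; do
      echo "iptables -A $chain -p $proto -j ACCEPT"
    done
  done
}

# Demo run. To load for real:  gen_setkey_conf ... | setkey -c
ENC=0x00112233445566778899aabbccddeeff             # 128-bit placeholder
AUTH=0x0123456789abcdef0123456789abcdef01234567   # 160-bit placeholder
gen_setkey_conf 10.0.0.1 10.0.0.2 0x1001 0x1002 "$ENC" "$AUTH"
gen_iptables_rules
```

In practice each direction should get its own keys; a single key pair is used here only to keep the placeholder short.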