IPsec is a widely known technology. Created for IPv6 and backported to IPv4, it adds a security layer to the IP stack. Before IPsec we had to encrypt data before sending it down the stack and then decrypt it on the other side once it came back out, using technologies like SSH or SSL/TLS. IPsec simplifies this by transparently handling encryption and decryption as well as header authentication.
But for all its intended simplicity and transparency, to the administrator it is anything but. If you google around you find piles of email on various lists from people who tried to get IPsec working, gave up in frustration and used OpenVPN instead, on both Linux and Solaris.
Part of the reason IPsec is so complex to manage is the number of technologies that all must work together properly before anything functions. This includes acronyms like AH, ESP, IKE, DH, RSA, SA, SAD, etc. In many respects it's similar to the frustration encountered the first time you approach LDAP and are overwhelmed with OU=, CN=, DN=, etc. Just like LDAP, with a little practice you get it sorted out and start making ground. We'll start high level and zoom in… please, please, read this before just copying examples! (I know you won't, but it'll save you time.)
IPsec is fundamentally similar to a firewall, in that you specify IPsec policies that determine how datagrams are handled. If a policy matches a datagram, it's handled as that policy says… if no policy matches, the datagram is processed as normal.
That's where the firewall analogy stops. Like a firewall, the policy says what to do and when to do it… but to encrypt or decrypt data we also need to know how to do it. The information that explains the how is known as a Security Association (SA). SAs are maintained in a special database named, unremarkably, the Security Association Database (SAD or SADB, depending on who you ask; same thing though).
It's the SA that actually contains the keys used for encrypting, decrypting and authenticating IPsec datagrams. So a packet goes through the stack, and a policy says "If the datagram source is 1.2.3.4 and the destination is 5.6.7.8, use IPsec." Now that the stack knows to use IPsec to encrypt, it goes looking in the SADB for an SA that contains the keys. There is a lot of duplication here because policies and SAs are independent things, so you specify the authentication algorithm, encryption algorithm, and source and destination addresses in both the IPsec policy and the SA. It's strange at first.
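To make the policy/SA split concrete, here is an added example (not code from the original post) that writes one policy entry and the manually keyed SAs it depends on, using the syntax of /etc/inet/ipsecinit.conf and /etc/inet/secret/ipseckeys as documented in ipsecconf(1M) and ipseckey(1M). The addresses, SPIs, algorithm choice and keys are constructed for illustration, and the helper names (hexkey, policy_entry, sa_entries, check_sa_entries, write_config) are my own. It also shows the two things the paragraph above only hints at: SAs are one-directional, so a conversation needs a pair of them, and the addresses and algorithms really are repeated in both files, so it is worth checking that they agree before loading anything.

```shell
#!/bin/sh
# Added example (not from the original post): one IPsec policy entry plus the
# pair of manually keyed SAs it relies on, in Solaris ipsecconf(1M)/ipseckey(1M)
# syntax. Addresses, SPIs, algorithms and keys below are constructed.
LOCAL=192.168.1.10
REMOTE=192.168.1.20
ENCR=aes        # AES-128: 16-byte key, written as 32 hex digits
AUTH=sha1       # HMAC-SHA1: 20-byte key, written as 40 hex digits

# Read n bytes from /dev/urandom and print them as one run of lowercase hex
# (od and tr are POSIX, so no extra tooling is needed to generate keys).
hexkey() { od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'; }

# The policy entry (/etc/inet/ipsecinit.conf): *when* to apply IPsec (the
# address match) and *what* to apply (ESP with AES encryption and SHA1 auth).
policy_entry() {
    printf '{laddr %s raddr %s} ipsec {encr_algs %s encr_auth_algs %s sa shared}\n' \
        "$LOCAL" "$REMOTE" "$ENCR" "$AUTH"
}

# The SA entries (/etc/inet/secret/ipseckeys): *how* to do it, i.e. the keys.
# SAs are unidirectional, so one is needed per direction, each with its own
# SPI and its own keys. The addresses and algorithms are repeated from the
# policy because the SADB is a separate database from the policy database.
sa_entries() {
    printf 'add esp spi 0x1001 src %s dst %s encr_alg %s encrkey %s auth_alg %s authkey %s\n' \
        "$LOCAL" "$REMOTE" "$ENCR" "$(hexkey 16)" "$AUTH" "$(hexkey 20)"
    printf 'add esp spi 0x1002 src %s dst %s encr_alg %s encrkey %s auth_alg %s authkey %s\n' \
        "$REMOTE" "$LOCAL" "$ENCR" "$(hexkey 16)" "$AUTH" "$(hexkey 20)"
}

# Consistency check before loading: every SA must use the algorithms the
# policy names, and every key must be the right length for its algorithm.
# Field numbers are the word positions in the lines printed by sa_entries.
check_sa_entries() {
    sa_entries | awk -v e="$ENCR" -v a="$AUTH" '
        $1 != "add" || $2 != "esp"        { bad++ }
        $10 != e || length($12) != 32     { bad++ }
        $14 != a || length($16) != 40     { bad++ }
        END { exit bad ? 1 : 0 }'
}

# Write both files into a directory (default: current). On Solaris, as root,
# the real files would then be loaded with:
#   ipsecconf -a /etc/inet/ipsecinit.conf
#   ipseckey -f /etc/inet/secret/ipseckeys
write_config() {
    dir=${1:-.}
    policy_entry > "$dir/ipsecinit.conf"
    sa_entries   > "$dir/ipseckeys"
    chmod 600 "$dir/ipseckeys"      # this file holds raw keys: owner-only access
}
```

Run `check_sa_entries` before `write_config` and it will refuse (non-zero exit) if an algorithm name or key length drifts from what the policy expects, which is exactly the kind of mismatch that otherwise shows up only as silently dropped traffic. The key file is made owner-only because, unlike the policy file, it contains the actual secrets.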
Now, just as IPsec is supposed to make life simple and transparent, so is IKE (Internet Key Exchange). An IKE daemon runs on both sides of a connection and negotiates SAs for you. This provides a variety of benefits, but simplicity isn't exactly one of them, because you still need to configure IKE rules, which are similar to SAs. In other words, you can't just create an IPsec policy, enable IKE and be done.
Before we get into the examples, let's look at the various files and commands involved:
Files:
* IPsec:
  o /etc/inet/ipsecinit.conf: IPsec policy definitions
  o /etc/inet/secret/ipseckeys: IPsec SA definitions
* IKE:
  o /etc/inet/ike/config: IKE global configuration and rules
  o /etc/inet/secret/ike.preshared: preshared key definitions
  o /etc/inet/secret/ike.privatekeys/: directory containing IKE private keys
  o /etc/inet/ike/publickeys/: directory containing IKE public keys
  o /etc/inet/ike/crls/: directory containing IKE certificates
Commands:
* IPsec:
  o ipsecconf: load or display the IPsec policy configuration
  o ipseckey: manually manipulate the IPsec Security Association Database (SADB)
  o ipsecalgs: display the available IPsec ESP/AH algorithms
* IKE:
  o in.iked: the IKE daemon
  o ikeadm: manipulate IKE parameters and state (flush, add, get, set, ...)
  o ikecert: manipulate IKE's on-filesystem public-key certificate databases
The simplest configuration is to "pre-share" keys, meaning create a key and manually put it on both systems. In my next blog entry we'll step through actually creating an IPsec policy, creating keys, creating Security Associations, and testing an IPsec connection.
great introduction, very knowledgeable
looking forward to reading the next entry
Keep up the good work.
nice post
I agree with you
thank you for sharing the article.