From Hackepedia
Jump to navigationJump to search


IPsec (outlined in RFC 2401) is a security enhancement to the IP and IPv6 protocols in Internet communication. Since IPsec is a combination of keyed-hash, symmetric cryptography as well as assymetric cryptography it's proper to make this a seperate section outlining all functions of the protocol here.

IPsec has three protocols Authenticated Header (AH), Encapsulating Security Payload (ESP), and IP Compression (IPComp). In a short explanation AH adds a message authentication check to the header ensuring integrity of the payload. ESP encrypts the payload following the IPsec header making it safer from sniffing, and also adds a message authentication check.

IPsec usually uses the IKE protocol to do symmetric key setup, and to provide authentication of end-points (vs authentication of individual packets).

OS Implementations

For GNU/Linux the popular implementation is openswan which is the result of the disbandment of freeswan.

FreeBSD IPsec requires you build it into your kernel, this will require:

options         IPSEC
options         IPSEC_ESP

in /usr/src/sys/i386/conf/$YOUR_FIREWALL and a kernel recompile.

OpenBSD has a built-in IPsec stack. It has a daemon called isakmpd which speaks the ISAKMP/Oakley aka. IKE Key management protocol is used for establishing security associations (private encryption keys) between peers.

Microsoft WinXP Pro apparently has ipsec built in as well.