Wednesday, February 24, 2010

IPSec, IPsec and NAT

IPSec types and their uses?
Problem with IPSec and NAT?
The IPSec Authentication Header (AH). AH runs the entire IP packet, including invariant header fields such as the source and destination IP addresses, through a message digest algorithm to produce a keyed hash. The recipient uses this hash to authenticate the packet. If any covered field of the original IP packet is modified, authentication fails and the recipient discards the packet. AH is intended to prevent unauthorized modification, source spoofing, and man-in-the-middle attacks. But NAT, by definition, modifies IP packets (at least the addresses). Therefore, AH + NAT simply cannot work.

When TCP or UDP are involved, as they are in transport mode ESP, there is a catch-22. The TCP checksum covers a pseudo-header that includes the IP addresses, so when NAT rewrites an address it must also recalculate the checksum used to verify integrity. If NAT updates the TCP checksum, ESP authentication will fail. If NAT does not update the checksum (for example, because the payload is encrypted and the checksum is unreachable), TCP verification will fail at the receiver.
If the transport endpoint is under your control, you might be able to turn off checksum verification. In other words, ESP can pass through NAT in tunnel mode, or in transport mode with TCP checksums disabled or ignored by the receiver.
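The two failures above, worked through on constructed packets (an added example, not code from the original post): AH's keyed hash covers the addresses, so a source NAT breaks it, and a TCP checksum hidden inside an ESP transport-mode payload no longer matches the address the receiver sees. The key, addresses and packet contents are constructed placeholders; only the fields the argument needs are modelled.

```python
import hashlib
import hmac
import struct
KEY = b"constructed-demo-key"  # constructed; a real AH key is negotiated by IKE

def ip2b(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))

def csum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, as used by the IP and TCP headers."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ip_header(src: str, dst: str, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header carrying TCP, header checksum filled in."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, ip2b(src), ip2b(dst))
    return h[:10] + struct.pack("!H", csum(h)) + h[12:]

def ah_icv(pkt: bytes) -> bytes:
    """AH integrity value: keyed hash over the packet with only the mutable
    fields zeroed (TTL, header checksum). Both addresses stay covered."""
    covered = pkt[:8] + b"\x00" + pkt[9:10] + b"\x00\x00" + pkt[12:]
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]

def tcp_pseudo(src: str, dst: str, seg: bytes) -> bytes:
    """The TCP checksum also covers this pseudo-header with both IP addresses."""
    return struct.pack("!4s4sBBH", ip2b(src), ip2b(dst), 0, 6, len(seg))

def source_nat(pkt: bytes, new_src: str) -> bytes:
    """NAT rewrites the source address and fixes the IP header checksum only;
    a TCP checksum inside an ESP-encrypted payload is out of its reach."""
    h = bytearray(pkt[:20])
    h[12:16] = ip2b(new_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", csum(bytes(h)))
    return bytes(h) + pkt[20:]

def ah_survives_nat(src="10.0.0.5", dst="203.0.113.7", nat_src="198.51.100.1") -> bool:
    pkt = ip_header(src, dst) + b"constructed payload"
    return hmac.compare_digest(ah_icv(pkt), ah_icv(source_nat(pkt, nat_src)))

def esp_transport_tcp_survives_nat(src="10.0.0.5", dst="203.0.113.7", nat_src="198.51.100.1") -> bool:
    seg = bytearray(20)  # constructed TCP header; the sender fills in the checksum
    seg[16:18] = struct.pack("!H", csum(tcp_pseudo(src, dst, seg) + bytes(seg)))
    # ESP hides seg from NAT, so only the outer source address changes; the
    # receiver decrypts and checks the checksum against the address it saw.
    return csum(tcp_pseudo(nat_src, dst, seg) + bytes(seg)) == 0
```

Passing the unchanged source as nat_src shows both checks succeed when no address is rewritten; in tunnel mode the inner header and TCP checksum are untouched by NAT, which is why that mode works.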

Key exchange mechanism?
IPsec transport mode and tunnel mode: is the IP header encrypted?
Difference between IKEv1 and IKEv2?


http://www.netbsd.org/docs/network/ipsec/

Good information

http://unixwiz.net/techtips/iguide-ipsec.html

http://www.kame.net/newsletter/20001119/

Commands
setkey -D : dump the SAD entries (-D = dump)
setkey -PD : dump all SPD entries (-P = policy database)
setkey -F : flush the SAD entries
setkey -FP : flush the SPD (policy) entries

# IPsec with IKE, using a pre-shared secret
racoon.conf
path pre_shared_key "/usr/local/v6/etc/psk.txt";
