Setup guide
Wandy Router to Wandy Router
IPsec Between two Masquerading Wandy Routers
Wandy router to CISCO Router
Wandy Router and Linux FreeS/WAN
General Information
Specifications
Packages required: security
License required: level1
ip ipsec
Standards and Technologies: IPsec
Hardware usage: consumes a lot of CPU time (Intel Pentium MMX or AMD K6 suggested as a minimal configuration)
Related Documents
• Package Management
• IP Addresses and ARP
• Firewall Filters
Description
IPsec (IP Security) supports secure (encrypted) communications over IP networks.
Encryption
After a packet is src-natted, but before it is put into the interface queue, the IPsec policy database is consulted to find out whether the packet should be encrypted. The Security Policy Database (SPD) is a list of rules that have two parts:
• Packet matching - the packet's source/destination, protocol and ports (for TCP and UDP) are compared to the values in the policy rules, one rule after another
• Action - if the rule matches, the action specified in the rule is performed:
  • accept - continue with the packet as if there were no IPsec
  • drop - drop the packet
  • encrypt - encrypt the packet
Each SPD rule can be associated with several Security Associations (SA) that determine the packet encryption parameters (key, algorithm, SPI).
Note that a packet can only be encrypted if there is a usable SA for the policy rule. By setting the SPD rule security "level", the user can control what happens when there is no valid SA for the policy rule:
• use - if there is no valid SA, send the packet unencrypted (like an accept rule)
• acquire - send the packet unencrypted, but ask the IKE daemon to establish a new SA
• require - drop the packet, and ask the IKE daemon to establish a new SA.
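The outbound SPD lookup described above, as an added illustration that is not the router's own code: rules are tried in order, the first match decides, and for an encrypt rule the "level" decides what happens when no valid SA exists. The Rule/SA field names and the sample rules, SAs and packets are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    src: str                       # source prefix, e.g. "10.0.1.0/24"
    dst: str                       # destination prefix
    protocol: str = "all"          # "all", "tcp" or "udp"
    dst_port: Optional[int] = None # compared only for tcp/udp
    action: str = "encrypt"        # "accept", "drop" or "encrypt"
    level: str = "require"         # "use", "acquire" or "require"

@dataclass
class SA:
    rule: int      # index of the SPD rule this SA belongs to
    spi: int
    valid: bool = True

def matches(rule, pkt):
    """Packet-matching part of an SPD rule: addresses, protocol, port."""
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.protocol != "all":
        if pkt["proto"] != rule.protocol:
            return False
        if rule.dst_port is not None and pkt.get("dport") != rule.dst_port:
            return False
    return True

def outbound(spd, sas, pkt):
    """Return (disposition, ike_requested) for a packet after src-nat.
    disposition is 'plain', 'drop' or 'encrypt'."""
    for i, rule in enumerate(spd):
        if not matches(rule, pkt):
            continue                      # try the next rule
        if rule.action == "accept":
            return "plain", False
        if rule.action == "drop":
            return "drop", False
        # action == "encrypt": a usable SA for this rule is needed
        if any(sa.rule == i and sa.valid for sa in sas):
            return "encrypt", False
        if rule.level == "use":
            return "plain", False         # behaves like accept
        if rule.level == "acquire":
            return "plain", True          # plaintext now, ask IKE for an SA
        return "drop", True               # require: drop and ask IKE
    return "plain", False                 # no rule matched: IPsec not involved

# Constructed sample SPD: admin traffic to one host must be encrypted,
# everything else to the remote LAN goes out in the clear while IKE runs.
SPD = [
    Rule("10.0.1.0/24", "10.0.2.10/32", "tcp", 22, "encrypt", "require"),
    Rule("10.0.1.0/24", "10.0.2.0/24", "all", None, "encrypt", "acquire"),
]
SAS = [SA(rule=0, spi=0x1001, valid=True)]
```
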
Decryption
When an encrypted packet is received for the local host (after dst-nat and the input filter), the appropriate SA