Red Hat Enterprise Linux 3 Security Guide: IPsec; IPsec Installation; IPsec Host-to-Host Configuration

Chapter 6. Virtual Private Networks

6.9. IPsec

Red Hat Enterprise Linux supports a protocol for connecting remote hosts and networks to each other using a secure tunnel on a common carrier network such as the Internet. The protocol, called IPsec, can be implemented using a host-to-host (one computer workstation to another) or network-to-network (one LAN/WAN to another). The IPsec implementation in Red Hat Enterprise Linux uses Internet Key Exchange (IKE), which is a protocol implemented by the IETF to be used for mutual authentication and secure associations between connecting systems.

The Red Hat Enterprise Linux implementation of IPsec uses IKE for sharing keys between hosts across the Internet. The racoon keying daemon handles the IKE key distribution and exchange.

6.10. IPsec Installation

Implementing IPsec requires that the ipsec-tools RPM package be installed on all IPsec hosts (if using a host-to-host configuration) or routers (if using a network-to-network configuration). The RPM package contains essential libraries, daemons, and configuration files to aid in setup of the IPsec connection:

/lib/libipsec.so — library that contains the PF_KEY trusted key management socket interface between the Linux kernel and the IPsec implementation used in Red Hat Enterprise Linux.

/sbin/setkey — manipulates the key management and security attributes of IPsec in the kernel. This executable is controlled by the racoon key management daemon. For more information on setkey, refer to the setkey(8) man page.

/sbin/racoon — the IKE key management daemon, used to manage and control security associations and key sharing between IPsec-connected systems. This daemon can be configured by editing the /etc/racoon/racoon.conf file. For more information about racoon, refer to the racoon(8) man page.

/etc/racoon/racoon.conf — the racoon daemon configuration file used to configure various aspects of the IPsec connection, including authentication methods and encryption algorithms used in the connection. For a complete listing of directives available, refer to the racoon.conf(5) man page.

Configuring IPsec on Red Hat Enterprise Linux can be done via the Network Administration Tool or by manually editing networking and IPsec configuration files. For more information about using the Network Administration Tool, refer to the Red Hat Enterprise Linux System Administration Guide.

To connect two network-connected hosts via IPsec, refer to Section 6.11 IPsec Host-to-Host Configuration. To connect one LAN/WAN to another via IPsec, refer to Section 6.12 IPsec Network-to-Network Configuration.

6.11. IPsec Host-to-Host Configuration

IPsec can be configured to connect one desktop or workstation to another by way of a host-to-host connection. This type of connection uses the network to which each host is connected to create the secure tunnel to each other. The requirements of a host-to-host connection are minimal, as is the configuration of IPsec on each host. The hosts need only a dedicated connection to a carrier network (such as the Internet) and Red Hat Enterprise Linux to create the IPsec connection.

The first step in creating a connection is to gather system and network information from each workstation. For a host-to-host connection, you need the following information:

The IP address for both hosts
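A minimal host-to-host setup built from the components listed in Section 6.10, as an added example rather than text from the Red Hat guide: a setkey policy file that requires ESP in transport mode between the two hosts, and the matching /etc/racoon/racoon.conf using a pre-shared key. The addresses 192.0.2.10 (this host) and 198.51.100.20 (the peer) and the file name /etc/setkey.conf are constructed placeholders.

```conf
# --- /etc/setkey.conf (assumed path), loaded on this host with: setkey -f /etc/setkey.conf ---
# Constructed addresses: 192.0.2.10 is this host, 198.51.100.20 is the peer.
flush;       # drop any existing security associations
spdflush;    # drop any existing security policies
# Require ESP in transport mode (host-to-host, no tunnel) for all protocols in both directions.
# When no SA exists yet, the kernel signals racoon over the PF_KEY socket to negotiate one via IKE.
spdadd 192.0.2.10 198.51.100.20 any -P out ipsec esp/transport//require;
spdadd 198.51.100.20 192.0.2.10 any -P in  ipsec esp/transport//require;

# --- /etc/racoon/racoon.conf on this host; the peer uses the same file with 192.0.2.10 as remote ---
# psk.txt holds one line per peer, "198.51.100.20 <secret>", and must be mode 0600.
path pre_shared_key "/etc/racoon/psk.txt";

remote 198.51.100.20 {
    exchange_mode main;                  # IKE phase 1 in main mode (identities are encrypted)
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;                      # 1024-bit MODP group
    }
}

sainfo anonymous {                       # IKE phase 2: parameters for the IPsec SAs
    pfs_group 2;                         # fresh DH exchange per SA (perfect forward secrecy)
    lifetime time 1 hour;                # rekey at least hourly
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

After racoon is started on both hosts, the first packet matching the policy triggers the IKE negotiation; `setkey -D` lists the resulting SAs and `setkey -DP` the installed policies, and racoon refuses a psk.txt that is readable by other users.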