43.7.3. IPsec
Red Hat Enterprise Linux supports IPsec for connecting remote hosts and networks to each other
using a secure tunnel on a common carrier network such as the Internet. IPsec can be implemented
using a host-to-host (one computer workstation to another) or network-to-network (one LAN/WAN to
another) configuration.
The IPsec implementation in Red Hat Enterprise Linux uses Internet Key Exchange (IKE), a protocol
implemented by the Internet Engineering Task Force (IETF), used for mutual authentication and
secure associations between connecting systems.
43.7.4. Creating an IPsec Connection
An IPsec connection is split into two logical phases. In phase 1, an IPsec node initializes the
connection with the remote node or network. The remote node or network checks the requesting
node's credentials and both parties negotiate the authentication method for the connection.
On Red Hat Enterprise Linux systems, an IPsec connection uses the pre-shared key method of IPsec
node authentication. In a pre-shared key IPsec connection, both hosts must use the same key in order
to move to Phase 2 of the IPsec connection.
Phase 2 of the IPsec connection is where the Security Association (SA) is created between IPsec
nodes. This phase establishes an SA database with configuration information, such as the encryption
method, secret session key exchange parameters, and more. This phase manages the actual IPsec
connection between remote nodes and networks.
The Red Hat Enterprise Linux implementation of IPsec uses IKE for sharing keys between hosts
across the Internet. The racoon keying daemon handles the IKE key distribution and exchange. Refer
to the racoon man page for more information about this daemon.
43.7.5. IPsec Installation
Implementing IPsec requires that the ipsec-tools RPM package be installed on all IPsec hosts
(if using a host-to-host configuration) or routers (if using a network-to-network configuration). The
RPM package contains essential libraries, daemons, and configuration files for setting up the IPsec
connection, including:
• /sbin/setkey — manipulates the key management and security attributes of IPsec in the kernel.
This executable is controlled by the racoon key management daemon. Refer to the setkey(8)
man page for more information.
• /usr/sbin/racoon — the IKE key management daemon, used to manage and control security
associations and key sharing between IPsec-connected systems.
• /etc/racoon/racoon.conf — the racoon daemon configuration file used to configure various
aspects of the IPsec connection, including authentication methods and encryption algorithms
used in the connection. Refer to the racoon.conf(5) man page for a complete listing of available
directives.
To configure IPsec on Red Hat Enterprise Linux, you can use the Network Administration Tool, or
manually edit the networking and IPsec configuration files.
• To connect two network-connected hosts via IPsec, refer to Section 43.7.6, "IPsec Host-to-Host Configuration".
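The manual configuration route mentioned above, as an added example that is not from the guide: a shell helper that stages the three files a pre-shared-key host-to-host connection needs, the psk.txt credential racoon checks in Phase 1, the racoon.conf proposals for Phase 1 and Phase 2, and the setkey policies that make the kernel require ESP between the two hosts. The helper name, the addresses and the secret are constructed, and the algorithm choices are assumptions to be checked against racoon.conf(5).

```shell
#!/bin/sh
# Hypothetical helper (not from the RHEL guide): stage a host-to-host
# IPsec configuration into $1, to be copied to /etc and /etc/racoon
# on the real host. Arguments: staging dir, local IP, peer IP, secret.
write_ipsec_config() {
  dir=$1; local_ip=$2; remote_ip=$3; psk=$4
  mkdir -p "$dir/racoon"

  # Phase 1 credential: one "<peer-ip> <secret>" line per peer.
  # Both hosts must hold the same secret or IKE never reaches Phase 2,
  # so keep the file readable by root only.
  printf '%s %s\n' "$remote_ip" "$psk" > "$dir/racoon/psk.txt"
  chmod 600 "$dir/racoon/psk.txt"

  # Kernel SPD entries, loaded with `setkey -f setkey.conf`: require
  # ESP transport mode for all traffic between the two hosts in both
  # directions. racoon fills the SAD once IKE completes.
  cat > "$dir/setkey.conf" <<EOF
flush;
spdflush;
spdadd $local_ip $remote_ip any -P out ipsec esp/transport//require;
spdadd $remote_ip $local_ip any -P in ipsec esp/transport//require;
EOF

  # racoon.conf: the remote block governs Phase 1 (peer authentication),
  # sainfo governs Phase 2 (the SA proposal). Main mode is used because
  # aggressive mode sends the identity hash unprotected.
  cat > "$dir/racoon/racoon.conf" <<EOF
path pre_shared_key "/etc/racoon/psk.txt";
remote $remote_ip {
        exchange_mode main;
        my_identifier address;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo address $local_ip any address $remote_ip any {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}
```

After copying the files into place, load the policies with `setkey -f` and start racoon; `setkey -DP` shows whether the kernel holds the two policies.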