23. Virtual Private Networks — IPsec

Kernun supports IPsec in the transport and tunnel modes, using the ESP protocol. In the transport mode, Kernun requires a tunnel (GIF or GRE) interface and uses IPsec to encrypt the encapsulated traffic passed via this interface. In the tunnel mode, IPsec encrypts traffic between the specified networks. IPsec in Kernun consists of several parts, represented by components in GKAT. IPsec packets are handled by the operating system kernel according to the SPD (Security Policy Database) and SAD (Security Association Database). The SPD entries for individual IPsec tunnels are controlled by the ipsec Kernun components. Security associations are created by ISAMKP daemon Racoon, presented also as a separate component.

A GKAT window with IPsec-related components is depicted in Figure 5.98, “IPsec components in a GKAT window”. There is a GIF tunnel network interface called GIF-IPSEC, which is used by the IPsec tunnel represented by the TRANSPORT component. Another IPsec tunnel, the TUNNEL component, uses IPsec in the tunnel mode (without a related tunnel interface). The RACOON component is the ISAKMP daemon.

Figure 5.98. IPsec components in a GKAT window

IPsec components in a GKAT window

The examples of IPsec configuration described here are available in the sample configuration file /usr/local/kernun/conf/samples/cml/ipsec.cml.

23.1. IPsec Configuration

Figure 5.99. IPsec configuration

IPsec configuration

The resulting IPSec configuration in both modes is shown in Figure 5.99, “IPsec configuration”. When applied, IPsec-related components GIF-IPSEC, RACOON, TRANSPORT, and TUNNEL will be created and become visible in GKAT (see Figure 5.98, “IPsec components in a GKAT window”). For IPsec in the transport mode, the configuration contains the tunnel interface GIF-IPSEC. Its configuration section defines the interface device name, local and remote logical IP addresses, and the tunnel addresses (the physical IP addresses used for the encapsulation of tunneled packets). Section ipsec-global can contain global parameters of the ISAKMP daemon. There is a section for each IPsec tunnel. Section ipsec TRANSPORT configures IPsec in the transport mode for encryption of packets travelling via interface GIF-IPSEC. The authentication utilizes X.509 certificates. Other ISAKMP phase 1 and phase 2 parameters have the default values. Section ipsec TUNNEL sets up IPsec in the tunnel mode. It is not related to any network interface, hence the networking parameters — local, remote, and tunnel (physical) addresses, set of protocols handled by IPsec, and security association mode — are defined inside the ipsec section. A pre-shared secret key for authentication is specified. Again, the remaining ISAKMP parameters have the default values.