2.7.4. Creating an IPsec Connection
An IPsec connection is split into two logical phases. In Phase 1, an IPsec node initializes the connection with the remote node or network. The remote node or network checks the requesting node's credentials and both parties negotiate the authentication method for the connection.

On Fedora systems, an IPsec connection uses the pre-shared key method of IPsec node authentication. In a pre-shared key IPsec connection, both hosts must use the same key in order to move to Phase 2 of the IPsec connection.

Phase 2 of the IPsec connection is where the Security Association (SA) is created between IPsec nodes. This phase establishes an SA database with configuration information, such as the encryption method, secret session key exchange parameters, and more. This phase manages the actual IPsec connection between remote nodes and networks.

The Fedora implementation of IPsec uses the Internet Key Exchange protocol (IKE) for sharing keys between hosts across the Internet. The racoon keying daemon handles the IKE key distribution and exchange. Refer to the racoon man page for more information about this daemon.
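The two phases described above map directly onto two blocks of a racoon configuration: the remote block governs Phase 1 (peer authentication with the pre-shared key), and the sainfo block governs Phase 2 (the SA parameters, including the encryption method). The following is an added illustration written for this section, not configuration taken from the Fedora documentation or shipped with racoon; the peer address 192.0.2.10, the file paths under /etc/racoon and the key value are constructed placeholders.

```conf
# /etc/racoon/racoon.conf  (added example; addresses and paths are constructed)

# Where racoon looks up the pre-shared key for each peer address.
# Keep this file readable by root only: it holds the Phase 1 secret.
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1: IKE identity and authentication with the peer at 192.0.2.10.
remote 192.0.2.10 {
    exchange_mode main;              # main mode protects identities during negotiation
    my_identifier address;           # identify this host by its IP address
    lifetime time 1 hour;            # re-authenticate the IKE SA hourly
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;   # both hosts must hold the same key
        dh_group 2;
    }
}

# Phase 2: parameters for the IPsec Security Association itself.
sainfo anonymous {
    pfs_group 2;                     # fresh Diffie-Hellman exchange per IPsec SA
    lifetime time 1 hour;            # rekey the IPsec SA hourly
    encryption_algorithm aes;        # ESP encryption method stored in the SA database
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# /etc/racoon/psk.txt  (one "peer-address  key" pair per line; constructed value)
192.0.2.10   CONSTRUCTED_EXAMPLE_KEY_REPLACE_ME
```

The psk.txt entry on each host must name the other host's address and carry the identical key, otherwise Phase 1 fails and racoon never proceeds to the Phase 2 SA negotiation. A short or guessable key weakens the whole tunnel, since main-mode IKE with a pre-shared key is only as strong as that key; generate a long random value rather than a passphrase, and restrict the file's permissions so the key is not readable by other local users.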