Red Hat Enterprise Linux supports IPsec for connecting remote hosts and networks to
each other using a secure tunnel over a common carrier network such as the
Internet. IPsec can be deployed in a host-to-host configuration (one computer
workstation to another) or a network-to-network configuration (one LAN/WAN to
another). The IPsec implementation in Red Hat Enterprise Linux uses Internet
Key Exchange (IKE), a protocol standardized by the Internet Engineering Task Force
(IETF) for mutual authentication and the establishment of
secure associations between connecting systems.
An IPsec connection is split into two logical phases. In phase 1, an
IPsec node initializes the connection with the remote node or
network. The remote node or network checks the requesting node's
credentials, and both parties negotiate the authentication method for the
connection. On Red Hat Enterprise Linux systems, an IPsec connection uses the
pre-shared key method of IPsec node
authentication. In a pre-shared key IPsec connection, both hosts must
hold the same key in order to move to the second phase of the IPsec
connection.
Phase 2 of the IPsec connection is where the security
association (SA) is created between the
IPsec nodes. This phase populates the SA database with the configuration
of the connection, such as the encryption method, the parameters for
exchanging the secret session key, and more. This phase manages the actual IPsec
connection between remote nodes and networks.
The Red Hat Enterprise Linux implementation of IPsec uses IKE for sharing keys between
hosts across the Internet. The racoon keying daemon
handles the IKE key distribution and exchange.
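To make the two phases concrete, the following added example (not part of the Red Hat manual) writes a host-to-host pre-shared-key configuration for racoon: the `remote` block carries the phase 1 settings, the `sainfo` block the phase 2 SA parameters, and a `setkey` policy file tells the kernel which traffic must be protected with ESP. The addresses, the secret and the function name are constructed, and the example assumes an ipsec-tools racoon that supports AES, SHA-256 and the modp2048 group.

```shell
#!/bin/sh
# Added example, not from the Red Hat manual. Constructed values:
# local host 192.0.2.1, peer 192.0.2.2 (pass your own as arguments).
# Usage: write_ipsec_config LOCAL_IP PEER_IP SECRET [OUTPUT_DIR]
# OUTPUT_DIR defaults to /etc/racoon; use a scratch directory to review first.
write_ipsec_config() {
    local_ip="$1"; peer_ip="$2"; secret="$3"; out="${4:-/etc/racoon}"
    mkdir -p "$out"

    # racoon.conf: phase 1 ("remote") and phase 2 ("sainfo") proposals.
    cat > "$out/racoon.conf" <<EOF
path pre_shared_key "$out/psk.txt";

remote $peer_ip {
    exchange_mode main;          # main mode keeps identities encrypted in phase 1
    my_identifier address;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp2048;
    }
}

sainfo address $local_ip/32 any address $peer_ip/32 any {
    pfs_group modp2048;          # fresh Diffie-Hellman exchange per phase 2 SA
    lifetime time 1 hour;        # rekey the session key regularly
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha256;
}
EOF

    # Both hosts must hold the identical secret; create it readable by root only.
    ( umask 077; printf '%s %s\n' "$peer_ip" "$secret" > "$out/psk.txt" )
    chmod 0600 "$out/psk.txt"

    # Security policy for setkey -f: require ESP in both directions.
    cat > "$out/setkey.conf" <<EOF
flush;
spdflush;
spdadd $local_ip $peer_ip any -P out ipsec esp/transport//require;
spdadd $peer_ip $local_ip any -P in ipsec esp/transport//require;
EOF
}
```

After reviewing the generated files, load the policy with `setkey -f /etc/racoon/setkey.conf` and start racoon with the same configuration on both hosts.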