Red Hat [Electronic resources] : The Complete Reference Enterprise Linux Fedora Edition; The Complete Reference (text version)

Richard L. Petersen

IPsec Security Databases


The packets you choose to encrypt are designated by the IPsec Security Policy Database (SPD). The method you use to encrypt them is determined by the IPsec Security Association Database (SAD). The SAD associates an encryption method and key with a particular connection or kind of connection. The connections to be encrypted are designated in the Security Policy Database.


IPsec Tools


Several IPsec tools are provided with which you can manage your IPsec connections (see Table 17-1). The libipsec tool lets you build a key library. With setkey, you can manage both the policy and association databases. The racoon tool configures the key exchange process to implement secure decryption key exchanges across connections. To see what your current security policies are in the SPD database, you can use setkey -DP. For security associations in the SAD, you can use setkey -SP.





Note: To enable IPsec in the kernel, be sure to enable the PF_KEY, AH, and ESP options in Cryptographic Options.

Table 17-1: IPsec Tools

Tool          Description
libipsec      Build PFkey
setkey        Manage policy (SPD) and association (SAD) databases
racoon        Configure and implement secure key exchanges using IPsec Key Exchange (IKE)
setkey -SP    Examine security associations in the SAD database
setkey -DP    Examine security policies in the SPD database



IPsec and IP Tables


iptables netfiltering will stop many IPsec packets. To enable iptables to pass IPsec packets, use the following iptables commands. The protocol number for AH is 51, and for ESP it is 50. To allow IPsec packets, you should set rules such as the following, accepting both protocols on both the INPUT and OUTPUT chains.

iptables -A INPUT -p 50 -j ACCEPT     # ESP, inbound
iptables -A INPUT -p 51 -j ACCEPT     # AH, inbound
iptables -A OUTPUT -p 50 -j ACCEPT    # ESP, outbound
iptables -A OUTPUT -p 51 -j ACCEPT    # AH, outbound
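As an added example (not from the book, and not ipsec-tools' own code), the following shell script generates a setkey configuration that fills both databases for a manually keyed ESP transport-mode connection between two hosts, and the iptables rules that accept AH and ESP in both directions. Addresses, SPIs and file names are constructed placeholders, keys are drawn from /dev/urandom, and with racoon you would let IKE negotiate the SAD entries instead of keying them by hand.

```shell
#!/bin/sh
# Added example (not from the book): generate a manually keyed
# IPsec ESP configuration for setkey and the iptables rules that
# let IPsec through. Addresses and SPIs are constructed values.

# N random bytes from /dev/urandom as a hex string (a manual key).
hexkey() { od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'; }

# setkey script for host LOCAL ($1) talking to REMOTE ($2).
# $3 $4 $5: SPI, AES key, HMAC key for LOCAL->REMOTE;
# $6 $7 $8: the same for REMOTE->LOCAL.
# 'add' lines fill the SAD (algorithm and key per direction: aes-cbc
# 128-bit, hmac-sha1 160-bit); 'spdadd' lines fill the SPD (require
# ESP transport mode for all traffic between the two hosts).
gen_setkey_conf() {
    cat <<EOF
flush;
spdflush;
add $1 $2 esp $3 -E aes-cbc 0x$4 -A hmac-sha1 0x$5;
add $2 $1 esp $6 -E aes-cbc 0x$7 -A hmac-sha1 0x$8;
spdadd $1 $2 any -P out ipsec esp/transport//require;
spdadd $2 $1 any -P in ipsec esp/transport//require;
EOF
}

# Netfilter: accept AH (51) and ESP (50) inbound and outbound.
gen_iptables_rules() {
    for chain in INPUT OUTPUT; do
        for proto in 50 51; do
            echo "iptables -A $chain -p $proto -j ACCEPT"
        done
    done
}

# One setkey file per host: both carry the same SAD entries (same
# SPIs and keys); only the SPD in/out direction is swapped.
# Load with 'setkey -f FILE'; check with 'setkey -D' and 'setkey -DP'.
write_pair() {
    a=$1; b=$2
    spi_ab=0x201; enc_ab=$(hexkey 16); auth_ab=$(hexkey 20)
    spi_ba=0x301; enc_ba=$(hexkey 16); auth_ba=$(hexkey 20)
    gen_setkey_conf "$a" "$b" "$spi_ab" "$enc_ab" "$auth_ab" \
        "$spi_ba" "$enc_ba" "$auth_ba" > "ipsec-$a.conf"
    gen_setkey_conf "$b" "$a" "$spi_ba" "$enc_ba" "$auth_ba" \
        "$spi_ab" "$enc_ab" "$auth_ab" > "ipsec-$b.conf"
    gen_iptables_rules > ipsec-iptables.sh
}

# Usage: sh ipsec-pair.sh 10.0.0.1 10.0.0.2  (writes the three files)
if [ $# -eq 2 ]; then write_pair "$1" "$2"; fi
```

Generating the files needs no privileges; loading them with setkey and applying the iptables rules requires root on each host.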
