Monday 13 June 2016

IPsec-Tools: Tools For IPSec Implementations


IPsec ("IP security") is a means of authenticating, and optionally encrypting, TCP/IP traffic, and so provides a chosen level of security for it.

IPsec-tools is the user-space tool set used with the various IPsec implementations. It is a port of KAME's libipsec, setkey and racoon to Linux, and it also works on various BSD systems.

Before Linux had IPsec support, there were FreeS/WAN and KAME, and both included a kernel patch that communicated with a key exchange daemon. KAME had no Debian package, so you would install the packages freeswan and kernel-patch-freeswan (both version 1.96) and recompile your kernel with the patch. Life was simple, even if you were forced to use a non-standard kernel.

The newer Linux source packages could not be unpatched to remove the IPsec support without failed hunks, nor could the FreeS/WAN source be patched to understand the new API without similar problems. The newer FreeS/WAN packages from "unstable" and "testing" failed to compile on Woody.

Now that Sarge is released, you can create IPsec tunnels in two different ways: either with the FreeS/WAN/Openswan KLIPS method or with the racoon/BSD KAME method. The necessary fixes for the Openswan modules are already backported into the stock Debian kernels (2.4.27 and 2.6.8 <I can verify this is true for the 2.6.8 kernel but haven't tried the 2.4.27 kernel>).

This method allows basic use (no NAT) with Shorewall but does not implement the new Security Policy Database (SPD).

The other method is the newer KAME approach. It is built directly into the 2.6 kernel, but to work with the new security policies (SPD) you need to patch the kernel and iptables with the new Netfilter policy match. Shorewall has a different setup for this method.

The KAME packages are ipsec-tools and racoon, the latter being the key exchange daemon.

libipsec-

It is a library with a PF_KEY implementation.

setkey-

It is a tool used to manipulate and dump the kernel Security Policy Database (SPD) and Security Association Database (SAD).

racoon-

It is an Internet Key Exchange (IKE) daemon for automatically keying IPsec connections.

racoonctl-

This is a shell-based control tool for racoon.
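As an added example (not from the post or the ipsec-tools project), the shell function below builds a setkey script that installs manually keyed transport-mode ESP SAs into the SAD and the SPD entries that require them, checking the key lengths and SPI values that setkey itself would reject. The addresses, SPIs and keys passed in are constructed placeholders; in practice the keys come from a CSPRNG, or you let racoon negotiate them via IKE instead of keying by hand.

```sh
#!/bin/sh
# Added example: build a setkey(8) script with manually keyed transport-mode
# ESP SAs plus the SPD policies that require them. All addresses, SPIs and
# keys are constructed placeholders supplied by the caller.

# check_key ALG HEXKEY: setkey rejects an SA whose key length does not fit
# the algorithm (aes-cbc: 128/192/256 bits, hmac-sha1: exactly 160 bits).
check_key() {
    bits=$(( ${#2} * 4 ))
    case "$1:$bits" in
        aes-cbc:128|aes-cbc:192|aes-cbc:256|hmac-sha1:160) return 0 ;;
    esac
    echo "check_key: $1 does not accept a $bits-bit key" >&2
    return 1
}

# check_spi SPI: SPIs 0-255 are reserved, so insist on a larger decimal value.
check_spi() {
    case "$1" in *[!0-9]*|'') echo "check_spi: '$1' is not decimal" >&2; return 1 ;; esac
    [ "$1" -gt 255 ] || { echo "check_spi: $1 is in the reserved range" >&2; return 1; }
}

# gen_setkey_conf SRC DST SPI_OUT SPI_IN ENC_OUT ENC_IN AUTH_OUT AUTH_IN
# Prints the setkey script on stdout. Each direction gets its own SPI and
# its own keys; reusing one key for both directions is a common mistake.
gen_setkey_conf() {
    src=$1 dst=$2 spi_out=$3 spi_in=$4
    check_spi "$spi_out" && check_spi "$spi_in" || return 1
    check_key aes-cbc "$5" && check_key aes-cbc "$6" || return 1
    check_key hmac-sha1 "$7" && check_key hmac-sha1 "$8" || return 1
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;

# SAD: one SA per direction, each with its own SPI and keys
add $src $dst esp $spi_out -m transport -E aes-cbc 0x$5 -A hmac-sha1 0x$7;
add $dst $src esp $spi_in -m transport -E aes-cbc 0x$6 -A hmac-sha1 0x$8;

# SPD: require ESP for every packet between the two hosts, in both directions
spdadd $src $dst any -P out ipsec esp/transport//require;
spdadd $dst $src any -P in ipsec esp/transport//require;
EOF
}
```

Write the output to a file and load it as root with `setkey -f file`; `setkey -D` then shows the resulting SAD and `setkey -DP` the SPD.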


BSD License


