Standards and Technologies: IPsec
Hardware usage: consumes a lot of CPU time (Intel Pentium MMX or AMD K6 suggested as a
minimal configuration)
Related Documents
• Software Package Management
• IP Addresses and ARP
•
Description
IPsec (IP Security) supports secure (encrypted) communications over IP networks.
Encryption
After packet is src-natted, but before putting it into interface queue, IPsec policy database is
consulted to find out if packet should be encrypted. Security Policy Database (SPD) is a list of rules
that have two parts:
• Packet matching - packet source/destination, protocol and ports (for TCP and UDP) are
compared to values in policy rules, one after another
• Action - if rule matches action specified in rule is performed:
•
• accept - continue with packet as if there was no IPsec
• drop - drop packet
• encrypt - encrypt packet
Each SPD rule can be associated with several Security Associations (SA) that determine packet
encryption parameters (key, algorithm, SPI).
Note that packet can only be encrypted if there is usable SA for policy rule. By setting SPD rule
security "level" user can control what happens when there is no valid SA for policy rule:
• use - if there is no valid SA, send packet unencrypted (like accept rule)
• acquire - send packet unencrypted, but ask IKE daemon to establish new SA
• require - drop packet, and ask IKE daemon to establish new SA.
Decryption
When encrypted packet is received for local host (after dst-nat and input filter), the appropriate SA
is looked up to decrypt it (using packet source, destination, security protocol and SPI value). If no
SA is found, the packet is dropped. If SA is found, packet is decrypted. Then decrypted packet's
fields are compared to policy rule that SA is linked to. If the packet does not match the policy rule it
is dropped. If the packet is decrypted fine (or authenticated fine) it is "received once more" - it goes
through dst-nat and routing (which finds out what to do - either forward or deliver locally) again.
Note that before forward and input firewall chains, a packet that was not decrypted on local host is
compared with SPD reversing its matching rules. If SPD requires encryption (there is valid SA
associated with matching SPD rule), the packet is dropped. This is called incoming policy check.
Page 304 of 695
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registred trademarks mentioned herein are properties of their respective owners.
To Next Page
Loading...
General