Red Hat Enterprise Linux supports IPsec for connecting remote
hosts and networks to each other using a secure tunnel on a common
carrier network such as the Internet. IPsec can be implemented
using a host-to-host (one computer workstation to another) or
network-to-network (one LAN/WAN to another). The IPsec
implementation in Red Hat Enterprise Linux uses Internet Key Exchange (IKE), which is a protocol implemented by the
Internet Engineering Task Force (IETF) to be used for mutual authentication and
secure associations between connecting systems.
An IPsec connection is split into two logical phases. In phase
1, an IPsec node initializes the connection with the remote node or
network. The remote node/network checks the requesting node's
credentials and both parties negotiate the authentication method
for the connection. On Red Hat Enterprise Linux systems, an IPsec
connection uses the pre-shared key method
of IPsec node authentication. In a pre-shared key IPsec connection,
both hosts must use the same key in order to move to the second
phase of the IPsec connection.
Phase 2 of the IPsec connection is where the security association (SA) is created between IPsec nodes. This phase
establishes an SA database with configuration information, such as
the encryption method, secret session key exchange parameters, and
more. This phase manages the actual IPsec connection between remote
nodes and networks.
The Red Hat Enterprise Linux implementation of IPsec uses IKE
for sharing keys between hosts across the Internet. The racoon keying daemon handles the IKE key
distribution and exchange.