Allied Telesis AT-WR4500 Network Router User Manual

188 AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
Description
IPsec (IP Security) supports secure (encrypted) communications over IP networks.
Encryption
After a packet is src-natted (if needed), but before it is put into the interface queue, the IPsec policy database is consulted to find out whether the packet should be encrypted. The Security Policy Database (SPD) is a list of rules that have two parts:
- Packet matching - the packet's source/destination, protocol and ports (for TCP and UDP) are compared to the values in the policy rules, one after another
- Action - if a rule matches, the action specified in the rule is performed:
  - none - continue with the packet as if there were no IPsec
  - discard - drop the packet
  - encrypt - apply IPsec transformations to the packet
Each SPD rule can be associated with several Security Associations (SA) that determine the packet encryption parameters (key, algorithm, SPI).
Note that a packet can only be encrypted if there is a usable SA for the policy rule. The same SA may be used for different policies, unless this is specifically prohibited by a policy. By setting the SPD rule security "level", the user can control what happens when there is no valid SA for the policy rule:
- use - if there is no valid SA, send the packet unencrypted (like an accept rule)
- require - drop the packet, and ask the IKE daemon to establish a new SA
- unique - same as require, but establish a unique SA for this policy (i.e., this SA may not be shared with another policy)
Decryption
When an encrypted packet is received for the local host (after dst-nat and the input filter), the appropriate SA is looked up to decrypt it (using the packet's source, destination, security protocol and SPI value). If no SA is found, the packet is dropped. If an SA is found, the packet is decrypted. The decrypted packet's fields are then compared to the policy rule that the SA is linked to. If the packet does not match the policy rule, it is dropped. If the packet is decrypted (or authenticated) successfully, it is "received once more": it goes through dst-nat and routing (which decides what to do with it, either forward or deliver locally) again.
Before the forward and input firewall chains, a packet that was not decrypted on the local host is compared with the SPD with its matching rules reversed. If the SPD requires encryption (there is a valid SA associated with the matching SPD rule), the packet is dropped. This is called the incoming policy check.
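The SPD consult, the use/require/unique levels and the incoming policy check described in the two sections above, modelled as an added Python example (constructed here; not RouterOS code). Packets are (src, dst, proto) tuples, ports are omitted, and first-match-wins rule order is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(eq=False)
class SA:
    spi: int
    unique_to: Optional["Policy"] = None  # set when the SA was created for a level=unique policy

@dataclass(eq=False)
class Policy:
    src: str
    dst: str
    proto: str = "any"            # packet-matching part
    action: str = "encrypt"       # none | discard | encrypt
    level: str = "require"        # use | require | unique
    sas: list = field(default_factory=list)

    def matches(self, pkt, reverse=False):
        src, dst, proto = pkt
        if reverse:               # incoming policy check compares with matching reversed
            src, dst = dst, src
        return (src, dst) == (self.src, self.dst) and self.proto in ("any", proto)

def usable_sa(pol):
    """First SA this policy may use; an SA bound to another unique policy is not shareable."""
    return next((sa for sa in pol.sas if sa.unique_to is None or sa.unique_to is pol), None)

def outbound(spd, pkt):
    """SPD consult for an outgoing packet: returns (verdict, request to the IKE daemon)."""
    for pol in spd:               # rules are checked one after another; first match wins (assumption)
        if not pol.matches(pkt):
            continue
        if pol.action == "none":
            return "plaintext", None
        if pol.action == "discard":
            return "drop", None
        if usable_sa(pol):
            return "encrypt", None
        if pol.level == "use":    # no valid SA: send unencrypted
            return "plaintext", None
        # require / unique: drop and ask IKE for an SA (unique => not shareable with other policies)
        return "drop", ("new-unique-sa" if pol.level == "unique" else "new-sa")
    return "plaintext", None      # no rule matched: IPsec is not involved

def incoming_policy_check(spd, pkt):
    """Cleartext packet not decrypted here: drop if the reversed SPD requires encryption and has a valid SA."""
    for pol in spd:
        if pol.matches(pkt, reverse=True):
            return "drop" if pol.action == "encrypt" and usable_sa(pol) else "accept"
    return "accept"
```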
Internet Key Exchange
The Internet Key Exchange (IKE) is a protocol that provides authenticated keying material for the Internet Security Association and Key Management Protocol (ISAKMP) framework. There are other key exchange schemes that work with ISAKMP, but IKE is the most widely used one. Together they provide the means for authentication of hosts and automatic management of security associations (SA).
Most of the time the IKE daemon is doing nothing. There are two possible situations in which it is activated:
- Some traffic caught by a policy rule needs to be encrypted or authenticated, but the policy doesn't have any SAs. The policy notifies the IKE daemon about this, and the IKE daemon initiates a connection to the remote host.
- The IKE daemon responds to a remote connection.
In both cases, the peers establish a connection and execute two phases:
- Phase 1 - The peers agree upon the algorithms they will use in the following IKE messages and authenticate each other. The keying material used to derive keys for all SAs and to protect the following ISAKMP exchanges between the hosts is generated as well.