IPSEC IKE LINUX 1 77

INTERNET TCP/IP IETF Internet Engineering Task Force Internet Protocol SECurity IPSEC INTERNET IPv6 IPSEC IP IPSEC Confidentiality MAC Message Authentication Code Integrity Authentication IPSEC TCP/IP AH ESP AH ESP SA Security Association IKE Internet Key Exchange LINUX LINUX LINUX FreeS/WAN LINUX IPSEC FreeS/WAN IPSEC IPSEC 1.01.91 IPSEC RFC2401 RFC2409 IPSEC FreeS/WAN IPSEC IPSEC IPSEC FreeS/WAN IPSEC FreeS/WAN IPSEC FreeS/WAN IKE FreeS/WAN IKE IKE

IPSEC VPN

Internet IPSEC

A DES 64 56 32 16 64 3DES 3*56=168 DES DES DES 3 CBC CBC IV IV IV IV IV IV B

RSA RSA RSA RSA HASH HASH HASH HASH MAC MD5 SHA MD5 128

SHA 160 IPSEC IP AH ESP IP IP IPSEC IPSEC IP IP IPSEC TCP UDP IP IPSEC IP TCP UDP IP IP IPSEC IP IP IP IPSEC IPSEC AH ESP IPSEC IP IP IPSEC IP IP IPSEC ESP FreeS/WAN ESP 3DES-CBC HMAC-MD5-96 HMAC-SHA-96 ESP AH ESP AH

ESP ESP ESP IP SPI IV TCP ESP IP SPI IV IP TCP

SPI ESP AH SPI 32 IP AH ESP SA 32 SA 0 SA IP 1 SA 232 IP SA IV CBC ICV SA AH AH AH AH IP AH AH IP SPI

AH IP SPI IP FreeS/WAN AH HMAC-SHA-96 HMAC-MD5-96 ESP AH ESP IP IP IPSEC SA Security Association IPSEC IPSEC SA IPSEC / SA SA AH ESP SA A B AH ESP SA SA SA SA SPI IP AH ESP SA SA SA SA SA SA SA

SA IP AH ESP SA SA SA SA SA SA IP IP IPSEC

HostA -------- Gateway1 ----------- ................ --------- Gateway2 -------------- HostB

SA SA SA SA AH ESP AH IP ESP AH ESP SA AH ESP IPSEC SPDB SA SADB IP SPDB SPDB SPDB SADB SA AH SA Tunnel ESP SA (Tunnel)

SA SA SADB SA DataBase SA SA SA FreeS/WAN SADB IP IPSEC SPDB SA SA SA SA SA IPSEC IPSEC IPSEC IP SPI IP SADB SA IP AH ESP IPSEC SA SA SPI SA IPSEC SA IKE IKE ISAKMP Oakley SKEME IKE IPSEC SA RFC2407 IPSEC DOI RFC2408 ISAKMP RFC2409 IKE ISAKMP SA SA IPSEC RFC2407 RFC2409 IKE ISAKMP RFC2407 IKE IKE IPSEC SA ISAKMP SA SA ISAKMP SA

IPSEC SA ISAKMP SA IKE Informational New Group ISAKMP SA Diffie-Hellman

LINUX LINUX LINUX IPSEC FreeS/WAN IPSEC FreeS/WAN 1.0 1.9 LINUX 2.0 2.4 FreeS/WAN IPSEC IKE IKE FreeS/WAN IKE FreeS/WAN IPSEC IPSEC IPSEC IPSEC

[PF_KEY Socket] [PF_UNIX Socket] [PF_INET Socket]

2-1 IPSEC FreeS/WAN

PF_INET Socket PF_INET Socket TCP/IP IPSEC IP IP TCP/UDP AH ESP SPDB (Security Policy DataBase) SADB (Security Association DataBase) IP virtual interface network interface IKE Pluto Daemon whack

IP ESP AH IP IP IP IP ESP AH IP IP FreeS/WAN IP ipsec0 ipsec1 ...... TCP/IP IP IP IP IP IP IP ESP AH FreeS/WAN IP ESP AH ESP AH TCP/UDP ESP AH IP IP IP IP PF_KEY Socket PF_KEY Socket Socket RFC2367 PF_KEY Key Management API, Version 2 PF_KEY Socket IPSEC OSPFv2 SA security association SADB SA DataBase PF_ROUTE Socket SADB PF_KEY Socket Socket RFC2367 PF_KEY Socket SADB PF_KEY FreeS/WAN PF_KEY RFC

FreeS/WAN SPDB Security Policy DataBase eroute table SPDB PF_KEY Socket RFC2367 PF_UNIX Socket FreeS/WAN IKE Pluto daemon FreeS/WAN PF_UNIX Socket Whack PF_UNIX Socket Pluto daemon Pluto PF_UNIX Socket LINUX PF_UNIX Socket PF_LOCAL 2-2 Pluto PF_KEY Socket SADB SPDB PF_UNIX Socket whack select PF_UNIX Socket PF_KEY Socket PF_INET Socket Socket

PF_KEY Socket PF_UNIX Socket PF_INET Socket

2-2 Pluto

event_handle UDP SADB SA struct event Pluto PF_KEY event_handle PF_INET Socket UDP 500 comm_handle PF_UNIX Socket whack whack_handle PF_KEY Socket pfkey_event

EVENT_REINIT_SECRET EVENT_SO_DISCARD EVENT_RETRANSMIT EVENT_SA_REPLACE EVENT_SA_EXPIRE comm_handle RFC2407 RFC2408 RFC2409 IKE UDP 500 IANA UDP IKE Pluto big endian little endian comm_handle whack_handle Whack whack Whack Pluto struct whack_message Whack connection listen initiate connection Pluto connection struct connection struct connection Pluto RSA ID IP user@FQDN lefthost righthost IP ISAKMP SA ESP AH PFS perfect forward security leftsubnet rightsubnet IDci IDcr IPSEC SA whack listen Pluto PF_INET Socket UDP PF_INET Socket Pluto listen ioctl IP IP

500 UDP Socket IKE comm_handle initiate Pluto struct connection ISAKMP SA IPSEC SA pfkey_event IKE SADB_ACQUIRE SADB_REGISTER SADB_ACQUIRE FreeS/WAN IPSEC opportunism Encryption Pluto IPSEC SA opportunism Encryption PF_KEY PF_KEY PF_KEY Socket SADB SA SADB_ACQUIRE PF_KEY Pluto PF_KEY SADB_REGISTER IKE SADB_REGISTER SADB_REGISTER FreeS/WAN shell setup IPSEC IPSEC Pluto IPSEC ipsec.conf auto Auto Whack Whack Whack Whack PF_UNIX Socket Pluto struct connection Pluto auto Whack initiate Pluto initiate ISAKMP SA IPSEC SA

IKE IPSEC SA IPSEC SA IKE SA auto manual eroute spi eroute SPDB spi SADB SPI Security Parameter Index IPSEC SA

    Initiator                 Responder
    HDR SA
                              HDR SA
    HDR KE NONCE
                              HDR KE NONCE
    HDR* IDii AUTH
                              HDR* IDir AUTH

3-1

Initiator Responder state_main_i1 state_main_r0 state_main_r1 state_main_i2 state_main_r2 state_main_i3 state_main_i4 state_main_r3

Initiator state_main_i1 --- state_main_i2 --- state_main_i3 --- state_main_i4
Responder state_main_r0 --- state_main_r1 --- state_main_r2 --- state_main_r3

main_inI3_outR3 main_inR3 Pluto struct state struct state st_state SA ISAKMP SA IPSEC SA SA SA SA ISAKMP SA Pluto IPSEC SA SADB IPSEC SA IP IPSEC SA Pluto UDP RFC2409 FreeS/WAN FreeS/WAN-1.9 RSA RFC2409 Pre-shared key

    Initiator                                Responder
    HDR, SA              ------1----
                         ----2------         HDR, SA
    HDR, KE, Ni          -----3----
                         ----4------         HDR, KE, Nr
    HDR*, IDii, HASH_I   ------5----
                         ----6------         HDR*, IDir, HASH_R

    Initiator                                Responder
    HDR, SA              ------1----
                         ----2------         HDR, SA
    HDR, KE, Ni          -----3----
                         ----4------         HDR, KE