IPSec database location

0

Internet Protocol Security (IPSec) has two databases: the Security Policy Database (SPD) and the Security Association Database (SAD).

I want to know where these databases are located. Do they exist on both sides, sender and receiver (IPsec peers)? Can anyone tell me some more details? That will be great.

My understanding is SPD and SAD are stored locally, on each side of IPSec sessions. Tell me if I was right or wrong.

Thank you all

Leanne

Posted 2018-10-24T21:49:09.020

Reputation: 5

Answers

0

Yes, the "databases" are stored by the IPsec peers themselves. (Although they're called "databases", they're just short single tables – not too different from the routing table.)

If the OS performs IPsec ESP/AH processing in the kernel, then the SPD/SAD will be stored in the kernel as well (maintained by the userspace IKE software).

  • On modern Linux systems using the Netkey interface, you can use ip xfrm policy and ip xfrm state to see the current state of both databases.

  • Most BSDs appear to use setkey -DP and setkey -D. (Note: These tools might also be present on Linux and will show the same data, but they are practically obsolete there.)

  • Windows lets you see the databases via the IPsec 'snap-in' inside mmc.

user1686

Posted 2018-10-24T21:49:09.020

Reputation: 283 655
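As an added example (not from the question or the answer above) of reading the Linux SAD that the answer points to: a POSIX shell function that condenses `ip xfrm state` output to one line per SA, keeping the algorithm names but dropping the key material the raw dump includes. The input is a constructed dump using RFC 5737 addresses and placeholder keys; the function name summarize_sad is an assumption of this example.

```shell
#!/bin/sh
# Condense a Linux SAD dump ('ip xfrm state') to one line per SA:
#   <src> <dst> <proto> <spi> <mode> <enc-alg> <auth-alg>
# Reads the dump from stdin, e.g.   ip xfrm state | summarize_sad
# (dumping the SAD needs root, because the kernel keeps the live keys there).
summarize_sad() {
    awk '
        function flush() {
            if (src != "") print src, dst, proto, spi, mode, enc, auth
        }
        # every SA record starts with its "src A dst B" line
        /^src / { flush(); src = $2; dst = $4
                  proto = spi = mode = enc = auth = "-" }
        /^[ \t]*proto / {
            proto = $2; spi = $4
            for (i = 1; i <= NF; i++) if ($i == "mode") mode = $(i + 1)
        }
        /^[ \t]*enc /  { enc = $2 }             # $3 is the key: never printed
        /^[ \t]*aead / { enc = $2; auth = "aead" }
        /^[ \t]*auth(-trunc)? / { auth = $2 }   # $3 is the key: never printed
        END { flush() }
    '
}

# Constructed sample dump: one SA per direction, as both peers would hold.
SAMPLE_SAD='src 192.0.2.10 dst 198.51.100.20
    proto esp spi 0x0001a2b3 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0xKEYREDACTED 128
    enc cbc(aes) 0xKEYREDACTED
    anti-replay context: seq 0x0, oseq 0x2a, bitmap 0x00000000
src 198.51.100.20 dst 192.0.2.10
    proto esp spi 0x0004c5d6 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0xKEYREDACTED 128
    enc cbc(aes) 0xKEYREDACTED
    anti-replay context: seq 0x1f, oseq 0x0, bitmap 0xffffffff'

# Run the summary over the constructed sample.
demo() { printf '%s\n' "$SAMPLE_SAD" | summarize_sad; }
demo
```

Because the key bytes are the most sensitive content of the SAD, a summary like this is what belongs in a troubleshooting ticket or a log, not the raw dump.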