VPN Encrypting & Decrypting Method?

Check Point Security Gateway performs IPSec encryption using the following two components:

• vpnd daemon ($FWDIR/bin/vpnd) -

User Mode daemon, which is in charge of handling both IKE and IPSec SAs, as well as initiating and responding for IKE negotiations with other VPN gateways. This daemon is spawned by fwd daemon.

• vpnk (VPN kernel - $FWDIR/boot/modules/vpn*mod*.o)                                                   module - Kernel component of the IKE and IPSec implementation - all SAs are downloaded from the vpnd daemon to the vpnk module. To see all the SAs currently downloaded to the vpnk module, run the command "vpn tu" on Security Gateway and select "List all IPSec SAs". The encryption and decryption of IPSec encrypted packets is performed in this kernel module.

Encrypting a packet

 

• A packet enters the Security Gateway (at Pre-Inbound chain "i").
• The packet is inspected by the FireWall and sent to the OS Kernel (at Post-Inbound chain "I").
• The OS routes the packet, using the destination address of the original packet.
• The outgoing packet is inspected by the FireWall (at Pre-Outbound chain "o").
• The vpnk module encrypts the packet (at Post-Outbound chain "O").
• The IPSec packet is sent out.

Decrypting a packet

• An IPSec packet enters the Security Gateway.
• The vpnk module decrypts the packet (at Pre-Inbound chain "i").
• The decrypted (original) packet is inspected by the FireWall and sent to the OS Kernel (at Post-Inbound chain "I").
• The OS routes the packet, using the destination address of the original packet (at Pre-Outbound chain "o").
• The outgoing packet is inspected by the FireWall (at Post-Outbound chain "O").