PLATFORM

We chose to implement it on Linux 2.6 because Linux 2.6 has a built-in IPsec implementation, and the related IPsec tools, including racoon (an IKE daemon) and setkey (a tool for policy configuration), are available at http://ipsec-tools.sourceforge.net/. Guidance on building IPsec into Linux 2.6 can be found at http://www.ipsec-howto.org/x247.html.

SOURCE CODE DISTRIBUTION

Main directory /ipsappol:
  daemon.c                  : user-level daemon, policy translation
  parse.y scan.l            : parse the configuration file, policy query
  grabmyaddr.c grabmyaddr.h : find the IP addresses of the local machine
  srv-rules.conf            : application policy for the server side
  cli-rules.conf            : application policy for the client side
  ips-test1.sh ips-test2.sh ssh-test1.sh ssh-test2.sh : shell scripts for performance evaluation

/ipsappol/kernel/ipskm.c : kernel module, pseudo character device

USAGE

1. Build
   a) Build the kernel module: in .../ipsappol/kernel, type "make". The output kernel module is "ipskm.ko".
   b) Build the application policy daemon: in .../ipsappol, type "make". The output executable is "ipsappold".

2. Insert the kernel module
   [root@localhost kernel]# insmod ipskm.ko

3. Create a device node "ips" in /dev. (This step only needs to be done once.)
   a) Find out the major device number it uses with dmesg:
      [root@localhost kernel]# dmesg
   b) Create the device node (e.g. if the major number is 254):
      [root@localhost kernel]# mknod /dev/ips c 254 0

4. Start the IKE daemon "racoon". Configure an appropriate racoon policy so that the machines can authenticate with each other successfully. Refer to the manual page of racoon.conf.

5. Start the policy daemon.
   For the server machine:
      [root@localhost ipsappol]# ./ipsappold srv-rules.conf
   For the client machine:
      [root@localhost ipsappol]# ./ipsappold cli-rules.conf

6. Use setkey to dump the IPsec policy and SA information, to see which policies are created and deleted.
   [root@localhost ipsappol]# setkey -D    # dump SAs
   [root@localhost ipsappol]# setkey -DP   # dump policies
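The following script is an added example, not part of the ipsappol distribution: it wraps USAGE steps 2 to 6 with the checks an operator would want before starting the policy daemon (module already loaded, device node already present, racoon running). It assumes it is run from the /ipsappol directory and that the kernel module registers its character device under the name "ips" in /proc/devices (override with IPS_DEV_NAME if the module uses a different name); the major number is read from /proc/devices instead of being copied by hand from dmesg.

```shell
#!/bin/sh
# Added example: guarded start-up for ipsappol (assumes cwd is /ipsappol).
set -eu

# Assumed device name as registered by ipskm.ko; adjust if dmesg shows another.
IPS_DEV_NAME="${IPS_DEV_NAME:-ips}"

# Print the major number of a character device, reading a /proc/devices-style
# listing from stdin. Only the "Character devices:" section is searched.
# Exit status 1 if the name is not registered.
ips_major() {
    awk -v want="$1" '
        /^Character devices:/ { chr = 1; next }
        /^Block devices:/     { chr = 0 }
        chr && $2 == want     { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Exit status 0 if "ipskm" appears in a /proc/modules-style listing on stdin.
module_loaded() {
    awk '$1 == "ipskm" { found = 1 } END { exit found ? 0 : 1 }'
}

# USAGE steps 2-6; $1 is srv-rules.conf or cli-rules.conf.
ipsappol_start() {
    rules="$1"
    module_loaded < /proc/modules || insmod ./kernel/ipskm.ko
    if [ ! -c /dev/ips ]; then
        major="$(ips_major "$IPS_DEV_NAME" < /proc/devices)" || {
            echo "device '$IPS_DEV_NAME' not registered; check dmesg" >&2
            exit 1
        }
        mknod /dev/ips c "$major" 0
    fi
    # racoon must be negotiating SAs before the policy daemon installs policies.
    pgrep -x racoon > /dev/null || { echo "start racoon first" >&2; exit 1; }
    ./ipsappold "$rules"
    setkey -D     # dump SAs
    setkey -DP    # dump policies
}

if [ "${1:-}" = "--run" ]; then
    ipsappol_start "${2:?usage: $0 --run <rules.conf>}"
fi
```

Invoke as `./start-ipsappol.sh --run srv-rules.conf` (or `cli-rules.conf`) as root; without `--run` the script only defines its functions.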