Classic IPsec Toolkit

A complete, highly scalable IPsec implementation that supports all relevant (90+) RFCs and standards required for servers and clients that need to communicate with any type of client/server device and interoperate with existing gateways. The Linux Data Plane is supported without any kernel dependency and is ideal for high traffic gateways or deployment in virtual environments.

Classic IPsec toolkit (Classic QuickSec) is optionally integrated with the FIPS 140-2 or FIPS 140-3 validated crypto module and deployed by leading vendors of physical and virtual cloud/networking products, printers and embedded devices.

How the Classic IPsec Toolkit works

As our customers develop products that must work seamlessly with various IPsec implementations, the Rambus IPsec Toolkit supports the 90+ standard specifications required to work with the various flavors of IPsec. Interoperability is verified as part of the QA process in Rambus’ own laboratory.

High scalability

  • High session set-up rate. Able to surpass 4000 IPsec tunnel-establishment per-second with a 8 core CPU; scales well on multicore architectures
  • Tunnel number only limited by available computing resources
  • High availability (HA). HA can be achieved with the native clustering implementation based on RFC 6311 or the APIs for import and export of IKE and IPsec SAs
  • Easy debugging. Enables requesting detailed logs for specific tunnels for problem resolution in large deployments without impacting performance
  • Multi-tenancy: supports independent and overlapping virtual routing and forwarding (VRF) instances for multiple networks or eNodeB support of multiple operators
  • Integrates with Linux kernel IPsec data plane or any other data plane supporting the same API. Additionally, a higher-level common data plane API allows integration with any IPsec data plane.
 
 

Leading companies are using the IPsec Toolkit for implementations in Cloud, SASE, SD-WAN, enterprise security gateways, high-security government appliances, high-capacity carrier gateways, eNodeB, embedded devices and printers.

Solution Offerings

Features
  • Complete IPsec and IKE Client/Server Toolkit
  • Highly interoperable and standards compliant
  • High availability with active/standby clustering
  • Fastest IKE implementation available on the market with unbeaten tunnel setup rate
  • Scalability: Deployments with 1M+ IPsec tunnels
  • Available with FIPS 140-2 or FIPS 140-3 validated crypto module
  • Written in clear, highly-portable C-source code free of GPL constraints
  • Routing instances isolate traffic for multi-tenancy
  • Broad hardware and software platform support
  • High-quality commercial replacement for GPL licensed open source software
  • Engineer-level support and regular updates provided under maintenance
 

IKE (Internet Key Exchange) Support

  • IKEv2 (RFC 7296), IKEv2 fragmentation (RFC 7383), IKEv2 redirect (RFC 5685)
  • High availability (RFC 6311)
  • MOBIKE (RFC 4555, RFC 4621)
  • IKEv1 main mode and aggressive mode
  • Perfect forward secrecy (PFS) option
  • Re-keying, dead peer detection (DPD), NAT-Traversal (NAT-T)
  • Authentication: pre-shared keys (PSK), XAUTH, certificates (full PKI support), extensible authentication protocol (EAP-SIM, EAP-AKA, EAPMD5), RADIUS, multiple authentication (RFC 4739)
  • IPv4 and IPv6 support: IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6, DHCPv4 and DHCPv6
  • RSA, DSA and ECDSA public key algorithms (IKE signature modes only)
  • RSA signature support for SHA2 in IKE per NIST Special Pub. 800-131A
  • Diffie-Hellman key exchange algorithm
  • FIPS 140-2 or FIPS 140-3 certified cryptography as an optional commercial option
  • Remote access support: virtual adapter configured by the server
  • Built-in IP address allocation
  • Generic raw public key (RFC 7670): RSA, DSA, ECDSA
  • Mixing preshared keys in IKEv2 for post-quantum security (RFC 8784)
  • IKEv2 algorithm requirements (RFC 8247)
 

Certificates and PKI Functionality

  • 509v3 (PKIX) certificate profile support
  • 509v3 (PKIX) certificate revocation list (CRL) support
  • Certificate distribution point support, with LDAP and HTTP
  • On-line certificate status checking, using OCSP
  • RSA signature support for SHA2 in certificates per NIST Special Pub. 800-131A
 

Complete IPsec Cryptography

  • Cipher algorithms: AES, AES-CCM, AES-GCM, AES-GCM-64, GMAC-AES, 3DES
  • MAC algorithms: SHA-1, SHA-2, GMAC-AES, AES-XCBC
  • Asymmetric crypto algorithms: RSA, Diffie-Hellman, ECC DH, ECC DSA, PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12
  • Elliptic curve crypto: Brainpool elliptic curves (RFC 5639, RFC 6932), ECDSA (RFC 4754) ECP groups (RFC 5903), Elliptic curve digital signature (ECDS)
Rambus logo