Securing Data in Transit with the IPsec Add-on
Page last updated:
This guide describes the Pivotal Cloud Foundry (PCF) IPsec add-on. The topics included in this guide cover installation and configuration, troubleshooting, and credential rotation. Your organization may require IPsec if you transmit sensitive data.
Note: If you apply the IPsec add-on to your PCF deployment, you cannot remove IPsec without removing and reinstalling the entire deployment.
The IPsec add-on for PCF provides security to the network layer of the OSI model with a strongSwan implementation of IPsec. The IPsec add-on provides a strongSwan job to each BOSH-deployed virtual machine (VM).
IPsec encrypts IP data flow between hosts, between security gateways, and between security gateways and hosts. The PCF IPsec add-on secures network traffic within a Cloud Foundry deployment and provides internal system protection if a malicious actor breaches your firewall.
PCF IPsec Implementation Details
The PCF IPsec add-on implements the following cryptographic suite:
|Key Agreement (Diffie-Hellman)||IKEv2 Main Mode|
|Integrity/Authentication Tag||128 bit GHASH ICV|
|Digital Signing||RSA 3072/4096|
|Peer Authentication Method||Public/Private Key|
Refer to the following topics for more information about the IPsec add-on: