IPsec Toolkit

A complete IPsec and IKE cloud server-optimized toolkit (previously QuickSec from Inside Secure) that supports all relevant (90+) RFCs and standards required for servers that need to communicate with any type of client/server device and interoperate with existing gateways. The Linux Data Plane is supported without any kernel dependency and, due to its stateless implementation option, is ideal for deployment in virtual environments.

The IPsec toolkit is optionally integrated with the FIPS 140-2 validated crypto module and deployed by leading vendors of physical and virtual cloud/networking products, printers and embedded devices.

Massive Scalability

Deployments over a million concurrent tunnels and unbeaten tunnel setup rates


Overlapping routing instances for IPsec servers and clients to isolate different traffic

Professional and GPL free

Engineer level support and regular updates provided under maintenance 

How the IPsec Toolkit works

As our customers develop products that must work seamlessly with various IPsec implementations, the Rambus IPsec Toolkit supports the 90+ standard specifications required to work with the various flavors of IPsec. Interoperability is verified as part of the QA process in Rambus’ own laboratory.

High scalability

  • High session set-up rate. Able to reach 2000 IPsec tunnel establishments per second with only two CPU cores; scales well on multicore architectures
  • High availability (HA). Includes HA APIs for import and export of IKE and IPsec security associations (SAs) for device redundancy and failover
  • Gradual restart. Restarts IPsec connections when needed by triggering IKE session establishment only when packets are received, rather than restarting all connections
  • Easy debugging. Enables requesting detailed logs for specific tunnels for problem resolution in large deployments without impacting performance

Multi-tenancy and easy integration

  • Supports independent and overlapping virtual routing and forwarding (VRF) instances for multiple networks or eNodeB support of multiple operators
  • Pre-integrated with the Netlink API; integrates seamlessly with the Linux kernel IPsec data plane or with 6WINDgate’s IPsec data plane over DPDK. Integrates with any IPsec data plane through its common data-plane API

Leading companies are using the IPsec Toolkit for implementations in Cloud, SD-WAN, enterprise security gateways, high-security government appliances, high-capacity carrier gateways, eNodeB, mobile devices and printers.

The CryptoManager Root of Trust

Built around a custom RISC-V CPU, the Rambus CryptoManager Root of Trust (CMRT) is at the forefront of a new category of programmable hardware-based security cores. Siloed from the primary processor, it is designed to securely run sensitive code, processes and algorithms. More specifically, the CMRT provides the primary processor with a full suite of security services, such as secure boot and runtime integrity, remote attestation and broad crypto acceleration for symmetric and asymmetric algorithms.

Solution Offerings

  • Complete IPsec and IKE Client/Server Toolkit
  • Highly interoperable and standards compliant
  • Scalability: Deployments with 1M+ IPsec tunnels and unbeaten tunnel setup rate
  • Available with FIPS 140-2 validated crypto module
  • Written in clear, highly-portable C-source code free of GPL constraints
  • Routing instances isolate traffic for multi-tenancy
  • Broad hardware and software platform support
  • High-quality commercial replacement for GPLv2-licensed StrongSwan
  • Engineer-level support and regular updates provided under maintenance

IKE (Internet Key Exchange) Support

  • IKEv2 (RFC 7296), IKEv2 fragmentation (RFC 7383), IKEv2 redirect (RFC 5685)
  • MOBIKE (RFC 4555, RFC 4621)
  • IKEv1 main mode and aggressive mode
  • Perfect forward secrecy (PFS) option
  • Re-keying, dead peer detection (DPD), NAT-Traversal (NAT-T)
  • Authentication: pre-shared keys (PSK), XAUTH, certificates (full PKI support), extensible authentication protocol (EAP-SIM, EAP-AKA, EAP-MD5, EAP-TLS), RADIUS, multiple authentication (RFC 4739)
  • IPv4 and IPv6 support: IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6, DHCPv4 and DHCPv6
  • RSA, DSA and ECDSA public key algorithms (IKE signature modes only)
  • RSA signature support for SHA2 in IKE per NIST Special Pub. 800-131A
  • Diffie-Hellman key exchange algorithm
  • FIPS 140-2 certified cryptography as an optional commercial option
  • Remote access support: virtual adapter configured by the server
  • Built-in IP address allocation

Certificates and PKI Functionality

  • X.509v3 (PKIX) certificate profile support
  • X.509v3 (PKIX) certificate revocation list (CRL) support
  • Certificate distribution point support, with LDAP and HTTP
  • On-line certificate status checking, using OCSP
  • Standard-based certificate enrollment support, using SCEP and CMP
  • RSA signature support for SHA2 in certificates per NIST Special Pub. 800-131A

Complete IPsec Cryptography

  • Cipher algorithms: AES, AES-CCM, AES-GCM, AES-GCM-64, GMAC-AES, 3DES
  • MAC algorithms: SHA-1, SHA-2, MD5, GMAC-AES, AES-XCBC
  • Asymmetric crypto algorithms: RSA, Diffie-Hellman, ECC DH, ECC DSA, PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12
  • Elliptic curve crypto: Brainpool elliptic curves (RFC 5639, RFC 6932), ECDSA (RFC 4754), ECP groups (RFC 5903), Elliptic curve digital signature (ECDS)