1. Enter computer names into /etc/hosts, for example:
# vi /etc/hosts
10.1.1.1 computer1
10.1.1.2 computer2
2. Create /etc/inet/ipsecinit.conf, for example, to protect telnet traffic:
# vi /etc/inet/ipsecinit.conf
{laddr computer1
raddr computer2
proto tcp
rport 23} ipsec {encr_algs aes encr_auth_algs sha1}
{laddr computer1
raddr computer2
proto tcp
lport 23} ipsec {encr_algs aes encr_auth_algs sha1}
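The two rules above cover telnet in both roles: rport 23 protects sessions where computer1 is the telnet client, lport 23 those where it is the telnet server. The following script is an added check, not part of the original page: it parses an ipsecinit.conf written in the syntax shown above (pattern block, then ipsec block, possibly spread over several lines, with # comments) and reports any port that appears only as rport or only as lport, i.e. a service protected in one role but left in cleartext in the other. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: list the rules of a Solaris
# /etc/inet/ipsecinit.conf and flag ports that are covered for only one role.
# Assumes the rule syntax shown in step 2: "{ pattern } ipsec { properties }",
# possibly spread over several lines, with "#" comments.

# ipsec_policy_rules FILE
# Prints one line per rule: LADDR RADDR PROTO SIDE PORT PROPERTIES
# where SIDE is rport or lport ("-" when the rule names no port).
ipsec_policy_rules() {
    awk '
    BEGIN { RS = "}" }          # records alternate: pattern block, ipsec block
    {
        gsub(/#[^\n]*/, "")     # strip comments before joining lines
        gsub(/\n/, " ")
        sub(/^[^{]*\{/, "")     # keep only what follows the opening brace
        if (NR % 2 == 1) {
            pat = $0
        } else {
            gsub(/^ +| +$/, "")
            emit(pat, $0)
        }
    }
    function emit(pat, props,    n, f, i, a, side, port) {
        a["laddr"] = "-"; a["raddr"] = "-"; a["proto"] = "-"
        side = "-"; port = "-"
        n = split(pat, f, " ")
        for (i = 1; i < n; i += 2) {
            if (f[i] == "rport" || f[i] == "lport") {
                side = f[i]; port = f[i + 1]
            } else {
                a[f[i]] = f[i + 1]
            }
        }
        printf "%s %s %s %s %s %s\n", a["laddr"], a["raddr"], a["proto"],
                                      side, port, props
    }' "$1"
}

# ipsec_policy_check FILE
# Prints "ok" and returns 0 when every rport N has a matching lport N for the
# same laddr/raddr/proto and vice versa; otherwise lists the one-sided ports
# and returns 1. A port covered only as rport protects this host as client but
# leaves it unprotected as server; lport-only is the reverse.
ipsec_policy_check() {
    ipsec_policy_rules "$1" | awk '
    $4 == "rport" { r[$1 " " $2 " " $3 " " $5] = 1 }
    $4 == "lport" { l[$1 " " $2 " " $3 " " $5] = 1 }
    END {
        bad = 0
        for (k in r) if (!(k in l)) { print "rport only: " k; bad = 1 }
        for (k in l) if (!(k in r)) { print "lport only: " k; bad = 1 }
        if (!bad) print "ok"
        exit bad
    }'
}

# Stand-alone use: ipsec_policy_check /etc/inet/ipsecinit.conf
```

Run it on both hosts: computer2 needs the mirror image of this file (laddr computer2, raddr computer1) so that each side's policy agrees with the other's.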
3. Create /etc/inet/ike/config, for example:
# vi /etc/inet/ike/config
## Some defaults
p1_lifetime_secs 14400
p1_nonce_len 20
p2_nonce_len 32
## Parameters that may also show up in rules.
p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2
### Now some rules...
{ label "computer1-computer2"
local_id_type ip
local_addr 10.1.1.1
remote_addr 10.1.1.2
p1_xform { auth_method preshared oakley_group 5 auth_alg sha1 encr_alg aes }
p2_pfs 5
}
4. Generate a preshared key for IKE using, for example:
# od -N 32 -X -A n /dev/random | tr -d '[:space:]'
36fa1f15f023e604c4bcd9b9d19133f6c606b5ffaf5b9c8c39315341aa66367e
5. Create /etc/inet/secret/ike.preshared (localid and remoteid must be the same addresses as local_addr and remote_addr in /etc/inet/ike/config, otherwise IKE will not find the key for the peer):
{
localidtype IP
localid 91.208.73.132
remoteidtype IP
remoteid 91.208.73.103
# shared key in hex (64 hex digits = 256 bits)
key 36fa1f15f023e604c4bcd9b9d19133f6c606b5ffaf5b9c8c39315341aa66367e
}
6. Start the IKE service and enable IPSec. Depending on the Solaris release, either run
# svcadm enable ike
# svcadm restart policy
or, if IPSec is not implemented as SMF services, run
# /usr/lib/inet/in.iked
# ipsecconf -a /etc/inet/ipsecinit.conf
7. To verify that IPSec is working, telnet from computer1 to computer2 and snoop for ESP on computer2:
computer1# telnet computer2
computer2# snoop '(host computer1 or host computer2) and esp'
8. To troubleshoot IPSec rules use ipsecconf: -l lists the active policy with rule indexes, -d deletes the rule at the given index, and -a adds the rules from a file.
# ipsecconf -l
# ipsecconf -d <index>
# ipsecconf -a <ipsec_add_rules.file>
9. To troubleshoot IKE use ipseckey or ikeadm, for example:
# ipseckey
>dump
>get esp spi 0x12345678 dst 10.1.1.1
# ikeadm write rule /tmp/ike.conf
# ikeadm
> save esp
10. To manipulate the keys manually, stop the in.iked daemon (or disable the ike SMF service) and then either start the manual-key SMF service or run ipseckey -f /etc/inet/secret/ipseckeys. The keys in that file are in ipseckey format, which can be obtained, if some keys are already loaded, by running ipseckey -s <file>. For example,
# pkill in.iked
or
# svcadm disable ike
then
# vi /etc/inet/secret/ipseckeys
# begin assoc
add esp \
spi 0xcfa1277a encr_alg aes auth_alg hmac-sha1 \
proto 6 \
src 10.1.1.6 \
dst 10.1.1.1 dport 3306 \
authkey 4b4b6dfaa38da30fd88b8a2c3d675e372f951e778a/160 \
encrkey f0232655060e4fba7f60c71fb7c286004b0e6363df013289f3e6d94f4934f4cc/256
# end assoc
# begin assoc
add esp \
spi 0xd89ba688 encr_alg aes auth_alg hmac-sha1 \
proto 6 \
src 10.1.1.6 \
dst 10.1.1.1 dport 3306 \
authkey 2df2481863ea2bbb0cd76f942aadf86e9ccc85f3ed/160 \
encrkey 4bb72078a65e114fa841c0deffee1ef57467e94ede1f57dbb4bef0d0cb02af2b/256
# end assoc
and
# svcadm enable manual-key
or
# ipseckey -f /etc/inet/secret/ipseckeys
To generate the ipseckeys file automatically you may try the ipseckeysgen script.
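Steps 4, 5 and 10 all hinge on key material whose length must agree with what the files declare: the "(N bits)" comment in ike.preshared and the "/bits" suffixes in ipseckeys. The script below is an added example, not from the original page: it draws keys from /dev/urandom (the page uses /dev/random; either is fine on a current system), computes the bit length from the hex digits rather than trusting a typed number, rejects key sizes that aes and hmac-sha1 do not take, and renders both secret files from those values. The function names, the SPIs, the port selectors and the addresses in the demo are this example's own constructed values.

```shell
#!/bin/sh
# Added example, not part of the original page: key material helpers for
# steps 4, 5 and 10 of the IPsec how-to. Keys come from /dev/urandom, bit
# lengths are computed from the hex digits, and the two secret files are
# rendered from those values. Addresses, SPIs and ports in the demo at the
# bottom are constructed sample values.

# gen_hex_key BITS -> BITS/4 hex digits on stdout (BITS a multiple of 8)
gen_hex_key() {
    [ $(( $1 % 8 )) -eq 0 ] || { echo "bits must be a multiple of 8" >&2; return 1; }
    od -An -t x1 -N $(( $1 / 8 )) /dev/urandom | tr -d ' \n'
}

# hex_key_bits HEX -> number of bits the digits hold (4 per digit);
# returns 1 if HEX is empty or contains a non-hex character
hex_key_bits() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | tr -d '0-9a-fA-F' | grep -q . && return 1
    echo $(( ${#1} * 4 ))
}

# key_fits HEX BITS -> 0 if HEX holds at least BITS bits. A "/BITS" suffix in
# an ipseckeys file must not declare more bits than the digits provide.
key_fits() {
    have=$(hex_key_bits "$1") || return 1
    [ "$have" -ge "$2" ]
}

# render_ike_preshared LOCALIP REMOTEIP HEXKEY -> one ike.preshared entry.
# LOCALIP/REMOTEIP must be the same addresses as local_addr/remote_addr in
# /etc/inet/ike/config, or IKE will not find the key for the peer.
render_ike_preshared() {
    bits=$(hex_key_bits "$3") || { echo "key is not a hex string" >&2; return 1; }
    printf '{\nlocalidtype IP\nlocalid %s\nremoteidtype IP\nremoteid %s\n' "$1" "$2"
    printf '# shared key in hex (%s bits)\nkey %s\n}\n' "$bits" "$3"
}

# render_esp_sa SPI SRC DST PROTO PORTSEL AUTHKEY ENCRKEY -> one "add esp"
# entry for ipseckeys with aes and hmac-sha1 as in step 10. PORTSEL is a
# selector such as "dport 23" or "sport 23". Call it twice with src/dst
# swapped, the matching port selector and distinct SPIs for a bidirectional pair.
render_esp_sa() {
    abits=$(hex_key_bits "$6") || { echo "authkey is not hex" >&2; return 1; }
    ebits=$(hex_key_bits "$7") || { echo "encrkey is not hex" >&2; return 1; }
    [ "$abits" -eq 160 ] || { echo "hmac-sha1 needs a 160-bit key, got $abits" >&2; return 1; }
    case $ebits in
        128|192|256) ;;
        *) echo "aes needs a 128/192/256-bit key, got $ebits" >&2; return 1 ;;
    esac
    printf 'add esp \\\n'
    printf 'spi %s encr_alg aes auth_alg hmac-sha1 \\\n' "$1"
    printf 'proto %s \\\n' "$4"
    printf 'src %s \\\n' "$2"
    printf 'dst %s %s \\\n' "$3" "$5"
    printf 'authkey %s/%s \\\n' "$6" "$abits"
    printf 'encrkey %s/%s\n' "$7" "$ebits"
}

# Demo (constructed values): a 256-bit IKE preshared key for the two hosts of
# the example, and a manual SA pair for telnet from 10.1.1.1 to 10.1.1.2
# (client->server traffic has dport 23, the return traffic has sport 23).
psk=$(gen_hex_key 256)
render_ike_preshared 10.1.1.1 10.1.1.2 "$psk"
ak1=$(gen_hex_key 160); ek1=$(gen_hex_key 256)
ak2=$(gen_hex_key 160); ek2=$(gen_hex_key 256)
render_esp_sa 0x1001 10.1.1.1 10.1.1.2 6 "dport 23" "$ak1" "$ek1"
render_esp_sa 0x1002 10.1.1.2 10.1.1.1 6 "sport 23" "$ak2" "$ek2"
```

Redirect the rendered output into /etc/inet/secret/ike.preshared or /etc/inet/secret/ipseckeys as root; the two directions of a manual SA pair get their own SPIs and their own keys, as the demo does.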