IPSec on Solaris

Quick steps to enable Solaris IPSec (in transport mode)

 1. Enter computer names into /etc/hosts, for example:
# vi /etc/hosts

10.1.1.1      computer1
10.1.1.2      computer2
 2. Create /etc/inet/ipsecinit.conf, for example, to protect telnet traffic:
# vi /etc/inet/ipsecinit.conf
{laddr computer1
 raddr computer2
 proto tcp
 rport 23} ipsec {encr_algs aes encr_auth_algs sha1}

{laddr computer1
 raddr computer2
 proto tcp
 lport 23} ipsec {encr_algs aes encr_auth_algs sha1}
 3. Create /etc/inet/ike/config, for example:
# vi /etc/inet/ike/config

## Some defaults
p1_lifetime_secs 14400
p1_nonce_len 20
p2_nonce_len 32

## Parameters that may also show up in rules.
p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2

### Now some rules...
{ label "computer1-computer2"
  local_id_type ip
  local_addr 10.1.1.1
  remote_addr 10.1.1.2
  p1_xform { auth_method preshared oakley_group 5 auth_alg sha1 encr_alg aes }
  p2_pfs 5
}
 4. Generate a preshared key for IKE, for example with:
# od -N 32 -X -A n /dev/random|tr -d '[:space:]'
36fa1f15f023e604c4bcd9b9d19133f6c606b5ffaf5b9c8c39315341aa66367e
 5. Create /etc/inet/secret/ike.preshared; the IDs must match the addresses used in /etc/inet/ike/config:
# vi /etc/inet/secret/ike.preshared
{
  localidtype IP
  localid 10.1.1.1
  remoteidtype IP
  remoteid 10.1.1.2
  # shared key in hex (256 bits, 64 hex digits)
  key 36fa1f15f023e604c4bcd9b9d19133f6c606b5ffaf5b9c8c39315341aa66367e
}
 6. Start the ike service and enable IPSec. Depending on the Solaris release, either run
# svcadm enable ike
# svcadm restart policy

or, if IPSec is not implemented as SMF services, run

# /usr/lib/inet/in.iked
# ipsecconf -a /etc/inet/ipsecinit.conf
 7. To verify that IPSec is working, telnet from computer1 to computer2 and snoop for ESP traffic on computer2:
computer1# telnet computer2
computer2# snoop '(host computer1 or host computer2) and esp'
 8. To troubleshoot IPSec rules, use:
# ipsecconf -l
# ipsecconf -d <index>
# ipsecconf -a <ipsec_add_rules.file>
 9. To troubleshoot IKE, use ipseckey or ikeadm, for example:
# ipseckey
>dump
>get esp spi 0x12345678 dst 10.1.1.1
>save esp

# ikeadm write rule /tmp/ike.conf
 10. To manipulate the keys manually, stop the in.iked daemon (or disable the ike SMF service), then either start the manual-key SMF service or run ipseckey -f /etc/inet/secret/ipseckeys. The keys in that file are in ipseckey format, which can be obtained (if some keys are already loaded) by running ipseckey -s <file>. For example,
# pkill in.iked
or
# svcadm disable ike
then
# vi /etc/inet/secret/ipseckeys

# begin assoc
add esp \
    spi 0xcfa1277a encr_alg aes auth_alg hmac-sha1 \
    proto 6 \
    src 10.1.1.6 \
    dst 10.1.1.1 dport 3306 \
    authkey 4b4b6dfaa38da30fd88b8a2c3d675e372f951e778a/160 \
    encrkey f0232655060e4fba7f60c71fb7c286004b0e6363df013289f3e6d94f4934f4cc/256
# end assoc

# begin assoc
add esp \
    spi 0xd89ba688 encr_alg aes auth_alg hmac-sha1 \
    proto 6 \
    src 10.1.1.6 \
    dst 10.1.1.1 dport 3306 \
    authkey 2df2481863ea2bbb0cd76f942aadf86e9ccc85f3ed/160 \
    encrkey 4bb72078a65e114fa841c0deffee1ef57467e94ede1f57dbb4bef0d0cb02af2b/256
# end assoc
and
# svcadm enable manual-key
or
# ipseckey -f /etc/inet/secret/ipseckeys

To generate the ipseckeys file automatically you may try the ipseckeysgen script.
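As an added, stand-alone illustration of step 10 (this is not the ipseckeysgen script the page refers to, nor any Solaris-supplied tool), the following POSIX shell functions emit a manual-key ipseckeys fragment for both directions of one TCP flow, with fresh random SPIs and keys in the "add esp" syntax above. It assumes /dev/urandom and a POSIX od(1); the addresses and port in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not the page's ipseckeysgen script): emit a manual-key
# /etc/inet/secret/ipseckeys fragment covering both directions of one TCP
# flow, in the ipseckey(1M) "add esp" syntax used in step 10, with fresh
# random SPIs and keys for AES-256 ESP + HMAC-SHA1.  Assumes /dev/urandom
# and a POSIX od(1); hosts and port in the usage lines are placeholders.

# random_hex NBYTES -> NBYTES random bytes as lowercase hex, no whitespace
random_hex() {
    od -An -v -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# gen_spi -> random 32-bit SPI as 0x........, avoiding the reserved 0-255 range
gen_spi() {
    spi=$(random_hex 4)
    while [ "${spi#000000}" != "$spi" ]; do spi=$(random_hex 4); done
    printf '0x%s\n' "$spi"
}

# esp_assoc SRC DST PORTKW PORT -> one "add esp" stanza for SRC -> DST,
# selecting on "dport PORT" or "sport PORT" as PORTKW says
esp_assoc() {
    printf '# begin assoc\nadd esp \\\n'
    printf '    spi %s encr_alg aes auth_alg hmac-sha1 \\\n' "$(gen_spi)"
    printf '    proto 6 src %s dst %s %s %s \\\n' "$1" "$2" "$3" "$4"
    printf '    authkey %s/160 \\\n' "$(random_hex 20)"   # HMAC-SHA1 key: 160 bits
    printf '    encrkey %s/256\n' "$(random_hex 32)"      # AES-256 key: 256 bits
    printf '# end assoc\n'
}

# ipseckeys_pair CLIENT SERVER PORT -> SAs for client->server (matched on the
# server's dport) and server->client (matched on the server's sport); the
# same file is loaded on both hosts, since SAs are keyed by SPI and dst
ipseckeys_pair() {
    esp_assoc "$1" "$2" dport "$3"
    esp_assoc "$2" "$1" sport "$3"
}

# Usage: write the file with root-only permissions, then load it as in step 10
#   umask 077; ipseckeys_pair 10.1.1.6 10.1.1.1 3306 > /etc/inet/secret/ipseckeys
#   ipseckey -f /etc/inet/secret/ipseckeys
```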