Chapter 20

Configuring IPsec (Tasks)

This chapter provides procedures for implementing IPsec on your network. The procedures are described in the following task maps:

• Protecting Traffic With IPsec (Task Map)

• Protecting a VPN With IPsec (Task Map)

For overview information about IPsec, see Chapter 19, IP Security Architecture (Overview). For reference information about IPsec, see Chapter 21, IP Security Architecture (Reference).

Protecting Traffic With IPsec (Task Map)

The following table points to procedures that set up IPsec between one or more systems. The ipsecconf(1M), ipseckey(1M), and ifconfig(1M) man pages also describe useful procedures in their respective Examples sections.

Task	Description	For Instructions
Secure traffic between two systems	Protects packets from one system to another system.	How to Secure Traffic Between Two Systems With IPsec
Secure a web server by using IPsec policy	Requires non-web traffic to use IPsec. Web clients are identified by particular ports, which bypass IPsec checks.	How to Secure a Web Server With IPsec
Display IPsec policies	Displays the IPsec policies that are currently being enforced, in the order in which the policies are enforced.	How to Display IPsec Policies
Generate random numbers	Generates random numbers for keying material for manually created security associations.	How to Generate Random Numbers on a Solaris System
Create or replace security associations manually	Provides the raw data for security associations: IPsec algorithm name and keying material Key for the security parameter index IP source and destination addresses	How to Manually Create IPsec Security Associations
Check that IPsec is protecting the packets	Examines snoop output for specific headers that indicate how the IP datagrams are protected.	How to Verify That Packets Are Protected With IPsec
(Optional) Create a Network Security role	Creates a role that can set up a secure network, but has fewer powers than superuser.	How to Create a Role for Configuring Network Security
Set up a secure virtual private network (VPN)	Sets up IPsec between two systems that are separated by the Internet.	Protecting a VPN With IPsec (Task Map)

Protecting Traffic With IPsec

This section provides procedures that enable you to secure traffic between two systems, and to secure a web server. To protect a VPN, see Protecting a VPN With IPsec (Task Map). Additional procedures provide keying material, provide security associations, and verify that IPsec is working as configured.

The following information applies to all IPsec configuration tasks:

• IPsec and zones - To manage IPsec policy and keys for a non-global zone, create the IPsec policy file in the global zone, and run the IPsec configuration commands from the global zone. Use the source address which corresponds to the non-global zone that is being configured. You can also configure IPsec policy and keys in the global zone for the global zone. In the Solaris Express, Developer Edition 2/07 release, you can use IKE to manage keys in a non-global zone.

• IPsec and RBAC - To use roles to administer IPsec, see Chapter 8, "Using Role-Based Access Control (Tasks)," in System Administration Guide: Security Services. For an example, see How to Create a Role for Configuring Network Security.

• IPsec and SCTP - IPsec can be used to protect Streams Control Transmission Protocol (SCTP) associations, but caution must be used. For more information, see IPsec and SCTP.

How to Secure Traffic Between Two Systems With IPsec

---

Note - You configure IPsec policy in the global zone.

---

This procedure assumes the following setup:

• The two systems are named enigma and partym.

• Each system has two addresses, an IPv4 address and an IPv6 address.

• Each system invokes AH protection with the MD5 algorithm, which requires a key of 128 bits.

• Each system invokes ESP protections with the 3DES algorithm, which requires a key of 192 bits.

• Each system uses shared security associations.

  With shared SAs, only one pair of SAs is needed to protect the two systems.

1. On the system console, assume the Primary Administrator role or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, "Working With the Solaris Management Console (Tasks)," in System Administration Guide: Basic Administration.

   ---

   Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.

   ---

2. On each system, add host entries to the /etc/inet/hosts file.

   1. On a system that is named partym, type the following in the hosts file:

      # Secure communication with enigma 192.168.116.16 enigma 2001::aaaa:6666:6666 enigma

      
      

   2. On a system that is named enigma, type the following in the hosts file:

      # Secure communication with partym 192.168.13.213 partym 2001::eeee:3333:3333 partym

      
      

3. On each system, create the IPsec policy file.

   The file name is /etc/inet/ipsecinit.conf. For an example, see the /etc/inet/ipsecinit.sample file.

4. Add an IPsec policy entry to the ipsecinit.conf file.

   1. On the enigma system, add the following policy:

      {laddr enigma raddr partym} ipsec {auth_algs any encr_algs any sa shared}

      
      

   2. On the partym system, add the identical policy:

      {laddr partym raddr enigma} ipsec {auth_algs any encr_algs any sa shared}

      
      

      For the syntax of IPsec policy entries, see the ipsecconf(1M) man page.

5. On each system, add a pair of IPsec SAs between the two systems.

   You can configure Internet Key Exchange (IKE) to create the SAs automatically. You can also add the SAs manually.

   ---

   Note - You should use IKE unless you have good reason to generate and maintain your keys manually. IKE key management is more secure than manual key management.

   ---

   • Configure IKE by following one of the configuration procedures in Configuring IKE (Task Map). For the syntax of the IKE configuration file, see the ike.config(4) man page.

   • To add the SAs manually, see How to Manually Create IPsec Security Associations.

6. Reboot each system.

   # init 6

   
   

7. Verify that packets are being protected.

   For the procedure, see How to Verify That Packets Are Protected With IPsec.

Example 20-1   Securing Traffic With IPsec Without Rebooting

The following example describes how to implement IPsec in a test environment. In a production environment, it is more secure to reboot than to run the ipsecconf command. For the security considerations, see the end of this example.

Instead of rebooting at Step 6, choose one of the following options.

• If you used IKE to create keying material, stop and then restart the in.iked daemon.

  # pkill in.iked # /usr/lib/inet/in.iked

  
  

• If you added keys manually, use the ipseckey command to add the SAs to the database.

  # ipseckey -f /etc/inet/secret/ipseckeys

  
  

  Then activate the IPsec policy with the ipsecconf command.

  # ipsecconf -a /etc/inet/ipsecinit.conf

  
  

Security Considerations - Read the warning when you execute the ipsecconf command. A socket that is already latched, that is, a socket that is already in use, provides an unsecured back door into the system. For more extensive discussion, see Security Considerations for ipsecinit.conf and ipsecconf.