sun.com docs.sun.com My Sun Worldwide Sites

Previous Previous     Contents     Index     Next Next

ProcedureHow to Manually Create IPsec Security Associations


Note - You manually manage keying material for a non-global zone from the global zone.


The following procedure provides the keying material for the procedure, How to Secure Traffic Between Two Systems With IPsec.

  1. Generate the keying material for the SAs.

    You need three hexadecimal random numbers for outbound traffic and three hexadecimal random numbers for inbound traffic.

    Therefore, one system needs to generate the following numbers:

    • Two hexadecimal random numbers as the value for the spi keyword. One number is for outbound traffic. One number is for inbound traffic. Each number can be up to eight characters long.

    • Two hexadecimal random numbers for the MD5 algorithm for AH. Each number must be 32 characters long. One number is for dst enigma. One number is for dst partym.

    • Two hexadecimal random numbers for the 3DES algorithm for ESP. For a 192-bit key, each number must be 48 characters long. One number is for dst enigma. One number is for dst partym.

    If you have a random number generator at your site, use the generator. You can also use the od command. See How to Generate Random Numbers on a Solaris System for the procedure.

  2. On the system console on one of the systems, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, "Working With the Solaris Management Console (Tasks)," in System Administration Guide: Basic Administration.


    Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.


  3. Enable the ipseckey command mode:

    # ipseckey
    
    >

    The > prompt indicates that you are in ipseckey command mode.

  4. If you are replacing existing SAs, flush the current SAs.

    > flush
    > 

    To prevent an adversary from having time to break your SAs, you need to replace the keying material.


    Note - You must coordinate key replacement on communicating systems. When you replace the SAs on one system, the SAs must also be replaced on the remote system.


  5. To create SAs, type the following command.

    > add protocol spi random-hex-string \
    src addr dst addr2 \
    protocol-prefix_alg protocol-algorithm  \
    protocol-prefixkey random-hex-string-of-algorithm-specified-length

    You also use this syntax to replace SAs that you have just flushed.

    protocol

    Specifies either esp or ah.

    random-hex-string

    Specifies a random number of up to eight characters in hexadecimal format. Precede the characters with 0x. If you enter more numbers than the security parameter index (SPI) accepts, the system ignores the extra numbers. If you enter fewer numbers than the SPI accepts, the system pads your entry.

    addr

    Specifies the IP address of one system.

    addr2

    Specifies the IP address of the peer system of addr.

    protocol-prefix

    Specifies one of encr or auth. The encr prefix is used with the esp protocol. The auth prefix is used with the ah protocol, and for authenticating the esp protocol.

    protocol-algorithm

    Specifies an algorithm for ESP or AH. Each algorithm requires a key of a specific length.

    Authentication algorithms include MD5 and SHA. Encryption algorithms include 3DES and AES.

    random-hex-string-of-algorithm-specified-length

    Specifies a random hexadecimal number of the length that is required by the algorithm. For example, the MD5 algorithm requires a 32-character string for its 128-bit key. The 3DES algorithm requires a 48-character string for its 192-bit key.

    1. For example, on the enigma system, protect outbound packets.

      Use the random numbers that you generated in Step 1.

      For Solaris 10 1/06:

      > add esp spi 0x8bcd1407 \
      src 192.168.116.16 dst 192.168.13.213 \
      encr_alg 3des \
      auth_alg md5 \
      encrkey d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d \
      authkey e896f8df7f78d6cab36c94ccf293f031
      >


      Note - The peer system must use the same keying material and the same SPI.


    2. Still in ipseckey command mode on the enigma system, protect inbound packets.

      Type the following commands to protect the packets:

      > add esp spi 0x122a43e4 \
      src 192.168.13.213 dst 192.168.116.16 \
      encr_alg 3des \
      auth_alg md5 \
      encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e \
      authkey ad9ced7ad5f255c9a8605fba5eb4d2fd
      >


      Note - The keys and SPI can be different for each SA. You should assign different keys and a different SPI for each SA.


  6. To exit ipseckey command mode, press Control-D or type quit.

  7. To ensure that the keying material is available to IPsec at reboot, add the keying material to the /etc/inet/secret/ipseckeys file.

    The lines of the /etc/inet/secret/ipseckeys file are identical to the command line language.

    1. For example, the /etc/inet/secret/ipseckeys file on the enigma system would appear similar to the following:

      # ipseckeys - This file takes the file format documented in 
      #   ipseckey(1m).
      #   Note that naming services might not be available when this file
      #   loads, just like ipsecinit.conf.
      #
      # for outbound packets on enigma
      add esp spi 0x8bcd1407 \
         src 192.168.116.16 dst 192.168.13.213  \
         encr_alg 3des \
         auth_alg md5  \
         encrkey  d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d \
         authkey  e896f8df7f78d6cab36c94ccf293f031
      #
      # for inbound packets
      add esp spi 0x122a43e4 \
         src 192.168.13.213 dst 192.168.116.16 \
         encr_alg 3des \
         auth_alg md5  \
         encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e \
         authkey ad9ced7ad5f255c9a8605fba5eb4d2fd

    2. Protect the file with read-only permissions.

      # chmod 400 /etc/inet/secret/ipseckeys

  8. Repeat Step 2 through Step 7 on the partym system.

    Use the same keying material that was used on enigma.

    The keying material on the two systems must be identical. As shown in the following example, only the comments in the ipseckeys file differ. The comments differ because dst enigma is inbound on the enigma system, and outbound on the partym system.

    # partym ipseckeys file
    #
    # for inbound packets
    add esp spi 0x8bcd1407 \
       src 192.168.116.16 dst 192.168.13.213  \
       encr_alg 3des \
       auth_alg md5  \
       encrkey  d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d \
       authkey  e896f8df7f78d6cab36c94ccf293f031
    #
    # for outbound packets
    add esp spi 0x122a43e4 \
       src 192.168.13.213 dst 192.168.116.16 \
       encr_alg 3des \
       auth_alg md5  \
       encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e \
       authkey ad9ced7ad5f255c9a8605fba5eb4d2fd

Previous Previous     Contents     Index     Next Next
Company Info Contact Terms of Use Privacy Copyright 1994-2007 Sun Microsystems, Inc.