

Procedure: How to Protect a VPN With an IPsec Tunnel in Transport Mode Over IPv6

To set up a VPN on an IPv6 network, you follow the same steps as for an IPv4 network. However, the syntax of the commands is slightly different. For a fuller description of the reasons for running particular commands, see How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4.

This procedure uses the following configuration parameters.

    Parameter                     Europe                  California
    ---------------------------   ---------------------   ---------------------
    System name                   enigma                  partym
    System intranet interface     hme1                    hme1
    System Internet interface     hme0                    hme0
    System intranet address       6000:6666::aaaa:1116    6000:3333::eeee:1113
    System Internet address       2001::aaaa:6666:6666    2001::eeee:3333:3333
    Name of Internet router       router-E                router-C
    Address of Internet router    2001::aaaa:0:4          2001::eeee:0:1
    Tunnel name                   ip6.tun0                ip6.tun0

  1. On the system console on one of the systems, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, "Working With the Solaris Management Console (Tasks)," in System Administration Guide: Basic Administration.


    Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.


  2. Control the flow of packets before configuring IPsec.

    For the effects of these commands, see Step 2 in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4.

    1. Ensure that IP forwarding and IP dynamic routing are disabled.

      # routeadm
      Configuration       Current         Current
             Option       Configuration  System State
      --------------------------------------------------
      ...
      IPv6 forwarding     disabled          disabled
         IPv6 routing     disabled          disabled

      If forwarding and routing are enabled, you can disable them by typing:

      # routeadm -d ipv6-forwarding -d ipv6-routing
      # routeadm -u

    2. Turn on IP strict destination multihoming.

      # ndd -set /dev/ip ip6_strict_dst_multihoming 1

    3. Disable most network services, and possibly all network services.


      Note - If your system was installed with the "limited" SMF profile, then you can skip this step. Network services, with the exception of Solaris Secure Shell, are disabled.


      Disabling network services limits what an attacker can do with packets that reach the system while IPsec policy is not yet in place. An SNMP daemon, a telnet connection, or an rlogin connection, for example, could be exploited, and none of them is needed to run the VPN.

      You have two options.

      • Run the "limited" SMF profile.

        # netservices limited

      • Or, individually disable network services.

        # svcadm disable network/ftp:default
        # svcadm disable network/finger:default
        # svcadm disable network/login:rlogin
        # svcadm disable network/nfs/server:default
        # svcadm disable network/rpc/rstat:default
        # svcadm disable network/smtp:sendmail
        # svcadm disable network/telnet:default
        # svcs | grep network
        online         Aug_02   svc:/network/loopback:default
        ...
        online         Aug_09   svc:/network/ssh:default
        ...

  3. On each system, add a pair of SAs between the two systems.

    Choose one of the following options: configure IKE, so that the in.iked daemons on the two systems negotiate and refresh the SAs automatically, or add the SAs manually with the ipseckey command. Manually keyed SAs never change on their own, so the administrator must replace them; IKE is the better choice for a VPN that stays up for a long time.

  4. On each system, add IPsec policy.

    Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN. The first rule passes IPv6 Neighbor Discovery (ICMPv6 types 133 through 137) in the clear, because address resolution on the local link must work before any SA exists. The second rule exempts traffic to and from the system's own intranet address. The third rule binds the tunnel interface to ESP, so that everything sent through ip6.tun0 is protected. Rules are matched in order, so keep the ESP rule last. The 3DES and MD5 algorithms are shown to match the other procedures in this chapter; ipsecconf also accepts encr_algs aes and encr_auth_algs sha1, which are preferable where both peers support them.

    1. For example, on the enigma system, type the following entry into the ipsecinit.conf file:

      # IPv6 Neighbor Discovery messages bypass IPsec.
      {ulp ipv6-icmp type 133-137 dir both} pass {}
      
      # LAN traffic can bypass IPsec.
      {laddr 6000:6666::aaaa:1116 dir both} bypass {}
      
      # WAN traffic uses ESP with 3DES and MD5.
      {tunnel ip6.tun0 negotiate transport} 
       ipsec {encr_algs 3des encr_auth_algs md5}

    2. On the partym system, type the following entry into the ipsecinit.conf file:

      # IPv6 Neighbor Discovery messages bypass IPsec.
      {ulp ipv6-icmp type 133-137 dir both} pass {}
      
      # LAN traffic can bypass IPsec.
      {laddr 6000:3333::eeee:1113 dir both} bypass {}
      
      # WAN traffic uses ESP with 3DES and MD5.
      {tunnel ip6.tun0 negotiate transport} 
       ipsec {encr_algs 3des encr_auth_algs md5}

  5. On each system, configure a secure tunnel, ip6.tun0.

    1. For example, on the enigma system, type the following commands:

      # ifconfig ip6.tun0 inet6 plumb
      
      # ifconfig ip6.tun0 inet6 6000:6666::aaaa:1116 6000:3333::eeee:1113 \
      tsrc 2001::aaaa:6666:6666   tdst 2001::eeee:3333:3333

    2. On the partym system, type the following commands:

      # ifconfig ip6.tun0 inet6 plumb
      
      # ifconfig ip6.tun0 inet6  6000:3333::eeee:1113  6000:6666::aaaa:1116 \
      tsrc 2001::eeee:3333:3333   tdst 2001::aaaa:6666:6666

  6. On each system, turn on IP forwarding for the hme1 interface.

    # ifconfig hme1 router

  7. On each system, ensure that routing protocols do not advertise the default route within the intranet.

    # ifconfig hme0 private

  8. Manually add a default route over hme0.

    1. For example, on the enigma system, add the following route:

      # route add -inet6 default 2001::aaaa:0:4

    2. On the partym system, add the following route:

      # route add -inet6 default 2001::eeee:0:1

  9. Ensure that the VPN starts after a reboot by adding an entry to the /etc/hostname6.ip6.tun0 file.

    The entry replicates the parameters that were passed to the ifconfig command in Step 5.

    1. For example, on the enigma system, add the following entry to the hostname6.ip6.tun0 file:

      6000:6666::aaaa:1116  6000:3333::eeee:1113 \
      tsrc 2001::aaaa:6666:6666   tdst 2001::eeee:3333:3333  router up

    2. On the partym system, add the following entry to the hostname6.ip6.tun0 file:

      6000:3333::eeee:1113  6000:6666::aaaa:1116 \
      tsrc 2001::eeee:3333:3333   tdst 2001::aaaa:6666:6666  router up

  10. On each system, configure the interface files to pass the correct parameters to the routing daemon.

    1. On the enigma system, modify the /etc/hostname6.interface files so that the Internet interface (hme0) carries the private flag and the intranet interface (hme1) carries the router flag, matching Step 6 and Step 7.

      # cat /etc/hostname6.hme0
      2001::aaaa:6666:6666 inet6 private

      # cat /etc/hostname6.hme1
      6000:6666::aaaa:1116 inet6 router

    2. On the partym system, modify the /etc/hostname6.interface files in the same way.

      # cat /etc/hostname6.hme0
      2001::eeee:3333:3333 inet6 private

      # cat /etc/hostname6.hme1
      6000:3333::eeee:1113 inet6 router

  11. On each system, run a routing protocol. Routing was disabled in Step 2 so that no packets were forwarded before the policy existed; re-enable it now that the IPsec policy and the tunnel are in place.

    # routeadm -e ipv6-routing
    # routeadm -u
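The procedure above types the same six parameters into several files on two systems, and a transposed address in any one of them leaves the tunnel up but carrying no traffic. The following script is an added example, not part of the Sun guide: it derives each system's ipsecinit.conf fragment, hostname6.ip6.tun0 entry and Step 8 route from the parameter table, and it cross-checks a pair of hand-typed hostname6.ip6.tun0 entries for the two mistakes that most often break this setup, tsrc/tdst that do not mirror each other and intranet (LAN) addresses used as tunnel endpoints. The ENIGMA and PARTYM strings are the table's values; the function names and the check logic are this example's own. It runs in any POSIX shell on a workstation and does not touch a live Solaris system.

```shell
#!/bin/sh
# Added example, not from the Sun guide. Builds the per-system VPN
# configuration fragments from the parameter table and cross-checks a pair of
# /etc/hostname6.ip6.tun0 entries. Runs on any POSIX shell; no Solaris needed.

TUN=ip6.tun0
# Algorithms exactly as the procedure shows them.
ALGS="encr_algs 3des encr_auth_algs md5"

# Table parameters: name LAN-address WAN-address Internet-router-address
ENIGMA="enigma 6000:6666::aaaa:1116 2001::aaaa:6666:6666 2001::aaaa:0:4"
PARTYM="partym 6000:3333::eeee:1113 2001::eeee:3333:3333 2001::eeee:0:1"

# ipsecinit_conf "PARAMS": print /etc/inet/ipsecinit.conf for that system.
ipsecinit_conf() {
    set -- $1
    cat <<EOF
# IPv6 Neighbor Discovery messages bypass IPsec.
{ulp ipv6-icmp type 133-137 dir both} pass {}

# LAN traffic can bypass IPsec.
{laddr $2 dir both} bypass {}

# WAN traffic uses ESP.
{tunnel $TUN negotiate transport} ipsec {$ALGS}
EOF
}

# tun_line "LOCAL-PARAMS" "REMOTE-PARAMS": print the local system's
# /etc/hostname6.ip6.tun0 entry: local-LAN remote-LAN tsrc local-WAN tdst remote-WAN
tun_line() {
    set -- $1 $2
    printf '%s %s tsrc %s tdst %s router up\n' "$2" "$6" "$3" "$7"
}

# default_route "PARAMS": the Step 8 command for that system.
default_route() {
    set -- $1
    printf 'route add -inet6 default %s\n' "$4"
}

# field "LINE" KEY: the word that follows KEY in a tunnel entry, empty if absent.
field() {
    printf '%s\n' "$1" | awk -v k="$2" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }'
}

# check_pair "LINE-A" "LINE-B": return 0 only if the two entries describe one
# tunnel seen from its two ends: LAN pair mirrored, tsrc/tdst mirrored, and no
# LAN address used as a tunnel endpoint (ESP would be sent to an address the
# Internet cannot route).
check_pair() {
    a_lan=$(printf '%s\n' "$1" | awk '{ print $1, $2 }')
    b_lan=$(printf '%s\n' "$2" | awk '{ print $2, $1 }')
    a_src=$(field "$1" tsrc); a_dst=$(field "$1" tdst)
    b_src=$(field "$2" tsrc); b_dst=$(field "$2" tdst)
    [ -n "$a_src" ] && [ -n "$a_dst" ] && [ -n "$b_src" ] && [ -n "$b_dst" ] || return 1
    [ "$a_lan" = "$b_lan" ] || return 1
    [ "$a_src" = "$b_dst" ] && [ "$a_dst" = "$b_src" ] || return 1
    case " $a_lan " in *" $a_src "*|*" $a_dst "*) return 1 ;; esac
    return 0
}

# Show what each system gets, then run the mirror check on the generated pair.
for p in "$ENIGMA" "$PARTYM"; do
    set -- $p
    echo "== $1: /etc/inet/ipsecinit.conf"; ipsecinit_conf "$p"
    echo "== $1: Step 8"; default_route "$p"
done
echo "== enigma: /etc/hostname6.ip6.tun0"; tun_line "$ENIGMA" "$PARTYM"
echo "== partym: /etc/hostname6.ip6.tun0"; tun_line "$PARTYM" "$ENIGMA"
if check_pair "$(tun_line "$ENIGMA" "$PARTYM")" "$(tun_line "$PARTYM" "$ENIGMA")"; then
    echo "tunnel entries mirror each other"
else
    echo "tunnel entries do NOT mirror each other" >&2
fi
```

Paste the generated fragments into the files named in Steps 4, 8 and 9, then confirm on each Solaris system that the kernel loaded what you wrote: ipsecconf -l lists the active policy, ifconfig ip6.tun0 shows the tsrc and tdst addresses, and ipseckey dump shows whether the SAs from Step 3 exist for that address pair.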

Example 20-12   Using Deprecated Syntax to Configure IPsec in Transport Mode Over IPv6

In this example, an administrator is connecting a Solaris Express system with a system that is running the Solaris 10 release. Therefore, the administrator uses Solaris 10 syntax in the configuration file and includes the IPsec algorithms in the ifconfig command. The steps are performed in the same order, but use the Solaris 10 syntax. The commands shown are those for the enigma system.

  1. In Step 4, the syntax is the following, here for the enigma system (the laddr is enigma's intranet address):

    # IPv6 Neighbor Discovery messages bypass IPsec.
    {ulp ipv6-icmp type 133-137 dir both} pass {}
    
    # LAN traffic can bypass IPsec.
    {laddr 6000:6666::aaaa:1116 dir both} bypass {}
    
    # WAN traffic uses ESP with 3DES and MD5.
    {} ipsec {encr_algs 3des encr_auth_algs md5}

  2. For Step 5 to Step 7, the syntax is the following:

    # ifconfig ip6.tun0 inet6 plumb
    
    # ifconfig ip6.tun0 inet6 6000:6666::aaaa:1116 6000:3333::eeee:1113 \
    tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 \
    encr_algs 3des encr_auth_algs md5
    
    # ifconfig ip6.tun0 inet6 router up

    The IPsec policy that is passed to the ifconfig commands must be the same as the IPsec policy in the ipsecinit.conf file. Upon reboot, each system reads the ipsecinit.conf file for its policy.

  3. In Step 9, the syntax is the following:

    6000:6666::aaaa:1116  6000:3333::eeee:1113 \
    tsrc 2001::aaaa:6666:6666   tdst 2001::eeee:3333:3333 \
    encr_algs 3des encr_auth_algs md5 router up

Copyright 1994-2007 Sun Microsystems, Inc.