How to Apply IPsec Protections in <meta http-equiv="refresh" content="0;url='http://www.oracle.com/pls/topic/lookup?ctx=solaris11'"> a Multilevel Trusted Extensions Network (Solaris Trusted Extensions Administrator's Procedures)

Solaris Trusted Extensions Administrator's Procedures

How to Apply IPsec Protections in a Multilevel Trusted Extensions Network

In this procedure, you configure IPsec on two Trusted Extensions systems to handle the following conditions:

The two systems, enigma and partym, are multilevel Trusted Extensions systems that are operating in a multilevel network.
Application data is encrypted and protected against unauthorized change within the network.
The security label of the data is visible in the form of a CIPSO IP option for use by multilabel routers and security devices on the path between the enigma and partym systems.
The security labels that enigma and partym exchange are protected against unauthorized changes.

Before You Begin

You must be in the Security Administrator role in the global zone.

Define the enigma and partym systems' IP addresses as multilevel addresses.

Follow the procedures in Configuring Trusted Network Databases (Task Map). Use a template with a CIPSO host type.

Configure IPsec for the enigma and partym systems.

For the procedure, see How to Secure Traffic Between Two Systems With IPsec in System Administration Guide: IP Services. Use IKE for key management, as described in the following step.

Add labels to IKE negotiations.

Follow the procedure in How to Configure IKE With Preshared Keys in System Administration Guide: IP Services, then modify the ike/config file as follows:

Add the keywords label_aware, multi_label, and wire_label inner to the enigma system's /etc/inet/ike/config file.

The resulting file appears similar to the following. The label additions are highlighted.

	### ike/config file on enigma, 192.168.116.16
	## Global parameters
	#
        ## Phase 1 transform defaults
	p1_lifetime_secs 14400
	p1_nonce_len 40
	#
        ## Use IKE to exchange security labels.
	label_aware
  #
        ## Defaults that individual rules can override.
	p1_xform
          { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
	p2_pfs 2
	#
  ## The rule to communicate with partym
      # Label must be unique
	{ label "enigma-partym"
          local_addr 192.168.116.16
          remote_addr 192.168.13.213
          multi_label
          wire_label inner
          p1_xform
           { auth_method preshared oakley_group 5 auth_alg md5 encr_alg aes }
          p2_pfs 5
	}

Add the same keywords to the ike/config file on the partym system.

	### ike/config file on partym, 192.168.13.213
	## Global Parameters
	#
        p1_lifetime_secs 14400
	p1_nonce_len 40
	#
        ## Use IKE to exchange security labels.
	label_aware
	#
        p1_xform
          { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
	p2_pfs 2
	## The rule to communicate with enigma
	# Label must be unique
	{ label "partym-enigma"
          local_addr 192.168.13.213
          remote_addr 192.168.116.16
          multi_label
          wire_label inner
	p1_xform
           { auth_method preshared oakley_group 5 auth_alg md5 encr_alg aes }
        p2_pfs 5
	}

If AH protection of CIPSO IP options cannot be used on the network, use ESP authentication.

Use encr_auth_algs rather than auth_algs in the /etc/inet/ipsecinit.conf file to handle authentication. ESP authentication does not cover the IP header and IP options, but will authenticate all information after the ESP header.
{laddr enigma raddr partym} ipsec {encr_algs any encr_auth_algs any sa shared}
Note –
You can also add labels to systems that are protected by certificates. Public key certificates are managed in the global zone on Trusted Extensions systems. Modify the ike/config files similarly when completing the procedures in Configuring IKE With Public Key Certificates in System Administration Guide: IP Services.