How to Configure a Tunnel Across an Untrusted <meta http-equiv="refresh" content="0;url='http://www.oracle.com/pls/topic/lookup?ctx=solaris11'"> Network (Solaris Trusted Extensions Administrator's Procedures)

Solaris Trusted Extensions Administrator's Procedures

How to Configure a Tunnel Across an Untrusted Network

This procedure configures an IPsec tunnel across a public network between two Trusted Extensions VPN gateway systems. The example that is used in this procedure is based on the configuration that is illustrated in Description of the Network Topology for the IPsec Tasks to Protect a VPN in System Administration Guide: IP Services.

Assume the following modifications to the illustration:

The net 10 networks are multilevel trusted networks. CIPSO IP option security labels are visible on these LANs.
The net 192.168 networks are single-label untrusted networks that operate at the PUBLIC label. These networks do not support CIPSO IP options.
Labeled traffic between enigma and partym is protected against unauthorized changes.

Before You Begin

You must be in the Security Administrator role in the global zone.

Follow the procedures in Configuring Trusted Network Databases (Task Map) to define the following:
1. Define net 10.0.0.0/8 IP addresses as multilevel.
  
  Use a template with a cipso host type. Set the label range from ADMIN_LOW to ADMIN_HIGH.
2. Define net 192.168.0.0/16 IP addresses as unlabeled at label PUBLIC.
  
  Use a template with an unlabeled host type. Set the default label to be PUBLIC.
3. Define Calif-vpn and Euro-vpn Internet facing addresses 192.168.13.213 and 192.168.116.16 as multilevel.
  
  Use a template with a cipso host type. Set the label range from ADMIN_LOW to ADMIN_HIGH.

Create an IPsec tunnel.

Follow the procedure in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4 in System Administration Guide: IP Services. Use IKE for key management, as described in the following step.

Add labels to IKE negotiations.

Follow the procedure in How to Configure IKE With Preshared Keys in System Administration Guide: IP Services, then modify the ike/config file as follows:

Add the keywords label_aware, multi_label, and wire_label none PUBLIC to the enigma system's /etc/inet/ike/config file.

The resulting file appears similar to the following. The label additions are highlighted.

        ### ike/config file on enigma, 192.168.116.16
	## Global parameters
	#
        ## Phase 1 transform defaults
	p1_lifetime_secs 14400
	p1_nonce_len 40
	#
        ## Use IKE to exchange security labels.
	label_aware
	#
        ## Defaults that individual rules can override.
	p1_xform
          { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
	p2_pfs 2
	#
   ## The rule to communicate with partym
       # Label must be unique
	{ label "enigma-partym"
          local_addr 192.168.116.16
          remote_addr 192.168.13.213
          multi_label
          wire_label none PUBLIC
          p1_xform
           { auth_method preshared oakley_group 5 auth_alg md5 encr_alg aes }
          p2_pfs 5
        }

Add the same keywords to the ike/config file on the partym system.

	### ike/config file on partym, 192.168.13.213
	## Global Parameters
	#
        p1_lifetime_secs 14400
	p1_nonce_len 40
	#
        ## Use IKE to exchange security labels.
	label_aware
	#
        p1_xform
          { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
	p2_pfs 2
	## The rule to communicate with enigma
	# Label must be unique
	{ label "partym-enigma"
          local_addr 192.168.13.213
          remote_addr 192.168.116.16
          multi_label
          wire_label none PUBLIC
	p1_xform
           { auth_method preshared oakley_group 5 auth_alg md5 encr_alg aes }
        p2_pfs 5
	}

Note –

You can also add labels to systems that are protected by certificates. Modify the ike/config files similarly when completing the procedures in Configuring IKE With Public Key Certificates in System Administration Guide: IP Services.