Sun Cluster Software Installation Guide for Solaris OS

ProcedureHow to Configure IP Security Architecture (IPsec) on the Cluster Private Interconnect

You can configure IP Security Architecture (IPsec) for the clprivnetinterface to provide secure TCP/IP communication on the cluster interconnect.

For information about IPsec, see Part IV, IP Security, in System Administration Guide: IP Services and the ipsecconf(1M) man page. For information about the clprivnet interface, see the clprivnet(7) man page.

Perform this procedure on each global-cluster voting node that you want to configure to use IPsec.

  1. Become superuser.

  2. On each node, determine the IP address of the clprivnet interface of the node.

    phys-schost# ifconfig clprivnet0
  3. On each node, configure the /etc/inet/ipsecinit.conf policy file and add Security Associations (SAs) between each pair of private-interconnect IP addresses that you want to use IPsec.

    Follow the instructions in How to Secure Traffic Between Two Systems With IPsec in System Administration Guide: IP Services. In addition, observe the following guidelines:

    • Ensure that the values of the configuration parameters for these addresses are consistent on all the partner nodes.

    • Configure each policy as a separate line in the configuration file.

    • To implement IPsec without rebooting, follow the instructions in the procedure's example, Securing Traffic With IPsec Without Rebooting.

    For more information about the sa unique policy, see the ipsecconf(1M) man page.

    1. In each file, add one entry for each clprivnet IP address in the cluster to use IPsec.

      Include the clprivnet IP address of the local node.

    2. If you use VNICs, also add one entry for the IP address of each physical interface that is used by the VNICs.

    3. (Optional) To enable striping of data over all links, include the sa unique policy in the entry.

      This feature helps the driver to optimally utilize the bandwidth of the cluster private network, which provides a high granularity of distribution and better throughput. The clprivnetinterface uses the Security Parameter Index (SPI) of the packet to stripe the traffic.

  4. On each node, edit the /etc/inet/ike/config file to set the p2_idletime_secs parameter.

    Add this entry to the policy rules that are configured for cluster transports. This setting provides the time for security associations to be regenerated when a cluster node reboots, and limits how quickly a rebooted node can rejoin the cluster. A value of 30 seconds should be adequate.

    phys-schost# vi /etc/inet/ike/config
        label "clust-priv-interconnect1-clust-priv-interconnect2"
    p2_idletime_secs 30
Next Steps

Determine from the following list the next task to perform that applies to your cluster configuration. If you need to perform more than one task from this list, go to the first of those tasks in this list.