System Administration Guide: IP Services

How to Configure IKE With Pre-Shared Keys

  1. Become superuser on the system console.


    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.


  2. On each system, create an /etc/inet/ike/config file with global parameters and rules that permit the IPsec policy in ipsecinit.conf to succeed. For example,


    ### ike/config file on enigma, 192.168.66.1
    
    ## Global parameters
    #
    ## Phase 1 transform defaults
    p1_lifetime_secs 14400
    p1_nonce_len 40
    #
    ## Defaults that individual rules can override.
    p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
    p2_pfs 2
    #
    ## The rule to communicate with partym
    
    { label "Enigma-Partym"
      localid 192.168.66.1
      remoteid 192.168.55.2
      p1_xform
        { auth_method preshared  oakley_group 5  auth_alg md5  encr_alg des }
      p2_pfs 5
    }

    ### ike/config file on partym, 192.168.55.2
    ## Global Parameters
    #
    p1_lifetime_secs 14400
    p1_nonce_len 40
    #
    p1_xform
      { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
    p2_pfs 2
    
    ## The rule to communicate with enigma
    
    { label "Partym-Enigma"
      localid 192.168.55.2
      remoteid 192.168.66.1
      p1_xform
        { auth_method preshared  oakley_group 5  auth_alg md5  encr_alg des }
      p2_pfs 5
    }

    Note –

    These machine names are examples only. Use the names and addresses of your machines when securing traffic between them.


  3. On each machine, check the validity of the file:


    # /usr/lib/inet/in.iked -c -f /etc/inet/ike/config
    
  4. Generate random keys.

    On a Solaris system, you can use the od command. For example,


    # od -x </dev/random | head -4
    0000000 df97 6d2f 4ef5 2c28 02d5 02aa f9de 481d
    0000020 2ae8 b949 67e6 b9b0 dd16 e6d4 b7ea 7278
    0000040 ac07 7cc6 99c1 7055 848a 3cf3 4377 980a
    0000060 5ad7 5b40 b428 9f3a da20 7daa 65a4 83fe

  5. Create the file /etc/inet/secret/ike.preshared on each system and put the pre-shared key in each file.

    The encryption algorithm in this example (see Step 2) is DES, so the pre-shared key must be at least 64 bits. However, a longer key length is a good idea. For example,


    # ike.preshared on enigma, 192.168.66.1
    { localidtype IP
      localid 192.168.66.1
      remoteidtype IP
      remoteid 192.168.55.2
      # enigma and partym's shared key in hex (128 bits)
      key ac077cc699c17055848a3cf34377980a
    }

    # ike.preshared on partym, 192.168.55.2
    { localidtype IP
      localid 192.168.55.2
      remoteidtype IP
      remoteid 192.168.66.1
      # partym and enigma's shared key in hex (128 bits)
      key ac077cc699c17055848a3cf34377980a
    }

    Note –

    The pre-shared keys must be identical.


  6. On each system, add the address and host name for the other system in the /etc/hosts file. For example,

    On a system named partym:


    # Secure communication with enigma 
    192.168.66.1 enigma

    On a system named enigma:


    # Secure communication with partym 
    192.168.55.2 partym

  7. On each system, edit the /etc/inet/ipsecinit.conf file by adding the following lines:

    On enigma:


    {laddr enigma raddr partym} ipsec {auth_algs any sa shared}

    On partym:


    {laddr partym raddr enigma} ipsec {auth_algs any sa shared}

  8. Enable secure communication by rebooting each system.


    # /usr/sbin/reboot
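Step 5 requires that the two ike.preshared files mirror each other's IDs and carry an identical key of sufficient length; a mismatch only shows up later as a failed Phase 1 negotiation. The following checker, an added example and not part of the Solaris guide, parses the two files' contents (embedded here as constructed strings copied from the example above) and reports any inconsistency before you reboot. The 64-bit minimum is the DES figure stated in Step 5; pass a larger min_bits for a stronger cipher.

```python
import re

# Constructed copies of the two ike.preshared files from the procedure above.
ENIGMA_PRESHARED = """\
# ike.preshared on enigma, 192.168.66.1
{ localidtype IP
  localid 192.168.66.1
  remoteidtype IP
  remoteid 192.168.55.2
  # enigma and partym's shared key in hex (128 bits)
  key ac077cc699c17055848a3cf34377980a
}
"""

PARTYM_PRESHARED = """\
# ike.preshared on partym, 192.168.55.2
{ localidtype IP
  localid 192.168.55.2
  remoteidtype IP
  remoteid 192.168.66.1
  key ac077cc699c17055848a3cf34377980a
}
"""


def parse_preshared(text):
    """Return one dict of keyword -> value per { ... } block, comments stripped."""
    entries = []
    for block in re.findall(r"\{(.*?)\}", text, re.S):
        tokens = re.sub(r"#[^\n]*", "", block).split()   # drop '# ...' comments
        if len(tokens) % 2:
            raise ValueError("ike.preshared block has a keyword without a value")
        entries.append(dict(zip(tokens[0::2], tokens[1::2])))
    return entries


def check_pair(local_text, remote_text, min_bits=64):
    """Cross-check two ike.preshared files; an empty list means they are consistent."""
    local, remote = parse_preshared(local_text), parse_preshared(remote_text)
    if len(local) != 1 or len(remote) != 1:
        return ["expected exactly one entry in each file"]
    a, b = local[0], remote[0]
    problems = []
    if a.get("localid") != b.get("remoteid") or a.get("remoteid") != b.get("localid"):
        problems.append("localid/remoteid are not mirrored between the two files")
    for side, entry in (("local", a), ("remote", b)):
        key = entry.get("key", "")
        if not re.fullmatch(r"[0-9a-fA-F]+", key) or len(key) % 2:
            problems.append(f"{side}: key is not an even-length hex string")
        elif len(key) * 4 < min_bits:           # each hex digit carries 4 bits
            problems.append(f"{side}: key is {len(key) * 4} bits, below minimum {min_bits}")
    if a.get("key", "").lower() != b.get("key", "").lower():
        problems.append("pre-shared keys differ")
    return problems
```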