test

IPsec and IKE Administration Guide

How to Manually Create IPsec Security Associations

Although manual management of IPsec security associations (SAs) is not recommended for security reasons, you can do so. The following procedure works with the procedure, How to Secure Traffic Between Two Systems. You first create SAs with the ipseckey command. You then place the keying material in the ipseckeys file.

  1. Generate the keying material for the SAs.

    You need three hexadecimal random numbers for outbound traffic, and three hexadecimal random numbers for inbound traffic. Therefore, one system needs to generate the following numbers:

    • Two hexadecimal random numbers as the value for the spi keyword. One number is for outbound traffic. One number is for inbound traffic. Each number can be up to eight characters long.

    • Two hexadecimal random numbers for the MD5 algorithm for AH. Each number must be 32 characters long. One number is for dst enigma. One number is for dst partym.

    • Two hexadecimal random numbers for the 3DES algorithm for ESP. For a 192-bit key, each number must be 48 characters long. One number is for dst enigma. One number is for dst partym.

    If you have a random number generator at your site, use the generator. You can also use the od command. See How to Generate Random Numbers for the procedure.

  2. On the system console on one of the systems, become superuser or assume an equivalent role.

    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.

  3. Enable the ipseckey command mode:


    # ipseckey

>

    The > prompt indicates that you are in ipseckey command mode.

  4. If you are replacing existing SAs, flush the current SAs.


    > flush
>

    To prevent an adversary from having time to break your SAs, you need to replace the keying material.

    Note –

    You must coordinate key replacement on communicating systems. When you replace the SAs on one system, the SAs must also be replaced on the remote system.

  5. To create SAs, type the following command.

    You also use this syntax to replace SAs that you have just flushed.


    > add protocol spi random-hex-string \
src addr dst addr2 \
protocol-prefix_alg protocol-algorithm  \
protocol-prefixkey random-hex-string-of-algorithm-specified-length
    random-hex-string

    Specifies a random number of up to eight characters in hexadecimal format. Precede the characters with 0x. If you enter more numbers than the security parameter index (SPI) accepts, the system ignores the extra numbers. If you enter fewer numbers than the SPI accepts, the system pads your entry.

    protocol

    Specifies either esp or ah.

    addr

    Specifies the IP address of one system.

    addr2

    Specifies the IP address of the peer system of addr.

    protocol-prefix

    Specifies one of encr or auth. The encr prefix is used with the esp protocol. The auth prefix is used with the ah protocol. The option encr_auth_alg is used with the esp protocol.

    protocol-algorithm

    Specifies an algorithm for ESP or AH. Each algorithm requires a key of a specific length.

    Authentication algorithms include MD5 and SHA. Encryption algorithms include 3DES and AES.

    random-hex-string-of-algorithm-specified-length

    Specifies a random hexadecimal number of the length that is required by the algorithm. For example, the MD5 algorithm requires a 32-character string for its 128-bit key. The 3DES algorithm requires a 48-character string for its 192-bit key.

    1. For example, on the enigma system, type the following commands to protect outbound packets. Use the random numbers that you generated in Step 1.


      > add esp spi 0x8bcd1407 \
src 192.168.116.16 dst 192.168.13.213 \
encr_alg 3DES \
encrkey d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d

> add ah spi 0x18907dae \
src 192.168.116.16 dst 192.168.13.213 \
auth_alg MD5 \
authkey e896f8df7f78d6cab36c94ccf293f031

>
      Note –

      The peer system must use the same keying material.

    2. Still in ipseckey command mode on the enigma system, type the following commands to protect inbound packets:


      > add esp spi 0x122a43e4 \
src 192.168.13.213 dst 192.168.116.16 \
encr_alg 3des \
encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e

> add ah spi 0x91825a77 \
src 192.168.13.213 dst 192.168.116.16 \
auth_alg md5 \
authkey ad9ced7ad5f255c9a8605fba5eb4d2fd

>
      Note –

      The keys and SPI can be different for each SA. You should assign different keys and a different SPI for each SA.

  6. To exit ipseckey command mode, press Control-D or type quit.

  7. To ensure that the keying material is available to IPsec at reboot, add the keying material to the /etc/inet/secret/ipseckeys file.

    The lines of the /etc/inet/secret/ipseckeys file are identical to the command line language.

    1. For example, the /etc/inet/secret/ipseckeys file on the enigma system would appear similar to the following:


      # ipseckeys - This file takes the file format documented in 
#   ipseckey(1m).
#   Note that naming services might not be available when this file
#   loads, just like ipsecinit.conf.
#
# for outbound packets on enigma
add esp spi 0x8bcd1407 \
   src 192.168.116.16 dst 192.168.13.213  \
   encr_alg 3DES \
   encrkey  d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d
#
add ah spi  0x18907dae \
   src 192.168.116.16 dst 192.168.13.213 \
   auth_alg MD5  \
   authkey  e896f8df7f78d6cab36c94ccf293f031
#
# for inbound packets
add esp spi 0x122a43e4 \
   src 192.168.13.213 dst 192.168.116.16 \
   encr_alg 3DES \
   encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e
#
add ah spi  0x91825a77 \
   src 192.168.13.213 dst 192.168.116.16 \
   auth_alg MD5  \
   authkey  ad9ced7ad5f255c9a8605fba5eb4d2fd

    2. Protect the file with read-only permissions.


      # chmod 400 /etc/inet/secret/ipseckeys

  8. Repeat Step 2 through Step 7 on the partym system. Use the same keying material that was used on enigma.

    The keying material on the two systems must be identical. As shown in the following example, only the comments in the ipseckeys file differ. The comments differ because dst enigma is inbound on the enigma system, and outbound on the partym system.


    # partym ipseckeys file
#
#for inbound packets
add esp spi 0x8bcd1407 \
   src 192.168.116.16 dst 192.168.13.213  \
   encr_alg 3DES \
   encrkey  d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d
#
add ah spi  0x18907dae \
   src 192.168.116.16 dst 192.168.13.213 \
   auth_alg MD5  \
   authkey  e896f8df7f78d6cab36c94ccf293f031
#
# for outbound packets
add esp spi 0x122a43e4 \
   src 192.168.13.213 dst 192.168.116.16 \
   encr_alg 3DES \
   encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e
#
add ah spi  0x91825a77 \
   src 192.168.13.213 dst 192.168.116.16 \
   auth_alg MD5  \
   authkey  ad9ced7ad5f255c9a8605fba5eb4d2fd