Open HA Cluster Installation Guide

Procedure: How to Configure IP Security Architecture (IPsec) on the Cluster Private Interconnect

You can configure IP Security Architecture (IPsec) for the private-interconnect interface to provide secure TCP/IP communication on the cluster interconnect.

For information about IPsec, see Part IV, IP Security, in System Administration Guide: IP Services and the ipsecconf(1M) man page. For information about the clprivnet interface, see the clprivnet(7) man page.

Perform this procedure on each cluster node that you want to configure to use IPsec.

  1. Become superuser.

    Alternatively, if your user account is assigned the Primary Administrator profile, execute commands as a non-root user through a profile shell, or prefix each command with the pfexec command.

  2. On each node, determine the IP address of the clprivnet interface.


    phys-schost# ifconfig clprivnet0
    
  3. If you use virtual NICs (VNICs) to route private interconnect communication over the public network, also determine the IP address of the physical interfaces that the VNICs use.

    1. Display the status of all transport paths in the cluster and the physical interfaces that are used.

      Output is similar to the following:


      phys-schost# /usr/cluster/bin/clinterconnect status
      -- Cluster Transport Paths --
      
                         Endpoint                Endpoint                Status
                         --------                --------                ------
        Transport path:  phys-schost-1:adapter1  phys-schost-2:adapter1  Path online
        Transport path:  phys-schost-1:adapter2  phys-schost-2:adapter2  Path online
    2. Identify the IP address of each interface that is used on each node.


      phys-schost-1# ifconfig adapter
      phys-schost-2# ifconfig adapter
      
  4. On each node, configure the /etc/inet/ipsecinit.conf policy file and add Security Associations (SAs) between each pair of private-interconnect IP addresses for which you want to use IPsec.

    Follow the instructions in How to Secure Traffic Between Two Systems With IPsec in System Administration Guide: IP Services. In addition, observe the following guidelines:

    • Ensure that the values of the configuration parameters for these addresses are consistent on all the partner nodes.

    • Configure each policy as a separate line in the configuration file.

    • To implement IPsec without rebooting, follow the instructions in the procedure's example, Securing Traffic With IPsec Without Rebooting.

    For more information about the sa unique policy, see the ipsecconf(1M) man page.

    1. In each file, add one entry for each clprivnet IP address in the cluster that is to use IPsec.

      Include the clprivnet private-interconnect IP address of the local node.

    2. If you use VNICs, also add one entry for the IP address of each physical interface that is used by the VNICs.

    3. (Optional) To enable striping of data over all links, include the sa unique policy in the entry.

      This feature helps the driver to optimally utilize the bandwidth of the cluster private network, which provides a high granularity of distribution and better throughput. The private-interconnect interface uses the Security Parameter Index (SPI) of the packet to stripe the traffic.

  5. On each node, edit the /etc/inet/ike/config file to set the p2_idletime_secs parameter.

    Add this entry to the policy rules that are configured for cluster transports. This setting provides the time for security associations to be regenerated when a cluster node reboots, and limits how quickly a rebooted node can rejoin the cluster. A value of 30 seconds should be adequate.


    phys-schost# vi /etc/inet/ike/config
    …
    {
        label "clust-priv-interconnect1-clust-priv-interconnect2"
    …
    p2_idletime_secs 30
    }
    …
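The following script is an added example and is not part of the Open HA Cluster guide or the Solaris cluster software. It shows what steps 4 and 5 produce and checks the guideline that partner nodes must agree on the parameters for each address pair: it generates the per-node ipsecinit.conf entries for a full mesh of clprivnet addresses (one policy per line, carrying sa unique), compares the entry each node holds for a given pair, and reads p2_idletime_secs back out of the labelled ike/config rule. All addresses, algorithm choices, file names and the rule label are constructed for the example; the entry syntax follows ipsecconf(1M).

```shell
#!/bin/sh
# Added example, not from the Open HA Cluster guide. Generates the
# per-node /etc/inet/ipsecinit.conf entries for a full mesh of clprivnet
# addresses, checks that partner nodes carry matching parameters for each
# pair, and reads p2_idletime_secs back out of an ike/config rule.
# All addresses, algorithms, file names and labels below are constructed.
set -eu

# Parameters every entry must carry; "sa unique" enables striping (step 4c).
IPSEC_ACTION='encr_algs aes encr_auth_algs sha256 sa unique'

# gen_policies LOCAL ADDR... : one policy line per remote clprivnet address
# (one policy per line, as the guide requires); the local address is skipped.
gen_policies() {
    local_addr=$1; shift
    for remote in "$@"; do
        if [ "$remote" != "$local_addr" ]; then
            printf '{laddr %s raddr %s} ipsec {%s}\n' \
                "$local_addr" "$remote" "$IPSEC_ACTION"
        fi
    done
}

# policy_action FILE LADDR RADDR : print the normalised "ipsec {...}" body
# for that address pair (comments stripped, whitespace collapsed), or nothing.
policy_action() {
    l=$(printf '%s' "$2" | sed 's/\./\\./g')
    r=$(printf '%s' "$3" | sed 's/\./\\./g')
    sed -e 's/#.*//' "$1" | tr -s ' \t' ' ' |
        sed -n "s/^ *{ *laddr $l raddr $r *} *ipsec *{\(.*\)} *\$/\1/p" |
        sed -e 's/^ *//' -e 's/ *$//'
}

# check_pair FILE_A ADDR_A FILE_B ADDR_B : 0 when both nodes hold an entry
# for the pair and the bodies agree; 1 when one is missing or they differ.
check_pair() {
    a=$(policy_action "$1" "$2" "$4")
    b=$(policy_action "$3" "$4" "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "MISSING entry: $2 <-> $4" >&2
        return 1
    fi
    if [ "$a" != "$b" ]; then
        echo "MISMATCH $2 <-> $4: '$a' vs '$b'" >&2
        return 1
    fi
}

# audit_mesh FILE:ADDR ... : check every unordered pair of nodes once.
audit_mesh() {
    rc=0
    while [ $# -gt 1 ]; do
        x=$1; shift
        for y in "$@"; do
            check_pair "${x%%:*}" "${x#*:}" "${y%%:*}" "${y#*:}" || rc=1
        done
    done
    return $rc
}

# ike_p2_idletime FILE LABEL : print the p2_idletime_secs value of the
# ike/config rule carrying that label (nested braces such as p1_xform are
# handled by depth counting); prints nothing if the rule lacks the setting.
ike_p2_idletime() {
    awk -v lbl="label \"$2\"" '
    {
        n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            if (c == "{") { if (depth == 0) buf = ""; depth++ }
            buf = buf c
            if (c == "}") {
                depth--
                if (depth == 0 && index(buf, lbl)) print buf
            }
        }
        buf = buf "\n"
    }' "$1" | sed -n 's/.*p2_idletime_secs[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Constructed sample files for a three-node cluster.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
NODES='172.16.4.1 172.16.4.2 172.16.4.3'
gen_policies 172.16.4.1 $NODES > "$TMP/node1.conf"
gen_policies 172.16.4.2 $NODES > "$TMP/node2.conf"
# node3 was edited by hand (constructed): its entry toward node2 drifted.
cat > "$TMP/node3.conf" <<'EOF'
# clprivnet peers
{laddr 172.16.4.3 raddr 172.16.4.1}   ipsec   {encr_algs aes encr_auth_algs sha256 sa unique}
{laddr 172.16.4.3 raddr 172.16.4.2} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}
EOF
cat > "$TMP/ike.config" <<'EOF'
{
    label "clust-priv-interconnect1-clust-priv-interconnect2"
    local_addr 172.16.4.1
    remote_addr 172.16.4.2
    p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg aes }
    p2_idletime_secs 30
}
EOF

if audit_mesh "$TMP/node1.conf:172.16.4.1" "$TMP/node2.conf:172.16.4.2" \
              "$TMP/node3.conf:172.16.4.3"; then
    echo "all clprivnet pairs consistent"
else
    echo "policy drift found; fix the files before running ipsecconf -a" >&2
fi
echo "cluster rule p2_idletime_secs: $(ike_p2_idletime "$TMP/ike.config" \
     clust-priv-interconnect1-clust-priv-interconnect2)"
```

Run it on copies of each node's ipsecinit.conf (one FILE:ADDR argument per node) before loading the policy with ipsecconf; any MISSING or MISMATCH line names the pair whose partner nodes disagree. The comparison is textual after whitespace normalisation, so the parameters inside the ipsec {...} body must be written in the same order on every node.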
Next Steps

Configure the data services that you want to run on your cluster. Go to Configuring Data Services.