Sun Cluster Software Installation Guide for Solaris OS

Procedure: How to Configure IP Security Architecture (IPsec) on the Cluster Interconnect

You can configure IP Security Architecture (IPsec) for the clprivnet interface to provide secure communication on the cluster interconnect. For information about IPsec, see Part IV, IP Security, in System Administration Guide: IP Services and the ipsecconf(1M) man page. For information about the clprivnet interface, see the clprivnet(7) man page.

Perform this procedure on each global-cluster voting node that you want to configure to use IPsec.

  1. Become superuser.

  2. On each node, determine the IP address of the clprivnet interface of the node.


    phys-schost# ifconfig clprivnet0
    
  3. On each node, configure the /etc/inet/ipsecinit.conf policy file and add Security Associations (SAs) between each pair of clprivnet IP addresses that you want to use IPsec.

    Follow the instructions in How to Secure Traffic Between Two Systems With IPsec in System Administration Guide: IP Services.


    Note –

    To implement IPsec without rebooting, follow the instructions in the procedure's example, Securing Traffic With IPsec Without Rebooting.


    Observe the following guidelines when you add entries to the configuration file:

    • In each file, add one entry for each clprivnet IP address to use IPsec, including the clprivnet IP address of the local node.

    • Configure each policy as a separate line in the configuration file.

    • Ensure that the values of the configuration parameters for these addresses are consistent on all the partner nodes.

    • To enable striping of data over all links, include the sa unique policy in the entry. This feature helps the driver to optimally utilize the bandwidth of the cluster private network, which provides a high granularity of distribution and better throughput. The clprivnet interface uses the Security Parameter Index (SPI) of the packet to stripe the traffic. For more information about the sa unique policy, see the ipsecconf(1M) man page.
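One way to check copies of the finished policy files against the guidelines above, as an added example that is not part of the original guide. The clprivnet addresses, the laddr/raddr entry layout, the algorithms, and the function names check_policy and policy_params are assumptions made for illustration; the script needs a grep that supports -F and -w and an awk that supports -v and gsub.

```sh
#!/bin/sh
# Added example, not from the guide. Checks a copy of an ipsecinit.conf file
# against the guidelines above. Addresses and entries below are constructed.

# check_policy FILE ADDR...: print one line per problem; return 1 if any.
check_policy() {
    file=$1; shift; status=0
    for addr in "$@"; do
        # Non-comment lines that name this clprivnet address as a whole word.
        lines=$(grep -v '^[[:space:]]*#' "$file" | grep -Fw -- "$addr") || true
        if [ -z "$lines" ]; then
            echo "$addr: no policy entry"; status=1; continue
        fi
        out=$(printf '%s\n' "$lines" | awk -v a="$addr" '
            { o = gsub(/[{]/, "&"); c = gsub(/[}]/, "&") }
            o != c || o < 2        { print a ": entry is not on one line: " $0 }
            $0 !~ /sa[ \t]+unique/ { print a ": sa unique is not set: " $0 }')
        if [ -n "$out" ]; then echo "$out"; status=1; fi
    done
    return $status
}

# policy_params FILE: the distinct ipsec property sets, whitespace-normalized,
# so that the output can be compared between partner nodes.
policy_params() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n 's/.*ipsec[[:space:]]*{\([^}]*\)}.*/\1/p' |
        tr -s ' \t' ' ' | sed 's/^ //; s/ $//' | sort -u
}

# Constructed sample: node 1 follows the guidelines, node 2 uses a different
# encryption algorithm and omits sa unique.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/node1.conf" <<'EOF'
# clprivnet policy, node 1
{laddr 172.16.4.1 raddr 172.16.4.2} ipsec {encr_algs aes encr_auth_algs sha1 sa unique}
EOF
cat > "$demo/node2.conf" <<'EOF'
{laddr 172.16.4.2 raddr 172.16.4.1} ipsec {encr_algs 3des encr_auth_algs sha1}
EOF

for n in node1 node2; do
    echo "== $n"
    check_policy "$demo/$n.conf" 172.16.4.1 172.16.4.2 || echo "$n: fix the entries above"
done
[ "$(policy_params "$demo/node1.conf")" = "$(policy_params "$demo/node2.conf")" ] ||
    echo "ipsec parameters differ between node1 and node2"
```

The address check only confirms that each address is named by at least one entry; it does not validate the entry with ipsecconf.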

Next Steps

Determine from the following list the next task to perform that applies to your cluster configuration. If you need to perform more than one task from this list, go to the first of those tasks in this list.