Protecting Traffic With IPsec

This section provides procedures that enable you to secure traffic between two systems and to secure a web server. To protect a VPN, see Protecting a VPN With IPsec. For additional procedures to manage IPsec and to use SMF commands with IPsec and IKE, see Managing IPsec and IKE.

The following information applies to all IPsec configuration tasks:

IPsec and zones – To manage IPsec policy and keys for a shared-IP non-global zone, create the IPsec policy file in the global zone, and run the IPsec configuration commands from the global zone. Use the source address that corresponds to the non-global zone that is being configured. For an exclusive-IP zone, you configure IPsec policy in the non-global zone.
IPsec and RBAC – To use roles to administer IPsec, see Chapter 9, Using Role-Based Access Control (Tasks), in Oracle Solaris Administration: Security Services. For an example, see How to Configure a Role for Network Security.
IPsec and SCTP – IPsec can be used to protect Streams Control Transmission Protocol (SCTP) associations, but caution must be used. For more information, see IPsec and SCTP.
IPsec and Trusted Extensions labels – On systems that are configured with the Trusted Extensions feature of Oracle Solaris, labels can be added to IPsec packets. For more information, see Administration of Labeled IPsec in Trusted Extensions Configuration and Administration.
IPv4 and IPv6 addresses – The IPsec example in this guide use IPv4 addresses. Oracle Solaris supports IPv6 addresses as well. To configure IPsec for an IPv6 network, substitute IPv6 addresses in the examples. When protecting tunnels with IPsec, you can mix IPv4 and IPv6 addresses for the inner and outer addresses. Such a configuration enables you to tunnel IPv6 over an IPv4 network, for example.

The following task map points to procedures that set up IPsec between one or more systems. The ipsecconf(1M), ipseckey(1M), and ipadm(1M) man pages also describe useful procedures in their respective Examples sections.

Task	Description	For Instructions
Secure traffic between two systems.	Protects packets from one system to another system.	How to Secure Traffic Between Two Systems With IPsec
Secure a web server by using IPsec policy.	Requires non-web traffic to use IPsec. Web clients are identified by particular ports, which bypass IPsec checks.	How to Use IPsec to Protect a Web Server From Nonweb Traffic
Display IPsec policies.	Displays the IPsec policies that are currently being enforced, in the order of enforcement.	How to Display IPsec Policies
Use IKE to automatically create keying material for IPsec SAs.	Provides the raw data for security associations.	Configuring IKE (Task Map)
Set up a secure virtual private network (VPN).	Sets up IPsec between two systems across the Internet.	Protecting a VPN With IPsec

How to Secure Traffic Between Two Systems With IPsec

This procedure assumes the following setup:

The two systems are named enigma and partym.
Each system has an IP address. This can be an IPv4 address, an IPv6 address, or both.
Each system requires ESP encryption with the AES algorithm, which requires a key of 128 bits, and ESP authentication with a SHA-2 message digest, which requires a key of 512 bits.
Each system uses shared security associations.

With shared SAs, only one pair of SAs is needed to protect the two systems.

Note - To use IPsec with labels on a Trusted Extensions system, see the extension of this procedure in How to Apply IPsec Protections in a Multilevel Trusted Extensions Network in Trusted Extensions Configuration and Administration.

Before You Begin

IPsec policy can be configured in the global zone or in an exclusive-IP stack zone. The policy for a shared-IP stack zone must be configured in the global zone. For an exclusive-IP zone, you configure IPsec policy in the non-global zone.

Become an administrator.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services. If you log in remotely, use the ssh command for a secure remote login. For an example, see Example 15-1.
On each system, add host entries to the /etc/inet/hosts file.
This step enables the Service Management Facility (SMF) to use the system names without depending on nonexistent naming services. For more information, see the smf(5) man page.
1. On a system that is named partym, type the following in the hosts file:
```
# Secure communication with enigma
192.168.116.16 enigma
```
2. On a system that is named enigma, type the following in the hosts file:
```
# Secure communication with partym
192.168.13.213 partym
```
On each system, create the IPsec policy file.
The file name is /etc/inet/ipsecinit.conf. For an example, see the /etc/inet/ipsecinit.sample file.
Add an IPsec policy entry to the ipsecinit.conf file.
1. On the enigma system, add the following policy:
```
{laddr enigma raddr partym} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
```
2. On the partym system, add the identical policy:
```
{laddr partym raddr enigma} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
```
  For the syntax of IPsec policy entries, see the ipsecconf(1M) man page.
On each system, configure IKE to add a pair of IPsec SAs between the two systems.
Configure IKE by following one of the configuration procedures in Configuring IKE (Task Map). For the syntax of the IKE configuration file, see the ike.config(4) man page.

Note - If you must generate and maintain your keys manually, see How to Manually Create IPsec Keys.
Verify the syntax of the IPsec policy file.
```
# ipsecconf -c -f /etc/inet/ipsecinit.conf
```
Fix any errors, verify the syntax of the file, and continue.
Refresh the IPsec policy.
```
# svcadm refresh svc:/network/ipsec/policy:default
```
IPsec policy is enabled by default, so you refresh it. If you have disabled IPsec policy, enable it.
```
# svcadm enable svc:/network/ipsec/policy:default
```
Activate the keys for IPsec.
- If the ike service is not enabled, enable it.
```
# svcadm enable svc:/network/ipsec/ike:default
```
- If the ike service is enabled, restart it.
```
# svcadm restart svc:/network/ipsec/ike:default
```
If you manually configured keys in Step 5, complete How to Manually Create IPsec Keys to activate the keys.
Verify that packets are being protected.
For the procedure, see How to Verify That Packets Are Protected With IPsec.

Example 15-1 Adding IPsec Policy When Using an ssh Connection

In this example, the administrator in the root role configures IPsec policy and keys on two systems by using the ssh command to reach the second system. For more information, see the ssh(1) man page.

First, the administrator configures the first system by performing Step 2 through Step 6 of the preceding procedure.
Then, in a different terminal window, the administrator uses the ssh command to log in to the second system.
```
local-system # ssh other-system
other-system # 
```
In the terminal window of the ssh session, the administrator configures the IPsec policy and keys of the second system by completing Step 2 through Step 8.
Then, the administrator ends the ssh session.
```
other-system # exit
local-system #
```
Finally, the administrator enables IPsec policy on the first system by completing Step 7 and Step 8.

The next time the two systems communicate, including by using an ssh connection, the communication is protected by IPsec.

How to Use IPsec to Protect a Web Server From Nonweb Traffic

A secure web server allows web clients to talk to the web service. On a secure web server, traffic that is not web traffic must pass security checks. The following procedure includes bypasses for web traffic. In addition, this web server can make unsecured DNS client requests. All other traffic requires ESP with AES and SHA-2 algorithms.

Before You Begin

You must be in the global zone to configure IPsec policy. For an exclusive-IP zone, you configure IPsec policy in the non-global zone. You have completed How to Secure Traffic Between Two Systems With IPsec so that the following conditions are in effect:

Communication between the two systems is protected by IPsec.
Keying material is being generated by IKE.
You have verified that packets are being protected.

Become an administrator.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services. If you log in remotely, use the ssh command for a secure remote login. For an example, see Example 15-1.
Determine which services need to bypass security policy checks.
For a web server, these services include TCP ports 80 (HTTP) and 443 (Secure HTTP). If the web server provides DNS name lookups, the server might also need to include port 53 for both TCP and UDP.

Add the web server policy to the IPsec policy file.

Add the following lines to the /etc/inet/ipsecinit.conf file:

# Web traffic that web server should bypass.
{lport  80 ulp tcp dir both} bypass {}
{lport 443 ulp tcp dir both} bypass {}

# Outbound DNS lookups should also be bypassed.
{rport 53 dir both} bypass {}

# Require all other traffic to use ESP with AES and SHA-2.
# Use a unique SA for outbound traffic from the port
{} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}

This configuration allows only secure traffic to access the system, with the bypass exceptions that are described in Step 2.

Verify the syntax of the IPsec policy file.

# ipsecconf -c -f /etc/inet/ipsecinit.conf

Refresh the IPsec policy.

# svcadm refresh svc:/network/ipsec/policy:default

Refresh the keys for IPsec.
Restart the ike service.
```
# svcadm restart svc:/network/ipsec/ike
```
If you manually configured the keys, follow the instructions in How to Manually Create IPsec Keys.
Your setup is complete. Optionally, you can perform Step 7.
(Optional) Enable a remote system to communicate with the web server for nonweb traffic.
Add the following lines to a remote system's /etc/inet/ipsecinit.conf file:
```
# Communicate with web server about nonweb stuff
#
{laddr webserver} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
```
Verify the syntax then refresh the IPsec policy to activate it.
```
remote-system # ipsecconf -c -f /etc/inet/ipsecinit.conf
remote-system # svcadm refresh svc:/network/ipsec/policy:default
```
A remote system can communicate securely with the web server for nonweb traffic only when the systems' IPsec policies match.

How to Display IPsec Policies

You can see the policies that are configured in the system when you issue the ipsecconf command without any arguments.

Before You Begin

You must run the ipsecconf command in the global zone. For an exclusive-IP zone, you run the ipsecconf command in the non-global zone.

Assume a role that includes the Network IPsec Management profile.
To create a discrete role for network security and assign that role to a user, see How to Configure a Role for Network Security.
Display IPsec policies.
- Display the global IPsec policy entries in the order that the entries were added.
```
$ ipsecconf
```
  The command displays each entry with an index followed by a number.
- Display the IPsec policy entries in the order in which a match occurs.
```
$ ipsecconf -l -n
```
- Display the IPsec policy entries, including per-tunnel entries, in the order in which a match occurs.
```
$ ipsecconf -L -n
```

Skip Navigation Links
Exit Print View
	Oracle Solaris Administration: IP Services Oracle Solaris 11 Information Library