|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris Administration: IP Services Oracle Solaris 11 Information Library|
The following task map points to tasks that you might use when managing IPsec.
The following procedure provides the keying material for Step 5 in How to Secure Traffic Between Two Systems With IPsec. You are generating keys for two systems, partym and enigma. You generate the keys on one system, and then use the keys from the first system on both systems.
Before You Begin
You must be in the global zone to manually manage keying material for a non-global zone.
You need three hexadecimal random numbers for outbound traffic and three hexadecimal random numbers for inbound traffic. Therefore, one system needs to generate the following numbers:
Two hexadecimal random numbers as the value for the spi keyword. One number is for outbound traffic. One number is for inbound traffic. Each number can be up to eight characters long.
Two hexadecimal random numbers for the SHA-2 algorithm for AH. Each number must be 512 characters long. One number is for dst enigma. One number is for dst partym.
Two hexadecimal random numbers for the 3DES algorithm for ESP. Each number must be 168 characters long. One number is for dst enigma. One number is for dst partym.
If you have a random number generator at your site, use the generator.
Use the pktool command, as shown in How to Generate a Symmetric Key by Using the pktool Command in Oracle Solaris Administration: Security Services and the IPsec example in that section.
# ipseckeys - This file takes the file format documented in # ipseckey(1m). # Note that naming services might not be available when this file # loads, just like ipsecinit.conf. # # Backslashes indicate command continuation. # # for outbound packets on enigma add esp spi 0x8bcd1407 \ src 192.168.116.16 dst 192.168.13.213 \ encr_alg 3des \ auth_alg sha512 \ encrkey d41fb74470271826a8e7a80d343cc5aa... \ authkey e896f8df7f78d6cab36c94ccf293f031... # # for inbound packets add esp spi 0x122a43e4 \ src 192.168.13.213 dst 192.168.116.16 \ encr_alg 3des \ auth_alg sha512 \ encrkey dd325c5c137fb4739a55c9b3a1747baa... \ authkey ad9ced7ad5f255c9a8605fba5eb4d2fd...
# chmod 400 /etc/inet/secret/ipseckeys
# ipseckey -c -f /etc/inet/secret/ipseckeys
Note - The keying material on the two systems must be identical.
# svcadm enable svc:/network/ipsec/manual-key:default
# svcadm refresh ipsec/manual-key
If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy.
If you are using the role-based access control (RBAC) feature of Oracle Solaris to administer your systems, you use this procedure to provide a network management role or network security role.
% getent prof_attr | grep Network | more Console User:RO::Manage System as the Console User... Network Management:RO::Manage the host and network configuration... Network Autoconf Admin:RO::Manage Network Auto-Magic configuration via nwamd... Network Autoconf User:RO::Network Auto-Magic User... Network ILB:RO::Manage ILB configuration via ilbadm... Network LLDP:RO::Manage LLDP agents via lldpadm... Network VRRP:RO::Manage VRRP instances... Network Observability:RO::Allow access to observability devices... Network Security:RO::Manage network and host security...:profiles=Network Wifi Security,Network Link Security,Network IPsec Management... Network Wifi Management:RO::Manage wifi network configuration... Network Wifi Security:RO::Manage wifi network security... Network Link Security:RO::Manage network link security... Network IPsec Management:RO::Manage IPsec and IKE... System Administrator:RO::Can perform most non-security administrative tasks:profiles=...Network Management... Information Security:RO::Maintains MAC and DAC security policies:profiles=...Network Security...
The Network Management profile is a supplementary profile in the System Administrator profile. If you have included the System Administrator rights profile in a role, then that role can execute the commands in the Network Management profile.
% getent exec_attr | grep "Network Management" ... Network Management:solaris:cmd:::/sbin/dlstat:euid=dladm;egid=sys ... Network Management:solaris:cmd:::/usr/sbin/snoop:privs=net_observability Network Management:solaris:cmd:::/usr/sbin/spray:euid=0 ...
Use the definitions of the rights profiles in Step 1 to guide your decision.
To create a role that handles all network security, use the Network Security rights profile.
To create a role that handles IPsec and IKE only, use the Network IPsec Management rights profile.
A role with the Network Security or the Network IPsec Management rights profile, in addition to the Network Management profile, can execute the ipadm, ipseckey, and snoop commands, among others, with appropriate privilege.
To create the role, assign the role to a user, and register the changes with the naming service, see Initially Configuring RBAC (Task Map) in Oracle Solaris Administration: Security Services.
Example 15-4 Dividing Network Security Responsibilities Between Roles
In this example, the administrator divides network security responsibilities between two roles. One role administers wifi and link security and another role administers IPsec and IKE. Each role is assigned to three people, one person per shift.
The roles are created by the administrator as follows:
The administrator names the first role LinkWifi.
The administrator assigns the Network Wifi, Network Link Security, and Network Management rights profiles to the role.
Then, the administrator assigns the LinkWifi role to the appropriate users.
The administrator names the second role IPsec Administrator.
The administrator assigns the Network IPsec Management and the Network Management rights profiles to the role.
Then, the administrator assigns the IPsec Administrator role to the appropriate users.
The following steps provide the most likely uses of the SMF services for IPsec, IKE, and manual key management. By default, the policy and ipsecalgs services are enabled. Also by default, the ike and manual-key services are disabled.
# svcadm refresh svc:/network/ipsec/policy
# svccfg -s policy setprop config/config_file=/etc/inet/MyIpsecinit.conf # svccfg -s policy listprop config/config_file config/config_file astring /etc/inet/MyIpsecinit.conf # svcadm refresh svc:/network/ipsec/policy # svcadm restart svc:/network/ipsec/policy
# svcadm enable svc:/network/ipsec/ike
# svcadm restart svc:/network/ipsec/ike:default
# svccfg -s ike setprop config/admin_privilege = astring: "modkeys" # svccfg -s ike listprop config/admin_privilege config/admin_privilege astring modkeys # svcadm refresh svc:/network/ipsec/ike # svcadm restart svc:/network/ipsec/ike
# svcadm disable svc:/network/ipsec/ike
# svcadm enable svc:/network/ipsec/manual-key:default
# svcadm refresh manual-key
# svccfg -s manual-key setprop config/config_file=/etc/inet/secret/MyIpseckeyfile # svccfg -s manual-key listprop config/config_file config/config_file astring /etc/inet/secret/MyIpseckeyfile # svcadm refresh svc:/network/ipsec/manual-key # svcadm restart svc:/network/ipsec/manual-key
# svcadm disable svc:/network/ipsec/manual-key
# svcadm refresh svc:/network/ipsec/ipsecalgs
Use the svcs service command to find the status of a service. If the service is in maintenance mode, follow the debugging suggestions in the output of the svcs -x service command.
To verify that packets are protected, test the connection with the snoop command. The following prefixes can appear in the snoop output:
AH: Prefix indicates that AH is protecting the headers. You see AH: if you used auth_alg to protect the traffic.
ESP: Prefix indicates that encrypted data is being sent. You see ESP: if you used encr_auth_alg or encr_alg to protect the traffic.
Before You Begin
You must be in the root role to create the snoop output. You must have access to both systems to test the connection.
% su - Password: Type root password #
In a terminal window on partym, snoop the packets from the enigma system.
# snoop -d net0 -v enigma Using device /dev/bge (promiscuous mode)
In another terminal window, remotely log in to the enigma system. Provide your password. Then, assume the root role and send a packet from the enigma system to the partym system. The packet should be captured by the snoop -v enigma command.
% ssh enigma Password: Type your password % su - Password: Type root password # ping partym
On the partym system, you should see output that includes AH and ESP information after the initial IP header information. AH and ESP information that resembles the following shows that packets are being protected:
IP: Time to live = 64 seconds/hops IP: Protocol = 51 (AH) IP: Header checksum = 4e0e IP: Source address = 192.168.116.16, enigma IP: Destination address = 192.168.13.213, partym IP: No options IP: AH: ----- Authentication Header ----- AH: AH: Next header = 50 (ESP) AH: AH length = 4 (24 bytes) AH: <Reserved field = 0x0> AH: SPI = 0xb3a8d714 AH: Replay = 52 AH: ICV = c653901433ef5a7d77c76eaa AH: ESP: ----- Encapsulating Security Payload ----- ESP: ESP: SPI = 0xd4f40a61 ESP: Replay = 52 ESP: ....ENCRYPTED DATA.... ETHER: ----- Ether Header ----- ...