JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Securing the Network in Oracle Solaris 11.1     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information


1.  Using Link Protection in Virtualized Environments

2.  Tuning Your Network (Tasks)

3.  Web Servers and the Secure Sockets Layer Protocol

4.  IP Filter in Oracle Solaris (Overview)

5.  IP Filter (Tasks)

6.  IP Security Architecture (Overview)

7.  Configuring IPsec (Tasks)

8.  IP Security Architecture (Reference)

IPsec Services

ipsecconf Command

ipsecinit.conf File

Sample ipsecinit.conf File

Security Considerations for ipsecinit.conf and ipsecconf

ipsecalgs Command

Security Associations Database for IPsec

Utilities for SA Generation in IPsec

Security Considerations for ipseckey

snoop Command and IPsec

9.  Internet Key Exchange (Overview)

10.  Configuring IKE (Tasks)

11.  Internet Key Exchange (Reference)



ipsecinit.conf File

To enable the IPsec security policy when you start Oracle Solaris, you create a configuration file to initialize IPsec with your specific IPsec policy entries. The default name for this file is /etc/inet/ipsecinit.conf. See the ipsecconf(1M) man page for details about policy entries and their format. After the policy is configured, you can refresh the policy with the svcadm refresh ipsec/policy command.

Sample ipsecinit.conf File

The Oracle Solaris software includes a sample IPsec policy file, ipsecinit.sample. You can use the file as a template to create your own ipsecinit.conf file. The ipsecinit.sample file contains the following examples:

# In the following simple example, outbound network traffic between the local
# host and a remote host will be encrypted. Inbound network traffic between
# these addresses is required to be encrypted as well.
# This example assumes that is the IPv4 address of this host (laddr)
# and is the IPv4 address of the remote host (raddr).

{laddr raddr} ipsec
    {encr_algs aes encr_auth_algs sha256 sa shared}

# The policy syntax supports IPv4 and IPv6 addresses as well as symbolic names.
# Refer to the ipsecconf(1M) man page for warnings on using symbolic names and
# many more examples, configuration options and supported algorithms.
# This example assumes that is the IPv4 address of this host (laddr)
# and is the IPv4 address of the remote host (raddr).
# The remote host will also need an IPsec (and IKE) configuration that mirrors
# this one.
# The following line will allow ssh(1) traffic to pass without IPsec protection:

{lport 22 dir both} bypass {}

# {laddr dir in} drop {}
# Uncommenting the above line will drop all network traffic to this host unless
# it matches the rules above. Leaving this rule commented out will allow
# network packets that does not match the above rules to pass up the IP
# network stack. ,,,

Security Considerations for ipsecinit.conf and ipsecconf

IPsec policy cannot be changed for established connections. A socket whose policy cannot be changed is called a latched socket. New policy entries do not protect sockets that are already latched. For more information, see the connect(3SOCKET) and accept(3SOCKET) man pages. If you are in doubt, restart the connection.

Protect your naming system. If the following two conditions are met, then your host names are no longer trustworthy:

Security weaknesses often arise from the misapplication of tools, not from the actual tools. You should be cautious when using the ipsecconf command. Use ssh, or a console or other hard-connected TTY for the safest mode of operation.