Securing the Network in Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
Protecting Traffic With IPsec

This section provides procedures that enable you to secure traffic between two systems and to secure a web server. To protect a VPN, see Protecting a VPN With IPsec. For additional procedures to manage IPsec and to use SMF commands with IPsec and IKE, see Managing IPsec and IKE.

The following information applies to all IPsec configuration tasks:

The following task map points to procedures that set up IPsec between one or more systems. The ipsecconf(1M), ipseckey(1M), and ipadm(1M) man pages also describe useful procedures in their respective Examples sections.

Task: Secure traffic between two systems.
Description: Protects packets from one system to another system.
For Instructions: How to Secure Traffic Between Two Systems With IPsec

Task: Secure a web server by using IPsec policy.
Description: Requires non-web traffic to use IPsec. Web clients are identified by particular ports, which bypass IPsec checks.
For Instructions: How to Use IPsec to Protect a Web Server From Nonweb Traffic

Task: Display IPsec policies.
Description: Displays the IPsec policies that are currently being enforced, in the order of enforcement.
For Instructions: How to Display IPsec Policies

Task: Use IKE to automatically create keying material for IPsec SAs.
Description: Provides the raw data for security associations.
For Instructions: Configuring IKE (Task Map)

Task: Set up a secure virtual private network (VPN).
Description: Sets up IPsec between two systems across the Internet.
For Instructions: Protecting a VPN With IPsec

How to Secure Traffic Between Two Systems With IPsec

This procedure assumes the following setup:


Note - To use IPsec with labels on a Trusted Extensions system, see the extension of this procedure in How to Apply IPsec Protections in a Multilevel Trusted Extensions Network in Trusted Extensions Configuration and Administration.


Before You Begin

IPsec policy can be configured in the global zone or in an exclusive-IP stack zone. The policy for a shared-IP stack zone must be configured in the global zone. For an exclusive-IP zone, you configure IPsec policy in the non-global zone.

To run configuration commands, you must become an administrator who is assigned the Network IPsec Management rights profile. To edit system files and create keys, you must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

If you log in remotely, use the ssh command for a secure remote login. For an example, see Example 7-1.

  1. On each system, add host entries to the /etc/inet/hosts file.

    This step enables the Service Management Facility (SMF) to use the system names without depending on nonexistent naming services. For more information, see the smf(5) man page.

    1. On a system that is named partym, type the following in the hosts file:
      # Secure communication with enigma
      192.168.116.16 enigma
    2. On a system that is named enigma, type the following in the hosts file:
      # Secure communication with partym
      192.168.13.213 partym
  2. On each system, create the IPsec policy file.

    The file name is /etc/inet/ipsecinit.conf. For an example, see the /etc/inet/ipsecinit.sample file.

  3. Add an IPsec policy entry to the ipsecinit.conf file.
    1. On the enigma system, add the following policy:
      {laddr enigma raddr partym} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
    2. On the partym system, add the identical policy:
      {laddr partym raddr enigma} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}

      For the syntax of IPsec policy entries, see the ipsecconf(1M) man page.

  4. On each system, configure IKE to add a pair of IPsec SAs between the two systems.

    Configure IKE by following one of the configuration procedures in Configuring IKE (Task Map). For the syntax of the IKE configuration file, see the ike.config(4) man page.


    Note - If you must generate and maintain your keys manually, see How to Manually Create IPsec Keys.


  5. Verify the syntax of the IPsec policy file.
    # ipsecconf -f -c /etc/inet/ipsecinit.conf

    Fix any errors, verify the syntax of the file, and continue.

  6. Refresh the IPsec policy.
    # svcadm refresh svc:/network/ipsec/policy:default

    IPsec policy is enabled by default, so you refresh it. If you have disabled IPsec policy, enable it.

    # svcadm enable svc:/network/ipsec/policy:default
  7. Activate the keys for IPsec.
    • If the ike service is not enabled, enable it.
      # svcadm enable svc:/network/ipsec/ike:default
    • If the ike service is enabled, restart it.
      # svcadm restart svc:/network/ipsec/ike:default

    If you manually configured keys in Step 4, complete How to Manually Create IPsec Keys to activate the keys.

  8. Verify that packets are being protected.

    For the procedure, see How to Verify That Packets Are Protected With IPsec.

Example 7-1 Adding IPsec Policy When Using an ssh Connection

In this example, the administrator in the root role configures IPsec policy and keys on two systems by using the ssh command to reach the second system. The administrator is defined identically on both systems. For more information, see the ssh(1) man page.

The next time the two systems communicate, including by using an ssh connection, the communication is protected by IPsec.

How to Use IPsec to Protect a Web Server From Nonweb Traffic

A secure web server still lets web clients talk to the web service, but on such a server all traffic that is not web traffic must pass IPsec security checks. The following procedure includes bypasses for web traffic. In addition, this web server can make unsecured DNS client requests. All other traffic requires ESP with AES and SHA-2 algorithms.

Before You Begin

You must be in the global zone to configure IPsec policy. For an exclusive-IP zone, you configure IPsec policy in the non-global zone.

You have completed How to Secure Traffic Between Two Systems With IPsec so that the following conditions are in effect:

To run configuration commands, you must become an administrator who is assigned the Network IPsec Management rights profile. To edit system files, you must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

If you log in remotely, use the ssh command for a secure remote login. For an example, see Example 7-1.

  1. Determine which services need to bypass security policy checks.

    For a web server, these services include TCP ports 80 (HTTP) and 443 (Secure HTTP). If the web server provides DNS name lookups, the server might also need to include port 53 for both TCP and UDP.

  2. Add the web server policy to the IPsec policy file.

    Add the following lines to the /etc/inet/ipsecinit.conf file:

    # Web traffic that web server should bypass.
    {lport  80 ulp tcp dir both} bypass {}
    {lport 443 ulp tcp dir both} bypass {}
    
    # Outbound DNS lookups should also be bypassed.
    {rport 53 dir both} bypass {}
    
    # Require all other traffic to use ESP with AES and SHA-2.
    # Use a unique SA for outbound traffic from the port
    {} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}

    This configuration allows only secure traffic to access the system, with the bypass exceptions that are described in Step 1.

  3. Verify the syntax of the IPsec policy file.
    # ipsecconf -f -c /etc/inet/ipsecinit.conf
  4. Refresh the IPsec policy.
    # svcadm refresh svc:/network/ipsec/policy:default
  5. Refresh the keys for IPsec.

    Restart the ike service.

    # svcadm restart svc:/network/ipsec/ike

    If you manually configured the keys, follow the instructions in How to Manually Create IPsec Keys.

    Your setup is complete. Optionally, you can perform Step 6.

  6. (Optional) Enable a remote system to communicate with the web server for nonweb traffic.

    Add the following lines to a remote system's /etc/inet/ipsecinit.conf file:

    # Communicate with web server about nonweb stuff
    #
    {laddr webserver} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}

    Verify the syntax, then refresh the IPsec policy to activate it.

    remote-system # ipsecconf -f -c /etc/inet/ipsecinit.conf
    remote-system # svcadm refresh svc:/network/ipsec/policy:default

    A remote system can communicate securely with the web server for nonweb traffic only when the systems' IPsec policies match.
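The following checker is an added example written for this page in Python; it is not part of the Oracle documentation and does not call ipsecconf. It parses the policy entries quoted in Step 3 of the two-system procedure and in Step 2 of the web server procedure, reports which entry a given flow hits when entries are evaluated in file order, and confirms that the enigma and partym entries are mirror images of each other, the matching condition that the last step above depends on. Its first-match model and its treatment of an empty selector and of dir are simplifying assumptions; ipsecconf(1M) is the authority for the real matching rules.

```python
import re
# Entries quoted from the page: the paired two-system entries and the web server policy.
ENIGMA_POLICY = "{laddr enigma raddr partym} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}"
PARTYM_POLICY = "{laddr partym raddr enigma} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}"
WEB_POLICY = """
# Web traffic that web server should bypass.
{lport  80 ulp tcp dir both} bypass {}
{lport 443 ulp tcp dir both} bypass {}
# Outbound DNS lookups should also be bypassed.
{rport 53 dir both} bypass {}
# Require all other traffic to use ESP with AES and SHA-2.
{} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
"""
_ENTRY = re.compile(r"\{([^}]*)\}\s*(bypass|ipsec)\s*\{([^}]*)\}")
def _pairs(text):
    """'lport 80 ulp tcp' -> {'lport': '80', 'ulp': 'tcp'} (keyword/value tokens)."""
    toks = text.split()
    return dict(zip(toks[::2], toks[1::2]))

def parse_policy(text):
    """Return [(selectors, action, properties)] in file order; '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _ENTRY.fullmatch(line)
        if m is None:
            raise ValueError("unparsable policy entry: " + line)
        rules.append((_pairs(m.group(1)), m.group(2), _pairs(m.group(3))))
    return rules

def first_match(rules, flow):
    """Action for a flow dict (laddr/raddr/lport/rport/ulp), or None if no entry applies.
    Model assumptions: first matching entry wins, {} matches every flow, 'dir' is ignored."""
    for sel, action, _props in rules:
        if all(flow.get(k) == v for k, v in sel.items() if k != "dir"):
            return action
    return None

def mirror(rule):
    """The entry the peer must carry: local/remote selectors swapped, properties unchanged."""
    swap = {"laddr": "raddr", "raddr": "laddr", "lport": "rport", "rport": "lport"}
    sel, action, props = rule
    return ({swap.get(k, k): v for k, v in sel.items()}, action, props)

def peers_match(policy_a, policy_b):
    """True when each entry on A has its mirror image at the same position on B, and vice versa."""
    a, b = parse_policy(policy_a), parse_policy(policy_b)
    return [mirror(r) for r in a] == b and [mirror(r) for r in b] == a
```

Run peers_match against the two systems' ipsecinit.conf contents before refreshing the policy; a False result means the remote system will not be able to negotiate an SA with the web server for nonweb traffic.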

How to Display IPsec Policies

You can see the policies that are configured in the system when you issue the ipsecconf command without any arguments.

Before You Begin

You must run the ipsecconf command in the global zone. For an exclusive-IP zone, you run the ipsecconf command in the non-global zone.

You must become an administrator who is assigned the Network IPsec Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.