JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Securing the Network in Oracle Solaris 11.1     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  Using Link Protection in Virtualized Environments

2.  Tuning Your Network (Tasks)

3.  Web Servers and the Secure Sockets Layer Protocol

4.  IP Filter in Oracle Solaris (Overview)

5.  IP Filter (Tasks)

6.  IP Security Architecture (Overview)

7.  Configuring IPsec (Tasks)

Protecting Traffic With IPsec

How to Secure Traffic Between Two Systems With IPsec

How to Use IPsec to Protect a Web Server From Nonweb Traffic

How to Display IPsec Policies

Protecting a VPN With IPsec

Examples of Protecting a VPN With IPsec by Using Tunnel Mode

Description of the Network Topology for the IPsec Tasks to Protect a VPN

How to Protect a VPN With IPsec in Tunnel Mode

Managing IPsec and IKE

How to Manually Create IPsec Keys

How to Configure a Role for Network Security

How to Manage IPsec and IKE Services

How to Verify That Packets Are Protected With IPsec

8.  IP Security Architecture (Reference)

9.  Internet Key Exchange (Overview)

10.  Configuring IKE (Tasks)

11.  Internet Key Exchange (Reference)

Glossary

Index

Managing IPsec and IKE

The following task map points to tasks that you might use when managing IPsec.

Task
Description
For Instructions
Create or replace security associations manually.
Provides the raw data for security associations:
  • IPsec algorithm name and keying material

  • The security parameter index (SPI)

  • IP source and destination addresses, and other parameters

Create a Network Security role.
Creates a role that can set up a secure network, but has fewer powers than the root role.
Manage IPsec and keying material as a set of SMF services.
Describes when and how to use the commands that enable, disable, refresh, and restart services. Also describes the commands that change the property values of services.
Check that IPsec is protecting the packets.
Examines snoop output for specific headers that indicate how the IP datagrams are protected.

How to Manually Create IPsec Keys

The following procedure provides the keying material for Step 4 in How to Secure Traffic Between Two Systems With IPsec. You are generating keys for two systems, partym and enigma. You generate the keys on one system, and then use the keys from the first system on both systems.

Before You Begin

You must be in the global zone to manually manage keying material for a non-global zone.

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Generate the keying material for the SAs.
    1. Determine the keys that you require.

      You need three hexadecimal random numbers for outbound traffic and three hexadecimal random numbers for inbound traffic. Therefore, one system needs to generate the following numbers:

      • Two hexadecimal random numbers as the value for the spi keyword. One number is for outbound traffic. One number is for inbound traffic. Each number can be up to eight characters long.

      • Two hexadecimal random numbers for the SHA-2 algorithm for AH. Each number must be 512 characters long. One number is for dst enigma. One number is for dst partym.

      • Two hexadecimal random numbers for the 3DES algorithm for ESP. Each number must be 168 characters long. One number is for dst enigma. One number is for dst partym.

    2. Generate the required keys.
  2. In the root role on each system, add the keys to the manual keys file for IPsec.
    1. Edit the /etc/inet/secret/ipseckeys file on the enigma system to appear similar to the following:
      # ipseckeys - This file takes the file format documented in 
      #   ipseckey(1m).
      #   Note that naming services might not be available when this file
      #   loads, just like ipsecinit.conf.
      #
      #   Backslashes indicate command continuation.
      #
      # for outbound packets on enigma
      add esp spi 0x8bcd1407 \
         src 192.168.116.16 dst 192.168.13.213  \
         encr_alg 3des \
         auth_alg sha512  \
         encrkey  d41fb74470271826a8e7a80d343cc5aa... \
         authkey  e896f8df7f78d6cab36c94ccf293f031...
      #
      # for inbound packets
      add esp spi 0x122a43e4 \
         src 192.168.13.213 dst 192.168.116.16 \
         encr_alg 3des \
         auth_alg sha512  \
         encrkey dd325c5c137fb4739a55c9b3a1747baa... \
         authkey ad9ced7ad5f255c9a8605fba5eb4d2fd...
    2. Protect the file with read-only permissions.
      # chmod 400 /etc/inet/secret/ipseckeys
    3. Verify the syntax of the file.
      # ipseckey -c -f /etc/inet/secret/ipseckeys

    Note - The keying material on the two systems must be identical.


  3. Activate the keys for IPsec.
    • If the manual-key service is not enabled, enable it.
      # svcadm enable svc:/network/ipsec/manual-key:default
    • If the manual-key service is enabled, refresh it.
      # svcadm refresh ipsec/manual-key

Next Steps

If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy.

How to Configure a Role for Network Security

If you are using the role-based access control (RBAC) feature of Oracle Solaris to administer your systems, you use this procedure to provide a network management role or network security role.

Before You Begin

You must assume the root role to create and assign a role. Regular users can list and view the contents of available rights profiles.

  1. List the available network-related rights profiles.
    % getent prof_attr | grep Network | more
    Console User:RO::Manage System as the Console User...
    Network Management:RO::Manage the host and network configuration...
    Network Autoconf Admin:RO::Manage Network Auto-Magic configuration via nwamd...
    Network Autoconf User:RO::Network Auto-Magic User...
    Network ILB:RO::Manage ILB configuration via ilbadm...
    Network LLDP:RO::Manage LLDP agents via lldpadm...
    Network VRRP:RO::Manage VRRP instances...
    Network Observability:RO::Allow access to observability devices...
    Network Security:RO::Manage network and host security...:profiles=Network Wifi
    Security,Network Link Security,Network IPsec Management...
    Network Wifi Management:RO::Manage wifi network configuration...
    Network Wifi Security:RO::Manage wifi network security...
    Network Link Security:RO::Manage network link security...
    Network IPsec Management:RO::Manage IPsec and IKE...
    System Administrator:RO::Can perform most non-security administrative tasks:
    profiles=...Network Management...
    Information Security:RO::Maintains MAC and DAC security policies:
    profiles=...Network Security...

    The Network Management profile is a supplementary profile in the System Administrator profile. If you have included the System Administrator rights profile in a role, then that role can execute the commands in the Network Management profile.

  2. List the commands in the Network Management rights profile.
    % getent exec_attr | grep "Network Management"
    ...
    Network Management:solaris:cmd:::/sbin/dlstat:euid=dladm;egid=sys
    ...
    Network Management:solaris:cmd:::/usr/sbin/snoop:privs=net_observability
    Network Management:solaris:cmd:::/usr/sbin/spray:euid=0 ...
  3. Decide the scope of the network security roles at your site.

    Use the definitions of the rights profiles in Step 1 to guide your decision.

    • To create a role that handles all network security, use the Network Security rights profile.

    • To create a role that handles IPsec and IKE only, use the Network IPsec Management rights profile.

  4. Create a network security role that includes the Network Management rights profile.

    A role with the Network Security or the Network IPsec Management rights profile, in addition to the Network Management profile, can execute the ipadm, ipseckey, and snoop commands, among others, with appropriate privilege.

    To create the role, assign the role to a user, and register the changes with the naming service, see Initially Configuring RBAC (Task Map) in Oracle Solaris 11.1 Administration: Security Services.

Example 7-4 Dividing Network Security Responsibilities Between Roles

In this example, the administrator divides network security responsibilities between two roles. One role administers Wifi and link security and another role administers IPsec and IKE. Each role is assigned to three people, one person per shift.

The roles are created by the administrator as follows:

How to Manage IPsec and IKE Services

The following steps provide the most likely uses of the SMF services for IPsec, IKE, and manual key management. By default, the policy and ipsecalgs services are enabled. Also by default, the ike and manual-key services are disabled.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. To manage IPsec policy, do one of the following:
    • After adding new policies to the ipsecinit.conf file, refresh the policy service.
      # svcadm refresh svc:/network/ipsec/policy
    • After changing the value of a service property, view the property value, then refresh and restart the policy service.
      # svccfg -s policy setprop config/config_file=/etc/inet/MyIpsecinit.conf
      # svccfg -s policy listprop config/config_file
      config/config_file  astring  /etc/inet/MyIpsecinit.conf
      # svcadm refresh svc:/network/ipsec/policy
      # svcadm restart svc:/network/ipsec/policy
  2. To automatically manage keys, do one of the following:
    • After adding entries to the /etc/inet/ike/config file, enable the ike service.
      # svcadm enable svc:/network/ipsec/ike
    • After changing entries in the /etc/inet/ike/config file, restart the ike service.
      # svcadm restart svc:/network/ipsec/ike:default
    • After changing the value of a service property, view the property value, then refresh and restart the service.
      # svccfg -s ike setprop config/admin_privilege = astring: "modkeys"
      # svccfg -s ike listprop config/admin_privilege
      config/admin_privilege  astring  modkeys
      # svcadm refresh svc:/network/ipsec/ike
      # svcadm restart svc:/network/ipsec/ike
    • To stop the ike service, disable it.
      # svcadm disable svc:/network/ipsec/ike
  3. To manually manage keys, do one of the following:
    • After adding entries to the /etc/inet/secret/ipseckeys file, enable the manual-key service.
      # svcadm enable svc:/network/ipsec/manual-key:default
    • After changing the ipseckeys file, refresh the service.
      # svcadm refresh manual-key
    • After changing the value of a service property, view the property value, then refresh and restart the service.
      # svccfg -s manual-key setprop config/config_file=/etc/inet/secret/MyIpseckeyfile
      # svccfg -s manual-key listprop config/config_file
      config/config_file  astring  /etc/inet/secret/MyIpseckeyfile
      # svcadm refresh svc:/network/ipsec/manual-key
      # svcadm restart svc:/network/ipsec/manual-key
    • To prevent manual key management, disable the manual-key service.
      # svcadm disable svc:/network/ipsec/manual-key
  4. If you modify the IPsec protocols and algorithms table, refresh the ipsecalgs service.
    # svcadm refresh svc:/network/ipsec/ipsecalgs

Troubleshooting

Use the svcs service command to find the status of a service. If the service is in maintenance mode, follow the debugging suggestions in the output of the svcs -x service command.

How to Verify That Packets Are Protected With IPsec

To verify that packets are protected, test the connection with the snoop command. The following prefixes can appear in the snoop output:

Before You Begin

You must have access to both systems to test the connection.

You must assume the root role to create the snoop output. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. On one system, such as partym, assume the root role.
    % su -
    Password: Type root password
    # 
  2. From the partym system, prepare to snoop packets from a remote system.

    In a terminal window on partym, snoop the packets from the enigma system.

    # snoop -d net0 -v enigma
    Using device /dev/bge (promiscuous mode)
  3. Send a packet from the remote system.

    In another terminal window, remotely log in to the enigma system. Provide your password. Then, assume the root role and send a packet from the enigma system to the partym system. The packet should be captured by the snoop -v enigma command.

    % ssh enigma
    Password: Type your password
    % su -
    Password: Type root password
    # ping partym
  4. Examine the snoop output.

    On the partym system, you should see output that includes AH and ESP information after the initial IP header information. AH and ESP information that resembles the following shows that packets are being protected:

    IP:   Time to live = 64 seconds/hops
    IP:   Protocol = 51 (AH)
    IP:   Header checksum = 4e0e
    IP:   Source address = 192.168.116.16, enigma
    IP:   Destination address = 192.168.13.213, partym
    IP:   No options
    IP:
    AH:  ----- Authentication Header -----
    AH:
    AH:  Next header = 50 (ESP)
    AH:  AH length = 4 (24 bytes)
    AH:  <Reserved field = 0x0>
    AH:  SPI = 0xb3a8d714
    AH:  Replay = 52
    AH:  ICV = c653901433ef5a7d77c76eaa
    AH:
    ESP:  ----- Encapsulating Security Payload -----
    ESP:
    ESP:  SPI = 0xd4f40a61
    ESP:  Replay = 52
    ESP:     ....ENCRYPTED DATA....
    
    ETHER:  ----- Ether Header -----
    ...