Protecting a VPN With IPsec (Task Map)

The following task map points to procedures that configure IPsec to protect traffic across the Internet. These procedures set up a secure virtual private network (VPN) between two systems that are across the Internet. One common use of this technology is to securely connect a remote office to the corporate network across the Internet.

Task	Description	For Instructions
Protect tunnel traffic in tunnel mode over IPv4.	Protects traffic in tunnel mode between two Solaris 10 systems, or between a Solaris 10 system and an Oracle Solaris 11 system. The Solaris 10 system must be running at least the Solaris 10 7/07 release. Also, protects traffic in tunnel mode between a Solaris 10 system or an Oracle Solaris 11 system, and a system that is running on another platform. The Solaris 10 system must be running at least the Solaris 10 7/07 release.	How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4
Protect tunnel traffic in tunnel mode over IPv6.	Protects traffic in tunnel mode between two Oracle Solaris systems that are using the IPv6 protocol.	How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv6
Protect tunnel traffic in transport mode over IPv4.	Protects traffic in transport mode between two Solaris 10 systems, or between a Solaris 10 system and an Oracle Solaris system. The Solaris 10 system must be running at least the Solaris 10 7/07 release. Also, protects traffic in transport mode between a system that is running an earlier version of the Solaris OS and a Solaris 10 or an Oracle Solaris system. The Solaris 10 system must be running at least the Solaris 10 7/07 release.	How to Protect a VPN With an IPsec Tunnel in Transport Mode Using IPv4
Protect tunnel traffic in transport mode over IPv4.	Protects traffic by using an older, deprecated syntax. This method is useful when you are communicating with a system that is running an earlier version of the Solaris OS. This method simplifies comparing the configuration files on the two systems.	Example 20-11 Example 20-16
Protect tunnel traffic in transport mode over IPv6.	Protects traffic in transport mode between two Oracle Solaris systems that are using the IPv6 protocol.	How to Protect a VPN With an IPsec Tunnel in Transport Mode Using IPv6
Prevent IP spoofing.	Creates an SMF service to prevent the system from forwarding packets across a VPN without decrypting the packets.	How to Prevent IP Spoofing

Description of the Network Topology for the IPsec Tasks to Protect a VPN

The procedures that follow this section assume the following setup. For a depiction of the network, see Figure 20-2.

Each system is using an IPv4 address space.

For a similar example with IPv6 addresses, see How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv6.
Each system has two interfaces. The hme0 interface connects to the Internet. In this example, Internet IP addresses begin with 192.168. The hme1 interface connects to the company's LAN, its intranet. In this example, intranet IP addresses begin with the number 10.
Each system requires ESP authentication with the SHA–1 algorithm. The SHA–1 algorithm requires a 160-bit key.
Each system requires ESP encryption with the AES algorithm. The AES algorithm uses a 128-bit or 256–bit key.
Each system can connect to a router that has direct access to the Internet.
Each system uses shared security associations.

Figure 20-2 Sample VPN Between Offices Separated by the Internet

image:Diagram shows details of VPN between Europe and California offices.

As the preceding illustration shows, the procedures for the IPv4 network use the following configuration parameters.

Parameter	Europe	California
System name	enigma	partym
System intranet interface	hme1	hme1
System intranet address, also the `-point` address in Step 7	10.16.16.6	10.1.3.3
System Internet interface	hme0	hme0
System Internet address, also the `tsrc` address in Step 7	192.168.116.16	192.168.13.213
Name of Internet router	router-E	router-C
Address of Internet router	192.168.116.4	192.168.13.5
Tunnel name	ip.tun0	ip.tun0

The following IPv6 addresses are used in the procedures. The tunnel names are the same.

Parameter	Europe	California
System intranet address	6000:6666::aaaa:1116	6000:3333::eeee:1113
System Internet address	2001::aaaa:6666:6666	2001::eeee:3333:3333
Address of Internet router	2001::aaaa:0:4	2001::eeee:0:1

How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4

In tunnel mode, the inner IP packet determines the IPsec policy that protects its contents.

This procedure extends the procedure How to Secure Traffic Between Two Systems With IPsec. The setup is described in Description of the Network Topology for the IPsec Tasks to Protect a VPN.

Note - Perform the steps in this procedure on both systems.

In addition to connecting two systems, you are connecting two intranets that connect to these two systems. The systems in this procedure function as gateways.

Before You Begin

You must be in the global zone to configure IPsec policy for the system or for a shared-IP zone. For an exclusive-IP zone, you configure IPsec policy in the non-global zone.

On the system console, assume the Primary Administrator role or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in Oracle Solaris Administration: Basic Administration.

Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.
Control the flow of packets before configuring IPsec.
1. Ensure that IP forwarding and IP dynamic routing are disabled.
```
 # routeadm
Configuration   Current              Current
       Option   Configuration        System State
---------------------------------------------------------------
IPv4 routing      default (enabled)    enabled 
IPv4 forwarding   disabled             disabled
...
```
  If IP forwarding and IP dynamic routing are enabled, disable them.
```
# routeadm -d ipv4-routing -d ipv4-forwarding
# routeadm -u
```
  Turning off IP forwarding prevents packets from being forwarded from one network to another network through this system. For a description of the routeadm command, see the routeadm(1M) man page.
2. Turn on IP strict destination multihoming.
```
# ndd -set /dev/ip ip_strict_dst_multihoming 1
```
  Turning on IP strict destination multihoming requires that packets for one of the system's destination addresses arrive at the correct destination address.
  When strict destination multihoming is enabled, packets that arrive on a particular interface must be addressed to one of the local IP addresses of that interface. All other packets, even packets that are addressed to other local addresses of the system, are dropped.
  
  Caution - The multihoming value reverts to the default when the system is booted. To make the changed value persistent, see How to Prevent IP Spoofing.
3. Disable most network services, and possibly all network services.
  Note - If your system was installed with the “limited” SMF profile, then you can skip this step. Network services, with the exception of the Secure Shell feature of Oracle Solaris, are disabled.
  
  The disabling of network services prevents IP packets from doing any harm to the system. For example, an SNMP daemon, a telnet connection, or an rlogin connection could be exploited.
  
  Choose one of the following options:
  - If you are running the Solaris 10 11/06 release or a later release, run the “limited” SMF profile.
```
# netservices limited
```
  - Otherwise, individually disable network services.
```
# svcadm disable network/ftp:default
# svcadm disable network/finger:default
# svcadm disable network/login:rlogin
# svcadm disable network/nfs/server:default
# svcadm disable network/rpc/rstat:default
# svcadm disable network/smtp:sendmail
# svcadm disable network/telnet:default
```
4. Verify that most network services are disabled.
  Verify that loopback mounts and the ssh service are running.
```
# svcs | grep network
online         Aug_02   svc:/network/loopback:default
…
online         Aug_09   svc:/network/ssh:default
```
Add a pair of SAs between the two systems.
Choose one of the following options:
- Configure IKE to manage the keys for the SAs. Use one of the procedures in Configuring IKE (Task Map) to configure IKE for the VPN.
- If you have an overriding reason to manually manage the keys, see How to Manually Create IPsec Security Associations.
Add IPsec policy.
Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN. To strengthen the policy, see Example 20-12. For additional examples, see Examples of Protecting a VPN With IPsec by Using Tunnel Mode.
In this policy, IPsec protection is not required between systems on the local LAN and the internal IP address of the gateway, so a bypass statement is added.
1. On the enigma system, type the following entry into the ipsecinit.conf file:
```
# LAN traffic to and from this host can bypass IPsec.
{laddr 10.16.16.6 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip.tun0 negotiate tunnel} 
 ipsec {encr_algs aes encr_auth_algs sha1 sa shared}
```
2. On the partym system, type the following entry into the ipsecinit.conf file:
```
# LAN traffic to and from this host can bypass IPsec.
{laddr 10.1.3.3 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip.tun0 negotiate tunnel} 
 ipsec {encr_algs aes encr_auth_algs sha1 sa shared}
```
(Optional) Verify the syntax of the IPsec policy file.
```
# ipsecconf -c -f /etc/inet/ipsecinit.conf
```
To configure the tunnel and protect it with IPsec, follow the steps according to the Oracle Solaris release:
- Starting in the Solaris 10 4/09 release, follow the steps from Step 7 to Step 13, then run the routing protocol in Step 22.
- If you are running a release prior to the Solaris 10 4/09 release, follow the steps from Step 14 to Step 22.
Configure the tunnel, ip.tun0, in the /etc/hostname.ip.tun0 file.
The syntax of the file is the following:
```
system1-point system2-point tsrc system1-taddr tdst system2-taddr router up
```
1. On the enigma system, add the following entry to the hostname.ip.tun0 file:
```
10.16.16.6 10.1.3.3 tsrc 192.168.116.16 tdst 192.168.13.213 router up
```
2. On the partym system, add the following entry to the hostname.ip.tun0 file:
```
10.1.3.3 10.16.16.6 tsrc 192.168.13.213 tdst 192.168.116.16 router up
```
Protect the tunnel with the IPsec policy that you created.
```
# svcadm refresh svc:/network/ipsec/policy:default
```
To read the contents of the tunnel configuration file into the kernel, restart the network services.
```
# svcadm restart svc:/network/initial:default
```
Turn on IP forwarding for the hme1 interface.
1. On the enigma system, add the router entry to the /etc/hostname.hme1 file.
```
192.168.116.16 router
```
2. On the partym system, add the router entry to the /etc/hostname.hme1 file.
```
192.168.13.213 router
```
IP forwarding means that packets that arrive from somewhere else can be forwarded. IP forwarding also means that packets that leave this interface might have originated somewhere else. To successfully forward a packet, both the receiving interface and the transmitting interface must have IP forwarding turned on.
Because the hme1 interface is inside the intranet, IP forwarding must be turned on for hme1. Because ip.tun0 connects the two systems through the Internet, IP forwarding must be turned on for ip.tun0.
The hme0 interface has its IP forwarding turned off to prevent an outside adversary from injecting packets into the protected intranet. The outside refers to the Internet.
Ensure that the routing protocols do not advertise the default route within the intranet.
1. On the enigma system, add the private flag to the /etc/hostname.hme0 file.
```
10.16.16.6 private
```
2. On the partym system, add the private flag to the /etc/hostname.hme0 file.
```
10.1.3.3 private
```
Even if hme0 has IP forwarding turned off, a routing protocol implementation might still advertise the interface. For example, the in.routed protocol might still advertise that hme0 is available to forward packets to its peers inside the intranet. By setting the interface's private flag, these advertisements are prevented.
Manually add a default route over the hme0 interface.
The default route must be a router with direct access to the Internet.
1. On the enigma system, add the following route:
```
# route add default 192.168.116.4
```
2. On the partym system, add the following route:
```
# route add default 192.168.13.5
```
  Even though the hme0 interface is not part of the intranet, hme0 does need to reach across the Internet to its peer system. To find its peer, hme0 needs information about Internet routing. The VPN system appears to be a host, rather than a router, to the rest of the Internet. Therefore, you can use a default router or run the router discovery protocol to find a peer system. For more information, see the route(1M) and in.routed(1M) man pages.
To complete the procedure, go to Step 22 to run a routing protocol.

Configure the tunnel, ip.tun0.

Note - The following steps configure a tunnel on a system that is running a release prior to the Solaris 10 4/09 release.

Use ifconfig commands to create the point-to-point interface:

# ifconfig ip.tun0 plumb

# ifconfig ip.tun0 system1-point system2-point \
tsrc system1-taddr tdst system2-taddr

On the enigma system, type the following commands:

# ifconfig ip.tun0 plumb

# ifconfig ip.tun0 10.16.16.6 10.1.3.3 \
tsrc 192.168.116.16 tdst 192.168.13.213

On the partym system, type the following commands:

# ifconfig ip.tun0 plumb

# ifconfig ip.tun0 10.1.3.3 10.16.16.6  \
tsrc 192.168.13.213 tdst 192.168.116.16

Protect the tunnel with the IPsec policy that you created.
```
# ipsecconf
```
Bring up the router for the tunnel.
```
# ifconfig ip.tun0 router up
```
Turn on IP forwarding for the hme1 interface.
```
# ifconfig hme1 router
```
IP forwarding means that packets that arrive from somewhere else can be forwarded. IP forwarding also means that packets that leave this interface might have originated somewhere else. To successfully forward a packet, both the receiving interface and the transmitting interface must have IP forwarding turned on.
Because the hme1 interface is inside the intranet, IP forwarding must be turned on for hme1. Because ip.tun0 connects the two systems through the Internet, IP forwarding must be turned on for ip.tun0.
The hme0 interface has its IP forwarding turned off to prevent an outside adversary from injecting packets into the protected intranet. The outside refers to the Internet.
Ensure that routing protocols do not advertise the default route within the intranet.
```
# ifconfig hme0 private
```
Even if hme0 has IP forwarding turned off, a routing protocol implementation might still advertise the interface. For example, the in.routed protocol might still advertise that hme0 is available to forward packets to its peers inside the intranet. By setting the interface's private flag, these advertisements are prevented.
Manually add a default route over hme0.
The default route must be a router with direct access to the Internet.
1. On the enigma system, add the following route:
```
# route add default 192.168.116.4
```
2. On the partym system, add the following route:
```
# route add default 192.168.13.5
```
  Even though the hme0 interface is not part of the intranet, hme0 does need to reach across the Internet to its peer system. To find its peer, hme0 needs information about Internet routing. The VPN system appears to be a host, rather than a router, to the rest of the Internet. Therefore, you can use a default router or run the router discovery protocol to find a peer system. For more information, see the route(1M) and in.routed(1M) man pages.
Ensure that the VPN starts after a reboot by adding an entry to the /etc/hostname.ip.tun0 file.
```
system1-point system2-point tsrc system1-taddr tdst system2-taddr router up
```
1. On the enigma system, add the following entry to the hostname.ip.tun0 file:
```
10.16.16.6 10.1.3.3 tsrc 192.168.116.16 tdst 192.168.13.213 router up
```
2. On the partym system, add the following entry to the hostname.ip.tun0 file:
```
10.1.3.3 10.16.16.6 tsrc 192.168.13.213 tdst 192.168.116.16 router up
```

Configure the interface files to pass the correct parameters to the routing daemon.

On the enigma system, modify the /etc/hostname.interface files.

# cat /etc/hostname.hme0
## enigma
10.16.16.6 private

# cat /etc/hostname.hme1
## enigma
192.168.116.16 router

On the partym system, modify the /etc/hostname.interface files.

# cat /etc/hostname.hme0
## partym
10.1.3.3 private

# cat /etc/hostname.hme1
## partym
192.168.13.213 router

Run a routing protocol.
```
# routeadm -e ipv4-routing
# routeadm -u
```
You might need to configure the routing protocol before running the routing protocol. For more information, see Routing Protocols in Oracle Solaris. For a procedure, see How to Configure an IPv4 Router.

Example 20-10 Creating Temporary Tunnels When Testing

In this example, the administrator tests tunnel creation on a Solaris 10 4/09 system. Later, the administrator will use the procedure How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4 to make the tunnels permanent. During testing, the administrator performs the following series of steps on the systems system1 and system2:

On both systems, the administrator completes the first five steps of How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4.

The administrator uses the ifconfig command to plumb and configure a temporary tunnel.

system1 # ifconfig ip.tun0 plumb
system1 # ifconfig ip.tun0 10.16.16.6 10.1.3.3 \
          tsrc 192.168.116.16 tdst 192.168.13.213

# ssh system2
Password: admin-password-on-system2
system2 # ifconfig ip.tun0 plumb
system2 # ifconfig ip.tun0  10.1.3.3 10.16.16.6 \
          tsrc 192.168.13.213 tdst 192.168.116.16

The administrator enables IPsec policy on the tunnel. The policy was created in Step 4 of How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4.
```
system1 # svcadm refresh svc:/network/ipsec/policy:default
system2 # svcadm refresh svc:/network/ipsec/policy:default
```
The administrator makes the Internet interface a router and prevents routing protocols from going over the intranet interface.
```
system1 # ifconfig hme1 router ; ifconfig hme0 private

system2 # ifconfig hme1 router ; ifconfig hme0 private
```
The administrator manually adds routing and runs the routing protocol by completing Step 12 and Step 22 of How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4 on both systems.

Example 20-11 Creating a Tunnel to an Earlier Version of a Solaris System by Using the Command Line

In the Solaris 10 7/07 release, the syntax of the ifconfig command was simplified. In this example, the administrator tests tunnel creation to a system that is running a version of Solaris prior to the Solaris 10 7/07 release. By using the original syntax of the ifconfig command, the administrator can use identical commands on the two communicating systems. Later, the administrator will use How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4 to make the tunnels permanent.

During testing, the administrator performs the following steps on the systems system1 and system2:

On both systems, the administrator completes the first five steps of How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4.

The administrator plumbs and configures the tunnel.

system1 # ifconfig ip.tun0 plumb
system1 # ifconfig ip.tun0 10.16.16.6 10.1.3.3 \
          tsrc 192.168.116.16 tdst 192.168.13.213 \
          encr_algs aes encr_auth_algs sha1
system1 # ifconfig ip.tun0 router up

# ssh system2
Password: admin-password-on-system2
system2 # ifconfig ip.tun0 plumb
system2 # ifconfig ip.tun0 10.1.3.3  10.16.16.6 \
          tsrc 192.168.13.213 tdst 192.168.116.16 \
          encr_algs aes encr_auth_algs sha1
system2 # ifconfig ip.tun0 router up

The administrator enables IPsec policy on the tunnel. The policy was created in Step 4 of How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4.
```
system1 # svcadm refresh svc:/network/ipsec/policy:default
system2 # svcadm refresh svc:/network/ipsec/policy:default
```
The administrator makes the Internet interface a router and prevents routing protocols from going over the intranet interface.
```
system1 # ifconfig hme1 router ; ifconfig hme0 private
system2 # ifconfig hme1 router ; ifconfig hme0 private
```
The administrator adds routing by completing Step 12 and Step 22 of How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4 on both systems.

Example 20-12 Requiring IPsec Policy on All Systems on a LAN

In this example, the administrator comments out the bypass policy that was configured in Step 4, thereby strengthening the protection. With this policy configuration, each system on the LAN must activate IPsec to communicate with the router.

# LAN traffic must implement IPsec.
# {laddr 10.1.3.3 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip.tun0 negotiate tunnel} ipsec {encr_algs aes encr_auth_algs sha1}

Example 20-13 Using IPsec to Protect Telnet Traffic Differently From SMTP Traffic

In this example, the first rule protects telnet traffic on port 23 with Blowfish and SHA-1. The second rule protects SMTP traffic on port 25 with AES and MD5.

{laddr 10.1.3.3 ulp tcp dport 23 dir both} 
  ipsec {encr_algs blowfish encr_auth_algs sha1 sa unique}
{laddr 10.1.3.3 ulp tcp dport 25 dir both} 
 ipsec {encr_algs aes encr_auth_algs md5 sa unique}

Example 20-14 Using an IPsec Tunnel in Tunnel Mode to Protect a Subnet Differently From Other Network Traffic

The following tunnel configuration protects all traffic from subnet 10.1.3.0/24 across the tunnel:

{tunnel ip.tun0 negotiate tunnel laddr 10.1.3.0/24} 
  ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

The following tunnel configurations protect traffic from subnet 10.1.3.0/24 to different subnets across the tunnel. Subnets that begin with 10.2.x.x are across the tunnel.

{tunnel ip.tun0 negotiate tunnel laddr 10.1.3.0/24 raddr 10.2.1.0/24} 
  ipsec {encr_algs blowfish encr_auth_algs sha1 sa shared}

{tunnel ip.tun0 negotiate tunnel laddr 10.1.3.0/24 raddr 10.2.2.0/24} 
  ipsec {encr_algs blowfish encr_auth_algs sha1 sa shared}

{tunnel ip.tun0 negotiate tunnel laddr 10.1.3.0/24 raddr 10.2.3.0/24} 
  ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv6

To set up a VPN on an IPv6 network, you follow the same steps as for an IPv4 network. However, the syntax of the commands is slightly different. For a fuller description of the reasons for running particular commands, see the corresponding steps in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4.

Note - Perform the steps in this procedure on both systems.

This procedure uses the following configuration parameters.

Parameter	Europe	California
System name	enigma	partym
System intranet interface	hme1	hme1
System Internet interface	hme0	hme0
System intranet address	6000:6666::aaaa:1116	6000:3333::eeee:1113
System Internet address	2001::aaaa:6666:6666	2001::eeee:3333:3333
Name of Internet router	router-E	router-C
Address of Internet router	2001::aaaa:0:4	2001::eeee:0:1
Tunnel name	ip6.tun0	ip6.tun0

On the system console, assume the Primary Administrator role or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in Oracle Solaris Administration: Basic Administration.

Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.
Control the flow of packets before configuring IPsec.
For the effects of these commands, see Step 2 in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4.
1. Ensure that IP forwarding and IP dynamic routing are disabled.
```
# routeadm
Configuration       Current         Current
       Option       Configuration  System State
--------------------------------------------------
…
IPv6 forwarding     disabled          disabled
   IPv6 routing     disabled          disabled
```
  If IP forwarding and IP dynamic routing are enabled, you can disable them by typing:
```
# routeadm -d ipv6-forwarding -d ipv6-routing
# routeadm -u
```
2. Turn on IP strict destination multihoming.
```
# ndd -set /dev/ip ip6_strict_dst_multihoming 1
```
  Caution - The value of ip6_strict_dst_multihoming reverts to the default when the system is booted. To make the changed value persistent, see How to Prevent IP Spoofing.
3. Disable most network services, and possibly all network services.
  Note - If your system was installed with the “limited” SMF profile, then you can skip this step. Network services, with the exception of Secure Shell, are disabled.
  
  The disabling of network services prevents IP packets from doing any harm to the system. For example, an SNMP daemon, a telnet connection, or an rlogin connection could be exploited.
  
  Choose one of the following options:
  - If you are running the Solaris 10 11/06 release or a later release, run the “limited” SMF profile.
```
# netservices limited
```
  - Otherwise, individually disable network services.
```
# svcadm disable network/ftp:default
# svcadm disable network/finger:default
# svcadm disable network/login:rlogin
# svcadm disable network/nfs/server:default
# svcadm disable network/rpc/rstat:default
# svcadm disable network/smtp:sendmail
# svcadm disable network/telnet:default 
```
4. Verify that most network services are disabled.
  Verify that loopback mounts and the ssh service are running.
```
# svcs | grep network
online         Aug_02   svc:/network/loopback:default
...
online         Aug_09   svc:/network/ssh:default
```
Add a pair of SAs between the two systems.
Choose one of the following options:
- Configure IKE to manage the keys for the SAs. Use one of the procedures in Configuring IKE (Task Map) to configure IKE for the VPN.
- If you have an overriding reason to manually manage the keys, see How to Manually Create IPsec Security Associations.

Add IPsec policy for the VPN.

Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN.

On the enigma system, type the following entry into the ipsecinit.conf file:

# IPv6 Neighbor Discovery messages bypass IPsec.
{ulp ipv6-icmp type 133-137 dir both} pass {}

# LAN traffic to and from this host can bypass IPsec.
{laddr 6000:6666::aaaa:1116 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip6.tun0 negotiate tunnel} 
  ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

On the partym system, type the following entry into the ipsecinit.conf file:

# IPv6 Neighbor Discovery messages bypass IPsec.
{ulp ipv6-icmp type 133-137 dir both} pass {}

# LAN traffic to and from this host can bypass IPsec.
{laddr 6000:3333::eeee:1113 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip6.tun0 negotiate tunnel} 
  ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

(Optional) Verify the syntax of the IPsec policy file.
```
# ipsecconf -c -f /etc/inet/ipsecinit.conf
```
To configure the tunnel and protect it with IPsec, follow the steps according to the Oracle Solaris release:
- Starting in the Solaris 10 4/09 release, follow the steps from Step 7 to Step 13, then run the routing protocol in Step 22.
- If you are running a release prior to the Solaris 10 4/09 release, follow the steps from Step 14 to Step 22.
Configure the tunnel, ip6.tun0, in the /etc/hostname.ip6.tun0 file.
1. On the enigma system, add the following entry to the hostname.ip6.tun0 file:
```
6000:6666::aaaa:1116 6000:3333::eeee:1113 tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 router up
```
2. On the partym system, add the following entry to the hostname.ip6.tun0 file:
```
6000:3333::eeee:1113  6000:6666::aaaa:1116 tsrc 2001::eeee:3333:3333 tdst 2001::aaaa:6666:6666 router up
```
Protect the tunnel with the IPsec policy that you created.
```
# svcadm refresh svc:/network/ipsec/policy:default
```
To read the contents of the tunnel configuration file into the kernel, restart the network services.
```
# svcadm restart svc:/network/initial:default
```
Turn on IP forwarding for the hme1 interface.
1. On the enigma system, add the router entry to the /etc/hostname6.hme1 file.
```
2001::aaaa:6666:6666 inet6 router
```
2. On the partym system, add the router entry to the /etc/hostname6.hme1 file.
```
2001::eeee:3333:3333 inet6 router
```
Ensure that routing protocols do not advertise the default route within the intranet.
1. On the enigma system, add the private flag to the /etc/hostname6.hme0 file.
```
6000:6666::aaaa:1116 inet6 private
```
2. On the partym system, add the private flag to the /etc/hostname6.hme0 file.
```
6000:3333::eeee:1113 inet6 private
```
Manually add a default route over hme0.
1. On the enigma system, add the following route:
```
# route add -inet6 default 2001::aaaa:0:4
```
2. On the partym system, add the following route:
```
# route add -inet6 default 2001::eeee:0:1
```
To complete the procedure, go to Step 22 to run a routing protocol.

Configure a secure tunnel, ip6.tun0.

Note - The following steps configure a tunnel on a system that is running a release prior to the Solaris 10 4/09 release.

On the enigma system, type the following commands:

# ifconfig ip6.tun0 inet6 plumb

# ifconfig ip6.tun0 inet6 6000:6666::aaaa:1116 6000:3333::eeee:1113 \
tsrc 2001::aaaa:6666:6666   tdst 2001::eeee:3333:3333

On the partym system, type the following commands:

# ifconfig ip6.tun0 inet6 plumb

# ifconfig ip6.tun0 inet6 6000:3333::eeee:1113 6000:6666::aaaa:1116 \
tsrc 2001::eeee:3333:3333   tdst 2001::aaaa:6666:6666

Protect the tunnel with the IPsec policy that you created.
```
# ipsecconf
```
Bring up the router for the tunnel.
```
# ifconfig ip6.tun0 router up
```
On each system, turn on IP forwarding for the hme1 interface.
```
# ifconfig hme1 router
```
Ensure that routing protocols do not advertise the default route within the intranet.
```
# ifconfig hme0 private
```
Manually add a default route over hme0.
The default route must be a router with direct access to the Internet.
1. On the enigma system, add the following route:
```
# route add -inet6 default 2001::aaaa:0:4
```
2. On the partym system, add the following route:
```
# route add -inet6 default 2001::eeee:0:1
```
Ensure that the VPN starts after a reboot by adding an entry to the /etc/hostname6.ip6.tun0 file.
The entry replicates the parameters that were passed to the ifconfig command in Step 14.
1. On the enigma system, add the following entry to the hostname6.ip6.tun0 file:
```
6000:6666::aaaa:1116 6000:3333::eeee:1113 \
tsrc 2001::aaaa:6666:6666  tdst 2001::eeee:3333:3333 router up
```
2. On the partym system, add the following entry to the hostname6.ip6.tun0 file:
```
6000:3333::eeee:1113 6000:6666::aaaa:1116 \
tsrc 2001::eeee:3333:3333   tdst 2001::aaaa:6666:6666  router up
```

On each system, configure the interface files to pass the correct parameters to the routing daemon.

On the enigma system, modify the /etc/hostname6.interface files.

# cat /etc/hostname6.hme0
## enigma
6000:6666::aaaa:1116 inet6 private

#  cat /etc/hostname6.hme1
## enigma
2001::aaaa:6666:6666 inet6 router

On the partym system, modify the /etc/hostname6.interface files.

# cat /etc/hostname6.hme0
## partym
6000:3333::eeee:1113 inet6 private

# cat /etc/hostname6.hme1
## partym
2001::eeee:3333:3333 inet6 router

Run a routing protocol.
```
# routeadm -e ipv6-routing
# routeadm -u
```
You might need to configure the routing protocol before running the routing protocol. For more information, see Routing Protocols in Oracle Solaris. For a procedure, see Configuring an IPv6 Router.

How to Protect a VPN With an IPsec Tunnel in Transport Mode Using IPv4

In transport mode, the outer header determines the IPsec policy that protects the inner IP packet.

This procedure extends the procedure How to Secure Traffic Between Two Systems With IPsec. In addition to connecting two systems, you are connecting two intranets that connect to these two systems. The systems in this procedure function as gateways.

This procedure uses the setup that is described in Description of the Network Topology for the IPsec Tasks to Protect a VPN. For a fuller description of the reasons for running particular commands, see the corresponding steps in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Using IPv4.

Note - Perform the steps in this procedure on both systems.

On the system console, assume the Primary Administrator role or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in Oracle Solaris Administration: Basic Administration.

Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.
Control the flow of packets before configuring IPsec.
1. Ensure that IP forwarding and IP dynamic routing are disabled.
```
# routeadm
Configuration       Current         Current
       Option       Configuration  System State
--------------------------------------------------
IPv4 forwarding     disabled           disabled
   IPv4 routing     default (enabled)   enabled
…
```
  If IP forwarding and IP dynamic routing are enabled, you can disable them by typing:
```
# routeadm -d ipv4-routing -d ipv4-forwarding
# routeadm -u
```
2. Turn on IP strict destination multihoming.
```
# ndd -set /dev/ip ip_strict_dst_multihoming 1
```
  Caution - The value of ip_strict_dst_multihoming reverts to the default when the system is booted. To make the changed value persistent, see How to Prevent IP Spoofing.
3. Disable most network services, and possibly all network services.
  Note - If your system was installed with the “limited” SMF profile, then you can skip this step. Network services, with the exception of Secure Shell, are disabled.
  
  The disabling of network services prevents IP packets from doing any harm to the system. For example, an SNMP daemon, a telnet connection, or an rlogin connection could be exploited.
  
  Choose one of the following options:
  - If you are running the Solaris 10 11/06 release or a later release, run the “limited” SMF profile.
```
# netservices limited
```
  - Otherwise, individually disable network services.
```
# svcadm disable network/ftp:default
# svcadm disable network/finger:default
# svcadm disable network/login:rlogin
# svcadm disable network/nfs/server:default
# svcadm disable network/rpc/rstat:default
# svcadm disable network/smtp:sendmail
# svcadm disable network/telnet:default 
```
4. Verify that most network services are disabled.
  Verify that loopback mounts and the ssh service are running.
```
# svcs | grep network
online         Aug_02   svc:/network/loopback:default
…
online         Aug_09   svc:/network/ssh:default
```
Add a pair of SAs between the two systems.
Choose one of the following options:
- Configure IKE to manage the keys for the SAs. Use one of the procedures in Configuring IKE (Task Map) to configure IKE for the VPN.
- If you have an overriding reason to manually manage the keys, see How to Manually Create IPsec Security Associations.

Add IPsec policy.

Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN. To strengthen the policy, see Example 20-15.

On the enigma system, type the following entry into the ipsecinit.conf file:

# LAN traffic to and from this host can bypass IPsec.
{laddr 10.16.16.6 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip.tun0 negotiate transport} 
 ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

On the partym system, type the following entry into the ipsecinit.conf file:

# LAN traffic to and from this host can bypass IPsec.
{laddr 10.1.3.3 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip.tun0 negotiate transport} 
 ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

(Optional) Verify the syntax of the IPsec policy file.
```
# ipsecconf -c -f /etc/inet/ipsecinit.conf
```
To configure the tunnel and protect it with IPsec, follow the steps according to the Oracle Solaris release:
- Starting in the Solaris 10 4/09 release, follow the steps from Step 7 to Step 13, then run the routing protocol in Step 22.
- If you are running a release prior to the Solaris 10 4/09 release, follow the steps from Step 14 to Step 22.
Configure the tunnel, ip.tun0, in the /etc/hostname.ip.tun0 file.
1. On the enigma system, add the following entry to the hostname.ip.tun0 file:
```
10.16.16.6 10.1.3.3 tsrc 192.168.116.16 tdst 192.168.13.213 router up
```
2. On the partym system, add the following entry to the hostname.ip.tun0 file:
```
10.1.3.3 10.16.16.6 tsrc 192.168.13.213 tdst 192.168.116.16 router up
```
Protect the tunnel with the IPsec policy that you created.
```
# svcadm refresh svc:/network/ipsec/policy:default
```
To read the contents of the hostname.ip.tun0 file into the kernel, restart the network services.
```
# svcadm restart svc:/network/initial:default
```
Turn on IP forwarding for the hme1 interface.
1. On the enigma system, add the router entry to the /etc/hostname.hme1 file.
```
192.168.116.16 router
```
2. On the partym system, add the router entry to the /etc/hostname.hme1 file.
```
192.168.13.213 router
```
Ensure that routing protocols do not advertise the default route within the intranet.
1. On the enigma system, add the private flag to the /etc/hostname.hme0 file.
```
10.16.16.6 private
```
2. On the partym system, add the private flag to the /etc/hostname.hme0 file.
```
10.1.3.3 private
```
Manually add a default route over hme0.
1. On the enigma system, add the following route:
```
# route add default 192.168.116.4
```
2. On the partym system, add the following route:
```
# route add default 192.168.13.5
```
To complete the procedure, go to Step 22 to run a routing protocol.

Configure the tunnel, ip.tun0.

Note - The following steps configure a tunnel on a system that is running a release prior to the Solaris 10 4/09 release.

Use ifconfig commands to create the point-to-point interface:

# ifconfig ip.tun0 plumb

# ifconfig ip.tun0 system1-point system2-point \
tsrc system1-taddr tdst system2-taddr

On the enigma system, type the following commands:

# ifconfig ip.tun0 plumb

# ifconfig ip.tun0 10.16.16.6 10.1.3.3 \
tsrc 192.168.116.16 tdst 192.168.13.213

On the partym system, type the following commands:

# ifconfig ip.tun0 plumb

# ifconfig ip.tun0 10.1.3.3 10.16.16.6  \
tsrc 192.168.13.213 tdst 192.168.116.16

Protect the tunnel with the IPsec policy that you created.
```
# ipsecconf
```
Bring up the router for the tunnel.
```
# ifconfig ip.tun0 router up
```
Turn on IP forwarding for the hme1 interface.
```
# ifconfig hme1 router
```
Ensure that routing protocols do not advertise the default route within the intranet.
```
# ifconfig hme0 private
```
Manually add a default route over hme0.
The default route must be a router with direct access to the Internet.
```
# route add default router-on-hme0-subnet
```
1. On the enigma system, add the following route:
```
# route add default 192.168.116.4
```
2. On the partym system, add the following route:
```
# route add default 192.168.13.5
```

Ensure that the VPN starts after a reboot by adding an entry to the /etc/hostname.ip.tun0 file.

system1-point system2-point tsrc system1-taddr \
tdst system2-taddr encr_algs aes encr_auth_algs sha1 router up

On the enigma system, add the following entry to the hostname.ip.tun0 file:

10.16.16.6 10.1.3.3 tsrc 192.168.116.16 \
tdst 192.168.13.213 router up

On the partym system, add the following entry to the hostname.ip.tun0 file:

10.1.3.3 10.16.16.6 tsrc 192.168.13.213 \
tdst 192.168.116.16 router up

Configure the interface files to pass the correct parameters to the routing daemon.

On the enigma system, modify the /etc/hostname.interface files.

# cat /etc/hostname.hme0
## enigma
10.16.16.6 private

# cat /etc/hostname.hme1
## enigma
192.168.116.16 router

On the partym system, modify the /etc/hostname.interface files.

# cat /etc/hostname.hme0
## partym
10.1.3.3 private

# cat /etc/hostname.hme1
## partym
192.168.13.213 router

Run a routing protocol.

# routeadm -e ipv4-routing
# routeadm -u

Example 20-15 Requiring IPsec Policy on All Systems in Transport Mode

# LAN traffic must implement IPsec.
# {laddr 10.1.3.3 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip.tun0 negotiate transport} ipsec {encr_algs aes encr_auth_algs sha1}

Example 20-16 Using Deprecated Syntax to Configure an IPsec Tunnel in Transport Mode

In this example, the administrator is connecting a Solaris 10 7/07 system with a system that is running the Oracle Solaris 10 release. Therefore, the administrator uses Solaris 10 syntax in the configuration file and includes the IPsec algorithms in the ifconfig command.

The administrator follows the procedure How to Protect a VPN With an IPsec Tunnel in Transport Mode Using IPv4 with the following changes in syntax.

For Step 4, the syntax of the ipsecinit.conf file is the following:

# LAN traffic to and from this address can bypass IPsec.
{laddr 10.1.3.3 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{} ipsec {encr_algs aes encr_auth_algs sha1}

For Step 14 to Step 16, the syntax to configure a secure tunnel is the following:

# ifconfig ip.tun0 plumb

# ifconfig ip.tun0 10.16.16.6 10.1.3.3 \
tsrc 192.168.116.16 tdst 192.168.13.213 \
encr_algs aes encr_auth_algs sha1

# ifconfig ip.tun0 router up

# ifconfig ip.tun0 plumb

# ifconfig ip.tun0 10.16.16.6 10.1.3.3 \
tsrc 192.168.116.16 tdst 192.168.13.213 \
encr_algs aes encr_auth_algs sha1

The IPsec policy that is passed to the ifconfig commands must be the same as the IPsec policy in the ipsecinit.conf file. Upon reboot, each system reads the ipsecinit.conf file for its policy.

For Step 20, the syntax of the hostname.ip.tun0 file is the following:

10.16.16.6 10.1.3.3 tsrc 192.168.116.16 \
tdst 192.168.13.213 encr_algs aes encr_auth_algs sha1 router up

How to Protect a VPN With an IPsec Tunnel in Transport Mode Using IPv6

Note - Perform the steps in this procedure on both systems.

This procedure uses the following configuration parameters.

Parameter	Europe	California
System name	enigma	partym
System intranet interface	hme1	hme1
System Internet interface	hme0	hme0
System intranet address	6000:6666::aaaa:1116	6000:3333::eeee:1113
System Internet address	2001::aaaa:6666:6666	2001::eeee:3333:3333
Name of Internet router	router-E	router-C
Address of Internet router	2001::aaaa:0:4	2001::eeee:0:1
Tunnel name	ip6.tun0	ip6.tun0

On the system console, assume the Primary Administrator role or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in Oracle Solaris Administration: Basic Administration.

Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.
Control the flow of packets before configuring IPsec.
1. Ensure that IP forwarding and IP dynamic routing are disabled.
```
# routeadm
Configuration       Current         Current
       Option       Configuration  System State
--------------------------------------------------
…
IPv6 forwarding     disabled          disabled
   IPv6 routing     disabled          disabled
```
  If IP forwarding and IP dynamic routing are enabled, you can disable them by typing:
```
# routeadm -d ipv6-forwarding -d ipv6-routing
# routeadm -u
```
2. Turn on IP strict destination multihoming.
```
# ndd -set /dev/ip ip6_strict_dst_multihoming 1
```
  Caution - The value of ip6_strict_dst_multihoming reverts to the default when the system is booted. To make the changed value persistent, see How to Prevent IP Spoofing.
3. Verify that most network services are disabled.
  Verify that loopback mounts and the ssh service are running.
```
# svcs | grep network
online         Aug_02   svc:/network/loopback:default
…
online         Aug_09   svc:/network/ssh:default
```
Add a pair of SAs between the two systems.
Choose one of the following options:
- Configure IKE to manage the keys for the SAs. Use one of the procedures in Configuring IKE (Task Map) to configure IKE for the VPN.
- If you have an overriding reason to manually manage the keys, see How to Manually Create IPsec Security Associations.

Add IPsec policy.

Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN.

On the enigma system, type the following entry into the ipsecinit.conf file:

# IPv6 Neighbor Discovery messages bypass IPsec.
{ulp ipv6-icmp type 133-137 dir both} pass {}

# LAN traffic can bypass IPsec.
{laddr 6000:6666::aaaa:1116 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip6.tun0 negotiate transport} 
 ipsec {encr_algs aes encr_auth_algs sha1}

On the partym system, type the following entry into the ipsecinit.conf file:

# IPv6 Neighbor Discovery messages bypass IPsec.
{ulp ipv6-icmp type 133-137 dir both} pass {}

# LAN traffic can bypass IPsec.
{laddr 6000:3333::eeee:1113 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip6.tun0 negotiate transport} 
 ipsec {encr_algs aes encr_auth_algs sha1}

(Optional) Verify the syntax of the IPsec policy file.
```
# ipsecconf -c -f /etc/inet/ipsecinit.conf
```
To configure the tunnel and protect it with IPsec, follow the steps according to the Oracle Solaris release:
- Starting in the Solaris 10 4/09 release, follow the steps from Step 7 to Step 13, then run the routing protocol in Step 22.
- If you are running a release prior to the Solaris 10 4/09 release, follow the steps from Step 14 to Step 22.
Configure the tunnel, ip6.tun0, in the /etc/hostname.ip6.tun0 file.
1. On the enigma system, add the following entry to the hostname.ip6.tun0 file:
```
6000:6666::aaaa:1116 6000:3333::eeee:1113 tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 router up
```
2. On the partym system, add the following entry to the hostname.ip6.tun0 file:
```
6000:3333::eeee:1113  6000:6666::aaaa:1116 tsrc 2001::eeee:3333:3333 tdst 2001::aaaa:6666:6666 router up
```
Protect the tunnel with the IPsec policy that you created.
```
# svcadm refresh svc:/network/ipsec/policy:default
```
To read the contents of the hostname.ip6.tun0 file into the kernel, restart the network services.
```
# svcadm restart svc:/network/initial:default
```
Turn on IP forwarding for the hme1 interface.
1. On the enigma system, add the router entry to the /etc/hostname6.hme1 file.
```
2001::aaaa:6666:6666 inet6 router
```
2. On the partym system, add the router entry to the /etc/hostname6.hme1 file.
```
2001::eeee:3333:3333 inet6 router
```
Ensure that routing protocols do not advertise the default route within the intranet.
1. On the enigma system, add the private flag to the /etc/hostname6.hme0 file.
```
6000:6666::aaaa:1116 inet6 private
```
2. On the partym system, add the private flag to the /etc/hostname6.hme0 file.
```
6000:3333::eeee:1113 inet6 private
```
Manually add a default route over hme0.
1. On the enigma system, add the following route:
```
# route add -inet6 default 2001::aaaa:0:4
```
2. On the partym system, add the following route:
```
# route add -inet6 default 2001::eeee:0:1
```
To complete the procedure, go to Step 22 to run a routing protocol.

Configure a secure tunnel, ip6.tun0.

Note - The following steps configure a tunnel on a system that is running a release prior to the Solaris 10 4/09 release.

On the enigma system, type the following commands:

# ifconfig ip6.tun0 inet6 plumb

# ifconfig ip6.tun0 inet6 6000:6666::aaaa:1116 6000:3333::eeee:1113 \
tsrc 2001::aaaa:6666:6666   tdst 2001::eeee:3333:3333

On the partym system, type the following commands:

# ifconfig ip6.tun0 inet6 plumb

# ifconfig ip6.tun0 inet6  6000:3333::eeee:1113  6000:6666::aaaa:1116 \
tsrc 2001::eeee:3333:3333   tdst 2001::aaaa:6666:6666

Protect the tunnel with the IPsec policy that you created.
```
# ipsecconf
```
Bring up the router for the tunnel.
```
# ifconfig ip6.tun0 router up
```
Turn on IP forwarding for the hme1 interface.
```
# ifconfig hme1 router
```
Ensure that routing protocols do not advertise the default route within the intranet.
```
# ifconfig hme0 private
```
On each system, manually add a default route over hme0.
The default route must be a router with direct access to the Internet.
1. On the enigma system, add the following route:
```
# route add -inet6 default 2001::aaaa:0:4
```
2. On the partym system, add the following route:
```
# route add -inet6 default 2001::eeee:0:1
```
On each system, ensure that the VPN starts after a reboot by adding an entry to the /etc/hostname6.ip6.tun0 file.
The entry replicates the parameters that were passed to the ifconfig command in Step 14.
1. On the enigma system, add the following entry to the hostname6.ip6.tun0 file:
```
6000:6666::aaaa:1116  6000:3333::eeee:1113 \
tsrc 2001::aaaa:6666:6666   tdst 2001::eeee:3333:3333  router up
```
2. On the partym system, add the following entry to the hostname6.ip6.tun0 file:
```
6000:3333::eeee:1113  6000:6666::aaaa:1116 \
tsrc 2001::eeee:3333:3333   tdst 2001::aaaa:6666:6666  router up
```

Configure the interface files to pass the correct parameters to the routing daemon.

On the enigma system, modify the /etc/hostname6.interface files.

# cat /etc/hostname6.hme0
## enigma
6000:6666::aaaa:1116 inet6 private

#  cat /etc/hostname6.hme1
## enigma
2001::aaaa:6666:6666 inet6 router

On the partym system, modify the /etc/hostname6.interface files.

# cat /etc/hostname6.hme0
## partym
6000:3333::eeee:1113 inet6 private

# cat /etc/hostname6.hme1
## 
partym2001::eeee:3333:3333 inet6 router

Run a routing protocol.

# routeadm -e ipv6-routing
# routeadm -u

Example 20-17 Using Deprecated Syntax to Configure IPsec in Transport Mode Using IPv6

The administrator follows the procedure How to Protect a VPN With an IPsec Tunnel in Transport Mode Using IPv6 with the following changes in syntax.

For Step 4, the syntax of the ipsecinit.conf file is the following:

# IPv6 Neighbor Discovery messages bypass IPsec.
{ulp ipv6-icmp type 133-137 dir both} pass {}

# LAN traffic can bypass IPsec.
{laddr 6000:3333::eeee:1113 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{} ipsec {encr_algs aes encr_auth_algs sha1}

For Step 14 to Step 17, the syntax to configure a secure tunnel is the following:
```
# ifconfig ip6.tun0 inet6 plumb

# ifconfig ip6.tun0 inet6 6000:6666::aaaa:1116 6000:3333::eeee:1113 \
tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 \
encr_algs aes encr_auth_algs sha1

# ifconfig ip6.tun0 inet6 router up
```
The IPsec policy that is passed to the ifconfig commands must be the same as the IPsec policy in the ipsecinit.conf file. Upon reboot, each system reads the ipsecinit.conf file for its policy.

For Step 20, the syntax of the hostname6.ip6.tun0 file is the following:

6000:6666::aaaa:1116  6000:3333::eeee:1113 \
tsrc 2001::aaaa:6666:6666   tdst 2001::eeee:3333:3333 \
encr_algs aes encr_auth_algs sha1 router up

How to Prevent IP Spoofing

To prevent the system from forwarding packets to another interface without trying to decrypt them, the system needs to check for IP spoofing. One method of prevention is to set the IP strict destination multihoming parameter by using the ndd command. When this parameter is set in an SMF manifest, the parameter is set when the system reboots.

Note - Perform the steps in this procedure on both systems.

On the system console, assume the Primary Administrator role or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in Oracle Solaris Administration: Basic Administration.

Create the site-specific SMF manifest to check for IP spoofing.

Use the following sample script, /var/svc/manifest/site/spoof_check.xml.

<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='Custom:ip_spoof_checking'>

<!--    This is a custom smf(5) manifest for this system. Place this
        file in /var/svc/manifest/site, the directory for local
        system customizations. The exec method uses an unstable
        interface to provide a degree of protection against IP
        spoofing attacks when this system is acting as a router.

        IP spoof protection can also be achieved by using ipfilter(5).
        If ipfilter is configured, this service can be disabled.

        Note: Unstable interfaces might be removed in later
        releases.  See attributes(5).
-->

<service
        name='site/ip_spoofcheck'
        type='service'
        version='1'>

        <create_default_instance enabled='false' />
        <single_instance />

        <!--    Don't enable spoof protection until the
                network is up.
        -->
        <dependency
                name='basic_network'
                grouping='require_all'
                restart_on='none'
                type='service'>
        <service_fmri value='svc:/milestone/network' />
        </dependency>

        <exec_method
                type='method'
                name='start'
                exec='/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1'
<!--    
     For an IPv6 network, use the IPv6 version of this command, as in:
                exec='/usr/sbin/ndd -set /dev/ip ip6_strict_dst_multihoming 1
-->
                timeout_seconds='60'
        />

        <exec_method
                type='method'
                name='stop'
                exec=':true'
                timeout_seconds='3'
        />

        <property_group name='startd' type='framework'>
                <propval
                        name='duration'
                        type='astring'
                        value='transient'
                />
        </property_group>

        <stability value='Unstable' />

</service>
</service_bundle>

Import this manifest into the SMF repository.

# svccfg import /var/svc/manifest/site/spoof_check.xml

Enable the ip_spoofcheck service.
Use the name that is defined in the manifest, /site/ip_spoofcheck.
```
# svcadm enable /site/ip_spoofcheck
```
Verify that the ip_spoofcheck service is online.
```
# svcs /site/ip_spoofcheck
```

Skip Navigation Links
Exit Print View
	Oracle Solaris Administration: IP Services Oracle Solaris 10 1/13 Information Library