ipsecinit.conf 文件

要在启动 Oracle Solaris 时启用 IPsec 安全策略，请创建一个配置文件以通过特定的 IPsec 策略项来初始化 IPsec。此文件的缺省名称为 /etc/inet/ipsecinit.conf。有关策略项及其格式的详细信息，请参见 ipsecconf(1M) 手册页。在配置策略后，可以使用 svcadm refresh ipsec/policy 命令刷新该策略。

ipsecinit.conf 文件样例

Oracle Solaris 软件中包括样例 IPsec 策略文件 ipsecinit.sample。您可以使用此文件作为模板来创建自己的 ipsecinit.conf 文件。ipsecinit.sample 文件包含以下示例：

...
# In the following simple example, outbound network traffic between the local
# host and a remote host will be encrypted. Inbound network traffic between
# these addresses is required to be encrypted as well.
#
# This example assumes that 10.0.0.1 is the IPv4 address of this host (laddr)
# and 10.0.0.2 is the IPv4 address of the remote host (raddr).
#

{laddr 10.0.0.1 raddr 10.0.0.2} ipsec
    {encr_algs aes encr_auth_algs sha256 sa shared}

# The policy syntax supports IPv4 and IPv6 addresses as well as symbolic names.
# Refer to the ipsecconf(1M) man page for warnings on using symbolic names and
# many more examples, configuration options and supported algorithms.
#
# This example assumes that 10.0.0.1 is the IPv4 address of this host (laddr)
# and 10.0.0.2 is the IPv4 address of the remote host (raddr).
#
# The remote host will also need an IPsec (and IKE) configuration that mirrors
# this one.
#
# The following line will allow ssh(1) traffic to pass without IPsec protection:

{lport 22 dir both} bypass {}

#
# {laddr 10.0.0.1 dir in} drop {}
#
# Uncommenting the above line will drop all network traffic to this host unless
# it matches the rules above. Leaving this rule commented out will allow
# network packets that does not match the above rules to pass up the IP
# network stack. ,,,

ipsecinit.conf 和 ipsecconf 的安全注意事项

无法更改已建立连接的 IPsec 策略。其策略不能更改的套接字称为锁定的套接字。新策略项不保护已锁定的套接字。有关更多信息，请参见 connect(3SOCKET) 和 accept(3SOCKET) 手册页。如果有疑虑，请重新启动连接。

保护您的名称系统。如果发生以下两种情况，则您的主机名不再值得信任：

• 您的源地址是可以在网络中查找到的主机。

• 您的名称系统受到威胁。

安全漏洞通常是由工具使用不当造成的，而并非由工具本身引起。应慎用 ipsecconf 命令。请将 ssh、控制台或其他硬连接的 TTY 用作最安全的操作模式。