A.4. IPsec Configuration Examples

A.4.1. Oracle Linux 5 Pre-Shared Key
A.4.2. Oracle Linux 5 Certificates
A.4.3. Oracle Linux 6 Pre-Shared Key
A.4.4. Oracle Linux 6 Certificates
A.4.5. Oracle Solaris Pre-Shared Key
A.4.6. Oracle Solaris Certificates
A.4.7. Sun Ray Client Configuration
A.4.8. IPsec Verification

This section provides examples that show how to configure and enable IPsec on a Sun Ray server and a Sun Ray Client. For all of the examples, the following configuration information is used:

A.4.1. Oracle Linux 5 Pre-Shared Key

The following example shows how to configure IPsec using a pre-shared key on a Sun Ray server running Oracle Linux 5 and prepare an IKE configuration file for the Sun Ray Client.

  1. Become superuser on the Sun Ray server.

  2. Edit the /etc/racoon/racoon.conf file as follows:

    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    
    remote anonymous {
            exchange_mode main;
            proposal {
                    authentication_method pre_shared_key;
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    dh_group modp1024;
            }
            lifetime time 24 hour;
            proposal_check claim;
    }
    sainfo anonymous {
            authentication_algorithm hmac_sha1;
            encryption_algorithm 3des;
            lifetime time 8 hour;
            compression_algorithm deflate ;
    }
  3. Edit the /etc/racoon/psk.txt file to include the pre-shared key.

    <ip-address_of_Sun_Ray_Client> <key>
    
    10.25.198.65   0x12345678
  4. Configure the SPD.

    # setkey -c << EOF
    spdadd 10.213.21.168 10.25.198.65 any -P out ipsec esp/transport//require;
    spdadd 10.25.198.65  10.213.21.168 any -P in ipsec esp/transport//require;
    EOF

    Note that 10.213.21.168 is the Sun Ray server IP address and 10.25.198.65 is the Sun Ray Client IP address.

  5. Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.

    remote anonymous {
            exchange_mode main;
            proposal {
                    authentication_method pre_shared_key;
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    dh_group modp1024;
            }
            lifetime time 24 hour;
            proposal_check claim;
    }
    sainfo anonymous {
            authentication_algorithm hmac_sha1;
            encryption_algorithm 3des;
            lifetime time 8 hour;
    }
  6. Enable IPsec on the server if necessary.

    # racoon

    This manual step may not be necessary if IPsec is already enabled on the server. You can change the debug level by adding one or more -d options, such as -ddd.

A.4.2. Oracle Linux 5 Certificates

The following example shows how to configure IPsec using certificates on a Sun Ray server running Oracle Linux 5 and prepare an IKE configuration file for the Sun Ray Client.

  1. Become superuser on the Sun Ray server.

  2. Copy the cacert.pem, mycert.pem, and mykey.pem files to the /etc/racoon/certs and /tftpboot directories.

  3. Edit the /etc/racoon/racoon.conf file as follows:

    path include "/etc/racoon";
    path certificate "/etc/racoon/certs";
    
    remote anonymous {
            exchange_mode main;
            generate_policy on;
            passive on;
            ca_type x509 "cacert.pem";
            certificate_type x509 "mycert.pem" "mykey.pem";
            my_identifier asn1dn;
            peers_identifier asn1dn;
            proposal_check claim;
            lifetime time 24 hour;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method rsasig;
                    dh_group modp1024;
            }
    }
    
    sainfo anonymous {
            pfs_group modp1024;
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            lifetime time 8 hour;
            compression_algorithm deflate;
    }
  4. Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.

    remote anonymous {
            exchange_mode main;
            my_identifier asn1dn;
            ca_type x509 "cacert.pem";
            certificate_type x509 "mycert.pem" "mykey.pem";
            proposal {
                    authentication_method rsasig;
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    dh_group modp1024;
            }
            lifetime time 24 hour;
            proposal_check claim;
    }
    sainfo anonymous {
            pfs_group modp1024;
            authentication_algorithm hmac_sha1;
            encryption_algorithm 3des;
            lifetime time 8 hour;
    }
  5. Create a remote configuration file named ikeload with the following contents and save it to the /tftpboot directory.

    /certs/cacert.pem=cacert.pem
    /keys/mykey.pem=mykey.pem
    /certs/mycert.pem=mycert.pem
    /ike/default.conf=sunray_ike.conf
  6. Enable IPsec on the server if necessary.

    # racoon

    This manual step may not be necessary if IPsec is already enabled on the server. You can change the debug level by adding one or more -d options, such as -ddd.
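The following Python script is an added example and is not part of the Sun Ray documentation or product. It checks an ikeload remote configuration file against the server's /tftpboot directory before the Sun Ray Client is pointed at it, so that a missing or empty certificate file is caught on the server rather than as a failed download on the client. It assumes the line format shown above (one <path-in-client-firmware>=<file-under-/tftpboot> mapping per line) and the four firmware slots the certificate examples populate; the function names and the sample directory it builds are constructed for the example.

```python
"""Sanity-check an ikeload remote configuration file against the tftpboot directory.

Added example (not from the Sun Ray documentation). Assumes the format shown in the
examples: one line per file, <path-in-client-firmware>=<file-name-under-/tftpboot>.
"""
import os
import tempfile

# The four firmware slots the certificate examples populate
EXPECTED_SLOTS = (
    "/certs/cacert.pem",
    "/keys/mykey.pem",
    "/certs/mycert.pem",
    "/ike/default.conf",
)


def parse_ikeload(text):
    """Return a list of (firmware_path, source_file) pairs; raise ValueError on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines such as the trailing one in the examples
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected <firmware-path>=<file>, got {line!r}")
        dest, src = (part.strip() for part in line.split("=", 1))
        if not dest.startswith("/") or not src:
            raise ValueError(f"line {lineno}: bad mapping {line!r}")
        entries.append((dest, src))
    return entries


def check_ikeload(text, tftpboot):
    """Return a list of problems; an empty list means every expected slot maps to a non-empty file."""
    problems = []
    entries = parse_ikeload(text)
    dests = [dest for dest, _ in entries]
    for slot in EXPECTED_SLOTS:
        if slot not in dests:
            problems.append(f"no entry for {slot}")
    for dest in set(dests):
        if dests.count(dest) > 1:
            problems.append(f"{dest} is mapped more than once")
    for dest, src in entries:
        path = os.path.join(tftpboot, src)
        if not os.path.isfile(path):
            problems.append(f"{dest}: {src} not found in {tftpboot}")
        elif os.path.getsize(path) == 0:
            problems.append(f"{dest}: {src} is empty")
    return problems


# The ikeload contents from the certificate examples
IKELOAD_TEXT = """\
/certs/cacert.pem=cacert.pem
/keys/mykey.pem=mykey.pem
/certs/mycert.pem=mycert.pem
/ike/default.conf=sunray_ike.conf
"""


def demo():
    """Constructed scenario: a tftpboot directory where mykey.pem was never copied in."""
    with tempfile.TemporaryDirectory() as tftpboot:
        for name in ("cacert.pem", "mycert.pem", "sunray_ike.conf"):
            with open(os.path.join(tftpboot, name), "w") as fh:
                fh.write("placeholder contents\n")
        return check_ikeload(IKELOAD_TEXT, tftpboot)


if __name__ == "__main__":
    for problem in demo():
        print("PROBLEM:", problem)
```

Run it as root on the server with check_ikeload(open("/tftpboot/ikeload").read(), "/tftpboot") before step 6; the demo() function only shows the shape of the report on a constructed directory.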

A.4.3. Oracle Linux 6 Pre-Shared Key

The following example shows how to configure IPsec using a pre-shared key on a Sun Ray server running Oracle Linux 6 and prepare an IKE configuration file for the Sun Ray Client.

  1. Become superuser on the Sun Ray server.

  2. If not already installed, install the openswan-2.6.32-16.el6.x86_64.rpm RPM.

  3. Uncomment the following line in the /etc/ipsec.conf file:

    include /etc/ipsec.d/*.conf
  4. Make sure the /etc/ipsec.secrets file contains only the following line:

    include /etc/ipsec.d/*.secrets
  5. Create the /etc/ipsec.d/shared.conf file with the following contents, which includes the Sun Ray server and the Sun Ray Client IP addresses for the left and right entries, respectively:

    conn new
        left=10.213.21.168
        right=10.25.198.65
        authby=secret
        type=transport
        ike=3des-md5;modp1024
        esp=3des-md5
        keyexchange=ike
        pfs=no
        rekey=no
        aggrmode=no
        phase2=esp
        salifetime=8h
        auto=add

  6. Create the /etc/ipsec.d/shared.secrets file with the following contents, which includes an entry containing the Sun Ray server and Sun Ray Client IP addresses and the pre-shared key:

    10.213.21.168 10.25.198.65: PSK "12345678"
  7. Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.

    remote anonymous {
            exchange_mode main;
            proposal {
                    authentication_method pre_shared_key;
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    dh_group modp1024;
            }
            lifetime time 24 hour;
            proposal_check claim;
    }
    sainfo anonymous {
            authentication_algorithm hmac_sha1;
            encryption_algorithm 3des;
            lifetime time 8 hour;
    }
  8. Start the IPsec services.

    # /etc/init.d/ipsec start

A.4.4. Oracle Linux 6 Certificates

The following example shows how to configure IPsec using certificates on a Sun Ray server running Oracle Linux 6 and prepare an IKE configuration file for the Sun Ray Client.

  1. Become superuser on the Sun Ray server.

  2. If not already installed, install the openswan-2.6.32-16.el6.x86_64.rpm RPM.

  3. Uncomment the following line in the /etc/ipsec.conf file:

    include /etc/ipsec.d/*.conf
  4. Make sure the /etc/ipsec.secrets file contains only the following line:

    include /etc/ipsec.d/*.secrets
  5. Create the /etc/ipsec.d/certs.conf file with the following contents:

    conn new1
        left=10.213.21.168
        right=%any
        leftcert="server_certificate"
        rightcert="client_certificate"
        leftid=%fromcert
        rightid=%fromcert
        authby=rsasig
        leftrsasigkey=%cert
        type=transport
        ike=aes-sha2_256;modp1024
        phase2alg=aes-sha2_256
        keyexchange=ike
        keyingtries=3
        pfs=no
        rekey=no
        aggrmode=no
        phase2=esp
        salifetime=8h
        auto=add

    The right=%any entry enables any client to connect with the proper certificate.

  6. Create the /etc/ipsec.d/certs.secrets file with the following contents, which includes the Sun Ray server:

    %any : RSA 10.213.21.168
  7. Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.

    remote anonymous {
            exchange_mode main;
            my_identifier asn1dn;
            ca_type x509 "cacert.pem";
            certificate_type x509 "mycert.pem" "mykey.pem";
            proposal {
                    authentication_method rsasig;
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    dh_group modp1024;
            }
            lifetime time 24 hour;
            proposal_check claim;
    }
    sainfo anonymous {
            authentication_algorithm hmac_sha1;
            encryption_algorithm 3des;
            lifetime time 8 hour;
    }
  8. Create a remote configuration file named ikeload with the following contents and save it to the /tftpboot directory.

    /certs/cacert.pem=cacert.pem
    /keys/mykey.pem=mykey.pem
    /certs/mycert.pem=mycert.pem
    /ike/default.conf=sunray_ike.conf

  9. Start the IPsec services.

    # /etc/init.d/ipsec start

A.4.5. Oracle Solaris Pre-Shared Key

The following example shows how to configure IPsec using a pre-shared key on a Sun Ray server running Oracle Solaris 10 or Oracle Solaris 11 and prepare an IKE configuration file for the Sun Ray Client.

  1. Become superuser on the Sun Ray server.

  2. Edit the /etc/inet/ike/config file as follows:

    p1_lifetime_secs 86400
    p1_nonce_len 16
    
    p2_lifetime_secs 28800
    
    ## Parameters that may also show up in rules.
    
    p1_xform { auth_method preshared oakley_group 2 auth_alg sha1 encr_alg aes }
    
    p2_pfs 0
    
    ### Now some rules...
    
    {
       label "SRSS Rule"
    
       # Use whatever "host" (e.g. IP address) identity is appropriate
       local_addr 0.0.0.0/0
       remote_addr 0.0.0.0/0
    
       p1_xform
       { auth_method preshared oakley_group 2 auth_alg sha encr_alg aes }
    
       p2_pfs 0
    }
  3. Edit the /etc/inet/secret/ike.preshared file to include the pre-shared key.

    {
            localidtype     IP
            localid         10.213.21.168
            remoteidtype    IP
            remoteid        10.25.198.65
            key             12345678
    }
  4. Configure the IPsec policy by adding the following line to the /etc/inet/ipsecinit.conf file:

     { laddr 10.213.21.168 raddr 10.25.198.65 } ipsec {encr_algs aes encr_auth_algs sha1}
  5. Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.

    remote anonymous {
            exchange_mode main;
            proposal {
                    authentication_method pre_shared_key;
                    encryption_algorithm aes;
                    hash_algorithm sha1;
                    dh_group 2;
            }
            lifetime time 24 hour;
            proposal_check claim;
    }
    sainfo anonymous {
            authentication_algorithm hmac_sha1;
            encryption_algorithm aes;
            lifetime time 8 hour;
    }
  6. Enable IPsec on the server.

     # svcadm restart svc:/network/ipsec/ipsecalgs:default
     # svcadm restart svc:/network/ipsec/policy:default
     # /usr/lib/inet/in.iked

    You can use the svcs | grep ipsec command to verify that IPsec is enabled. You can use the -d option of the in.iked command to keep it in the foreground and produce debugging output.

A.4.6. Oracle Solaris Certificates

The following example shows how to configure IPsec using certificates on a Sun Ray server running Oracle Solaris 10 or Oracle Solaris 11 and prepare an IKE configuration file for the Sun Ray Client.

  1. Become superuser on the Sun Ray server.

  2. Copy the cacert.pem, mycert.pem, and mykey.pem files to the /etc/racoon/certs and /tftpboot directories.

  3. Edit the /etc/inet/ike/config file as follows:

    ####
    
    cert_root   "C=US, L=Redwood Shores, ST=CA, O=Company, OU=Sun Ray, CN=First Last, MAILTO=first.last@company.com"
    
    ignore_crls
    
    p1_lifetime_secs 86400
    p1_nonce_len 16
    
    p2_lifetime_secs 28800
    
    p1_xform { auth_method rsa_sig oakley_group 2 auth_alg sha encr_alg 3des }
    
    p2_pfs 0
    
    {
       label "SRSS Rule"
    
       local_id_type dn
       local_id "C=US, L=Redwood Shores, ST=CA, O=Company, OU=Sun Ray, CN=server-fqdn"
       remote_id ""
    
       local_addr 0.0.0.0/0
       remote_addr 0.0.0.0/0
    
       p1_xform
       { auth_method rsa_sig oakley_group 2 auth_alg md5 encr_alg 3des }
    
       p2_pfs 0
    }
    
    ####
    
  4. Configure the IPsec policy by adding the following line to the /etc/inet/ipsecinit.conf file:

     { laddr 10.213.21.168 raddr 10.25.198.65 } ipsec {encr_algs 3des encr_auth_algs sha1}
  5. Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.

    remote anonymous {
            exchange_mode main;
            my_identifier asn1dn;
            ca_type x509 "cacert.pem";
            certificate_type x509 "mycert.pem" "mykey.pem";
            proposal {
                    authentication_method rsasig;
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    dh_group 2;
            }
            lifetime time 24 hour;
            proposal_check claim;
    }
    sainfo anonymous {
            pfs_group modp1024;
            authentication_algorithm hmac_sha1;
            encryption_algorithm 3des;
            lifetime time 8 hour;
    }
  6. Create a remote configuration file named ikeload with the following contents and save it to the /tftpboot directory.

    /certs/cacert.pem=cacert.pem
    /keys/mykey.pem=mykey.pem
    /certs/mycert.pem=mycert.pem
    /ike/default.conf=sunray_ike.conf
  7. Enable IPsec on the server.

     # svcadm restart svc:/network/ipsec/ipsecalgs:default
     # svcadm restart svc:/network/ipsec/policy:default
     # /usr/lib/inet/in.iked

    You can use the svcs | grep ipsec command to verify that IPsec is enabled. You can use the -d option of the in.iked command to keep it in the foreground and produce debugging output.

A.4.7. Sun Ray Client Configuration

Once you configure IPsec on the Sun Ray server, including adding the appropriate Sun Ray IKE configuration file and certificates to the /tftpboot directory, only a few steps remain to configure IPsec on the Sun Ray Client using the Configuration GUI. The following steps continue the previous Sun Ray server configuration examples.

  1. Open the Configuration GUI on the Sun Ray Client.

    See Section 14.5.2, “Configuration GUI Menu Descriptions” for details.

  2. Load the configuration files on Sun Ray Client from the server's /tftpboot directory:

    1. If you have only a Sun Ray IKE configuration file to load, choose Server/IPsec > Download Configuration and specify the server and the IKE configuration file. For the pre-shared examples in this section, you would enter 10.213.21.168/sunray_ike.conf to populate the /ike/default.conf file in the Sun Ray Client's firmware.

    2. If you are using a remote configuration file to load a number of files, choose Advanced > Download Configuration and enter the server and the remote configuration file. For the certificate examples in this section, you would enter 10.213.21.168/ikeload to populate the IKE configuration file and the certificate files in the Sun Ray Client's firmware.

  3. Choose Server/IPsec.

  4. For the pre-shared key examples in this section, choose Manage Preshared Keys to create the pre-shared key:

    10.25.198.65    0x12345678

    You can also use the remote configuration file to load a pre-shared key.

  5. Choose IPsec Enable and enable IPsec.

  6. Exit the Configuration GUI.

A.4.8. IPsec Verification

After configuring IPsec on the Sun Ray server and Sun Ray Client, you can verify that IPsec is working by rebooting the Sun Ray Client with the OSD icons enabled. If the IPsec OSD network status icon is displayed with the up arrow, IPsec should be working.

To verify that the traffic is being encrypted between the server and the Sun Ray Client, use a network monitoring tool (for example, snoop or tcpdump) and confirm that the packets seen are using the ESP protocol.
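The following Python script is an added example and is not part of the Sun Ray documentation or product. It carries the verification step above into code: given raw IPv4 packets from a capture, it classifies each packet between the server (10.213.21.168) and the client (10.25.198.65) as ESP (IP protocol 50), IKE (UDP port 500, which is expected in the clear because it negotiates the security associations) or unprotected, and reports anything unprotected, which is the failure mode to look for when the SPD or policy does not cover all traffic. The packets it runs on are constructed in-line; the function names and the sample port numbers are assumptions made for the example.

```python
"""Classify captured IPv4 packets between the Sun Ray server and client as ESP, IKE or plaintext.

Added example (not from the Sun Ray documentation). The sample packets are constructed
in-line; on a real system feed audit() the raw IPv4 packets from a capture.
"""
import socket
import struct
from collections import Counter

SERVER = "10.213.21.168"   # Sun Ray server address used in the examples
CLIENT = "10.25.198.65"    # Sun Ray Client address used in the examples

IPPROTO_UDP = 17
IPPROTO_ESP = 50           # ESP is IP protocol 50; IKE rides on UDP port 500
IKE_PORT = 500


def build_ipv4(src, dst, proto, payload):
    """Assemble a minimal IPv4 header (no options, checksum left zero) in front of payload."""
    total_length = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp_payload(sport, dport, data):
    """Assemble a UDP header (checksum left zero) in front of data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet):
    """Return (src, dst, kind): kind is 'esp', 'ike' (UDP/500) or 'plaintext'."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    if proto == IPPROTO_ESP:
        return src, dst, "esp"
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return src, dst, "ike"
    return src, dst, "plaintext"


def audit(packets, server=SERVER, client=CLIENT):
    """Count packet kinds for the server/client pair and list anything not protected by ESP.

    IKE is expected in the clear (it negotiates the SAs); any other non-ESP packet between
    the pair means the SPD / IPsec policy is not covering that traffic.
    """
    pair = {server, client}
    counts = Counter()
    leaks = []
    for packet in packets:
        src, dst, kind = classify(packet)
        if {src, dst} != pair:
            continue   # traffic to other hosts is out of scope for this check
        counts[kind] += 1
        if kind == "plaintext":
            leaks.append((src, dst, packet[9]))
    return counts, leaks


def sample_capture():
    """Constructed capture: one IKE datagram, ESP both ways, one unprotected UDP datagram, one unrelated host."""
    return [
        build_ipv4(CLIENT, SERVER, IPPROTO_UDP, udp_payload(IKE_PORT, IKE_PORT, b"\x00" * 28)),
        build_ipv4(SERVER, CLIENT, IPPROTO_ESP, struct.pack("!II", 0x1000, 1) + b"\xaa" * 24),
        build_ipv4(CLIENT, SERVER, IPPROTO_ESP, struct.pack("!II", 0x2000, 1) + b"\xbb" * 24),
        build_ipv4(CLIENT, SERVER, IPPROTO_UDP, udp_payload(40000, 7000, b"hello")),  # should not occur
        build_ipv4("10.0.0.9", SERVER, IPPROTO_UDP, udp_payload(40001, 53, b"x")),     # other host, ignored
    ]


if __name__ == "__main__":
    counts, leaks = audit(sample_capture())
    print(dict(counts))
    for src, dst, proto in leaks:
        print(f"unprotected packet {src} -> {dst} (IP protocol {proto})")
```

With tcpdump the same check is visual: tcpdump -n -i <interface> host 10.25.198.65 shows the protected packets as ESP(spi=...,seq=...) lines, and the filter ip proto 50 restricts the output to ESP only. The script is for the case where you want the unprotected remainder listed rather than scrolled past.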