The base configuration required for IPsec on the Sun Ray Client is the IKE configuration file, which is derived from the racoon.conf file. The IKE configuration file defines how to establish a secure connection between two hosts using the racoon daemon. For Sun Ray Software, only a subset of the directives and statements in the IKE configuration file are required. The complete documentation for the IKE configuration file is available in the racoon.conf man page.

The IKE configuration file contains a set of directives that each consist of a keyword and a set of parameters. Some directives can be followed by a set of nested statements. An IKE configuration file must be stored in the firmware's security configuration repository at /ike/default.conf. The use of the /ike directory is consistent with the strategy that the directory containing a file indicates its type or format.
There are only two directives that are required for the Sun Ray IKE configuration file:

remote - Specifies the parameters for IKE negotiations.
sainfo - Specifies the parameters for protecting the actual IPsec traffic.

Normally, there can be multiple remote and sainfo directives, tagged with either a name, an address, or the default anonymous keyword. The Sun Ray Software implementation allows for only one of each directive.

The following directives are not required, but they are supported to provide more advanced configuration:

padding - Specifies the padding parameters for traffic.
timer - Specifies the configuration timers.

Other parameters, such as the location of various ancillary files and ports, are fixed in value.
The remote directive specifies the parameters for IKE negotiations. The following statements are supported. Specific notes and restrictions are provided where necessary.
ca_type - Root certificate type (X509 only) and root certificate file name.
certificate_type - Client certificate type (X509 only), private key file name, and certificate file name.
dpd - Switch to enable Dead Peer Detection (DPD). Default is on.
dpd_delay - Time between liveness requests. 0 disables checking. Default is 0.
dpd_maxfail - If dpd_delay is set, this statement sets the maximum number of liveness proofs to request (without reply) before considering the peer dead. The default value is 5.
dpd_retry - If dpd_delay is set, this statement sets the delay (in seconds) to wait for a proof of liveness before considering it failed and sending another request. The default value is 5.
exchange_mode - Exchange mode to use as the IKE initiator. Values: main, aggressive, or base. The aggressive mode is not supported on Oracle Solaris.
ike_frag - Switch to enable IKE fragmentation.
lifetime - IKE lifetime proposed.
my_identifier - Type and value of the IKE identifier for phase 1. The following identifier types are allowed:
    address - IP address. This is the default, although it is not appropriate for Sun Ray Clients that get their addresses using DHCP.
    asn1dn - ASN.1 distinguished name. This value is taken from the certificate Subject field if a value is not specified.
    fqdn - Fully-qualified domain name.
    keyid - An arbitrary string.
    subnet - IP subnet.
    user_fqdn - User fully-qualified name.
nat_traversal - Switch to enable NAT traversal.
nonce_size - Size of the nonces used in the IKE exchange. The default is 16 bytes.
peers_certfile - Locally stored peer certificate type (X509 only) and certificate file name.
peers_identifier - Type and value of the expected peer identifier. The following identifier types are allowed:
    address - IP address. This is the default.
    asn1dn - ASN.1 distinguished name. This value is taken from the certificate Subject field if a value is not specified.
    fqdn - Fully-qualified domain name.
    keyid - An arbitrary string.
    subnet - IP subnet.
    user_fqdn - User fully-qualified name.
proposal - List of proposal statements. Only one proposal statement is allowed.
    authentication_method - Specify the authentication method used. Values: pre_shared_key or rsasig. The pre-shared key file is used when the authentication mode is pre_shared_key, and the file must be stored in the firmware's security configuration repository as the /preshared/keys file. The pre-shared key file consists of lines containing pairs of ids and keys, separated by some number of blanks or tab characters. Keys starting with "0x" are interpreted as hexadecimal strings. Any referenced certificate files must be stored in the /certs directory, and public/private key pairs provided in files must be stored in the /keys directory.
    dh_group - Specify the group used for Diffie-Hellman exponentiation. Values: modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, or the corresponding DH group number, 1, 2, 5, 14, 15, 16, 17, or 18.
    encryption_algorithm - Specify the encryption algorithm used for the phase 1 negotiation. Values: aes, 3des, or null. aes may be followed by a key size of 128, 192, or 256, separated by a space.
    hash_algorithm - Specify the hash algorithm used for the phase 1 negotiation. Values: md5 (deprecated), sha1, sha256, sha384, or sha512. Oracle Linux 5.8 and Oracle Linux 6.3 do not support the sha384 or sha512 hash algorithms.
    lifetime - Specify the IKE lifetime.
remote_address - Remote IP address of the other end of the connection.
proposal_check - Type of proposal checking. Values: claim, exact, obey, or strict.
send_cert - Switch to enable sending the client certificate. Default is on.
send_cr - Switch to enable sending a certificate request. Default is on.
verify_cert - Switch to verify the peer's certificate. Default is on.
verify_identifier - Switch to enable verification of identity between the ID and the certificate. Default is off.
The sainfo directive is used to specify the security parameters for creating an IPsec Security Association (SA) used to protect associated traffic. For Sun Ray Software, only the Encapsulating Security Payload (ESP) is supported, and the Authentication Header (AH) protocol is not supported.

A full implementation of the Security Policy Database (SPD) for Sun Ray Software is not required, because the communication between the Sun Ray Client and other peers requires only a few switch selections, which have been incorporated into the IPsec configuration menu in the firmware Configuration GUI.

The following statements are supported. Specific notes and restrictions are provided where necessary.
authentication_algorithm - Specify the comma-separated list of authentication algorithms. Values include the hmac forms of the hash_algorithm values, such as hmac_md5, hmac_sha1, hmac_sha256, hmac_sha384, or hmac_sha512.
encryption_algorithm - Specify the comma-separated set of encryption algorithms that can be used in a phase 2 proposal. Values: aes or 3des. The aes value may be followed by a key size, for example, aes 256.
lifetime - Define how long an IPsec SA will be used.
pfs_group - Define the group used for Perfect Forward Secrecy (PFS) in phase 2. The same values are used as for dh_group. If omitted, PFS is not used.
sha2_trunc - Switch that sets the truncation of SHA-2 hashes to 96 bits, rather than the 128 specified in RFC 4868. This allows interoperation with some Oracle Linux systems that exhibit this behavior. This must be set on when using the sha256 hash algorithm for Oracle Linux.

The proposals generated during the phase 2 negotiation consist of all of the possible combinations of encryption_algorithm and authentication_algorithm.
Here is an example of a Sun Ray IKE configuration file used to specify the connection between a Sun Ray Client with a fixed IP address (10.213.25.230) and a Sun Ray server (10.213.21.43) using a pre-shared key.

    remote address 10.213.21.43 {
        my_identifier address 10.213.25.230;
        exchange_mode main;
        proposal {
            authentication_method pre_shared_key;
            encryption_algorithm aes;
            hash_algorithm sha1;
            dh_group 2;
        }
        proposal_check claim;
    }
    sainfo address 10.213.25.230 address 10.213.21.43 {
        lifetime time 12 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
    }
If you specify main for the exchange_mode statement, the identifiers for the IKE connection must be IP addresses when using pre-shared keys.
Here is another example of a Sun Ray IKE configuration file, this one for certificate-based authentication:

    remote anonymous {
        exchange_mode main;
        my_identifier asn1dn;
        ca_type x509 "cacert.pem";
        certificate_type x509 "mycert.pem" "mykey.pem";
        proposal {
            authentication_method rsasig;
            encryption_algorithm 3des;
            hash_algorithm md5;
            dh_group modp1024;
        }
        lifetime time 24 hour;
        proposal_check claim;
    }
    sainfo anonymous {
        authentication_algorithm hmac_sha1;
        encryption_algorithm aes;
        lifetime time 8 hour;
    }
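As an added example, not code from the Sun Ray documentation or from the racoon project, the following Python parses a file in the syntax shown above and checks the restrictions this section states: exactly one remote and one sainfo directive, a single proposal statement, no aggressive exchange mode (unsupported on Oracle Solaris), address identifiers when main mode is combined with a pre-shared key, and md5 being deprecated. The tokenizer, the check function and the SAMPLE constant (the pre-shared key configuration above) are constructed for this illustration.

```python
import re
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted string, brace/semicolon, or bare word

def parse(text):
    """Parse racoon-style directives into a list of (keyword, args, nested_statements)."""
    toks, pos = TOKEN.findall(text), 0
    def block():
        nonlocal pos
        items = []
        while pos < len(toks) and toks[pos] != "}":
            words = []
            while toks[pos] not in ("{", ";"):   # IndexError if the file is truncated
                words.append(toks[pos].strip('"'))
                pos += 1
            kids = []
            if toks[pos] == "{":
                pos += 1
                kids = block()
            pos += 1                             # consume the closing ";" or "}"
            items.append((words[0], words[1:], kids))
        return items
    return block()

def check(text):
    """Return the Sun Ray restrictions a configuration violates (empty list = OK)."""
    directives = parse(text)
    names = [k for k, _, _ in directives]
    problems = [f"need exactly one {n} directive, found {names.count(n)}"
                for n in ("remote", "sainfo") if names.count(n) != 1]
    for _, _, kids in [d for d in directives if d[0] == "remote"]:
        stmts = {k: a for k, a, _ in kids}
        proposals = [c for k, _, c in kids if k == "proposal"]
        if len(proposals) != 1:
            problems.append("remote must contain exactly one proposal statement")
        prop = {k: a for k, a, _ in proposals[0]} if proposals else {}
        mode = stmts.get("exchange_mode", [None])[0]
        if mode == "aggressive":
            problems.append("aggressive exchange_mode is not supported on Oracle Solaris")
        if mode == "main" and prop.get("authentication_method") == ["pre_shared_key"]:
            if stmts.get("my_identifier", ["address"])[0] != "address":   # address is the default type
                problems.append("main mode with pre_shared_key requires address identifiers")
        if prop.get("hash_algorithm") == ["md5"]:
            problems.append("hash_algorithm md5 is deprecated")
    return problems

# Constructed sample: the pre-shared key configuration from this section, on one line.
SAMPLE = ("remote address 10.213.21.43 { my_identifier address 10.213.25.230; exchange_mode main;"
          " proposal { authentication_method pre_shared_key; encryption_algorithm aes; hash_algorithm sha1;"
          " dh_group 2; } proposal_check claim; } sainfo address 10.213.25.230 address 10.213.21.43"
          " { lifetime time 12 hour; encryption_algorithm aes; authentication_algorithm hmac_sha1; }")
```

check(SAMPLE) returns an empty list; the certificate example above is flagged only for its md5 hash algorithm.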