You can optionally configure IPsec to protect traffic on the cluster interconnect, which carries both internal cluster operations and user data for global file systems.
The following requirements must be met when configuring IPsec and IKE for the Oracle Solaris Cluster interconnect:
Configure IKEv2 to automatically manage keys for IPsec on the interconnect.
Use the same cluster private network address and prefix in the IKE and IPsec configuration files. The cluster command provides this information. For more information, see the cluster(1CL) man page.
The network/prefix identifier allows the same IKE rule and IPsec policy to be added identically to all cluster nodes irrespective of the local address assignment on the interconnect.
IKEv2 rules that pertain to the interconnect must be tagged with the cluster_interconnect attribute set to yes. This ensures that cluster interconnect traffic is handled properly during system shutdown.
The IKEv2 and IPsec configuration files on all cluster nodes must contain the same IKEv2 rule and IPsec policy for the interconnect. When you add a node to the cluster, ensure that it contains the same IKEv2 rules and IPsec policies as the existing nodes.
# /usr/cluster/bin/cluster show-netprops

=== Private Network ===

private_netaddr:      172.16.0.0
private_netmask:      255.255.240.0
The netmask of 255.255.240.0 indicates a prefix length of 20 bits. Thus the private network prefix to be used for the following IKE and IPsec configuration files is 172.16.0.0/20.
# pfedit /etc/inet/ike/ikev2.config

ikesa_xform { dh_group 21 auth_alg sha512 encr_alg aes }

## Rules for cluster interconnect
{
    label "cluster-foobar"
    auth_method preshared
    local_addr 172.16.0.0/20
    remote_addr 172.16.0.0/20
    cluster_interconnect yes
}

# pfedit /etc/inet/ike/ikev2.preshared

## label must match the rule that uses this key
{
    label "cluster-foobar"
    key 0001020304050607
}

The key value shown is a placeholder for this example. On a real cluster, use a long, randomly generated key, keep ikev2.preshared readable only by its owner, and install the same key under the same label on every node, because any node can act as initiator or responder toward any other node on the interconnect.

# pfedit /etc/inet/ipsecinit.conf

{ laddr 172.16.0.0/20 raddr 172.16.0.0/20 } ipsec { encr_algs aes encr_auth_algs sha256 }
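The procedure above has two places where nodes can drift apart: deriving the prefix from the netmask by hand, and keeping the interconnect rule identical on every node. The following POSIX shell script is an added example, not part of the Oracle Solaris Cluster documentation or product: it derives the address/prefix from `cluster show-netprops` output, generates the rule and policy stanzas from it, checks that an ikev2.config carries a rule for that prefix tagged cluster_interconnect yes (ignoring commented-out rules), and produces a normalized checksum you can compare across nodes. The command output and configuration text embedded in it are constructed for the demo; the function names are mine, and nothing here is an Oracle API.

```shell
#!/bin/sh
# Added example, not part of the Oracle Solaris Cluster documentation.
# Derives the private-network prefix from `cluster show-netprops` output,
# generates the matching IKEv2 rule and IPsec policy text, and checks that a
# node's ikev2.config carries an interconnect rule for that prefix. The
# sample command output and config text below are constructed for the demo.

# mask_to_prefix DOTTED_MASK -> prefix length (e.g. 255.255.240.0 -> 20).
# Fails on masks that are not four octets or not contiguous ones-then-zeros.
mask_to_prefix() {
    bits=0
    ended=0                     # set once a non-255 octet has been seen
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # only zero octets may follow the first partial or zero octet
        if [ "$ended" -eq 1 ] && [ "$octet" != 0 ]; then
            return 1
        fi
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); ended=1 ;;
            252) bits=$((bits + 6)); ended=1 ;;
            248) bits=$((bits + 5)); ended=1 ;;
            240) bits=$((bits + 4)); ended=1 ;;
            224) bits=$((bits + 3)); ended=1 ;;
            192) bits=$((bits + 2)); ended=1 ;;
            128) bits=$((bits + 1)); ended=1 ;;
            0)   ended=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$bits"
}

# netprops_prefix "OUTPUT" -> address/prefix (e.g. 172.16.0.0/20), where
# OUTPUT is the text printed by `cluster show-netprops`.
netprops_prefix() {
    addr=$(printf '%s\n' "$1" | awk '$1 == "private_netaddr:" { print $2 }')
    mask=$(printf '%s\n' "$1" | awk '$1 == "private_netmask:" { print $2 }')
    [ -n "$addr" ] && [ -n "$mask" ] || return 1
    len=$(mask_to_prefix "$mask") || return 1
    echo "$addr/$len"
}

# ikev2_rule LABEL PREFIX -> the ikev2.config rule stanza for the interconnect
ikev2_rule() {
    printf '{\n    label "%s"\n    auth_method preshared\n    local_addr %s\n    remote_addr %s\n    cluster_interconnect yes\n}\n' "$1" "$2" "$2"
}

# ipsec_policy PREFIX -> the ipsecinit.conf policy line for the interconnect
ipsec_policy() {
    printf '{ laddr %s raddr %s } ipsec { encr_algs aes encr_auth_algs sha256 }\n' "$1" "$1"
}

# has_interconnect_rule PREFIX < ikev2.config
# Succeeds if some { ... } block names PREFIX as both local_addr and
# remote_addr and carries cluster_interconnect yes. Comments are stripped
# first so a commented-out rule does not count.
has_interconnect_rule() {
    sed 's/#.*//' | awk -v want="$1" '
        BEGIN { RS = "}"; found = 0 }
        {
            la = ""; ra = ""; ci = ""
            for (i = 1; i < NF; i++) {
                if ($i == "local_addr")           la = $(i + 1)
                if ($i == "remote_addr")          ra = $(i + 1)
                if ($i == "cluster_interconnect") ci = $(i + 1)
            }
            if (la == want && ra == want && ci == "yes") { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# normalized_digest < file -> checksum of the comment-free, whitespace-collapsed
# text. Run it on each node and compare: the same rule indented differently
# still matches, while a node whose rule drifted stands out.
normalized_digest() {
    sed 's/#.*//' | tr -s '[:space:]' ' ' | cksum | awk '{ print $1 }'
}

# --- demo on constructed input ---------------------------------------------
SAMPLE_NETPROPS='=== Private Network ===

private_netaddr:      172.16.0.0
private_netmask:      255.255.240.0'

# constructed rule that forgot the cluster_interconnect tag
UNTAGGED_RULE='{ label "x" auth_method preshared local_addr 172.16.0.0/20 remote_addr 172.16.0.0/20 }'

prefix=$(netprops_prefix "$SAMPLE_NETPROPS")    # 172.16.0.0/20
echo "interconnect prefix: $prefix"
echo "--- ikev2.config rule"
ikev2_rule cluster-foobar "$prefix"
echo "--- ipsecinit.conf policy"
ipsec_policy "$prefix"
if ikev2_rule cluster-foobar "$prefix" | has_interconnect_rule "$prefix"; then
    echo "generated rule: OK"
fi
if ! printf '%s\n' "$UNTAGGED_RULE" | has_interconnect_rule "$prefix"; then
    echo "untagged rule: rejected"
fi
```

To use it on a real node, feed the actual command output to netprops_prefix, run `has_interconnect_rule "$prefix" < /etc/inet/ike/ikev2.config`, and compare the output of `normalized_digest < /etc/inet/ike/ikev2.config` (and the same for ipsecinit.conf) across all nodes before and after adding a node. The mask parser rejects non-contiguous masks on purpose: a typo such as 255.0.255.0 would otherwise silently produce a wrong prefix that is then copied to every node.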