Import the firewall Screen's certificate.
# ssadm certdb -I -a < /tmp/screen_cert |
Create certificate objects for the certificates.
# ssadm edit PolicyName edit> add certificate admin-cert SINGLE IKE "SUBJECT=C=US, O=SUN, CN=admin_DN" edit> add certificate screen-cert SINGLE IKE "SUBJECT=C=US, O=SUN, CN=screen_DN" |
Mark the imported certificate as trusted.
Using ssadm edit edit>add member certificate "IKE manually verified certificates" "screen_cert" |
The Group name "IKE manually verified certificates" is reserved for a trusted Certificate Group.
Create an address object for the Screen.
Using ssadm edit edit>add address nameofscreen ipaddressofscreen |
Add a packet filter rule like the following:
1 "remote administration" "admin_address" "screen_address" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "admin_cert", "screen_cert") ALLOW |
See "Packet Filtering Rules" in the SunScreen 3.2 Administration Guide.
Activate the policies.
Import the firewall Screen's certificate.
# ikecert certdb -a < /tmp/screen_cert |
Set Up the IKE rules.
You have to edit the IKE configuration files to set up encrypted communication between the Administration Station and the Screen. For information on editing these files, see the Solaris 9 IKE documentation.
Edit the /etc/inet/ipsecinit.remote file.
The following file provides an example of how you would set up communication between an Administration Station with an IP address of 172.16.2.3 and a Screen's administrative interface with an address of 172.16.2.1
{sport 500} bypass {dir out} {dport 500} bypass {dir in} {saddr 172.16.2.3 daddr 172.16.2.1} apply {encr_algs des encr_auth_algs sha1 sa shared} {saddr 172.16.2.1 daddr 172.16.2.3} permit {encr_algs des encr_auth_algs sha1 sa shared} |
Edit the /etc/inet/config file.
This file contains instructions to amrk the Screens certificate as trusted as well as encryption parameters.
# Example remote admin config file # IKE manually verified self-signed certs cert_trust "SUBJECT=CN=DNofScreensCert-rsa-sha1-4096, O=Sun, C=US" # Outgoing IKE rule for remote admin {label "outgoing" local_id_type DN local_id "SUBJECT=CN=RemoteAdminCert-rsa-sha1-4096, O=Sun, C=US" remote_id "SUBJECT=CN=ScreenCert-rsa-sha1-4096, O=Sun, C=US" local_addr 172.16.2.3 remote_addr 172.16.2.1 p1_xform {auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des } } |
Reload IKE and it's associated components.
Issue commands similar to the following:
# pkill iked # ipsecconf -f # ipseckey flush # ipsecconf -a /etc/inet/ipsecinit.remote # /usr/lib/inet/in.iked -f /etc/inet/ike/config.remote
The remote Administration Station is now ready to communicate with the Screen.