SunScreen 3.2 Administration Guide

IKE Policy Rule Syntax

For tunneling mode, pre-shared key usage:


[SCREEN scrn] svc srcaddr dstaddr \
 IPSEC { AH(authalg1) | ESP(encralg1[, authalg2]) }+ \
IKE(encralg2, authalg3, oakleygroup, PRE-SHARED, pskey) \
 [SOURCE_SCREEN srcscrn] [DESTINATION_SCREEN dstscrn] \
[SOURCE_TUNNEL srctunaddr] [DESTINATION_TUNNEL dsttunaddr] \
ALLOW

For tunneling mode, certificate usage:


[SCREEN scrn] svc srcaddr dstaddr \
IPSEC { AH(authalg1) | ESP(encralg1[, authalg2]) }+ \
IKE(encralg2, authalg3, oakleygroup, authmethod, \
srccert, dstcert) \
[SOURCE_SCREEN srcscrn] [DESTINATION_SCREEN dstscrn] \
[SOURCE_TUNNEL srctunaddr] [DESTINATION_TUNNEL dsttunaddr] \
ALLOW

For tunneling mode, manual key usage:


[SCREEN scrn] svc srcaddr dstaddr \
IPSEC { AH(spi1, authalg, key1) \
| ESP(spi2, encralg2, key2 [, spi3, authalg3, key3]) } \
[SOURCE_SCREEN srcscrn] [DESTINATION_SCREEN dstscrn] \
[SOURCE_TUNNEL srctunaddr] [DESTINATION_TUNNEL dsttunaddr] \
ALLOW

An alternative syntax follows:


[SCREEN scrn] svc srcaddr dstaddr \
IPSEC { AH(spi1, authalg, key1) | ESP(spi2, encralg2, \
key2 [,

edit> add key "key_des" SINGLE "1234567812345678"
edit> add key "key_ah" SINGLE "1234567890abcdef1234567890abcdef"
To Add Rules Using Keys Added on Both Screens

Note -

See the SunScreen 3.2 Configuration Examples manual for an example of how to use the GUI to perform this same function.


  1. On Screen 1:


    1 "telnet" "screen1_host" "screen2_host" IPSEC ESP(0x123, "DES", "key_des") AH(0x345, "MD5", "key_ah") SOURCE_SCREEN "screen1" ALLOW
    2 "telnet" "screen2_host" "screen1_host" IPSEC ESP(0x123, "DES", "key_des") AH(0x345, "MD5", "key_ah") DESTINATION_SCREEN "screen1" ALLOW
  2. On Screen 2:


    1 "telnet" "screen2_host" "screen1_host" IPSEC ESP(0x123, "DES", "key_des") AH(0x345, "MD5", "key_ah") SOURCE_SCREEN "screen2" ALLOW
    2 "telnet" "screen1_host" "screen2_host" IPSEC ESP(0x123, "DES", "key_des") AH(0x345, "MD5", "key_ah") DESTINATION_SCREEN "screen2" ALLOW

    Note -

    The hex values 0x123, 0x345 are SPI values and must be between 0x000 and 0xFFF.


  3. If you choose different algorithms, such as 3DES or SHA1, define manual keys of the proper length.

    Expressed as hex strings, the required key lengths are:

    • CBC 16

    • 3DES 48

    • MD5 32

    • SHA1 40

  4. Save and activate the policy.
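The two constraints the procedure above states for manual keying (SPI values between 0x000 and 0xFFF, and key length matching the algorithm) are easy to get wrong by hand. The following checker is an added example, not part of the SunScreen guide: it parses "add key" lines and manual-key IPSEC rules in the syntax shown above and reports violations. The key lines and the good rule are the ones from this procedure; "key_short" and the bad rule are constructed. Treating the page's "DES" algorithm name as the CBC entry in the length table is an assumption of this example.

```python
import re

# Required manual key lengths in hex characters, as listed in step 3 above
# (CBC 16, 3DES 48, MD5 32, SHA1 40). Mapping the page's "DES" algorithm
# name onto the CBC entry is an assumption made for this example.
KEY_HEX_LEN = {"CBC": 16, "DES": 16, "3DES": 48, "MD5": 32, "SHA1": 40}

# SPI range given in the note above (inclusive)
SPI_MIN, SPI_MAX = 0x000, 0xFFF

ADD_KEY_RE = re.compile(r'^(?:edit>\s*)?add key "([^"]+)" SINGLE "([0-9A-Fa-f]*)"$')
ESP_RE = re.compile(
    r'ESP\((0x[0-9A-Fa-f]+),\s*"([^"]+)",\s*"([^"]+)"'
    r'(?:,\s*(0x[0-9A-Fa-f]+),\s*"([^"]+)",\s*"([^"]+)")?\)')
AH_RE = re.compile(r'AH\((0x[0-9A-Fa-f]+),\s*"([^"]+)",\s*"([^"]+)"\)')


def parse_keys(lines):
    """Collect key name -> hex string from 'add key ... SINGLE ...' lines."""
    keys = {}
    for line in lines:
        m = ADD_KEY_RE.match(line.strip())
        if m:
            keys[m.group(1)] = m.group(2)
    return keys


def _check_spi(spi_text, where, problems):
    spi = int(spi_text, 16)
    if not SPI_MIN <= spi <= SPI_MAX:
        problems.append(f"{where}: SPI {spi_text} is outside 0x000-0xFFF")


def _check_key(alg, keyname, keys, where, problems):
    if keyname not in keys:
        problems.append(f"{where}: key {keyname!r} is not defined")
        return
    expected = KEY_HEX_LEN.get(alg.upper())
    if expected is None:
        problems.append(f"{where}: unknown algorithm {alg!r}")
        return
    actual = len(keys[keyname])
    if actual != expected:
        problems.append(
            f"{where}: key {keyname!r} is {actual} hex chars, {alg} needs {expected}")


def check_manual_rule(rule, keys):
    """Return a list of problems found in one manual-key IPSEC rule (empty if OK)."""
    problems = []
    transforms = 0
    for m in ESP_RE.finditer(rule):
        transforms += 1
        _check_spi(m.group(1), "ESP", problems)
        _check_key(m.group(2), m.group(3), keys, "ESP", problems)
        if m.group(4):  # optional ESP authentication triple (spi3, authalg3, key3)
            _check_spi(m.group(4), "ESP auth", problems)
            _check_key(m.group(5), m.group(6), keys, "ESP auth", problems)
    for m in AH_RE.finditer(rule):
        transforms += 1
        _check_spi(m.group(1), "AH", problems)
        _check_key(m.group(2), m.group(3), keys, "AH", problems)
    if transforms == 0:
        problems.append("rule contains no AH or ESP transform")
    return problems


# Key definitions from the procedure above plus one constructed short key.
KEY_LINES = [
    'edit> add key "key_des" SINGLE "1234567812345678"',
    'edit> add key "key_ah" SINGLE "1234567890abcdef1234567890abcdef"',
    'edit> add key "key_short" SINGLE "1234567812345678"',  # constructed: too short for 3DES
]
KEYS = parse_keys(KEY_LINES)

# Rule 1 from Screen 1 above, and a constructed rule with three defects.
GOOD_RULE = ('1 "telnet" "screen1_host" "screen2_host" IPSEC '
             'ESP(0x123, "DES", "key_des") AH(0x345, "MD5", "key_ah") '
             'SOURCE_SCREEN "screen1" ALLOW')
BAD_RULE = ('1 "telnet" "screen1_host" "screen2_host" IPSEC '
            'ESP(0x1000, "3DES", "key_short") AH(0x345, "SHA1", "key_ah") ALLOW')

if __name__ == "__main__":
    for name, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(name, check_manual_rule(rule, KEYS) or "OK")
```

Running the check against the bad rule reports the out-of-range SPI, the 16-character key used with 3DES, and the 32-character key used with SHA1; the rule from the procedure passes cleanly.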

To Work with IKE Rules with Pre-Shared Key

Note -

See the SunScreen 3.2 Configuration Examples manual for an example of how to use the GUI to perform this same function.


  1. Add the pre-shared secret key on both Screens


    edit> add key "shared-secret" SINGLE "shared_secret"
    
  2. Add rules like the following using keys added on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, PRE-SHARED, "shared-secret") SOURCE_SCREEN "screen1" ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, PRE-SHARED, "shared-secret") DESTINATION_SCREEN "screen1" ALLOW
      
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, PRE-SHARED, "shared-secret") SOURCE_SCREEN "screen2" ALLOW
      2 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, PRE-SHARED, "shared-secret") DESTINATION_SCREEN "screen2" ALLOW
      
      
  3. Save and activate policy.

To Work with IKE Rules with Self-Signed Certificates

Note -

See the SunScreen 3.2 Configuration Examples manual for an example of how to use the GUI to perform this same function.


  1. Generate self-signed certificates and private keys on both Screens using ssadm certlocal:

    1. On Screen1:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US,\
      O=YourOrg, CN=screen1_name"
      
    2. On Screen2:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US,\
      O=YourOrg, CN=screen2_name"
      
  2. Export the certificates to the other Screen.

    1. On Screen1:


      # ssadm certdb -I -e "SUBJECT=C=US, \
      O=YourOrg, CN=screen1_name" > /tmp/cert1
      
    2. On Screen2:


      # ssadm certdb -I -e "SUBJECT=C=US, \
      O=YourOrg, CN=screen2_name" > /tmp/cert2
      
  3. Securely transport the file /tmp/cert1 to Screen 2 and /tmp/cert2 to Screen 1.

  4. Import the exported certificate to the Screen certificate database.

    1. On Screen2:


      # ssadm certdb -I -a < /tmp/cert1
      
    2. On Screen1:


      # ssadm certdb -I -a < /tmp/cert2
      
  5. Add certificate objects on both systems:


    edit> add certificate "screen1_cert" SINGLE IKE "C=US, 
    O=YourOrg,CN=screen1_name" 
    edit> add certificate "screen2_cert" SINGLE IKE "C=US, 
    O=YourOrg,CN=screen2_name"
  6. Mark the certificate you imported in Steps 3 and 4 as trusted on both systems using ssadm edit:

    1. On Screen 1:


      edit> add member certificate "IKE manually verified certificates" "screen2_cert"
      
    2. On Screen 2:


      edit> add member certificate "IKE manually verified certificates" "screen1_cert"
      

      The group name "IKE manually verified certificates" is reserved for a trusted Certificate Group.

  7. Add packet filtering rules on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen1_cert", "screen2_cert") ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen2_cert", "screen1_cert") ALLOW
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen2_cert", "screen1_cert") ALLOW
      2 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen1_cert", "screen2_cert") ALLOW
      
  8. Refer to the ssadm-certlocal(1M) and ssadm-certdb(1M) man pages for more information.

  9. Save and activate the policy.

To Work with IKE Rules with Issued Certificates

Note -

See the SunScreen 3.2 Configuration Examples manual for an example of how to use the GUI to perform this same function.


  1. Generate keys and certificate requests on each Screen.

    1. On Screen1:


      # ssadm certlocal -Ikc -m 512 -t rsa-md5 -D "C=US, \
      O=YourOrg,CN=screen1_issued"
      
    2. On Screen2:


      # ssadm certlocal -Ikc -m 512 -t rsa-md5 -D "C=US, \
      O=YourOrg,CN=screen2_issued"
      
  2. Take the requests to a certificate server and have them signed. You should get three files back from the CA:


    screen1_issued.cert: screen1's certificate
    screen2_issued.cert: screen2's certificate
    root.cert: the CA's certificate

    Further instructions for this step depend on your certificate server.

  3. Securely transport the files to each system under /tmp and import them.

  4. Import three certificates on each Screen:


    # ssadm certdb -I -a < /tmp/screen1_issued.cert
    # ssadm certdb -I -a < /tmp/screen2_issued.cert
    # ssadm certdb -I -a < /tmp/root.cert
    

    In this example, it is assumed you are using a certificate server whose CA subject is:


    DN = "C=US, O=YourOrg.com, OU=sunscreen, CN=Certificate Manager"
    
  5. Add certificate objects for each Screen and mark the root CA as trusted. On each Screen:


    edit> add certificate root_cert SINGLE IKE "C=US, 
    O=YourOrg.com, OU=sunscreen, CN=Certificate Manager"
    edit> add certificate screen2_issued_cert SINGLE IKE "C=US, 
    O=YourOrg, CN=screen2_issued" 
    edit> add certificate screen1_issued_cert SINGLE IKE "C=US, 
    O=YourOrg, CN=screen1_issued" 
    edit> add_member certificate "IKE root CA certificates" root_cert
    

    The group name "IKE root CA certificates" is reserved for a trusted Certificate Group.

  6. Add packet filtering rules on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen1_issued_cert", "screen2_issued_cert") ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen2_issued_cert", "screen1_issued_cert") ALLOW
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen2_issued_cert", "screen1_issued_cert") ALLOW
      2 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES") IKE("DES", "MD5", 2, RSA-SIGNATURES, "screen1_issued_cert", "screen2_issued_cert") ALLOW
      
  7. Save and activate the policy.
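The three IKE procedures above (pre-shared key, self-signed certificates, issued certificates) all install the same pair of rules on each Screen, differing only in the IKE clause and in which Screen carries the SOURCE_SCREEN or DESTINATION_SCREEN tag. The following generator is an added example, not part of the SunScreen guide or its tooling: it builds that rule pair from the syntax section's IKE(...) form, keeping the srccert/dstcert order tied to the rule's source and destination addresses, and then checks that the two Screens' rule sets agree once the screen tags and rule numbers are ignored. Object names (screen1, screen1_host, screen1_cert, shared-secret) are the page's; the Peer type, build_rules and screens_agree are this example's own. That the two Screens must carry matching address, transform and IKE parameters is an assumption drawn from the paired examples above.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    """One end of the tunnel: Screen object name, host address object, certificate object."""
    screen: str
    host: str
    cert: str = ""


def q(s):
    return f'"{s}"'


def ike_clause(encr, auth, group, method, src, dst, psk=None):
    """IKE(...) as given in the syntax section: PRE-SHARED carries one key name,
    a certificate method carries (srccert, dstcert) in the rule's address order."""
    head = f"IKE({q(encr)}, {q(auth)}, {group}, {method}, "
    if method == "PRE-SHARED":
        return head + f"{q(psk)})"
    return head + f"{q(src.cert)}, {q(dst.cert)})"


def build_rules(local, peer, *, svc="telnet", esp="DES", encr="DES", auth="MD5",
                group=2, method="PRE-SHARED", psk=None, tag_screen=True):
    """Return the two rules installed on `local`: rule 1 covers local -> peer
    (SOURCE_SCREEN local), rule 2 covers peer -> local (DESTINATION_SCREEN local).
    tag_screen=False omits the screen tags, as the certificate examples above do."""
    def one(num, src, dst, tag):
        parts = [str(num), q(svc), q(src.host), q(dst.host), "IPSEC", f"ESP({q(esp)})",
                 ike_clause(encr, auth, group, method, src, dst, psk)]
        if tag_screen:
            parts.append(f"{tag} {q(local.screen)}")
        parts.append("ALLOW")
        return " ".join(parts)
    return [one(1, local, peer, "SOURCE_SCREEN"),
            one(2, peer, local, "DESTINATION_SCREEN")]


_TAG_RE = re.compile(r' (?:SOURCE_SCREEN|DESTINATION_SCREEN) "[^"]+"')


def rule_body(rule):
    """Strip the rule number and any screen tag, leaving the part both Screens must share."""
    return _TAG_RE.sub("", rule.split(" ", 1)[1])


def screens_agree(rules_a, rules_b):
    """True when both Screens carry the same addresses, transforms and IKE parameters."""
    return {rule_body(r) for r in rules_a} == {rule_body(r) for r in rules_b}


SCREEN1 = Peer("screen1", "screen1_host", "screen1_cert")
SCREEN2 = Peer("screen2", "screen2_host", "screen2_cert")

# Pre-shared key rules for each Screen (object names from the procedure above)
PSK1 = build_rules(SCREEN1, SCREEN2, psk="shared-secret")
PSK2 = build_rules(SCREEN2, SCREEN1, psk="shared-secret")

# Self-signed certificate rules, untagged like the page's examples
CERT1 = build_rules(SCREEN1, SCREEN2, method="RSA-SIGNATURES", tag_screen=False)
CERT2 = build_rules(SCREEN2, SCREEN1, method="RSA-SIGNATURES", tag_screen=False)

if __name__ == "__main__":
    for label, rules in (("Screen1 PSK", PSK1), ("Screen2 PSK", PSK2),
                         ("Screen1 cert", CERT1), ("Screen2 cert", CERT2)):
        print(f"# {label}")
        print("\n".join(rules))
    print("pre-shared sets agree:", screens_agree(PSK1, PSK2))
    print("certificate sets agree:", screens_agree(CERT1, CERT2))
```

For the issued-certificate procedure, build the Peer objects with the screen1_issued_cert and screen2_issued_cert names instead; the rule text comes out identical in form. A mismatch reported by screens_agree (for example a different key object name on one side) is exactly the kind of asymmetry that stops the IKE negotiation from completing.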