System Administration Guide: IP Services

Procedure: How to Manually Create IPsec Security Associations

The following procedure provides the keying material for Step 5 in How to Secure Traffic Between Two Systems With IPsec. You are generating keys for two systems, partym and enigma. You generate the keys on one system and then use the same keys on both systems.

Before You Begin

You must be in the global zone to manually manage keying material for a non-global zone.

  1. Generate the keying material for the SAs.

    1. Determine the keys that you require.

      You need three hexadecimal random numbers for outbound traffic and three hexadecimal random numbers for inbound traffic. Therefore, one system needs to generate the following numbers:

      • Two hexadecimal random numbers as the value for the spi keyword. One number is for outbound traffic. One number is for inbound traffic. Each number can be up to eight characters long.

      • Two hexadecimal random numbers for the MD5 algorithm for AH. Each number must be 32 characters long. One number is for dst enigma. One number is for dst partym.

      • Two hexadecimal random numbers for the 3DES algorithm for ESP. For a 192-bit key, each number must be 48 characters long. One number is for dst enigma. One number is for dst partym.

    2. Decide on your method of key generation.

  2. On each system, perform the following steps:

    1. On the system console, assume the Primary Administrator role or become superuser.

      The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.


      Note –

      Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.


    2. Add the keys to the manual keys file for IPsec.

      1. Edit the /etc/inet/secret/ipseckeys file on the enigma system to appear similar to the following:


        # ipseckeys - This file takes the file format documented in 
        #   ipseckey(1m).
        #   Note that naming services might not be available when this file
        #   loads, just like ipsecinit.conf.
        #
        #   Backslashes indicate command continuation.
        #
        # for outbound packets on enigma
        add esp spi 0x8bcd1407 \
           src 192.168.116.16 dst 192.168.13.213  \
           encr_alg 3des \
           auth_alg md5  \
           encrkey  d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d \
           authkey  e896f8df7f78d6cab36c94ccf293f031
        #
        # for inbound packets
        add esp spi 0x122a43e4 \
           src 192.168.13.213 dst 192.168.116.16 \
           encr_alg 3des \
           auth_alg md5  \
           encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e \
           authkey ad9ced7ad5f255c9a8605fba5eb4d2fd

      2. Protect the manual keys file for IPsec with read-only permissions.

        # chmod 400 /etc/inet/secret/ipseckeys

      3. Verify the syntax of the manual keys file.

        # ipseckey -c -f /etc/inet/secret/ipseckeys

    Note –

    The keying material on the two systems must be identical.



Example 19–3 Manually Creating Temporary IPsec Security Associations

In this example, the administrator tests various keys. Later, the administrator will type the permanent keys in the ipseckeys file.

During testing, the administrator creates keys by using the ipseckey command in interactive mode. When the ipseckey command is typed, the > prompt indicates interactive mode.


# ipseckey
>

To replace existing SAs, the administrator flushes the current SAs.


> flush
> 

To create SAs for outbound packets, the administrator types the following command:


> add esp spi 0x8bcd1407 \
src 192.168.116.16 dst 192.168.13.213 \
encr_alg 3des \
auth_alg md5 \
encrkey d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d \
authkey e896f8df7f78d6cab36c94ccf293f031
>

The administrator types the following command for inbound packets:


> add esp spi 0x122a43e4 \
src 192.168.13.213 dst 192.168.116.16 \
encr_alg 3des \
auth_alg md5 \
encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e \
authkey ad9ced7ad5f255c9a8605fba5eb4d2fd
>

To exit ipseckey interactive mode, the administrator types the quit command.


> quit
#

To change keys on the communicating system, the administrator follows the same steps. On that system, the first set of keys protects inbound packets and the second set of keys protects outbound packets.
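The script below is an added example, not part of the Solaris guide. It carries out Steps 1 and 2 of the procedure above (generating the two SPIs, the two 32-character MD5 keys and the two 48-character 3DES keys, then writing and protecting the ipseckeys file) and illustrates the closing remark that the communicating system uses the same key sets with their roles reversed: because src and dst are absolute addresses, one generated file is installed unchanged on both enigma and partym. It assumes od(1) and /dev/urandom for randomness, mktemp for a scratch directory standing in for /etc/inet/secret, and the page's addresses (enigma 192.168.116.16, partym 192.168.13.213). The check_keyfile function is a portable stand-in for the guide's ipseckey -c syntax check, for hosts that do not have ipseckey; on Solaris the real check is also run.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): generate the keying material
# the procedure asks for and write one ipseckeys file that is installed,
# unchanged, on both enigma and partym.
# Assumptions: od(1) and /dev/urandom are available, mktemp -d exists, and
# the addresses are the page's (enigma 192.168.116.16, partym 192.168.13.213).
set -e

# gen_hex N: print N random bytes as 2*N lowercase hex characters.
gen_hex() {
    od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# gen_spi: an 8-character SPI, retried while the value would be below 0x100
# (SPI values 0-255 are reserved by RFC 4303 and must not be chosen manually).
gen_spi() {
    while :; do
        spi=$(gen_hex 4)
        case "$spi" in 000000*) continue ;; esac
        printf '%s\n' "$spi"
        return 0
    done
}

# check_hex VALUE LEN LABEL: fail unless VALUE is exactly LEN hex characters.
check_hex() {
    case "$1" in ''|*[!0-9a-fA-F]*)
        echo "$3: not a hexadecimal string" >&2; return 1 ;;
    esac
    [ "${#1}" -eq "$2" ] || { echo "$3: expected $2 hex characters, got ${#1}" >&2; return 1; }
}

# emit_ipseckeys ENIGMA PARTYM SPI_E2P SPI_P2E AUTH_E2P AUTH_P2E ENCR_E2P ENCR_P2E
# Print the file in the format the guide shows. Because src/dst are absolute
# addresses, the same file serves both hosts: the enigma->partym SA is
# outbound on enigma and inbound on partym, and vice versa.
emit_ipseckeys() {
    cat <<EOF
# ipseckeys - generated by the added example script (ipseckey(1m) format)
#
# packets from enigma ($1) to partym ($2): outbound on enigma, inbound on partym
add esp spi 0x$3 \\
   src $1 dst $2 \\
   encr_alg 3des \\
   auth_alg md5 \\
   encrkey $7 \\
   authkey $5
#
# packets from partym ($2) to enigma ($1): inbound on enigma, outbound on partym
add esp spi 0x$4 \\
   src $2 dst $1 \\
   encr_alg 3des \\
   auth_alg md5 \\
   encrkey $8 \\
   authkey $6
EOF
}

# check_keyfile FILE: join backslash-continued lines, then verify that every
# "add" entry carries an spi of at most 8 hex characters, a 32-character
# authkey (128-bit MD5) and a 48-character encrkey (192-bit 3DES).
# A portable stand-in for "ipseckey -c -f FILE" on hosts without ipseckey.
check_keyfile() {
    joined=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" | grep '^add ' || true)
    [ -n "$joined" ] || { echo "$1: no add entries found" >&2; return 1; }
    while read -r line; do
        spi=$(printf '%s\n' "$line" | sed -n 's/.* spi 0x\([0-9a-fA-F]*\).*/\1/p')
        auth=$(printf '%s\n' "$line" | sed -n 's/.* authkey *\([0-9a-fA-F]*\).*/\1/p')
        encr=$(printf '%s\n' "$line" | sed -n 's/.* encrkey *\([0-9a-fA-F]*\).*/\1/p')
        case "$spi" in ''|*[!0-9a-fA-F]*) echo "$1: bad spi in: $line" >&2; return 1 ;; esac
        [ "${#spi}" -le 8 ] || { echo "$1: spi longer than 8 characters" >&2; return 1; }
        check_hex "$auth" 32 "$1: authkey" || return 1
        check_hex "$encr" 48 "$1: encrkey" || return 1
    done <<EOF
$joined
EOF
    return 0
}

# Generate one set of keys and write the file with restrictive permissions from
# the start (OUTDIR stands in for /etc/inet/secret on a real system).
OUTDIR=$(mktemp -d)
KEYFILE="$OUTDIR/ipseckeys"
umask 077
emit_ipseckeys 192.168.116.16 192.168.13.213 \
    "$(gen_spi)" "$(gen_spi)" \
    "$(gen_hex 16)" "$(gen_hex 16)" \
    "$(gen_hex 24)" "$(gen_hex 24)" > "$KEYFILE"
chmod 400 "$KEYFILE"
check_keyfile "$KEYFILE"
if command -v ipseckey >/dev/null 2>&1; then
    ipseckey -c -f "$KEYFILE"      # the guide's own syntax check, on Solaris
fi
echo "wrote $KEYFILE; install the identical file on enigma and partym"
```

Run it on the system that generates the keys, copy the resulting file to /etc/inet/secret/ipseckeys on both hosts with a channel that does not expose it (the guide's note on ssh applies), and verify on each host with ipseckey -c -f. Reading the file back on partym shows why no editing is needed there: the entry with src 192.168.116.16 is the one that protects its inbound traffic, and the entry with src 192.168.13.213 protects its outbound traffic.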