How to Protect a VPN With an IPsec Tunnel in Transport Mode Over IPv4

This procedure extends the procedure How to Secure Traffic Between Two Systems With IPsec. In addition to connecting two systems, you are connecting two intranets that connect to these two systems. The systems in this procedure function as gateways.

This procedure uses the setup that is described in Description of the Network Topology for the IPsec Tasks to Protect a VPN. For a fuller description of the reasons for running particular commands, see the corresponding steps in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4.

Perform the steps in this procedure on both systems.

1. On the system console, assume the Primary Administrator role or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

   ---

   Note –

   Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.

   ---

2. Control the flow of packets before configuring IPsec.

   1. Ensure that IP forwarding and IP dynamic routing are disabled.

      # routeadm Configuration Current Current Option Configuration System State -------------------------------------------------- IPv4 forwarding disabled disabled IPv4 routing default (enabled) enabled …

      If IP forwarding and IP dynamic routing are enabled, you can disable them by typing:

      # routeadm -d ipv4-routing -d ipv4-forwarding # routeadm -u

   2. Turn on IP strict destination multihoming.

      # ndd -set /dev/ip ip_strict_dst_multihoming 1

      ---

      Caution –

      The value of ip_strict_dst_multihoming reverts to the default when the system is booted. To make the changed value persistent, see How to Prevent IP Spoofing.

      ---

   3. Verify that most network services are disabled.

      Verify that loopback mounts and the ssh service are running.

      # svcs | grep network online Aug_02 svc:/network/loopback:default … online Aug_09 svc:/network/ssh:default

3. Add a pair of SAs between the two systems.

   Choose one of the following options:

   • Configure IKE to manage the keys for the SAs. Use one of the procedures in Configuring IKE (Task Map) to configure IKE for the VPN.

   • If you have an overriding reason to manually manage the keys, see How to Manually Create IPsec Security Associations.

4. Add IPsec policy.

   Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN. To strengthen the policy, see Example 19–14.

   1. On the enigma system, type the following entry into the ipsecinit.conf file:

      # LAN traffic to and from this host can bypass IPsec. {laddr 10.16.16.6 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip.tun0 negotiate transport} ipsec {encr_algs 3des encr_auth_algs md5 sa shared}

   2. On the partym system, type the following entry into the ipsecinit.conf file:

      # LAN traffic to and from this host can bypass IPsec. {laddr 10.1.3.3 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip.tun0 negotiate transport} ipsec {encr_algs 3des encr_auth_algs md5 sa shared}

5. (Optional) Verify the syntax of the IPsec policy file.

   # ipsecconf -c -f /etc/inet/ipsecinit.conf

6. Configure the tunnel, ip.tun0, in the /etc/hostname.ip.tun0 file.

   1. On the enigma system, add the following entry to the hostname.ip.tun0 file:

      10.16.16.6 10.1.3.3 tsrc 192.168.116.16 tdst 192.168.13.213 router up

   2. On the partym system, add the following entry to the hostname.ip.tun0 file:

      10.1.3.3 10.16.16.6 tsrc 192.168.13.213 tdst 192.168.116.16 router up

7. Protect the tunnel with the IPsec policy that you created.

   # svcadm refresh svc:/network/ipsec/policy:default

8. To read the contents of the hostname.ip.tun0 file into the kernel, restart the network services.

   # svcadm restart svc:/network/initial:default

9. Turn on IP forwarding for the hme1 interface.

   1. On the enigma system, add the router entry to the /etc/hostname.hme1 file.

      192.168.116.16 router

   2. On the partym system, add the router entry to the /etc/hostname.hme1 file.

      192.168.13.213 router

10. Ensure that routing protocols do not advertise the default route within the intranet.

    1. On the enigma system, add the private flag to the /etc/hostname.hme0 file.

       10.16.16.6 private

    2. On the partym system, add the private flag to the /etc/hostname.hme0 file.

       10.1.3.3 private

11. Manually add a default route over hme0.

    1. On the enigma system, add the following route:

       # route add default 192.168.116.4

    2. On the partym system, add the following route:

       # route add default 192.168.13.5

12. To complete the procedure, go to Step 13 to run a routing protocol.

13. Run a routing protocol.

    # routeadm -e ipv4-routing # routeadm -u

Example 19–14 Requiring IPsec Policy on All Systems in Transport Mode

In this example, the administrator comments out the bypass policy that was configured in Step 4, thereby strengthening the protection. With this policy configuration, each system on the LAN must activate IPsec to communicate with the router.

# LAN traffic must implement IPsec.
# {laddr 10.1.3.3 dir both} bypass {}

# WAN traffic uses ESP with 3DES and MD5.
{tunnel ip.tun0 negotiate transport} ipsec {encr_algs 3des encr_auth_algs md5}