If you add IPsec policy entries while IPsec and IKE are running, you restart the policy service and refresh the ike service after you add the new keys.
This procedure assumes the following:
The enigma system is set up as described in How to Configure IKE With Preshared Keys.
The enigma system is going to protect its traffic with a new system, ada.
The in.iked daemon is running on both systems.
The systems' interfaces are included as entries in the /etc/hosts file on both systems. The following entry is an example.
192.168.15.7 ada 192.168.116.16 enigma |
This procedure also works with an IPv6 address. In Solaris Express Community Edition, IPv6 addresses are placed in the /etc/hosts file.
You have added a new policy entry to the /etc/inet/ipsecinit.conf file on both systems. The entries appear similar to the following:
# ipsecinit.conf file for enigma {laddr enigma raddr ada} ipsec {auth_algs any encr_algs any sa shared} |
# ipsecinit.conf file for ada {laddr ada raddr enigma} ipsec {auth_algs any encr_algs any sa shared} |
You have verified the syntax of the /etc/inet/ipsecinit.conf file on both systems by using the following:
# ipsecconf -c -f /etc/inet/ipsecinit.conf |
On the system console, assume the Primary Administrator role or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.
On this system, generate random numbers and construct a key of 64 to 448 bits.
For details, see How to Generate Random Numbers on a Solaris System. If you are generating a preshared key for a Solaris system that is communicating with an operating system that requires ASCII, see Example 22–1.
By some means, send the key to the administrator of the remote system.
You both need to add the same preshared key at the same time. Your key is only as safe as the safety of your transmission mechanism. An out-of-band mechanism, such as registered mail or a protected fax machine, is best. You can also use an ssh session to administer both systems.
Create a rule for IKE to manage the keys for enigma and ada.
On the enigma system, add the following rule to the /etc/inet/ike/config file:
### ike/config file on enigma, 192.168.116.16 ## The rule to communicate with ada {label "enigma-to-ada" local_addr 192.168.116.16 remote_addr 192.168.15.7 p1_xform {auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish} p2_pfs 5 } |
On the ada system, add the following rule:
### ike/config file on ada, 192.168.15.7 ## The rule to communicate with enigma {label "ada-to-enigma" local_addr 192.168.15.7 remote_addr 192.168.116.16 p1_xform {auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish} p2_pfs 5 } |
Ensure that IKE preshared keys are available at reboot.
On the enigma system, add the following information to the /etc/inet/secret/ike.preshared file:
# ike.preshared on enigma for the ada interface # { localidtype IP localid 192.168.116.16 remoteidtype IP remoteid 192.168.15.7 # enigma and ada's shared key in hex (32 - 448 bits required) key 8d1fb4ee500e2bea071deb2e781cb48374411af5a9671714672bb1749ad9364d } |
On the ada system, add the following information to the ike.preshared file:
# ike.preshared on ada for the enigma interface # { localidtype IP localid 192.168.15.7 remoteidtype IP remoteid 192.168.116.16 # ada and enigma's shared key in hex (32 - 448 bits required) key 8d1fb4ee500e2bea071deb2e781cb48374411af5a9671714672bb1749ad9364d } |
On each system, restart the IPsec policy service to secure the added interface.
# svcadm restart policy |
On each system, refresh the ike service.
# svcadm refresh ike |
Verify that the systems can communicate.
In the following example, the administrator is adding preshared key to a Solaris system that is not running the current Solaris release. The administrator follows the preceding procedure to modify the ike/config and ike.preshared files, and to generate keys and contact the remote system. The administrator uses different commands to read the new IPsec policy and IKE rules into the kernel.
Before generating the new key, the administrator sets the privilege level of the in.iked daemon to 2.
# pkill in.iked # /usr/lib/inet/in.iked -p 2 Setting privilege level to 2 |
After sending the key to the other system and adding the new key to the system, the administrator lowers the privilege level.
# ikeadm set priv base |
Then, the administrator reads the new IPsec policy into the kernel.
# ipsecconf -a /etc/inet/ipsecinit.conf |
Finally, the administrator reads the new IKE rules into the kernel.
# ikeadm read rules |