To set up a VPN on an IPv6 network, you follow the same steps as for an IPv4 network. However, the syntax of the commands is slightly different. For a fuller description of the reasons for running particular commands, see the corresponding steps in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4.
Perform the steps in this procedure on both systems.
This procedure uses the following configuration parameters.
Parameter |
Europe |
California |
||
---|---|---|---|---|
System name |
|
|
||
System intranet interface |
|
|
||
System Internet interface |
|
|
||
System intranet address |
|
|
||
System Internet address |
|
2001::eeee:3333:3333 |
||
Name of Internet router |
|
|
||
Address of Internet router |
|
|
||
Tunnel name |
|
|
On the system console, assume the Primary Administrator role or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.
Control the flow of packets before configuring IPsec.
For the effects of these commands, see Step 2 in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4.
Ensure that IP forwarding and IP dynamic routing are disabled.
# routeadm Configuration Current Current Option Configuration System State -------------------------------------------------- … IPv6 forwarding disabled disabled IPv6 routing disabled disabled |
If IP forwarding and IP dynamic routing are enabled, you can disable them by typing:
# routeadm -d ipv6-forwarding -d ipv6-routing # routeadm -u |
Turn on IP strict destination multihoming.
# ndd -set /dev/ip ip6_strict_dst_multihoming 1 |
The value of ip6_strict_dst_multihoming reverts to the default when the system is booted. To make the changed value persistent, see How to Prevent IP Spoofing.
Verify that most network services are disabled.
Verify that loopback mounts and the ssh service are running.
# svcs | grep network online Aug_02 svc:/network/loopback:default ... online Aug_09 svc:/network/ssh:default |
Add a pair of SAs between the two systems.
Choose one of the following options:
Configure IKE to manage the keys for the SAs. Use one of the procedures in Configuring IKE (Task Map) to configure IKE for the VPN.
If you have an overriding reason to manually manage the keys, see How to Manually Create IPsec Security Associations.
Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN.
On the enigma system, type the following entry into the ipsecinit.conf file:
# IPv6 Neighbor Discovery messages bypass IPsec. {ulp ipv6-icmp type 133-137 dir both} pass {} # LAN traffic to and from this host can bypass IPsec. {laddr 6000:6666::aaaa:1116 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip6.tun0 negotiate tunnel} ipsec {encr_algs 3des encr_auth_algs md5 sa shared} |
On the partym system, type the following entry into the ipsecinit.conf file:
# IPv6 Neighbor Discovery messages bypass IPsec. {ulp ipv6-icmp type 133-137 dir both} pass {} # LAN traffic to and from this host can bypass IPsec. {laddr 6000:3333::eeee:1113 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip6.tun0 negotiate tunnel} ipsec {encr_algs 3des encr_auth_algs md5 sa shared} |
(Optional) Verify the syntax of the IPsec policy file.
# ipsecconf -c -f /etc/inet/ipsecinit.conf |
Configure the tunnel, ip6.tun0, in the /etc/hostname.ip6.tun0 file.
On the enigma system, add the following entry to the hostname.ip6.tun0 file:
6000:6666::aaaa:1116 6000:3333::eeee:1113 tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 router up |
On the partym system, add the following entry to the hostname.ip6.tun0 file:
6000:3333::eeee:1113 6000:6666::aaaa:1116 tsrc 2001::eeee:3333:3333 tdst 2001::aaaa:6666:6666 router up |
Protect the tunnel with the IPsec policy that you created.
# svcadm refresh svc:/network/ipsec/policy:default |
To read the contents of the hostname.ip6.tun0 file into the kernel, restart the network services.
# svcadm restart svc:/network/initial:default |
Ensure that routing protocols do not advertise the default route within the intranet.
Manually add a default route over hme0.
To complete the procedure, go to Step 13 to run a routing protocol.
Run a routing protocol.
# routeadm -e ipv6-routing # routeadm -u |
You might need to configure the routing protocol before running the routing protocol. For more information, see Routing Protocols in the Solaris OS. For a procedure, see Configuring an IPv6 Router.