The following procedure provides the keying material for the procedure, How to Secure Traffic Between Two Systems With IPsec. You are generating keys for two systems, partym and enigma. You generate the keys on one system, and then use the keys from the first system on both systems.
You must be in the global zone to manually manage keying material for a shared-IP zone.
Generate the keying material for the SAs.
You need three hexadecimal random numbers for outbound traffic and three hexadecimal random numbers for inbound traffic.
Therefore, one system needs to generate the following numbers:
Two hexadecimal random numbers as the value for the spi keyword. One number is for outbound traffic. One number is for inbound traffic. Each number can be up to eight characters long.
Two hexadecimal random numbers for the SHA1 algorithm for authentication. For a 160–bit key, each number must be 40 characters long. One number is for dst enigma. One number is for dst partym.
Two hexadecimal random numbers for the AES algorithm for ESP encryption. For a 256-bit key, each number must be 64 characters long. One number is for dst enigma. One number is for dst partym.
If you have a random number generator at your site, use the generator. You can also use the od command. See How to Generate Random Numbers on a Solaris System for the procedure.
On the system console on one of the systems, assume the Primary Administrator role or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for a secure remote login.
Create the SAs.
Enable the ipseckey command mode.
# ipseckey > |
The > prompt indicates that you are in ipseckey command mode.
If you are replacing existing SAs, flush the current SAs.
> flush > |
To prevent an adversary from having time to break your SAs, you need to replace the keying material.
You must coordinate key replacement on communicating systems. When you replace the SAs on one system, the SAs must also be replaced on the remote system.
To create SAs, type the following command.
> add protocol spi random-hex-string \ src addr dst addr2 \ protocol-prefix_alg protocol-algorithm \ protocol-prefixkey random-hex-string-of-algorithm-specified-length |
You also use this syntax to replace SAs that you have just flushed.
Specifies either esp or ah.
Specifies a random number of up to eight characters in hexadecimal format. Precede the characters with 0x. If you enter more numbers than the security parameter index (SPI) accepts, the system ignores the extra numbers. If you enter fewer numbers than the SPI accepts, the system pads your entry.
Specifies the IP address of one system.
Specifies the IP address of the peer system of addr.
Specifies one of encr or auth. The encr prefix is used with the esp protocol. The auth prefix is used with the ah protocol, and for authenticating the esp protocol.
Specifies an algorithm for ESP or AH. Each algorithm requires a key of a specific length.
Authentication algorithms include MD5 and SHA1. Starting in the Solaris 10 4/09 release, SHA256 and SHA512 are supported. Encryption algorithms include DES, 3DES, AES, and Blowfish.
Specifies a random hexadecimal number of the length that is required by the algorithm. For example, the MD5 algorithm requires a 32-character string for its 128-bit key. The 3DES algorithm requires a 48-character string for its 192-bit key.
For example, on the enigma system, protect outbound packets.
Use the random numbers that you generated in Step 1.
For Solaris 10 1/06:
> add esp spi 0x8bcd1407 \ src 192.168.116.16 dst 192.168.13.213 \ encr_alg aes \ auth_alg sha1 \ encrkey c0c65b888c2ee301c84245c3da63127e92b2676105d5330e85327c1442f37d49 \ authkey 6fab07fec4f2895445500ed992ab48835b9286ff > |
The peer system must use the same keying material and the same SPI.
Still in ipseckey command mode on the enigma system, protect inbound packets.
Type the following commands to protect the packets:
> add esp spi 0x122a43e4 \ src 192.168.13.213 dst 192.168.116.16 \ encr_alg aes \ auth_alg sha1 \ encrkey a2ea934cd62ca7fa14907cb2ad189b68e4d18c976c14f22b30829e4b1ea4d2ae \ authkey c80984bc4733cc0b7c228b9b74b988d2b7467745 > |
The keys and SPI can be different for each SA. You should assign different keys and a different SPI for each SA.
To exit ipseckey command mode, press Control-D or type quit.
Add the keying material to the /etc/inet/secret/ipseckeys file.
In releases prior to the Solaris 10 4/09 release, this step ensures that the keying material is available to IPsec at reboot.
The lines of the /etc/inet/secret/ipseckeys file are identical to the ipseckey command line language.
For example, the /etc/inet/secret/ipseckeys file on the enigma system would appear similar to the following:
# ipseckeys - This file takes the file format documented in # ipseckey(1m). # Note that naming services might not be available when this file # loads, just like ipsecinit.conf. # # for outbound packets on enigma add esp spi 0x8bcd1407 \ src 192.168.116.16 dst 192.168.13.213 \ encr_alg aes \ auth_alg sha1 \ encrkey c0c65b888c2ee301c84245c3da63127e92b2676105d5330e85327c1442f37d49 \ authkey 6fab07fec4f2895445500ed992ab48835b9286ff # # for inbound packets add esp spi 0x122a43e4 \ src 192.168.13.213 dst 192.168.116.16 \ encr_alg aes \ auth_alg sha1 \ encrkey a2ea934cd62ca7fa14907cb2ad189b68e4d18c976c14f22b30829e4b1ea4d2ae \ authkey c80984bc4733cc0b7c228b9b74b988d2b7467745 |
Protect the file with read-only permissions.
# chmod 400 /etc/inet/secret/ipseckeys |
Repeat the procedure on the partym system.
Use the same keying material that was used on enigma.
The keying material on the two systems must be identical. As shown in the following example, only the comments in the ipseckeys file differ. The comments differ because dst enigma is inbound on the enigma system, and outbound on the partym system.
# partym ipseckeys file # # for inbound packets add esp spi 0x8bcd1407 \ src 192.168.116.16 dst 192.168.13.213 \ encr_alg aes \ auth_alg sha1 \ encrkey c0c65b888c2ee301c84245c3da63127e92b2676105d5330e85327c1442f37d49 \ authkey 6fab07fec4f2895445500ed992ab48835b9286ff # # for outbound packets add esp spi 0x122a43e4 \ src 192.168.13.213 dst 192.168.116.16 \ encr_alg aes \ auth_alg sha1 \ encrkey a2ea934cd62ca7fa14907cb2ad189b68e4d18c976c14f22b30829e4b1ea4d2ae \ authkey c80984bc4733cc0b7c228b9b74b988d2b7467745 |
Enable the manual-key service.
# svcadm enable svc:/network/ipsec/manual-key |
To replace keys in the current release, see Example 20–4.
In this example, the administrator is configuring a system that is running the current Solaris 10 release. The administrator generates new keys, changes the keying information in the ipseckeys file, then restarts the service.
First, the administrator generates the keys by completing How to Generate Random Numbers on a Solaris System.
Then, the administrator uses the generated keys in the /etc/inet/secret/ipseckeys file.
The administrator used the same algorithms. Therefore, the administrator changes the values of SPI, encrkey and authkey only:
add esp spi 0x8xzy1492 \ src 192.168.116.16 dst 192.168.13.213 \ encr_alg aes \ auth_alg sha1 \ encrkey 0a1f3886b06ebd7d39f6f89e4c29c93f2741c6fa598a38af969907a29ab1b42a \ authkey a7230aabf513f35785da73e33b064608be41f69a # # add esp spi 0x177xce34\ src 192.168.13.213 dst 192.168.116.16 \ encr_alg aes \ auth_alg sha1 \ encrkey 4ef5be40bf93498017b2151d788bb37e372f091add9b11149fba42435fefe328 \ authkey 0e1875d9ff8e42ab652766a5cad49f38c9152821 |
Finally, the administrator restarts the manual-key service. The restart command flushes the old keys before adding the new keys.
# svcadm restart manual-key |