test

System Administration Guide: IP Services

ProcedureHow to Manually Create IPsec Security Associations

The following procedure provides the keying material for the procedure, How to Secure Traffic Between Two Systems With IPsec. You are generating keys for two systems, partym and enigma. You generate the keys on one system, and then use the keys from the first system on both systems.

Before You Begin

You must be in the global zone to manually manage keying material for a shared-IP zone.

  1. Generate the keying material for the SAs.

    You need three hexadecimal random numbers for outbound traffic and three hexadecimal random numbers for inbound traffic.

    Therefore, one system needs to generate the following numbers:

    • Two hexadecimal random numbers as the value for the spi keyword. One number is for outbound traffic. One number is for inbound traffic. Each number can be up to eight characters long.

    • Two hexadecimal random numbers for the SHA1 algorithm for authentication. For a 160–bit key, each number must be 40 characters long. One number is for dst enigma. One number is for dst partym.

    • Two hexadecimal random numbers for the AES algorithm for ESP encryption. For a 256-bit key, each number must be 64 characters long. One number is for dst enigma. One number is for dst partym.

    If you have a random number generator at your site, use the generator. You can also use the od command. See How to Generate Random Numbers on a Solaris System for the procedure.

  2. On the system console on one of the systems, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for a secure remote login.

  3. Create the SAs.

    • Starting in the Solaris 10 4/09 release, follow the steps from Step 8 to Step 10.

    • If you are running a release prior to the Solaris 10 4/09 release, follow the steps from Step 4 to Step 9.

  4. Enable the ipseckey command mode.


    # ipseckey

>

    The > prompt indicates that you are in ipseckey command mode.

  5. If you are replacing existing SAs, flush the current SAs.


    > flush
>

    To prevent an adversary from having time to break your SAs, you need to replace the keying material.

    Note –

    You must coordinate key replacement on communicating systems. When you replace the SAs on one system, the SAs must also be replaced on the remote system.

  6. To create SAs, type the following command.


    > add protocol spi random-hex-string \
src addr dst addr2 \
protocol-prefix_alg protocol-algorithm  \
protocol-prefixkey random-hex-string-of-algorithm-specified-length

    You also use this syntax to replace SAs that you have just flushed.

    protocol

    Specifies either esp or ah.

    random-hex-string

    Specifies a random number of up to eight characters in hexadecimal format. Precede the characters with 0x. If you enter more numbers than the security parameter index (SPI) accepts, the system ignores the extra numbers. If you enter fewer numbers than the SPI accepts, the system pads your entry.

    addr

    Specifies the IP address of one system.

    addr2

    Specifies the IP address of the peer system of addr.

    protocol-prefix

    Specifies one of encr or auth. The encr prefix is used with the esp protocol. The auth prefix is used with the ah protocol, and for authenticating the esp protocol.

    protocol-algorithm

    Specifies an algorithm for ESP or AH. Each algorithm requires a key of a specific length.

    Authentication algorithms include MD5 and SHA1. Starting in the Solaris 10 4/09 release, SHA256 and SHA512 are supported. Encryption algorithms include DES, 3DES, AES, and Blowfish.

    random-hex-string-of-algorithm-specified-length

    Specifies a random hexadecimal number of the length that is required by the algorithm. For example, the MD5 algorithm requires a 32-character string for its 128-bit key. The 3DES algorithm requires a 48-character string for its 192-bit key.

    1. For example, on the enigma system, protect outbound packets.

      Use the random numbers that you generated in Step 1.

      For Solaris 10 1/06:


      > add esp spi 0x8bcd1407 \
src 192.168.116.16 dst 192.168.13.213 \
encr_alg aes \
auth_alg sha1 \
encrkey c0c65b888c2ee301c84245c3da63127e92b2676105d5330e85327c1442f37d49 \
authkey 6fab07fec4f2895445500ed992ab48835b9286ff
>
      Note –

      The peer system must use the same keying material and the same SPI.

    2. Still in ipseckey command mode on the enigma system, protect inbound packets.

      Type the following commands to protect the packets:


      > add esp spi 0x122a43e4 \
src 192.168.13.213 dst 192.168.116.16 \
encr_alg aes \
auth_alg sha1 \
encrkey a2ea934cd62ca7fa14907cb2ad189b68e4d18c976c14f22b30829e4b1ea4d2ae \
authkey c80984bc4733cc0b7c228b9b74b988d2b7467745
>
      Note –

      The keys and SPI can be different for each SA. You should assign different keys and a different SPI for each SA.

  7. To exit ipseckey command mode, press Control-D or type quit.

  8. Add the keying material to the /etc/inet/secret/ipseckeys file.

    In releases prior to the Solaris 10 4/09 release, this step ensures that the keying material is available to IPsec at reboot.

    The lines of the /etc/inet/secret/ipseckeys file are identical to the ipseckey command line language.

    1. For example, the /etc/inet/secret/ipseckeys file on the enigma system would appear similar to the following:


      # ipseckeys - This file takes the file format documented in 
#   ipseckey(1m).
#   Note that naming services might not be available when this file
#   loads, just like ipsecinit.conf.
#
# for outbound packets on enigma
add esp spi 0x8bcd1407 \
   src 192.168.116.16 dst 192.168.13.213  \
   encr_alg aes \
   auth_alg sha1  \
   encrkey  c0c65b888c2ee301c84245c3da63127e92b2676105d5330e85327c1442f37d49 \
   authkey  6fab07fec4f2895445500ed992ab48835b9286ff
#
# for inbound packets
add esp spi 0x122a43e4 \
   src 192.168.13.213 dst 192.168.116.16 \
   encr_alg aes \
   auth_alg sha1  \
   encrkey a2ea934cd62ca7fa14907cb2ad189b68e4d18c976c14f22b30829e4b1ea4d2ae \
   authkey c80984bc4733cc0b7c228b9b74b988d2b7467745

    2. Protect the file with read-only permissions.


      # chmod 400 /etc/inet/secret/ipseckeys

  9. Repeat the procedure on the partym system.

    Use the same keying material that was used on enigma.

    The keying material on the two systems must be identical. As shown in the following example, only the comments in the ipseckeys file differ. The comments differ because dst enigma is inbound on the enigma system, and outbound on the partym system.


    # partym ipseckeys file
#
# for inbound packets
add esp spi 0x8bcd1407 \
   src 192.168.116.16 dst 192.168.13.213  \
   encr_alg aes \
   auth_alg sha1  \
   encrkey  c0c65b888c2ee301c84245c3da63127e92b2676105d5330e85327c1442f37d49 \
   authkey  6fab07fec4f2895445500ed992ab48835b9286ff
#
# for outbound packets
add esp spi 0x122a43e4 \
   src 192.168.13.213 dst 192.168.116.16 \
   encr_alg aes \
   auth_alg sha1  \
   encrkey a2ea934cd62ca7fa14907cb2ad189b68e4d18c976c14f22b30829e4b1ea4d2ae \
   authkey c80984bc4733cc0b7c228b9b74b988d2b7467745

  10. Enable the manual-key service.


    # svcadm enable svc:/network/ipsec/manual-key

    To replace keys in the current release, see Example 20–4.

Example 20–4 Replacing IPsec SAs

In this example, the administrator is configuring a system that is running the current Solaris 10 release. The administrator generates new keys, changes the keying information in the ipseckeys file, then restarts the service.