How to Protect a VPN With an IPsec Tunnel in Transport Mode Over IPv4

In transport mode, the outer header determines the IPsec policy that protects the inner IP packet.

This procedure extends the procedure How to Secure Traffic Between Two Systems With IPsec. In addition to connecting two systems, you are connecting two intranets that connect to these two systems. The systems in this procedure function as gateways.

This procedure uses the setup that is described in Description of the Network Topology for the IPsec Tasks to Protect a VPN. For a fuller description of the reasons for running particular commands, see the corresponding steps in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4.

Perform the steps in this procedure on both systems.

1. On the system console, assume the Primary Administrator role or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

   ---

   Note –

   Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.

   ---

2. Control the flow of packets before configuring IPsec.

   1. Ensure that IP forwarding and IP dynamic routing are disabled.

      # routeadm Configuration Current Current Option Configuration System State -------------------------------------------------- IPv4 forwarding disabled disabled IPv4 routing default (enabled) enabled …

      If IP forwarding and IP dynamic routing are enabled, you can disable them by typing:

      # routeadm -d ipv4-routing -d ipv4-forwarding # routeadm -u

   2. Turn on IP strict destination multihoming.

      # ndd -set /dev/ip ip_strict_dst_multihoming 1

      ---

      Caution –

      The value of ip_strict_dst_multihoming reverts to the default when the system is booted. To make the changed value persistent, see How to Prevent IP Spoofing.

      ---

   3. Disable most network services, and possibly all network services.

      ---

      Note –

      If your system was installed with the “limited” SMF profile, then you can skip this step. Network services, with the exception of Solaris Secure Shell, are disabled.

      ---

      The disabling of network services prevents IP packets from doing any harm to the system. For example, an SNMP daemon, a telnet connection, or an rlogin connection could be exploited.

      Choose one of the following options:

      • If you are running the Solaris 10 11/06 release or a later release, run the “limited” SMF profile.

        # netservices limited

      • Otherwise, individually disable network services.

        # svcadm disable network/ftp:default # svcadm disable network/finger:default # svcadm disable network/login:rlogin # svcadm disable network/nfs/server:default # svcadm disable network/rpc/rstat:default # svcadm disable network/smtp:sendmail # svcadm disable network/telnet:default

   4. Verify that most network services are disabled.

      Verify that loopback mounts and the ssh service are running.

      # svcs | grep network online Aug_02 svc:/network/loopback:default … online Aug_09 svc:/network/ssh:default

3. Add a pair of SAs between the two systems.

   Choose one of the following options:

   • Configure IKE to manage the keys for the SAs. Use one of the procedures in Configuring IKE (Task Map) to configure IKE for the VPN.

   • If you have an overriding reason to manually manage the keys, see How to Manually Create IPsec Security Associations.

4. Add IPsec policy.

   Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN. To strengthen the policy, see Example 20–15.

   1. On the enigma system, type the following entry into the ipsecinit.conf file:

      # LAN traffic to and from this host can bypass IPsec. {laddr 10.16.16.6 dir both} bypass {} # WAN traffic uses ESP with AES and SHA-1. {tunnel ip.tun0 negotiate transport} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

   2. On the partym system, type the following entry into the ipsecinit.conf file:

      # LAN traffic to and from this host can bypass IPsec. {laddr 10.1.3.3 dir both} bypass {} # WAN traffic uses ESP with AES and SHA-1. {tunnel ip.tun0 negotiate transport} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

5. (Optional) Verify the syntax of the IPsec policy file.

   # ipsecconf -c -f /etc/inet/ipsecinit.conf

6. To configure the tunnel and protect it with IPsec, follow the steps according to the Solaris release:

   • Starting in the Solaris 10 4/09 release, follow the steps from Step 7 to Step 13, then run the routing protocol in Step 22.

   • If you are running a release prior to the Solaris 10 4/09 release, follow the steps from Step 14 to Step 22.

7. Configure the tunnel, ip.tun0, in the /etc/hostname.ip.tun0 file.

   1. On the enigma system, add the following entry to the hostname.ip.tun0 file:

      10.16.16.6 10.1.3.3 tsrc 192.168.116.16 tdst 192.168.13.213 router up

   2. On the partym system, add the following entry to the hostname.ip.tun0 file:

      10.1.3.3 10.16.16.6 tsrc 192.168.13.213 tdst 192.168.116.16 router up

8. Protect the tunnel with the IPsec policy that you created.

   # svcadm refresh svc:/network/ipsec/policy:default

9. To read the contents of the hostname.ip.tun0 file into the kernel, restartRestart the network services.

   # svcadm restart svc:/network/initial:default

10. Turn on IP forwarding for the hme1 interface.

    1. On the enigma system, add the router entry to the /etc/hostname.hme1 file.

       192.168.116.16 router

    2. On the partym system, add the router entry to the /etc/hostname.hme1 file.

       192.168.13.213 router

11. Ensure that routing protocols do not advertise the default route within the intranet.

    1. On the enigma system, add the private flag to the /etc/hostname.hme0 file.

       10.16.16.6 private

    2. On the partym system, add the private flag to the /etc/hostname.hme0 file.

       10.1.3.3 private

12. Manually add a default route over hme0.

    1. On the enigma system, add the following route:

       # route add default 192.168.116.4

    2. On the partym system, add the following route:

       # route add default 192.168.13.5

13. To complete the procedure, go to Step 22 to run a routing protocol.

14. Configure the tunnel, ip.tun0.

    ---

    Note –

    The following steps configure a tunnel on a system that is running a release prior to the Solaris 10 4/09 release.

    ---

    Use ifconfig commands to create the point-to-point interface:

    # ifconfig ip.tun0 plumb # ifconfig ip.tun0 system1-point system2-point \ tsrc system1-taddr tdst system2-taddr

    1. On the enigma system, type the following commands:

       # ifconfig ip.tun0 plumb # ifconfig ip.tun0 10.16.16.6 10.1.3.3 \ tsrc 192.168.116.16 tdst 192.168.13.213

    2. On the partym system, type the following commands:

       # ifconfig ip.tun0 plumb # ifconfig ip.tun0 10.1.3.3 10.16.16.6 \ tsrc 192.168.13.213 tdst 192.168.116.16

15. Protect the tunnel with the IPsec policy that you created.

    # ipsecconf

16. Bring up the router for the tunnel.

    # ifconfig ip.tun0 router up

17. Turn on IP forwarding for the hme1 interface.

    # ifconfig hme1 router

18. Ensure that routing protocols do not advertise the default route within the intranet.

    # ifconfig hme0 private

19. Manually add a default route over hme0.

    The default route must be a router with direct access to the Internet.

    # route add default router-on-hme0-subnet

    1. On the enigma system, add the following route:

       # route add default 192.168.116.4

    2. On the partym system, add the following route:

       # route add default 192.168.13.5

20. Ensure that the VPN starts after a reboot by adding an entry to the /etc/hostname.ip.tun0 file.

    system1-point system2-point tsrc system1-taddr \ tdst system2-taddr encr_algs aes encr_auth_algs sha1 router up

    1. On the enigma system, add the following entry to the hostname.ip.tun0 file:

       10.16.16.6 10.1.3.3 tsrc 192.168.116.16 \ tdst 192.168.13.213 router up

    2. On the partym system, add the following entry to the hostname.ip.tun0 file:

       10.1.3.3 10.16.16.6 tsrc 192.168.13.213 \ tdst 192.168.116.16 router up

21. Configure the interface files to pass the correct parameters to the routing daemon.

    1. On the enigma system, modify the /etc/hostname.interface files.

       # cat /etc/hostname.hme0 ## enigma 10.16.16.6 private

       # cat /etc/hostname.hme1 ## enigma 192.168.116.16 router

    2. On the partym system, modify the /etc/hostname.interface files.

       # cat /etc/hostname.hme0 ## partym 10.1.3.3 private

       # cat /etc/hostname.hme1 ## partym 192.168.13.213 router

22. Run a routing protocol.

    # routeadm -e ipv4-routing # routeadm -u

Example 20–15 Requiring IPsec Policy on All Systems in Transport Mode

In this example, the administrator comments out the bypass policy that was configured in Step 4, thereby strengthening the protection. With this policy configuration, each system on the LAN must activate IPsec to communicate with the router.

# LAN traffic must implement IPsec.
# {laddr 10.1.3.3 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip.tun0 negotiate transport} ipsec {encr_algs aes encr_auth_algs sha1}

Example 20–16 Using Deprecated Syntax to Configure an IPsec Tunnel in Transport Mode

In this example, the administrator is connecting a Solaris 10 7/07 system with a system that is running the Solaris 10 release. Therefore, the administrator uses Solaris 10 syntax in the configuration file and includes the IPsec algorithms in the ifconfig command.

The administrator follows the procedure How to Protect a VPN With an IPsec Tunnel in Transport Mode Over IPv4 with the following changes in syntax.

• For Step 4, the syntax of the ipsecinit.conf file is the following:

  # LAN traffic to and from this address can bypass IPsec. {laddr 10.1.3.3 dir both} bypass {} # WAN traffic uses ESP with AES and SHA-1. {} ipsec {encr_algs aes encr_auth_algs sha1}

• For Step 14 to Step 16, the syntax to configure a secure tunnel is the following:

  # ifconfig ip.tun0 plumb # ifconfig ip.tun0 10.16.16.6 10.1.3.3 \ tsrc 192.168.116.16 tdst 192.168.13.213 \ encr_algs aes encr_auth_algs sha1 # ifconfig ip.tun0 router up

  # ifconfig ip.tun0 plumb # ifconfig ip.tun0 10.16.16.6 10.1.3.3 \ tsrc 192.168.116.16 tdst 192.168.13.213 \ encr_algs aes encr_auth_algs sha1

  The IPsec policy that is passed to the ifconfig commands must be the same as the IPsec policy in the ipsecinit.conf file. Upon reboot, each system reads the ipsecinit.conf file for its policy.

• For Step 20, the syntax of the hostname.ip.tun0 file is the following:

  10.16.16.6 10.1.3.3 tsrc 192.168.116.16 \ tdst 192.168.13.213 encr_algs aes encr_auth_algs sha1 router up