System Administration Guide: IP Services

Procedure: How to Protect a VPN With an IPsec Tunnel in Transport Mode Over IPv6

To set up a VPN on an IPv6 network, you follow the same steps as for an IPv4 network. However, the syntax of the commands is slightly different. For a fuller description of the reasons for running particular commands, see the corresponding steps in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4.


Note –

Perform the steps in this procedure on both systems.


This procedure uses the following configuration parameters.

  Parameter                     Europe                  California
  ----------------------------  ----------------------  ----------------------
  System name                   enigma                  partym
  System intranet interface     hme1                    hme1
  System Internet interface     hme0                    hme0
  System intranet address       6000:6666::aaaa:1116    6000:3333::eeee:1113
  System Internet address       2001::aaaa:6666:6666    2001::eeee:3333:3333
  Name of Internet router       router-E                router-C
  Address of Internet router    2001::aaaa:0:4          2001::eeee:0:1
  Tunnel name                   ip6.tun0                ip6.tun0

  1. On the system console, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.


    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if the remote login itself is protected, the security of the system is then only as strong as that remote login session. Use the ssh command for secure remote login.


  2. Control the flow of packets before configuring IPsec.

    1. Ensure that IP forwarding and IP dynamic routing are disabled.


      # routeadm
      Configuration       Current         Current
             Option       Configuration  System State
      --------------------------------------------------
      …
      IPv6 forwarding     disabled          disabled
         IPv6 routing     disabled          disabled

      If IP forwarding and IP dynamic routing are enabled, you can disable them by typing:


      # routeadm -d ipv6-forwarding -d ipv6-routing
      # routeadm -u
      
    2. Turn on IP strict destination multihoming.


      # ndd -set /dev/ip ip6_strict_dst_multihoming 1
      

      Caution –

      The value of ip6_strict_dst_multihoming reverts to the default when the system is booted. To make the changed value persistent, see How to Prevent IP Spoofing.


    3. Verify that most network services are disabled.

      Verify that the loopback mounts and the ssh service are running, and that no other network service is online that the VPN does not need.


      # svcs | grep network
      online         Aug_02   svc:/network/loopback:default
      …
      online         Aug_09   svc:/network/ssh:default
  3. Add a pair of SAs between the two systems.

    Choose one of the following options:

  4. Add IPsec policy.

    Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN.

    1. On the enigma system, type the following entry into the ipsecinit.conf file:


      # IPv6 Neighbor Discovery messages bypass IPsec.
      {ulp ipv6-icmp type 133-137 dir both} pass {}
      
      # LAN traffic can bypass IPsec.
      {laddr 6000:6666::aaaa:1116 dir both} bypass {}
      
      # WAN traffic uses ESP with AES and SHA-1.
      {tunnel ip6.tun0 negotiate transport} 
       ipsec {encr_algs aes encr_auth_algs sha1}
    2. On the partym system, type the following entry into the ipsecinit.conf file:


      # IPv6 Neighbor Discovery messages bypass IPsec.
      {ulp ipv6-icmp type 133-137 dir both} pass {}
      
      # LAN traffic can bypass IPsec.
      {laddr 6000:3333::eeee:1113 dir both} bypass {}
      
      # WAN traffic uses ESP with AES and SHA-1.
      {tunnel ip6.tun0 negotiate transport} 
       ipsec {encr_algs aes encr_auth_algs sha1}
  5. (Optional) Verify the syntax of the IPsec policy file.


    # ipsecconf -c -f /etc/inet/ipsecinit.conf
    
  6. To configure the tunnel and protect it with IPsec, follow the steps according to the Solaris release:

    • Starting in the Solaris 10 4/09 release, follow the steps from Step 7 to Step 13, then run the routing protocol in Step 22.

    • If you are running a release prior to the Solaris 10 4/09 release, follow the steps from Step 14 to Step 22.

  7. Configure the tunnel, ip6.tun0, in the /etc/hostname6.ip6.tun0 file.

    IPv6 addresses belong in a hostname6.interface file, not in a hostname.interface file; this is the same file that Step 20 uses on earlier releases.

    1. On the enigma system, add the following entry to the hostname6.ip6.tun0 file:


      6000:6666::aaaa:1116 6000:3333::eeee:1113 tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 router up
    2. On the partym system, add the following entry to the hostname6.ip6.tun0 file:


      6000:3333::eeee:1113 6000:6666::aaaa:1116 tsrc 2001::eeee:3333:3333 tdst 2001::aaaa:6666:6666 router up
  8. Protect the tunnel with the IPsec policy that you created.


    # svcadm refresh svc:/network/ipsec/policy:default
    
  9. To read the contents of the hostname.ip6.tun0 file into the kernel, restart the network services.


    # svcadm restart svc:/network/initial:default
    
  10. Turn on IP forwarding for the hme1 interface.

    The address in each file is the interface's own address from the parameter table: hme1 is the intranet interface.

    1. On the enigma system, add the router entry to the /etc/hostname6.hme1 file.


      6000:6666::aaaa:1116 inet6 router
    2. On the partym system, add the router entry to the /etc/hostname6.hme1 file.


      6000:3333::eeee:1113 inet6 router
  11. Ensure that routing protocols do not advertise the default route within the intranet.

    The private flag goes on hme0, the Internet interface, so the file carries the system's Internet address.

    1. On the enigma system, add the private flag to the /etc/hostname6.hme0 file.


      2001::aaaa:6666:6666 inet6 private
    2. On the partym system, add the private flag to the /etc/hostname6.hme0 file.


      2001::eeee:3333:3333 inet6 private
  12. Manually add a default route over hme0.

    1. On the enigma system, add the following route:


      # route add -inet6 default 2001::aaaa:0:4
      
    2. On the partym system, add the following route:


      # route add -inet6 default 2001::eeee:0:1
      
  13. To complete the procedure, go to Step 22 to run a routing protocol.

  14. Configure a secure tunnel, ip6.tun0.


    Note –

    The following steps configure a tunnel on a system that is running a release prior to the Solaris 10 4/09 release.


    1. On the enigma system, type the following commands:


      # ifconfig ip6.tun0 inet6 plumb
      
      # ifconfig ip6.tun0 inet6 6000:6666::aaaa:1116 6000:3333::eeee:1113 \
      tsrc 2001::aaaa:6666:6666   tdst 2001::eeee:3333:3333
      
    2. On the partym system, type the following commands:


      # ifconfig ip6.tun0 inet6 plumb
      
      # ifconfig ip6.tun0 inet6  6000:3333::eeee:1113  6000:6666::aaaa:1116 \
      tsrc 2001::eeee:3333:3333   tdst 2001::aaaa:6666:6666
      
  15. Protect the tunnel with the IPsec policy that you created.


    # ipsecconf
    
  16. Bring up the router for the tunnel.


    # ifconfig ip6.tun0 router up
    
  17. Turn on IP forwarding for the hme1 interface.


    # ifconfig hme1 router
    
  18. Ensure that routing protocols do not advertise the default route within the intranet.


    # ifconfig hme0 private
    
  19. On each system, manually add a default route over hme0.

    The default route must be a router with direct access to the Internet.

    1. On the enigma system, add the following route:


      # route add -inet6 default 2001::aaaa:0:4
      
    2. On the partym system, add the following route:


      # route add -inet6 default 2001::eeee:0:1
      
  20. On each system, ensure that the VPN starts after a reboot by adding an entry to the /etc/hostname6.ip6.tun0 file.

    The entry replicates the parameters that were passed to the ifconfig commands in Step 14 and Step 16.

    1. On the enigma system, add the following entry to the hostname6.ip6.tun0 file:


      6000:6666::aaaa:1116  6000:3333::eeee:1113 \
      tsrc 2001::aaaa:6666:6666   tdst 2001::eeee:3333:3333  router up
    2. On the partym system, add the following entry to the hostname6.ip6.tun0 file:


      6000:3333::eeee:1113  6000:6666::aaaa:1116 \
      tsrc 2001::eeee:3333:3333   tdst 2001::aaaa:6666:6666  router up
  21. Configure the interface files to pass the correct parameters to the routing daemon.

    Each file carries that interface's own address from the parameter table: hme0 is the Internet interface and is marked private, hme1 is the intranet interface and is marked router.

    1. On the enigma system, modify the /etc/hostname6.interface files.


      # cat /etc/hostname6.hme0
      ## enigma
      2001::aaaa:6666:6666 inet6 private

      # cat /etc/hostname6.hme1
      ## enigma
      6000:6666::aaaa:1116 inet6 router
    2. On the partym system, modify the /etc/hostname6.interface files.


      # cat /etc/hostname6.hme0
      ## partym
      2001::eeee:3333:3333 inet6 private

      # cat /etc/hostname6.hme1
      ## partym
      6000:3333::eeee:1113 inet6 router
  22. Run a routing protocol.


    # routeadm -e ipv6-routing
    # routeadm -u
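
The files that Steps 4, 7, 10 and 11 have you type on the two systems are mirror images of each other, and a transposed tsrc or tdst on one side is the usual reason a tunnel never comes up. The following script is an added example, not part of this guide or of Solaris: it stages both systems' files under a directory you name, generated from the parameter table above, checks that the two tunnel entries mirror each other and that each tsrc is that system's own Internet address, and checks captured routeadm output for the Step 2 precondition. The helper names (stage_pair, check_mirror, ipv6_routing_off), the staging layout and the routeadm sample text are this example's own assumptions, and it follows the table's interface roles (hme1 intranet, hme0 Internet). It runs under any POSIX sh and never writes under /etc.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: stage the mirrored per-system
# files for the enigma/partym pair from the procedure's parameter table,
# check that the two tunnel entries are exact mirrors of each other, and
# check captured routeadm output for the Step 2 precondition.
# Interface roles follow the table: hme1 = intranet, hme0 = Internet.
# All files go under a staging directory you choose, never under /etc.

ENIGMA_LAN=6000:6666::aaaa:1116
ENIGMA_WAN=2001::aaaa:6666:6666
PARTYM_LAN=6000:3333::eeee:1113
PARTYM_WAN=2001::eeee:3333:3333
TUN=ip6.tun0

# ipsecinit.conf for a system whose intranet address is $1 (Step 4).
gen_ipsecinit() {
    cat <<EOF
# IPv6 Neighbor Discovery messages bypass IPsec.
{ulp ipv6-icmp type 133-137 dir both} pass {}

# LAN traffic can bypass IPsec.
{laddr $1 dir both} bypass {}

# WAN traffic uses ESP with AES and SHA-1.
{tunnel $TUN negotiate transport} ipsec {encr_algs aes encr_auth_algs sha1}
EOF
}

# hostname6.ip6.tun0 entry (Step 7): gen_tunnel_entry LAN PEER_LAN WAN PEER_WAN
gen_tunnel_entry() {
    printf '%s %s tsrc %s tdst %s router up\n' "$1" "$2" "$3" "$4"
}

# Stage every file for one system: stage_system DIR NAME LAN WAN PEER_LAN PEER_WAN
stage_system() {
    dir=$1/$2
    mkdir -p "$dir"
    gen_ipsecinit "$3"                   > "$dir/ipsecinit.conf"
    gen_tunnel_entry "$3" "$5" "$4" "$6" > "$dir/hostname6.$TUN"
    printf '%s inet6 router\n'  "$3"     > "$dir/hostname6.hme1"  # intranet side forwards (Step 10)
    printf '%s inet6 private\n' "$4"     > "$dir/hostname6.hme0"  # Internet side not advertised (Step 11)
}

# Stage both ends of the VPN under $1.
stage_pair() {
    stage_system "$1" enigma "$ENIGMA_LAN" "$ENIGMA_WAN" "$PARTYM_LAN" "$PARTYM_WAN"
    stage_system "$1" partym "$PARTYM_LAN" "$PARTYM_WAN" "$ENIGMA_LAN" "$ENIGMA_WAN"
}

# Return 0 only if the staged tunnel entries mirror each other (each side's
# local address is the other's peer, each tsrc is the other's tdst) and each
# tsrc is the address that system configures on its own Internet interface.
check_mirror() {
    read -r e_lan e_peer _ e_src _ e_dst _ < "$1/enigma/hostname6.$TUN"
    read -r p_lan p_peer _ p_src _ p_dst _ < "$1/partym/hostname6.$TUN"
    read -r e_wan _                         < "$1/enigma/hostname6.hme0"
    read -r p_wan _                         < "$1/partym/hostname6.hme0"
    [ "$e_lan" = "$p_peer" ] && [ "$p_lan" = "$e_peer" ] &&
    [ "$e_src" = "$p_dst" ] && [ "$p_src" = "$e_dst" ] &&
    [ "$e_src" = "$e_wan" ] && [ "$p_src" = "$p_wan" ]
}

# Return 0 only if routeadm output on stdin shows IPv6 forwarding and IPv6
# routing both "disabled" in the last column, Current System State (Step 2).
ipv6_routing_off() {
    awk '/IPv6 forwarding/ { fwd = $NF } /IPv6 routing/ { rt = $NF }
         END { exit !(fwd == "disabled" && rt == "disabled") }'
}

# Constructed routeadm output for trying the check offline (not a real capture).
ROUTEADM_SAMPLE='              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
            IPv6 forwarding   disabled             disabled
               IPv6 routing   disabled             disabled'

# Usage: STAGE_DIR=/var/tmp/vpn-stage sh stage-vpn.sh
if [ -n "$STAGE_DIR" ]; then
    stage_pair "$STAGE_DIR" && check_mirror "$STAGE_DIR" &&
        printf 'staged and verified under %s\n' "$STAGE_DIR"
fi
```

Compare the staged files against what you typed on each system before running svcadm refresh in Step 8; the mirror check is deliberately strict, because a tdst that points at the system's own address, or a tsrc that is not an address the system owns, is accepted by the file syntax and only shows up as a tunnel with no traffic.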
    

Example 20–17 Using Deprecated Syntax to Configure IPsec in Transport Mode Over IPv6

In this example, the administrator is connecting a Solaris 10 7/07 system with a system that is running the Solaris 10 release. Therefore, the administrator uses Solaris 10 syntax in the configuration file and includes the IPsec algorithms in the ifconfig command.

The administrator follows the procedure How to Protect a VPN With an IPsec Tunnel in Transport Mode Over IPv6 with the following changes in syntax.