System Administration Guide, Volume 3

How to Secure Traffic Between Two Systems

This procedure assumes that you are invoking AH protections using any algorithm. It also assumes that you want the security associations shared (that is, only one pair of SAs is needed to protect the two systems) and that each system has only one IP address.

  1. Become superuser on the system console.


    Note -

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.


  2. On each system, add the address and host name of the other system to the /etc/hosts file. You can do this using the following commands:

    1. On System 1:


      # echo "system2_addr system2_name" >> /etc/hosts
      
    2. On System 2:


      # echo "system1_addr system1_name" >> /etc/hosts
      

    This enables the boot scripts to use the system names without depending on non-existent naming services.

  3. On each system, edit the /etc/inet/ipsecinit.conf file by adding the following lines:

    1. On System 1:


      {saddr system1_name daddr system2_name} apply {auth_algs any sa shared}
      {saddr system2_name daddr system1_name} permit {auth_algs any}
    2. On System 2:


      {saddr system2_name daddr system1_name} apply {auth_algs any sa shared}
      {saddr system1_name daddr system2_name} permit {auth_algs any}

  4. Add Security Associations using the following substeps:

    1. On each system, create a keyfile that only its owner can read (600 permissions), using a file name of your choice (the commands below call it keyfile), and type the following lines in this file:


      add ah spi random-number dst system1_name authalg algorithm_name \
          authkey random-hex-string-of-algorithm-specified-length
      add ah spi random-number dst system2_name authalg algorithm_name \
          authkey random-hex-string-of-algorithm-specified-length
      
    2. On each system, enable the security associations by typing the following command:


      # ipseckey -f keyfile
      
  5. On each system, do one of the following steps:

    1. Load the policy in the ipsecinit.conf file by typing the following command:


      # ipsecconf -a /etc/inet/ipsecinit.conf
      
    2. Or reboot both systems.

      If you reboot both systems, you must first insert the following command (used in step 4) in a boot script:


      ipseckey -f keyfile
      

      To do so, continue with the following steps.

    3. Change the keyfile name to ipseckey by typing the following command:


      # cp keyfile /etc/inet/ipseckey
      
    4. Make the ipseckey file read-only by typing the following command:


      # chmod 600 /etc/inet/ipseckey
      
    5. Create a boot script, /etc/rc3.d/S99ipsec_setup (the name must start with an uppercase S, or the rc scripts skip it), which contains the following code:


      # Load the AH security associations saved in step 3, but only if the
      # policy file from step 3 of the main procedure is also present.
      if [ -f /etc/inet/ipseckey -a -f /etc/inet/ipsecinit.conf ]; then
          /usr/sbin/ipseckey -f /etc/inet/ipseckey
      fi

      On subsequent reboots the /etc/inet/ipseckey file will be read before booting completes. If you change keys, make sure the file gets changed on both systems.
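The keyfile in step 4 needs a fresh random SPI per SA and a random hex key whose length matches the AH algorithm. The following script is an added example, not part of this guide or of Solaris; it writes those two "add ah" lines for a pair of hosts, drawing the randomness from /dev/urandom and creating the file with 600 permissions before any key is written. The key lengths assumed are md5 = 128 bits (32 hex digits) and sha1 = 160 bits (40 hex digits); the host names and output path are parameters.

```shell
#!/bin/sh
# Added example: generate the step-4 keyfile for AH between two systems.
# Assumed AH key lengths: md5 -> 128 bits, sha1 -> 160 bits.

# random_hex NBYTES -> NBYTES of /dev/urandom printed as lowercase hex
random_hex() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# random_spi -> a random 32-bit SPI in 256..4294967295 (0-255 are reserved)
random_spi() {
    n=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( n % 4294967040 + 256 ))
}

# ah_key_hex_len ALG -> number of hex digits the algorithm's key needs,
# non-zero exit status for an algorithm this example does not know
ah_key_hex_len() {
    case "$1" in
        md5)  echo 32 ;;
        sha1) echo 40 ;;
        *)    echo "unsupported AH algorithm: $1" >&2; return 1 ;;
    esac
}

# make_keyfile SYSTEM1 SYSTEM2 ALG OUTFILE -> writes one "add ah" entry per
# destination, in the layout shown in step 4, to OUTFILE with mode 600.
# Runs in a subshell so the umask change does not leak to the caller.
make_keyfile() (
    sys1=$1; sys2=$2; alg=$3; out=$4
    hexlen=$(ah_key_hex_len "$alg") || exit 1
    nbytes=$(( hexlen / 2 ))
    umask 077                     # never world-readable, not even briefly
    : > "$out" && chmod 600 "$out"
    for dst in "$sys1" "$sys2"; do
        printf 'add ah spi %s dst %s authalg %s \\\n    authkey %s\n' \
            "$(random_spi)" "$dst" "$alg" "$(random_hex "$nbytes")" >> "$out"
    done
)

# Example call with constructed host names; the same file is then copied to
# both systems and loaded with: ipseckey -f keyfile
# make_keyfile system1_name system2_name sha1 keyfile
```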