IPsec and IKE Administration Guide

How to Create IPsec Security Associations Manually

If the systems are using IPv6 addresses, you must manually create IPsec security associations.


Note –

If you are running an IPv4 network, use IKE to manage security associations. For how to use IKE to manage SAs, see Implementing IKE Task Map.


  1. On the system console on one of the systems, become superuser or assume an equivalent role.


    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.


  2. Enable the ipseckey command mode:


    # ipseckey
    
    >

    The > prompt indicates that you are in ipseckey command mode.

  3. To create security associations, or to replace security associations that you have flushed (see Example—Replacing IPsec Security Associations), type the following command.


    > add protocol spi random-hex-string \
    src addr dst addr2 \
    protocol_alg protocol-algorithm  \
    protocolkey random-hex-string-of-algorithm-specified-length
    

    random-hex-string

    A random hexadecimal number of up to eight characters (the SPI is a 32-bit value). If you enter more characters than the SPI accepts, the system ignores the extra characters. If you enter fewer characters than the SPI accepts, the system pads your entry. Together with the destination address and the protocol, the SPI identifies the SA, so use a different SPI for each SA that you add.

    protocol

    One of esp or ah.

    addr

    The IP address of one system. 

    addr2

    The IP address of the peer system of addr.

    protocol-algorithm

    An algorithm for ESP or AH. Each algorithm requires a key of a specific length. 

    Authentication algorithms include MD5 and SHA. Encryption algorithms include 3DES and AES. 

    random-hex-string-of-algorithm-specified-length

    A random hexadecimal number of exactly the length that the algorithm requires. For example, the MD5 algorithm requires a 32-character string for its 128-bit key. The 3DES algorithm requires a 48-character string for its 192-bit key. Generate the key from a cryptographically strong random source, and check its length before you use it: a short or reused key weakens the SA.

    1. For example, on enigma (192.168.116.16) type the following commands to protect outbound packets to partym (192.168.13.213). Use random numbers that you generate; do not reuse the SPIs or keys shown here.


      > add esp spi 8bcd1407 src 192.168.116.16 dst 192.168.13.213 \
      encr_alg 3DES \
      encrkey d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d
      
      > add ah spi 18907dae src 192.168.116.16 dst 192.168.13.213 \
      auth_alg MD5 \
      authkey e896f8df7f78d6cab36c94ccf293f031
      
      >

      Note –

      The peer system must use the same keying material.


    2. Still in ipseckey mode on enigma, type the following commands to protect inbound packets from partym. Use random numbers that you generate; do not reuse the values from the outbound SAs.


      > add esp spi 122a43e4 src 192.168.13.213 dst 192.168.116.16 \
      encr_alg 3des \
      encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e
      
      > add ah spi 91825a77 src 192.168.13.213 dst 192.168.116.16 \
      auth_alg md5 \
      authkey ad9ced7ad5f255c9a8605fba5eb4d2fd
      
      >

      Note –

      The keys and the SPI can differ for each security association, and they should: assign a different SPI and different keys to each SA, so that the inbound and outbound SAs, and the ESP and AH SAs, never share keying material.


  4. Type Control-D or quit to exit ipseckey command mode.

  5. To ensure that the keying material is available to IPsec at reboot, add the keying material to the /etc/inet/secret/ipseckeys file on enigma. Use the same SPIs and keys that you added with ipseckey in Step 3. The entries omit src because an SA is identified by its destination, protocol, and SPI; the host names partym and enigma must resolve to the addresses that you used in Step 3. The file holds keys in clear text, so keep it readable by root only.


    add esp spi 8bcd1407 dst partym encr_alg 3DES \
        encrkey d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d
    #
    add ah spi 18907dae dst partym auth_alg MD5 \
        authkey e896f8df7f78d6cab36c94ccf293f031
    #
    #
    add esp spi 122a43e4 dst enigma encr_alg 3DES \
        encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e
    #
    add ah spi 91825a77 dst enigma auth_alg MD5 \
        authkey ad9ced7ad5f255c9a8605fba5eb4d2fd
    
  6. Repeat Step 1 through Step 5 on partym.

    The keying material on the two systems must be identical.
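Generating the keying material for this procedure, as an added example that is not part of the guide: the script below reads randomness from /dev/urandom, checks that each key is exactly as long as its algorithm requires, and prints the four ipseckey add lines (ESP and AH, both directions) for the enigma/partym pair. The addresses are the guide's; the ENIGMA and PARTYM variables, the helper function names, and the use of od and tr for hex output are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the Solaris guide. Generates keying material
# of exactly the length each algorithm needs and prints the matching
# ipseckey "add" commands for both directions of the enigma/partym pair.
# Variable and function names are assumptions; addresses are the guide's.

ENIGMA=192.168.116.16
PARTYM=192.168.13.213

# Number of hex characters an algorithm's key must have (key bits / 4).
# Algorithm names are accepted in either case, as ipseckey prints them.
key_hex_len() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$a" in
        md5|hmac-md5)   echo 32 ;;   # 128-bit HMAC-MD5 key
        sha1|hmac-sha1) echo 40 ;;   # 160-bit HMAC-SHA-1 key
        3des)           echo 48 ;;   # 192-bit 3DES key
        aes)            echo 32 ;;   # 128-bit AES key
        *) echo "unknown algorithm: $1" >&2; return 1 ;;
    esac
}

# Read $1 hex characters of randomness from the kernel RNG.
rand_hex() {
    od -An -tx1 -N "$(( $1 / 2 ))" /dev/urandom | tr -d ' \n'
}

# Fail unless the key is pure hex and exactly as long as the algorithm
# needs. A key that is too short (for example a 40-character 3DES key)
# is rejected here instead of being padded or truncated later.
check_key() {
    alg=$1; key=$2
    want=$(key_hex_len "$alg") || return 1
    if [ "${#key}" -ne "$want" ]; then
        echo "$alg key is ${#key} hex chars, need $want" >&2
        return 1
    fi
    printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]+$'
}

# Print ipseckey "add" lines for one direction (src -> dst): one ESP SA
# and one AH SA, each with its own fresh SPI and its own fresh key.
emit_sa_pair() {
    src=$1; dst=$2
    esp_spi=$(rand_hex 8)        # 32-bit SPI, 8 hex characters
    ah_spi=$(rand_hex 8)
    esp_key=$(rand_hex "$(key_hex_len 3des)")
    ah_key=$(rand_hex "$(key_hex_len md5)")
    check_key 3des "$esp_key" || return 1
    check_key md5 "$ah_key" || return 1
    printf 'add esp spi %s src %s dst %s encr_alg 3des encrkey %s\n' \
        "$esp_spi" "$src" "$dst" "$esp_key"
    printf 'add ah spi %s src %s dst %s auth_alg md5 authkey %s\n' \
        "$ah_spi" "$src" "$dst" "$ah_key"
}

# Both directions. The same four lines are entered on enigma and on partym.
emit_sa_pair "$ENIGMA" "$PARTYM"   # protects enigma -> partym
emit_sa_pair "$PARTYM" "$ENIGMA"   # protects partym -> enigma
```

Run the script once, on the console of one system, and use its output on both systems: paste the four lines into ipseckey command mode (Step 3) and append them to /etc/inet/secret/ipseckeys (Step 5), keeping that file readable by root only. The check_key function is the check to run on any key you type or copy by hand; it rejects the 40-character 3DES key that results from dropping the first eight characters of a 48-character key.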

Example—Replacing IPsec Security Associations

Refresh your keying material regularly so that an adversary does not have the time, or enough traffic under one key, to break your cryptosystem. Unlike IKE, manual keying does not rekey automatically, so you must do this yourself. When you replace the SAs on one system, the SAs must also be replaced on the communicating system, with identical keying material.

When replacing security associations, remove the old keys before you add new keys. Use the flush command in ipseckey command mode to remove the old keys. Then add the new keying information, and update the /etc/inet/secret/ipseckeys file on both systems so that the new keys survive a reboot.


# ipseckey
> flush
> add esp spi …