test

IPsec and IKE Administration Guide

How to Configure IKE With Self-Signed Public Certificates

  1. On the system console, become superuser or assume an equivalent role.

    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.

  2. Use the ikecert certlocal -ks command to add a self-signed certificate to the ike.privatekeys database. 


    # ikecert certlocal -ks -m keysize -t keytype \
-D dname -A altname[ ... ] [-f output]

    -ks

    Creates a self-signed certificate 

    keysize

    The size of the key. keysize can be 512, 1024, 2048, 3072, or 4096.

    keytype

    The type of algorithm to use. keytype can be rsa-sha1, rsa-md5, or dsa-sha1.

    dname

    The X.509 distinguished name for the certificate subject. dname typically has the form: C=country, O=organization, OU=organizational unit, CN=common name. Valid tags are C, O, OU, and CN.

    altname

    The alternate name for the certificate. altname should be in the form of tag=value. Valid tags are IP, DNS, EMAIL, URI, DN, and RID.

    output

    The format of the encoding output. The possible values are pem for PEM Base64, and ber for ASN.1 BER. If -f is not specified, pem is assumed.

    For example,


    # ikecert certlocal -ks -m 1024 -t rsa-md5 \
> -D "C=US, O=ExampleCompany, OU=US-Example, CN=Example" \
> -A IP=192.168.116.16
Generating, please wait...
Certificate: 
Certificate generated.
Certificate added to database.
-----BEGIN X509 CERTIFICATE-----
MIICLTCCAZagAwIBAgIBATANBgkqhkiG9w0BAQQFADBNMQswCQYDVQQGEwJVUzEX
…
6sKTxpg4GP3GkQGcd0r1rhW/3yaWBkDwOdFCqEUyffzU
-----END X509 CERTIFICATE-----

  3. Send the certificate to the communicating system's administrator.

    You can cut-and-paste the certificate into an email, as in:


    To: root@us.example.com
From: root@un.example.com
Message: -----BEGIN X509 CERTIFICATE-----
MIICLTCCAZagAwIBAgIBATANBgkqhkiG9w0BAQQFADBNMQswCQYDVQQGEwJVUzEX
…
6sKTxpg4GP3GkQGcd0r1rhW/3yaWBkDwOdFCqEUyffzU
-----END X509 CERTIFICATE-----

  4. On the sending system, edit the /etc/inet/ike/config file to recognize the public keys from a communicating system. For example,


    # Explicitly trust the following self-signed certs
# Use the Subject Alternate Name to identify the cert

cert_trust "192.168.116.16"
cert_trust "192.168.13.213"

## Parameters that may also show up in rules.

p1_xform 
  { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
p2_pfs 5

{
 label "UN-Example to US-Example"
 local_id_type dn
 local_id "C=US, O=ExampleCompany, OU=UN-Example, CN=Example"
 remote_id "C=US, O=ExampleCompany, OU=US-Example, CN=Example"

 local_addr 192.168.116.16
 remote_addr 192.168.13.213

 p1_xform
  { auth_method rsa_encrypt oakley_group 2 auth_alg md5 encr_alg 3des }
}

  5. Do the following substeps to add the communicating system's public key.

    1. Copy the public key from the administrator's email.

    2. Type the ikecert certdb –a command and type <Return>.

      No prompts display when you type the <Return> key.


      # ikecert certdb -a <Type the Return key>

    3. Paste the public key. Then type <Return>.


      -----BEGIN X509 CERTIFICATE-----
MIICL…
…
KgDid/nxWPlWQU5vMAiwJXfa0sw/A12w448JVkVmEWaf
-----END X509 CERTIFICATE-----<Type the Return key>

    4. End the entry by typing <Control-D>.


      <Control-D>

  6. Verify with the other administrator that the keys have not been tampered with.

    For example, you can phone the other administrator to compare the values of the public key hash. The public key hash on one system should be identical to the public key hash on the communicating system.

    1. For example, on enigma, type the ikecert certdb -l command.


      enigma # ikecert certdb -l
        Certificate Slot Name: 0   Type: if-modn
        Subject Name: <C=US, O=ExampleCo, OU=UN-Example, CN=Example>
        Key Size: 1024
        Public key hash: 2239A6A127F88EE0CB40F7C24A65B818

    2. On partym, type theikecert certlocal -l command.


      partym # ikecert certlocal -l
Local ID Slot Name: 1   Type: if-modn
        Key Size: 1024
        Public key hash: 2239A6A127F88EE0CB40F7C24A65B818
    Note –

    The public key hash in this example is different from the public key hash that your systems generate.