This section provides examples that show how to configure and enable IPsec on a Sun Ray server and a Sun Ray Client. All of the examples use the following configuration information:
Sun Ray Client - 10.25.198.65
Sun Ray server - 10.213.21.168
sunray_ike.conf - Sun Ray IKE configuration file
ikeload - Remote configuration file
cacert.pem - Root certificate file
mycert.pem - Certificate file
mykey.pem - Secret key file
The following example shows how to configure IPsec using a pre-shared key on a Sun Ray server running Oracle Linux 5 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
Edit the /etc/racoon/racoon.conf file as follows:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
    exchange_mode main;
    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group modp1024;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
    compression_algorithm deflate;
}
Edit the /etc/racoon/psk.txt file to include the pre-shared key:
<ip-address_of_Sun_Ray_Client> <key>
10.25.198.65 0x12345678
Configure the SPD.
# setkey -c << EOF
spdadd 10.213.21.168 10.25.198.65 any -P out ipsec esp/transport//require;
spdadd 10.25.198.65 10.213.21.168 any -P in ipsec esp/transport//require;
EOF
Note that 10.213.21.168 is the Sun Ray server IP address and 10.25.198.65 is the Sun Ray Client IP address.
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group modp1024;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
}
Enable IPsec on the server if necessary.
# racoon
This manual step may not be necessary if IPsec is already enabled on the server. You can change the debug level by adding one or more -d options, such as -ddd.
The following example shows how to configure IPsec using certificates on a Sun Ray server running Oracle Linux 5 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
Copy the cacert.pem, mycert.pem, and mykey.pem files to the /etc/racoon/certs and /tftpboot directories.
Edit the /etc/racoon/racoon.conf file as follows:
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
remote anonymous {
    exchange_mode main;
    generate_policy on;
    passive on;
    ca_type x509 "cacert.pem";
    certificate_type x509 "mycert.pem" "mykey.pem";
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal_check claim;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group modp1024;
    }
}
sainfo anonymous {
    pfs_group modp1024;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    lifetime time 8 hour;
    compression_algorithm deflate;
}
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    my_identifier asn1dn;
    ca_type x509 "cacert.pem";
    certificate_type x509 "mycert.pem" "mykey.pem";
    proposal {
        authentication_method rsasig;
        encryption_algorithm 3des;
        hash_algorithm md5;
        dh_group modp1024;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    pfs_group modp1024;
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
}
Create a remote configuration file named ikeload with the following contents and save it to the /tftpboot directory.
/certs/cacert.pem=cacert.pem
/keys/mykey.pem=mykey.pem
/certs/mycert.pem=mycert.pem
/ike/default.conf=sunray_ike.conf
Enable IPsec on the server if necessary.
# racoon
This manual step may not be necessary if IPsec is already enabled on the server. You can change the debug level by adding one or more -d options, such as -ddd.
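In both Oracle Linux 5 examples the server's racoon.conf and the client's sunray_ike.conf share the racoon configuration syntax, and IKE negotiation only succeeds when the phase 1 proposal and the sainfo parameters on the two sides agree. The following added example, which is not part of the Sun Ray documentation, is a minimal parser for that syntax plus a check that reports every proposal parameter on which the two files disagree; the embedded configurations are the pre-shared key pair shown above.

```python
import re
# Tokens: quoted strings, braces, semicolons, bare words; '#' comments are dropped.
_TOKEN = re.compile(r'"[^"]*"|[{};]|#[^\n]*|[^\s{};"#]+')

def parse_racoon(text):
    # Blocks ('remote anonymous { ... }') become dicts keyed by their header line;
    # statements ('hash_algorithm sha1;') map the first word to the rest of the line.
    tokens = [t for t in _TOKEN.findall(text) if not t.startswith('#')]

    def block(pos):
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == '}':
                break
            if tok == '{':
                sub, pos = block(pos)
                node[' '.join(words)] = sub
                words = []
            elif tok == ';':
                if words:
                    node[words[0]] = ' '.join(words[1:])
                words = []
            else:
                words.append(tok.strip('"'))
        return node, pos
    return block(0)[0]

# Phase 1 (ISAKMP SA) and phase 2 (IPsec SA) parameters that both peers must agree on.
PHASE1 = ('authentication_method', 'encryption_algorithm', 'hash_algorithm', 'dh_group')
PHASE2 = ('encryption_algorithm', 'authentication_algorithm', 'pfs_group')

def mismatches(server_conf, client_conf):
    # Returns [(section, key, server_value, client_value)] for every disagreement.
    s, c = parse_racoon(server_conf), parse_racoon(client_conf)
    checks = (('proposal', s['remote anonymous']['proposal'],
               c['remote anonymous']['proposal'], PHASE1),
              ('sainfo', s['sainfo anonymous'], c['sainfo anonymous'], PHASE2))
    return [(section, key, sv.get(key), cv.get(key))
            for section, sv, cv, keys in checks
            for key in keys if sv.get(key) != cv.get(key)]

# racoon.conf and sunray_ike.conf from the Oracle Linux 5 pre-shared key example above.
SERVER_CONF = """path include "/etc/racoon"; path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous { exchange_mode main; proposal { authentication_method pre_shared_key;
encryption_algorithm 3des; hash_algorithm sha1; dh_group modp1024; } lifetime time 24 hour; proposal_check claim; }
sainfo anonymous { authentication_algorithm hmac_sha1; encryption_algorithm 3des; lifetime time 8 hour; compression_algorithm deflate; }"""
CLIENT_CONF = """remote anonymous { exchange_mode main; proposal { authentication_method pre_shared_key;
encryption_algorithm 3des; hash_algorithm sha1; dh_group modp1024; } lifetime time 24 hour; proposal_check claim; }
sainfo anonymous { authentication_algorithm hmac_sha1; encryption_algorithm 3des; lifetime time 8 hour; }"""
```

Running mismatches(SERVER_CONF, CLIENT_CONF) returns an empty list for the pair above; changing one hash_algorithm to md5 on either side returns the offending parameter with both values.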
The following example shows how to configure IPsec using a pre-shared key on a Sun Ray server running Oracle Linux 6 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
If not already installed, install the openswan-2.6.32-16.el6.x86_64.rpm RPM.
Uncomment the following line in the /etc/ipsec.conf file:
include /etc/ipsec.d/*.conf
Make sure the /etc/ipsec.secrets file contains only the following line:
include /etc/ipsec.d/*.secrets
Create the /etc/ipsec.d/shared.conf file with the following contents, which includes the Sun Ray server and the Sun Ray Client IP addresses for the left and right entries, respectively:
conn new
    left=10.213.21.168
    right=10.25.198.65
    authby=secret
    type=transport
    ike=3des-md5;modp1024
    esp=3des-md5
    keyexchange=ike
    pfs=no
    rekey=no
    aggrmode=no
    phase2=esp
    salifetime=8h
    auto=add
Create the /etc/ipsec.d/shared.secrets file with the following contents, which includes an entry containing the Sun Ray server and Sun Ray Client IP addresses and the pre-shared key:
10.213.21.168 10.25.198.65: PSK "12345678"
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group modp1024;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
}
Start the IPsec services.
# /etc/init.d/ipsec start
The following example shows how to configure IPsec using certificates on a Sun Ray server running Oracle Linux 6 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
If not already installed, install the openswan-2.6.32-16.el6.x86_64.rpm RPM.
Uncomment the following line in the /etc/ipsec.conf file:
include /etc/ipsec.d/*.conf
Make sure the /etc/ipsec.secrets file contains only the following line:
include /etc/ipsec.d/*.secrets
Create the /etc/ipsec.d/certs.conf file with the following contents:
conn new1
    left=10.213.21.168
    right=%any
    leftcert="server_certificate"
    rightcert="client_certificate"
    leftid=%fromcert
    rightid=%fromcert
    authby=rsasig
    leftrsasigkey=%cert
    type=transport
    ike=aes-sha2_256;modp1024
    phase2alg=aes-sha2_256
    keyexchange=ike
    keyingtries=3
    pfs=no
    rekey=no
    aggrmode=no
    phase2=esp
    salifetime=8h
    auto=add
The right=%any entry enables any client to connect with the proper certificate.
Create the /etc/ipsec.d/certs.secrets file with the following contents, which includes the Sun Ray server:
%any : RSA 10.213.21.168
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    my_identifier asn1dn;
    ca_type x509 "cacert.pem";
    certificate_type x509 "mycert.pem" "mykey.pem";
    proposal {
        authentication_method rsasig;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group modp1024;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
}
Create a remote configuration file named ikeload with the following contents and save it to the /tftpboot directory.
/certs/cacert.pem=cacert.pem
/keys/mykey.pem=mykey.pem
/certs/mycert.pem=mycert.pem
/ike/default.conf=sunray_ike.conf
Start the IPsec services.
# /etc/init.d/ipsec start
The following example shows how to configure IPsec using a pre-shared key on a Sun Ray server running Oracle Solaris 10 or Oracle Solaris 11 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
Edit the /etc/inet/ike/config file as follows:
p1_lifetime_secs 86400
p1_nonce_len 16
p2_lifetime_secs 28800
## Parameters that may also show up in rules.
p1_xform { auth_method preshared oakley_group 2 auth_alg sha1 encr_alg aes }
p2_pfs 0
### Now some rules...
{
    label "SRSS Rule"
    # Use whatever "host" (e.g. IP address) identity is appropriate
    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0
    p1_xform { auth_method preshared oakley_group 2 auth_alg sha encr_alg aes }
    p2_pfs 0
}
Edit the /etc/inet/secret/ike.preshared file to include the pre-shared key.
{
    localidtype IP
    localid 10.213.21.168
    remoteidtype IP
    remoteid 10.25.198.65
    key 12345678
}
Configure the IPsec policy by adding the following line to the /etc/inet/ipsecinit.conf file:
{ laddr 10.213.21.168 raddr 10.25.198.65 } ipsec {encr_algs aes encr_auth_algs sha1}
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm aes;
        hash_algorithm sha1;
        dh_group 2;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    authentication_algorithm hmac_sha1;
    encryption_algorithm aes;
    lifetime time 8 hour;
}
Enable IPsec on the server.
# svcadm restart svc:/network/ipsec/ipsecalgs:default
# svcadm restart svc:/network/ipsec/policy:default
# /usr/lib/inet/in.iked
You can use the svcs | grep ipsec command to verify that IPsec is enabled. You can use the -d option of the in.iked command to keep it in the foreground and produce debugging output.
The following example shows how to configure IPsec using certificates on a Sun Ray server running Oracle Solaris 10 or Oracle Solaris 11 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
Copy the cacert.pem, mycert.pem, and mykey.pem files to the /etc/racoon/certs and /tftpboot directories.
Edit the /etc/inet/ike/config file as follows:
####
cert_root "C=US, L=Redwood Shores, ST=CA, O=Company, OU=Sun Ray, CN=First Last, MAILTO=first.last@company.com"
ignore_crls
p1_lifetime_secs 86400
p1_nonce_len 16
p2_lifetime_secs 28800
p1_xform { auth_method rsa_sig oakley_group 2 auth_alg sha encr_alg 3des }
p2_pfs 0
{
    label "SRSS Rule"
    local_id_type dn
    local_id "C=US, L=Redwood Shores, ST=CA, O=Company, OU=Sun Ray, CN=server-fqdn"
    remote_id ""
    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0
    p1_xform { auth_method rsa_sig oakley_group 2 auth_alg md5 encr_alg 3des }
    p2_pfs 0
}
####
Configure the IPsec policy by adding the following line to the /etc/inet/ipsecinit.conf file:
{ laddr 10.213.21.168 raddr 10.25.198.65 } ipsec {encr_algs 3des encr_auth_algs sha1}
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    my_identifier asn1dn;
    ca_type x509 "cacert.pem";
    certificate_type x509 "mycert.pem" "mykey.pem";
    proposal {
        authentication_method rsasig;
        encryption_algorithm 3des;
        hash_algorithm md5;
        dh_group 2;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    pfs_group modp1024;
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
}
Create a remote configuration file named ikeload with the following contents and save it to the /tftpboot directory.
/certs/cacert.pem=cacert.pem
/keys/mykey.pem=mykey.pem
/certs/mycert.pem=mycert.pem
/ike/default.conf=sunray_ike.conf
Enable IPsec on the server.
# svcadm restart svc:/network/ipsec/ipsecalgs:default
# svcadm restart svc:/network/ipsec/policy:default
# /usr/lib/inet/in.iked
You can use the svcs | grep ipsec command to verify that IPsec is enabled. You can use the -d option of the in.iked command to keep it in the foreground and produce debugging output.
Once you configure IPsec on the Sun Ray server, including adding the appropriate Sun Ray IKE configuration file and certificates to the /tftpboot directory, only a few steps remain to configure IPsec on the Sun Ray Client using the Configuration GUI. The following steps continue the previous Sun Ray server configuration examples.
Open the Configuration GUI on the Sun Ray Client. See Section 14.5.2, “Configuration GUI Menu Descriptions” for details.
Load the configuration files on the Sun Ray Client from the server's /tftpboot directory:
If you have only a Sun Ray IKE configuration file to load, choose Server/IPsec > Download Configuration and specify the server and the IKE configuration file. For the pre-shared key examples in this section, you would enter 10.213.21.168/sunray_ike.conf to populate the /ike/default.conf file in the Sun Ray Client's firmware.
If you are using a remote configuration file to load a number of files, choose Advanced > Download Configuration and enter the server and the remote configuration file. For the certificate examples in this section, you would enter 10.213.21.168/ikeload to populate the IKE configuration file and the certificate files in the Sun Ray Client's firmware.
Choose Server/IPsec.
For the pre-shared key examples in this section, choose Manage Preshared Keys to create the pre-shared key:
10.25.198.65 0x12345678
You can also use the remote configuration file to load a pre-shared key.
Choose IPsec Enable and enable IPsec.
Exit the Configuration GUI.
After configuring IPsec on the Sun Ray server and Sun Ray Client, you can verify whether IPsec is working by rebooting the Sun Ray Client with the OSD icons enabled. If the IPsec OSD network status icon is displayed with the up arrow, IPsec should be working.
To verify that the traffic between the server and the Sun Ray Client is being encrypted, use a network monitoring tool (for example, snoop or tcpdump) and confirm that the packets seen are using the ESP protocol.
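To make that ESP check repeatable, the following added example (not part of the Sun Ray documentation) reads tcpdump -n summary lines and reports, for traffic between the server and client addresses used in this section, how many packets were ESP, how many were IKE negotiation, and which, if any, went in the clear. The capture lines are constructed, and the port 7777 used in the cleartext line is arbitrary.

```python
import re

# Matches tcpdump -n summary lines, for example
# "12:00:01.000001 IP 10.213.21.168 > 10.25.198.65: ESP(spi=0x0000a1b2,seq=0x1), length 116"
_IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
_LINE = re.compile(rf'^\S+ IP ({_IPV4})(?:\.(\d+))? > ({_IPV4})(?:\.(\d+))?: (.*)$')

def classify(rest, sport, dport):
    # ESP is the goal; IKE on udp/500 (or NAT-T on udp/4500) is the expected
    # negotiation; anything else between the two hosts is cleartext.
    if 'ESP' in rest:
        return 'esp'
    if 'isakmp' in rest or {sport, dport} & {'500', '4500'}:
        return 'ike'
    return 'clear'

def audit(lines, server, client):
    # Returns (counts per kind, list of cleartext lines) for traffic between
    # server and client only; packets involving other hosts are ignored.
    pair = {server, client}
    counts = {'esp': 0, 'ike': 0, 'clear': 0}
    cleartext = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        if {src, dst} != pair:
            continue
        kind = classify(rest, sport, dport)
        counts[kind] += 1
        if kind == 'clear':
            cleartext.append(line)
    return counts, cleartext

# Constructed capture: a key exchange, two ESP packets, one cleartext UDP packet
# between the pair, and an unrelated host that must be ignored.
SAMPLE = """12:00:01.000001 IP 10.25.198.65.500 > 10.213.21.168.500: isakmp: phase 1 I ident
12:00:01.000002 IP 10.213.21.168 > 10.25.198.65: ESP(spi=0x0000a1b2,seq=0x1), length 116
12:00:01.000003 IP 10.25.198.65 > 10.213.21.168: ESP(spi=0x0000c3d4,seq=0x1), length 100
12:00:01.000004 IP 10.25.198.65.7777 > 10.213.21.168.7777: UDP, length 64
12:00:01.000005 IP 10.213.21.168.22 > 192.0.2.10.40000: Flags [P.], length 52""".split('\n')

if __name__ == '__main__':
    counts, leaks = audit(SAMPLE, '10.213.21.168', '10.25.198.65')
    print(counts)
    for line in leaks:
        print('cleartext:', line)
```

With the SPD entries set to require ESP as in the examples above, a non-empty cleartext list means the policy is not being applied to that traffic.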