A.2. IKE Configuration

The base configuration required for IPsec on the Sun Ray Client is the IKE configuration file, which is derived from the racoon.conf file. The IKE configuration file defines how to establish a secure connection between two hosts using the racoon daemon. For Sun Ray Software, only a subset of the directives and statements in the IKE configuration file are required. The complete documentation for the IKE configuration file is available in the racoon.conf man page.

The IKE configuration file contains a set of directives that each consist of a keyword and a set of parameters. Some directives can be followed by a set of nested statements. An IKE configuration file must be stored in the firmware's security configuration repository at /ike/default.conf. The use of the /ike directory is consistent with the strategy that the directory containing a file indicates its type or format.

Only two directives are required for the Sun Ray IKE configuration file: remote and sainfo.

Normally, there can be multiple remote and sainfo directives, tagged with either a name, address, or the default anonymous keyword. The Sun Ray Software implementation allows for only one of each directive.

The following directives are not required, but they are supported to provide more advanced configuration:

Other parameters, such as the location of various ancillary files and ports, are fixed in value.

A.2.1. remote Directive

The remote directive specifies the parameters for IKE negotiations.

The following statements are supported. Specific notes and restrictions are provided where necessary.

  • ca_type - Root certificate type (X509 only) and root certificate file name.

  • certificate_type - Client certificate type (X509 only), private key file name, and certificate file name.

  • dpd - Switch to enable Dead Peer Detection (DPD). Default is on.

  • dpd_delay - Time between liveness requests. 0 disables checking. Default is 0.

  • dpd_maxfail - If dpd_delay is set, this statement sets the maximum number of proof-of-liveness requests to send (without a reply) before considering the peer dead. The default value is 5.

  • dpd_retry - If dpd_delay is set, this statement sets the delay (in seconds) to wait for a proof of liveness before considering it as failed and sending another request. The default value is 5.

  • exchange_mode - Exchange mode to use as the IKE initiator. Values: main, aggressive, or base. The aggressive mode is not supported on Oracle Solaris.

  • ike_frag - Switch to enable IKE fragmentation.

  • lifetime - IKE lifetime proposed.

  • my_identifier - Type and value of the IKE identifier for phase 1. The following identifier types are allowed:

    • address - IP address. This is the default, although it is not appropriate for Sun Ray Clients that get their addresses using DHCP.

    • asn1dn - ASN.1 distinguished name. This value is taken from the certificate Subject field if a value is not specified.

    • fqdn - Fully-qualified domain name.

    • keyid - An arbitrary string.

    • subnet - IP subnet.

    • user_fqdn - User fully-qualified name.

  • nat_traversal - Switch to enable NAT traversal.

  • nonce_size - Size of the nonces used in the IKE exchange. The default is 16 bytes.

  • peers_certfile - Locally stored peer certificate type (X509 only) and certificate file name.

  • peers_identifier - Type and value of the expected peer identifier. The following identifier types are allowed:

    • address - IP address. This is the default.

    • asn1dn - ASN.1 distinguished name. This value is taken from the certificate Subject field if a value is not specified.

    • fqdn - Fully-qualified domain name.

    • keyid - An arbitrary string.

    • subnet - IP subnet.

    • user_fqdn - User fully-qualified name.

  • proposal - List of proposal statements. Only one proposal statement is allowed.

    • authentication_method - Specify the authentication method used. Values: pre_shared_key or rsasig.

      The pre-shared key file is used when the authentication method is pre_shared_key, and the file must be stored in the firmware's security configuration repository at /preshared/keys. The pre-shared key file consists of lines containing pairs of IDs and keys, separated by some number of blank or tab characters. Keys starting with "0x" are interpreted as hexadecimal strings. Any referenced certificate files must be stored in the /certs directory, and public/private key pairs provided in files must be stored in the /keys directory.

    • dh_group - Specify the group used for Diffie-Hellman exponentiation. Values: modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, or the corresponding DH group number, 1, 2, 5, 14, 15, 16, 17, or 18.

    • encryption_algorithm - Specify the encryption algorithm used for the phase 1 negotiation. Values: aes, 3des, or null. aes may be followed by a key size of 128, 192, or 256, separated by a space.

    • hash_algorithm - Specify the hash algorithm used for the phase 1 negotiation. Values: md5 (deprecated), sha1, sha256, sha384, or sha512. Oracle Linux 5.8 and Oracle Linux 6.3 do not support the sha384 or sha512 hash algorithms.

    • lifetime - Specify IKE lifetime.

  • remote_address - Remote IP address of the other end of the connection.

  • proposal_check - Type of proposal checking. Values: claim, exact, obey, or strict.

  • send_cert - Switch to enable sending client certificate. Default is on.

  • send_cr - Switch to enable sending certificate request. Default is on.

  • verify_cert - Switch to verify the peer's certificate. Default is on.

  • verify_identifier - Switch to enable verification of identity between ID and certificate. Default is off.

A.2.2. sainfo Directive

The sainfo directive is used to specify the security parameters for creating an IPsec Security Association (SA) used to protect associated traffic. For Sun Ray Software, only the Encapsulating Security Payload (ESP) is supported, and the Authentication Header (AH) protocol is not supported.

A full implementation of the Security Policy Database (SPD) for Sun Ray Software is not required, because the communication between the Sun Ray Client and other peers requires only a few switch selections, which have been incorporated into the IPsec configuration menu in the firmware Configuration GUI.

The following statements are supported. Specific notes and restrictions are provided where necessary.

  • authentication_algorithm - Specify the comma-separated list of authentication algorithms. Values include hmac forms of the hash_algorithm values, such as hmac_md5, hmac_sha1, hmac_sha256, hmac_sha384, or hmac_sha512.

  • encryption_algorithm - Specify the comma-separated set of encryption algorithms that can be used in a phase 2 proposal. Values: aes or 3des. The aes value may be followed by a key size, for example, aes 256.

  • lifetime - Define how long an IPsec SA will be used.

  • pfs_group - Define the group used for Perfect Forward Secrecy (PFS) in phase 2. The same values are used as dh_group. If omitted, PFS is not used.

  • sha2_trunc - Switch that sets the truncation of SHA-2 hashes to 96 bits, rather than the 128 bits specified in RFC 4868. This allows interoperation with some Oracle Linux systems that exhibit this behavior. This must be set on when using the sha256 hash algorithm with Oracle Linux.

The proposals generated during the phase 2 negotiation consist of all of the possible combinations of encryption_algorithm and authentication_algorithm.

A.2.3. Example IKE Configuration Files

Here is an example of a Sun Ray IKE configuration file used to specify the connection between a Sun Ray Client with a fixed IP address (10.213.25.230) and a Sun Ray server (10.213.21.43) using a pre-shared key.

remote address 10.213.21.43 {
        my_identifier address 10.213.25.230;
        exchange_mode main;
        proposal {
                authentication_method pre_shared_key;
                encryption_algorithm aes;
                hash_algorithm sha1;
                dh_group 2;
        }
        proposal_check claim;
}
sainfo address 10.213.25.230 address 10.213.21.43 {
        lifetime time 12 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
}

Note: If you specify main for the exchange_mode statement, the identifiers for the IKE connection must be IP addresses when using pre-shared keys.

Here is another example of a Sun Ray IKE configuration file, this one for certificate-based authentication.

remote anonymous {
        exchange_mode main;
        my_identifier asn1dn;
        ca_type x509 "cacert.pem";
        certificate_type x509 "mycert.pem" "mykey.pem";
        proposal {
                authentication_method rsasig;
                encryption_algorithm 3des;
                hash_algorithm md5;
                dh_group modp1024;
        }
        lifetime time 24 hour;
        proposal_check claim;
}
sainfo anonymous {
        authentication_algorithm hmac_sha1;
        encryption_algorithm aes;
        lifetime time 8 hour;
}
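The following is an added example, not part of the Sun Ray Software documentation or the racoon project: a small parser for the directive/statement syntax described in this appendix, plus a lint pass that checks the Sun Ray restrictions stated above (one remote, one sainfo, one proposal; address identifiers for main mode with pre-shared keys) and flags phase 1 choices a reviewer would question. The sample file, the parse and lint functions, and the WEAK table (which treats md5, 3des, null and the modp768/modp1024 groups as weak by today's standards; the page itself only marks md5 as deprecated) are all the editor's own.

```python
import re
# Constructed sample (not the page's file): the certificate example with choices a reviewer would flag.
SAMPLE_CONF = """\
remote anonymous {
    exchange_mode main;
    my_identifier asn1dn;
    proposal {
        authentication_method rsasig;
        encryption_algorithm 3des;
        hash_algorithm md5;
        dh_group modp1024;
    }
}
sainfo anonymous {
    authentication_algorithm hmac_sha1;
    encryption_algorithm aes;
}
"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
# Weak by today's standards (editor's judgement; the page itself only marks md5 as deprecated).
WEAK = {"hash_algorithm": {"md5"}, "encryption_algorithm": {"3des", "null"},
        "dh_group": {"modp768", "modp1024", "1", "2"}}

def parse(text):
    """{keyword: [entry, ...]}; an entry is the argument list, with a nested block appended as a dict."""
    toks, pos = TOKEN.findall(text), 0
    def block():
        nonlocal pos; node, args = {}, []
        while pos < len(toks):
            tok = toks[pos]; pos += 1
            if tok not in ";{}": args.append(tok.strip('"')); continue   # plain argument
            if tok == "}": break                                          # end of this block
            node.setdefault(args[0], []).append(args[1:] + ([block()] if tok == "{" else [])); args = []
        return node
    return block()

def first(node, key, default=""):
    """First argument of the first occurrence of key (e.g. 'main' for exchange_mode), or default."""
    e = node.get(key, [[]])[0]; return e[0] if e and isinstance(e[0], str) else default

def lint(conf):
    """Findings against the Sun Ray restrictions and the WEAK table; an empty list means clean."""
    out = [f"exactly one {d} directive is required" for d in ("remote", "sainfo") if len(conf.get(d, [])) != 1]
    for rem in [e[-1] for e in conf.get("remote", [])]:
        props = [e[-1] for e in rem.get("proposal", [])]
        if len(props) != 1: out.append("exactly one proposal statement is allowed")
        for prop in props:
            out += [f"phase 1 {k} {first(prop, k)} is weak" for k in WEAK if first(prop, k) in WEAK[k]]
            if (first(prop, "authentication_method"), first(rem, "exchange_mode")) == ("pre_shared_key", "main") \
                    and first(rem, "my_identifier", "address") != "address":
                out.append("main mode with pre_shared_key requires address identifiers")
    for sa in [e[-1] for e in conf.get("sainfo", [])]:
        if "pfs_group" not in sa: out.append("sainfo has no pfs_group, so PFS is not used")
    return out
```

Running lint(parse(SAMPLE_CONF)) reports the md5, 3des and modp1024 choices and the missing pfs_group; the page's pre-shared-key example passes the identifier check only because both identifiers are address types.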