This section provides examples that show how to configure and enable IPsec on a Sun Ray server and a Sun Ray Client. For all of the examples, the following configuration information is used:
Sun Ray Client - 10.25.198.65
Sun Ray server - 10.213.21.168
sunray_ike.conf - Sun Ray IKE configuration file
ikeload - Remote configuration file
cacert.pem - Root certificate file
mycert.pem - Certificate file
mykey.pem - Secret key file
The following example shows how to configure IPsec using a pre-shared key on a Sun Ray server running Oracle Linux 5 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
Edit the /etc/racoon/racoon.conf file as follows:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
    exchange_mode main;
    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group modp1024;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
    compression_algorithm deflate;
}
Edit the /etc/racoon/psk.txt file to include the pre-shared key. Each entry has the form <ip-address_of_Sun_Ray_Client> <key>:
10.25.198.65 0x12345678
Configure the SPD. The heredoc is terminated by the EOF line:
# setkey -c << EOF
spdadd 10.213.21.168 10.25.198.65 any -P out ipsec esp/transport//require;
spdadd 10.25.198.65 10.213.21.168 any -P in ipsec esp/transport//require;
EOF
Note that 10.213.21.168 is the Sun Ray server IP address and 10.25.198.65 is the Sun Ray Client IP address.
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group modp1024;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
}
Enable IPsec on the server if necessary.
# racoon
This manual step may not be necessary if IPsec is already enabled on the server. You can change the debug level by adding one or more -d options, such as -ddd.
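# racoon
The server's racoon.conf and the client's sunray_ike.conf must offer the same phase 1 (remote/proposal) and phase 2 (sainfo) parameters, or IKE cannot agree on a proposal. The following added example (not part of the Oracle documentation) parses both files with a small parser for racoon's syntax and reports every parameter the two sides disagree on; the configuration strings are copied from the Oracle Linux 5 pre-shared-key example above.

```python
import re

# Sample input copied from the page's Oracle Linux 5 pre-shared-key example.
SERVER_CONF = """
remote anonymous { exchange_mode main;
  proposal { authentication_method pre_shared_key; encryption_algorithm 3des;
             hash_algorithm sha1; dh_group modp1024; }
  lifetime time 24 hour; proposal_check claim; }
sainfo anonymous { authentication_algorithm hmac_sha1; encryption_algorithm 3des;
  lifetime time 8 hour; compression_algorithm deflate ; }
"""
CLIENT_CONF = """
remote anonymous { exchange_mode main;
  proposal { authentication_method pre_shared_key; encryption_algorithm 3des;
             hash_algorithm sha1; dh_group modp1024; }
  lifetime time 24 hour; proposal_check claim; }
sainfo anonymous { authentication_algorithm hmac_sha1; encryption_algorithm 3des;
  lifetime time 8 hour; }
"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted string, punctuation, or word

def parse_racoon(text):
    """Parse racoon syntax into nested dicts: 'remote anonymous { ... }' becomes the key
    'remote anonymous'; 'lifetime time 24 hour;' becomes {'lifetime': 'time 24 hour'}."""
    root = {}
    stack, words = [root], []
    for tok in TOKEN.findall(text):
        if tok == "{":                # open a nested block named by the words before it
            stack[-1][" ".join(words)] = block = {}
            stack.append(block)
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":              # end of a 'key value ...' statement
            if words:
                stack[-1][words[0]] = " ".join(words[1:])
            words = []
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root

# Phase 1 (IKE SA) parameters live in remote -> proposal; phase 2 (IPsec SA) in sainfo.
PHASE1_KEYS = ("authentication_method", "encryption_algorithm", "hash_algorithm", "dh_group")
PHASE2_KEYS = ("authentication_algorithm", "encryption_algorithm")

def proposal_mismatches(server_text, client_text):
    """Return (phase, key, server_value, client_value) per disagreement; [] means compatible."""
    srv, cli = parse_racoon(server_text), parse_racoon(client_text)
    pairs = [("phase1", srv["remote anonymous"]["proposal"],
              cli["remote anonymous"]["proposal"], PHASE1_KEYS),
             ("phase2", srv["sainfo anonymous"], cli["sainfo anonymous"], PHASE2_KEYS)]
    return [(phase, k, s.get(k), c.get(k))
            for phase, s, c, keys in pairs for k in keys if s.get(k) != c.get(k)]
```

Run proposal_mismatches on the actual /etc/racoon/racoon.conf and /tftpboot/sunray_ike.conf before starting racoon; any tuple it returns names a parameter that will make the client's IKE negotiation fail.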
The following example shows how to configure IPsec using certificates on a Sun Ray server running Oracle Linux 5 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
Copy the cacert.pem, mycert.pem, and mykey.pem files to the /etc/racoon/certs and /tftpboot directories.
Edit the /etc/racoon/racoon.conf file as follows:
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
remote anonymous {
    exchange_mode main;
    generate_policy on;
    passive on;
    ca_type x509 "cacert.pem";
    certificate_type x509 "mycert.pem" "mykey.pem";
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal_check claim;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group modp1024;
    }
}
sainfo anonymous {
    pfs_group modp1024;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    lifetime time 8 hour;
    compression_algorithm deflate;
}
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    my_identifier asn1dn;
    ca_type x509 "cacert.pem";
    certificate_type x509 "mycert.pem" "mykey.pem";
    proposal {
        authentication_method rsasig;
        encryption_algorithm 3des;
        hash_algorithm md5;
        dh_group modp1024;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    pfs_group modp1024;
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
}
Create a remote configuration file named ikeload with the following contents and save it to the /tftpboot directory.
/certs/cacert.pem=cacert.pem
/keys/mykey.pem=mykey.pem
/certs/mycert.pem=mycert.pem
/ike/default.conf=sunray_ike.conf
Enable IPsec on the server if necessary.
# racoon
This manual step may not be necessary if IPsec is already enabled on the server. You can change the debug level by adding one or more -d options, such as -ddd.
The following example shows how to configure IPsec using a pre-shared key on a Sun Ray server running Oracle Linux 6 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
If not already installed, install the openswan-2.6.32-16.el6.x86_64.rpm RPM.
Uncomment the following line in the /etc/ipsec.conf file:
include /etc/ipsec.d/*.conf
Make sure the /etc/ipsec.secrets file contains only the following line:
include /etc/ipsec.d/*.secrets
Create the /etc/ipsec.d/shared.conf file with the following contents, which includes the Sun Ray server and the Sun Ray Client IP addresses for the left and right entries, respectively:
conn new
    left=10.213.21.168
    right=10.25.198.65
    authby=secret
    type=transport
    ike=3des-md5;modp1024
    esp=3des-md5
    keyexchange=ike
    pfs=no
    rekey=no
    aggrmode=no
    phase2=esp
    salifetime=8h
    auto=add
Create the /etc/ipsec.d/shared.secrets file with the following contents, which includes an entry containing the Sun Ray server and Sun Ray Client IP addresses and the pre-shared key:
10.213.21.168 10.25.198.65: PSK "12345678"
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group modp1024;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
}
Start the IPsec services.
# /etc/init.d/ipsec start
The following example shows how to configure IPsec using certificates on a Sun Ray server running Oracle Linux 6 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
If not already installed, install the openswan-2.6.32-16.el6.x86_64.rpm RPM.
Uncomment the following line in the /etc/ipsec.conf file:
include /etc/ipsec.d/*.conf
Make sure the /etc/ipsec.secrets file contains only the following line:
include /etc/ipsec.d/*.secrets
Create the /etc/ipsec.d/certs.conf file with the following contents:
conn new1
    left=10.213.21.168
    right=%any
    leftcert="server_certificate"
    rightcert="client_certificate"
    leftid=%fromcert
    rightid=%fromcert
    authby=rsasig
    leftrsasigkey=%cert
    type=transport
    ike=aes-sha2_256;modp1024
    phase2alg=aes-sha2_256
    keyexchange=ike
    keyingtries=3
    pfs=no
    rekey=no
    aggrmode=no
    phase2=esp
    salifetime=8h
    auto=add
The right=%any entry enables any client that presents the proper certificate to connect.
Create the /etc/ipsec.d/certs.secrets file with the following contents, which includes the Sun Ray server IP address:
%any : RSA 10.213.21.168
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    my_identifier asn1dn;
    ca_type x509 "cacert.pem";
    certificate_type x509 "mycert.pem" "mykey.pem";
    proposal {
        authentication_method rsasig;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group modp1024;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
}
Create a remote configuration file named ikeload with the following contents and save it to the /tftpboot directory.
/certs/cacert.pem=cacert.pem
/keys/mykey.pem=mykey.pem
/certs/mycert.pem=mycert.pem
/ike/default.conf=sunray_ike.conf
Start the IPsec services.
# /etc/init.d/ipsec start
The following example shows how to configure IPsec using a pre-shared key on a Sun Ray server running Oracle Solaris 10 or Oracle Solaris 11 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
Edit the /etc/inet/ike/config file as follows:
p1_lifetime_secs 86400
p1_nonce_len 16
p2_lifetime_secs 28800
## Parameters that may also show up in rules.
p1_xform { auth_method preshared oakley_group 2 auth_alg sha1 encr_alg aes }
p2_pfs 0
### Now some rules...
{
    label "SRSS Rule"
    # Use whatever "host" (e.g. IP address) identity is appropriate
    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0
    p1_xform { auth_method preshared oakley_group 2 auth_alg sha encr_alg aes }
    p2_pfs 0
}
Edit the /etc/inet/secret/ike.preshared file to include the pre-shared key.
{
    localidtype IP
    localid 10.213.21.168
    remoteidtype IP
    remoteid 10.25.198.65
    key 12345678
}
Configure the IPsec policy by adding the following line to the /etc/inet/ipsecinit.conf file:
{ laddr 10.213.21.168 raddr 10.25.198.65 } ipsec {encr_algs aes encr_auth_algs sha1}
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm aes;
        hash_algorithm sha1;
        dh_group 2;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    authentication_algorithm hmac_sha1;
    encryption_algorithm aes;
    lifetime time 8 hour;
}
Enable IPsec on the server.
# svcadm restart svc:/network/ipsec/ipsecalgs:default
# svcadm restart svc:/network/ipsec/policy:default
# /usr/lib/inet/in.iked
You can use the svcs | grep ipsec command to verify that IPsec is enabled. You can use the -d option of the in.iked command to keep it in the foreground and produce debugging output.
The following example shows how to configure IPsec using certificates on a Sun Ray server running Oracle Solaris 10 or Oracle Solaris 11 and prepare an IKE configuration file for the Sun Ray Client.
Become superuser on the Sun Ray server.
Copy the cacert.pem, mycert.pem, and mykey.pem files to the /etc/racoon/certs and /tftpboot directories.
Edit the /etc/inet/ike/config file as follows:
####
cert_root "C=US, L=Redwood Shores, ST=CA, O=Company, OU=Sun Ray, CN=First Last, MAILTO=first.last@company.com"
ignore_crls
p1_lifetime_secs 86400
p1_nonce_len 16
p2_lifetime_secs 28800
p1_xform { auth_method rsa_sig oakley_group 2 auth_alg sha encr_alg 3des }
p2_pfs 0
{
    label "SRSS Rule"
    local_id_type dn
    local_id "C=US, L=Redwood Shores, ST=CA, O=Company, OU=Sun Ray, CN=server-fqdn"
    remote_id ""
    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0
    p1_xform { auth_method rsa_sig oakley_group 2 auth_alg md5 encr_alg 3des }
    p2_pfs 0
}
####
Configure the IPsec policy by adding the following line to the /etc/inet/ipsecinit.conf file:
{ laddr 10.213.21.168 raddr 10.25.198.65 } ipsec {encr_algs 3des encr_auth_algs sha1}
Create a sunray_ike.conf file for the Sun Ray Client with the following contents and save it to the /tftpboot directory.
remote anonymous {
    exchange_mode main;
    my_identifier asn1dn;
    ca_type x509 "cacert.pem";
    certificate_type x509 "mycert.pem" "mykey.pem";
    proposal {
        authentication_method rsasig;
        encryption_algorithm 3des;
        hash_algorithm md5;
        dh_group 2;
    }
    lifetime time 24 hour;
    proposal_check claim;
}
sainfo anonymous {
    pfs_group modp1024;
    authentication_algorithm hmac_sha1;
    encryption_algorithm 3des;
    lifetime time 8 hour;
}
Create a remote configuration file named ikeload with the following contents and save it to the /tftpboot directory.
/certs/cacert.pem=cacert.pem
/keys/mykey.pem=mykey.pem
/certs/mycert.pem=mycert.pem
/ike/default.conf=sunray_ike.conf
Enable IPsec on the server.
# svcadm restart svc:/network/ipsec/ipsecalgs:default
# svcadm restart svc:/network/ipsec/policy:default
# /usr/lib/inet/in.iked
You can use the svcs | grep ipsec command to verify that IPsec is enabled. You can use the -d option of the in.iked command to keep it in the foreground and produce debugging output.
Once you configure IPsec on the Sun Ray server, including adding the appropriate Sun Ray IKE configuration file and certificates to the /tftpboot directory, only a few steps remain to configure IPsec on the Sun Ray Client using the Configuration GUI. The following steps continue the previous Sun Ray server configuration examples.
Open the Configuration GUI on the Sun Ray Client. See Section 14.5.2, “Configuration GUI Menu Descriptions” for details.
Load the configuration files on the Sun Ray Client from the server's /tftpboot directory:
If you have only a Sun Ray IKE configuration file to load, choose Server/IPsec > Download Configuration and specify the server and the IKE configuration file. For the pre-shared key examples in this section, you would enter 10.213.21.168/sunray_ike.conf to populate the /ike/default.conf file in the Sun Ray Client's firmware.
If you are using a remote configuration file to load a number of files, choose Advanced > Download Configuration and enter the server and the remote configuration file. For the certificate examples in this section, you would enter 10.213.21.168/ikeload to populate the IKE configuration file and the certificate files in the Sun Ray Client's firmware.
Choose Server/IPsec.
For the pre-shared key examples in this section, choose Manage Preshared Keys to create the pre-shared key:
10.25.198.65 0x12345678
You can also use the remote configuration file to load a pre-shared key.
Choose IPsec Enable and enable IPsec.
Exit the Configuration GUI.
After configuring IPsec on the Sun Ray server and Sun Ray Client, you can verify whether IPsec is working by rebooting the Sun Ray Client with the OSD icons enabled. If the IPsec OSD network status icon is displayed with the up arrow, IPsec should be working.
To verify whether the traffic between the server and the Sun Ray Client is being encrypted, use a network monitoring tool (for example, snoop or tcpdump) and confirm that the packets seen are using the ESP protocol.
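The following added example (not Oracle's code) applies that check to captured text: it classifies each line of tcpdump -n output between the two example addresses as ESP, IKE negotiation (ISAKMP on UDP port 500, which is expected in the clear), or unprotected cleartext, which is the traffic to investigate when the policy requires ESP. The capture lines are constructed for the example, not taken from a real session.

```python
import re

SERVER, CLIENT = "10.213.21.168", "10.25.198.65"

# Constructed sample in the shape of 'tcpdump -n' output (not a real capture).
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 10.25.198.65.500 > 10.213.21.168.500: isakmp: phase 1 I ident
10:01:02.000347 IP 10.213.21.168.500 > 10.25.198.65.500: isakmp: phase 1 R ident
10:01:03.100200 IP 10.25.198.65 > 10.213.21.168: ESP(spi=0x0c5d7a21,seq=0x1), length 132
10:01:03.100900 IP 10.213.21.168 > 10.25.198.65: ESP(spi=0x0e22b4f0,seq=0x1), length 1404
10:01:03.200000 IP 10.213.21.168.5111 > 10.25.198.65.40012: UDP, length 36
10:01:04.000000 IP 10.213.21.168 > 10.25.198.65: ICMP echo request, id 1, seq 1, length 64
10:01:05.000000 IP 10.213.21.1.53 > 10.213.21.168.33002: 1234 1/0/0 A 10.0.0.5 (44)
"""
# Timestamp, then 'IP src[.port] > dst[.port]: protocol details'.
LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$")

def classify(line):
    """Return 'esp', 'ike' or 'cleartext' for a packet between server and client,
    or None for lines that are not between those two hosts."""
    m = LINE.match(line)
    if not m or {m.group(1), m.group(2)} != {SERVER, CLIENT}:
        return None
    details = m.group(3)
    if details.startswith("ESP("):
        return "esp"          # protected payload: what a working SA produces
    if details.startswith("isakmp:"):
        return "ike"          # IKE negotiation on UDP/500 is expected in the clear
    return "cleartext"        # anything else escaped the 'require' policy

def summarize(capture):
    """Count packets per class and collect the cleartext lines for inspection."""
    counts = {"esp": 0, "ike": 0, "cleartext": 0}
    leaks = []
    for line in capture.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "cleartext":
            leaks.append(line)
    return counts, leaks
```

On a live system, feed the output of tcpdump -n run on the server's interface into summarize; a non-empty leaks list means some server-client traffic is bypassing the IPsec policy.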