In tunnel mode, the inner IP packet determines the IPsec policy that protects its contents.
This procedure extends the procedure How to Secure Network Traffic Between Two Servers With IPsec. The setup is described in Description of the Network Topology for the IPsec Tasks to Protect a VPN.
For a fuller description of the reasons for running particular commands, see the corresponding steps in How to Secure Network Traffic Between Two Servers With IPsec.
In addition to connecting two systems, you are connecting two intranets that connect to these two systems. The systems in this procedure function as gateways.
Before You Begin
Each system is either a global zone or an exclusive-IP zone. For more information, see IPsec and Oracle Solaris Zones.
A user with specific rights can run these commands without being root.
To run configuration commands, you must become an administrator who is assigned the Network IPsec Management rights profile.
To edit IPsec-related system files and create keys, you use the pfedit command.
To edit the hosts file, you must be in the root role or have explicit permission to edit that file.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .
If you administer remotely, see Example 7–1 and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.2 for secure remote login instructions.
# routeadm -d ipv4-routing # ipadm set-prop -p forwarding=off ipv4 # routeadm -u
Disabling IP forwarding prevents packets from being forwarded from one network to another network through this system. For a description of the routeadm command, see the routeadm(1M) man page.
# ipadm set-prop -p hostmodel=strong ipv4
Enabling IP strict multihoming requires that packets for one of the system's destination addresses arrive at the correct destination address.
When the hostmodel parameter is set to strong, packets that arrive on a particular interface must be addressed to one of the local IP addresses of that interface. All other packets, even packets that are addressed to other local addresses of the system, are dropped.
Verify that the ssh service is running.
% svcs | grep network … online Aug_09 svc:/network/ssh:default
For additional examples, see Examples of Protecting a VPN With IPsec by Using Tunnel Mode.
In this policy, IPsec protection is not required between systems on the local LAN and the internal IP address of the gateway, so a bypass statement is added.
# LAN traffic to and from this host can bypass IPsec.
{laddr 10.16.16.6 dir both} bypass {}
# WAN traffic uses ESP with AES and SHA-2.
{tunnel tun0 negotiate tunnel}
ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
# LAN traffic to and from this host can bypass IPsec.
{laddr 10.1.3.3 dir both} bypass {}
# WAN traffic uses ESP with AES and SHA-2.
{tunnel tun0 negotiate tunnel}
ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
Configure IKE by following one of the configuration procedures in Configuring IKEv2. For the syntax of the IKE configuration file, see the ikev2.config (4) man page. If you are communicating with a system that only supports the IKEv1 protocol, refer to Configuring IKEv1 and the ike.config(4) man page.
# ipsecconf -c /etc/inet/ipsecinit.conf
Fix any errors, verify the syntax of the file, and continue.
# svcadm refresh ipsec/policy
IPsec policy is enabled by default, so you refresh it. If you have the disabled IPsec policy, enable it.
# svcadm enable ipsec/policy
The following commands configure the internal and external interfaces, create the tun0 tunnel, and assign IP addresses to the tunnel.
# ipadm create-ip net1 # ipadm create-addr -T static -a local=10.1.3.3 net1/inside # dladm create-iptun -T ipv4 -a local=192.168.13.213,remote=192.168.116.16 tun0 # ipadm create-ip tun0 # ipadm create-addr -T static \ -a local=10.1.3.3,remote=10.16.16.6 tun0/v4tunaddr
The first command creates the IP interface net1. The second command adds addresses to net1. The third command creates the IP interface tun0. The fourth command adds IP addresses that are encapsulated in the tunnel link. For more information, see the dladm(1M) and ipadm(1M) man pages.
# ipadm create-ip net1 # ipadm create-addr -T static -a local=10.16.16.6 net1/inside # dladm create-iptun -T ipv4 -a local=192.168.116.16,remote=192.168.13.213 tun0 # ipadm create-ip tun0 # ipadm create-addr -T static \ -a local=10.16.16.6,remote=10.1.3.3 tun0/v4tunaddr
For information about these commands, see the dladm(1M) and ipadm(1M) man pages, and How to Configure an IPv4 Interface in Configuring and Administering Network Components in Oracle Solaris 11.2 . For information about customized names, see Network Devices and Datalink Naming in Oracle Solaris in Configuring and Administering Network Components in Oracle Solaris 11.2 .
# ipadm set-ifprop -m ipv4 -p forwarding=on net1 # ipadm set-ifprop -m ipv4 -p forwarding=on tun0 # ipadm set-ifprop -m ipv4 -p forwarding=off net0
IP forwarding means that packets that arrive from somewhere else can be forwarded. IP forwarding also means that packets that leave this interface might have originated somewhere else. To successfully forward a packet, both the receiving interface and the transmitting interface must have IP forwarding enabled.
Because the net1 interface is inside the intranet, IP forwarding must be enabled for net1. Because tun0 connects the two systems through the Internet, IP forwarding must be enabled for tun0. The net0 interface has its IP forwarding disabled off to prevent an outside adversary on the Internet from injecting packets into the protected intranet.
# ipadm set-addrprop -p private=on net0
Even if net0 has IP forwarding disabled, a routing protocol implementation might still advertise the interface. For example, the in.routed protocol might still advertise that net0 is available to forward packets to its peers inside the intranet. By setting the interface's private flag, these advertisements are prevented.
# svcadm restart svc:/network/initial:default
The default route must be a router with direct access to the Internet.
# route -p add net default 192.168.13.5
# route -p add net default 192.168.116.4
Even though the net0 interface is not part of the intranet, net0 does need to reach across the Internet to its peer system. To find its peer, net0 needs information about Internet routing. The VPN system appears to be a host, rather than a router, to the rest of the Internet. Therefore, you can use a default router or run the router discovery protocol to find a peer system. For more information, see the route(1M) and in.routed(1M) man pages.