Trusted Extensions Configuration and Administration


Updated: July 2014

How to Configure a Tunnel Across an Untrusted Network

This procedure configures an IPsec tunnel across a public network between two Trusted Extensions VPN gateway systems. The example that is used in this procedure is based on the configuration that is illustrated in Description of the Network Topology for the IPsec Tasks to Protect a VPN in Securing the Network in Oracle Solaris 11.2.

Assume the following modifications to the illustration:

  • The 10.0.0.0/8 subnets are multilevel trusted networks. CALIPSO or CIPSO IP option security labels are visible on these LANs.

  • The 192.168.0.0/16 subnets are single-label untrusted networks that operate at the PUBLIC label. These networks do not support CALIPSO or CIPSO IP options.

  • Labeled traffic between euro-vpn and calif-vpn is protected against unauthorized changes.

Before You Begin

You are in the root role in the global zone.

  1. Follow the procedures in Labeling Hosts and Networks to define the following:
    1. Add 10.0.0.0/8 IP addresses to a labeled security template.

      Use a template with a cipso host type. Retain the default label range, ADMIN_LOW to ADMIN_HIGH.

    2. Add 192.168.0.0/16 IP addresses to an unlabeled security template at label PUBLIC.

      Use a template with an Unlabeled host type. Set the default label to be PUBLIC. Retain the default label range, ADMIN_LOW to ADMIN_HIGH.

    3. Add the Calif-vpn and Euro-vpn Internet-facing addresses, 192.168.13.213 and 192.168.116.16, to a cipso template.

      Retain the default label range.

  2. Create an IPsec tunnel.

    Follow the procedure in How to Protect the Connection Between Two LANs With IPsec in Tunnel Mode in Securing the Network in Oracle Solaris 11.2. Use IKE for key management, as described in the following step.

  3. Add labels to IKE negotiations.

    Follow the procedure in How to Configure IKEv2 With Preshared Keys in Securing the Network in Oracle Solaris 11.2, then modify the ike/config file as follows:

    1. Add the keywords label_aware, multi_label, and wire_label none PUBLIC to the euro-vpn system's /etc/inet/ike/config file.

      The resulting file appears similar to the following. The label_aware, multi_label, and wire_label lines are the label additions.

      ### ike/config file on euro-vpn, 192.168.116.16
      ## Global parameters
      #
      ## Use IKE to exchange security labels.
      label_aware
      #
      ## Defaults that individual rules can override.
      p1_xform
      { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
      p2_pfs 2
      #
      ## The rule to communicate with calif-vpn
      # Label must be unique
      { label "eurovpn-califvpn"
      local_addr 192.168.116.16
      remote_addr 192.168.13.213
      multi_label
      wire_label none PUBLIC
      p1_xform
      { auth_method preshared oakley_group 5 auth_alg sha1 encr_alg aes }
      p2_pfs 5
      }

    2. Add the same keywords to the ike/config file on the calif-vpn system.
      ### ike/config file on calif-vpn, 192.168.13.213
      ## Global parameters
      #
      ## Use IKE to exchange security labels.
      label_aware
      #
      ## Defaults that individual rules can override.
      p1_xform
      { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
      p2_pfs 2
      #
      ## The rule to communicate with euro-vpn
      # Label must be unique
      { label "califvpn-eurovpn"
      local_addr 192.168.13.213
      remote_addr 192.168.116.16
      multi_label
      wire_label none PUBLIC
      p1_xform
      { auth_method preshared oakley_group 5 auth_alg sha1 encr_alg aes }
      p2_pfs 5
      }

    Note - You can also add labels to systems that are protected by certificates. Modify the ike/config files similarly when completing the procedures in Configuring IKEv2 With Public Key Certificates in Securing the Network in Oracle Solaris 11.2.
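The two ike/config files above must agree with each other, and each must carry label_aware globally and multi_label plus wire_label none PUBLIC in every rule, or labeled traffic will not be negotiated the way step 3 intends. The following Python script is an added example, not Oracle's code and not part of the procedure: it parses the subset of ike/config syntax used on this page (global keywords, p1_xform blocks, and brace-delimited rules) and reports missing label keywords, duplicate rule labels, and mismatches between the euro-vpn and calif-vpn rules. EURO_CONFIG and CALIF_CONFIG reproduce the two files from the procedure; BAD_CONFIG is a constructed variant with multi_label removed to show a failing check. Keywords outside that subset (for example lifetime settings) are assumed absent and are rejected rather than skipped.

```python
import re

# EURO_CONFIG and CALIF_CONFIG are the two files from the procedure (comments trimmed).
EURO_CONFIG = """
### ike/config file on euro-vpn, 192.168.116.16
label_aware
p1_xform
{ auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2
# Label must be unique
{ label "eurovpn-califvpn"
local_addr 192.168.116.16
remote_addr 192.168.13.213
multi_label
wire_label none PUBLIC
p1_xform
{ auth_method preshared oakley_group 5 auth_alg sha1 encr_alg aes }
p2_pfs 5
}
"""
CALIF_CONFIG = """
### ike/config file on calif-vpn, 192.168.13.213
label_aware
p1_xform
{ auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2
{ label "califvpn-eurovpn"
local_addr 192.168.13.213
remote_addr 192.168.116.16
multi_label
wire_label none PUBLIC
p1_xform
{ auth_method preshared oakley_group 5 auth_alg sha1 encr_alg aes }
p2_pfs 5
}
"""
# Constructed bad file: the administrator forgot multi_label in the rule.
BAD_CONFIG = EURO_CONFIG.replace("multi_label\n", "")

FLAG_KEYWORDS = {"label_aware", "multi_label"}
VALUE_KEYWORDS = {"label", "local_addr", "remote_addr", "p2_pfs",
                  "auth_method", "oakley_group", "auth_alg", "encr_alg"}


def tokenize(text):
    """Drop '#' comments, then split into quoted strings, braces and bare words."""
    return re.findall(r'"[^"]*"|[{}]|[^\s{}"]+', re.sub(r"#.*", "", text))


def parse_ike_config(text):
    """Return {"label_aware": True, "p1_xform": {...}, "rules": [{...}, ...]}."""
    tokens, pos = tokenize(text), 0

    def parse_block(inside_braces):
        nonlocal pos
        block = {}
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                if not inside_braces:
                    raise ValueError("unexpected '}'")
                return block
            if tok == "{":                     # a bare top-level block is a rule
                if inside_braces:
                    raise ValueError("nested rule block")
                block.setdefault("rules", []).append(parse_block(True))
            elif tok == "p1_xform":            # p1_xform { ... } at global or rule level
                if tokens[pos] != "{":
                    raise ValueError("p1_xform must be followed by '{'")
                pos += 1
                block[tok] = parse_block(True)
            elif tok in FLAG_KEYWORDS:
                block[tok] = True
            elif tok == "wire_label":          # wire_label inner | wire_label none <label>
                mode = tokens[pos]
                pos += 1
                if mode == "none":
                    block[tok] = ("none", tokens[pos])
                    pos += 1
                elif mode == "inner":
                    block[tok] = ("inner",)
                else:
                    raise ValueError(f"bad wire_label mode {mode!r}")
            elif tok in VALUE_KEYWORDS:
                block[tok] = tokens[pos].strip('"')
                pos += 1
            else:
                raise ValueError(f"unknown keyword {tok!r}")
        if inside_braces:
            raise ValueError("unterminated block")
        return block

    return parse_block(False)


def check_label_config(cfg, wire_label="PUBLIC"):
    """Problems in one file: label_aware, multi_label, wire_label none <label>, unique labels."""
    problems, seen = [], set()
    if not cfg.get("label_aware"):
        problems.append("global: missing label_aware")
    for rule in cfg.get("rules", []):
        name = rule.get("label", "<unnamed>")
        if name in seen:
            problems.append(f"{name}: duplicate rule label")
        seen.add(name)
        if not rule.get("multi_label"):
            problems.append(f"{name}: missing multi_label")
        if rule.get("wire_label") != ("none", wire_label):
            problems.append(f"{name}: wire_label should be 'none {wire_label}'")
    return problems


def check_peer_rules(cfg_a, cfg_b):
    """Each rule in A needs a mirror in B (addresses swapped) with matching transform settings."""
    problems = []
    for rule in cfg_a.get("rules", []):
        name = rule.get("label", "<unnamed>")
        mirrors = [r for r in cfg_b.get("rules", [])
                   if r.get("local_addr") == rule.get("remote_addr")
                   and r.get("remote_addr") == rule.get("local_addr")]
        if not mirrors:
            problems.append(f"{name}: no mirror rule on peer")
            continue
        for key in ("p1_xform", "p2_pfs", "wire_label"):
            if mirrors[0].get(key) != rule.get(key):
                problems.append(f"{name}: {key} differs from peer")
    return problems


if __name__ == "__main__":
    euro, calif = parse_ike_config(EURO_CONFIG), parse_ike_config(CALIF_CONFIG)
    print("euro-vpn:", check_label_config(euro) or "ok")
    print("calif-vpn:", check_label_config(calif) or "ok")
    print("peer agreement:", check_peer_rules(euro, calif) or "ok")
    print("constructed bad file:", check_label_config(parse_ike_config(BAD_CONFIG)))
```

Run it against copies of the real files before restarting IKE on either gateway; an empty problem list from both check functions means the label keywords are present on both sides and the rule pair agrees on addresses, phase-1 transform, PFS group and wire label. The parser is deliberately strict, so a file that uses keywords outside the page's subset needs VALUE_KEYWORDS extended first.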