Protecting Network Traffic With IPsec

Language:

The procedures in this section enable you to secure traffic between two systems and to secure a web server. To protect a VPN, see Protecting a VPN With IPsec. For additional procedures to manage IPsec and to use SMF commands with IPsec and IKE, see Additional IPsec Tasks.

The following information applies to all IPsec configuration tasks:

IPsec and zones – Each system is either a global zone or an exclusive-IP zone. For more information, see IPsec and Oracle Solaris Zones.
IPsec and FIPS 140-2 mode – As the IPsec administrator, you are responsible for choosing algorithms that are FIPS 140-2 approved for Oracle Solaris. The procedures and examples in this chapter use FIPS 140-2 approved algorithms except when the algorithm "any" is specified.
IPsec and RBAC – To use roles to administer IPsec, see Chapter 3, Assigning Rights in Oracle Solaris in Securing Users and Processes in Oracle Solaris 11.4. For an example, see How to Configure a Role for Network Security.
IPsec and SCTP – You can use IPsec to protect Streams Control Transmission Protocol (SCTP) associations, but caution must be used. For more information, see IPsec and SCTP.
IPsec and Trusted Extensions labels – On systems that are configured with the Trusted Extensions feature of Oracle Solaris, labels can be added to IPsec packets. For more information, see Administration of Labeled IPsec in Trusted Extensions Configuration and Administration.
IPv4 and IPv6 addresses – The IPsec examples in this guide use IPv4 addresses. Oracle Solaris supports IPv6 addresses as well. To configure IPsec for an IPv6 network, substitute IPv6 addresses in the examples. When protecting tunnels with IPsec, you can mix IPv4 and IPv6 addresses for the inner and outer addresses. This type of a configuration enables you to tunnel IPv6 over an IPv4 network, for example.

The following task map lists procedures that set up IPsec between one or more systems. The ipsecconf(8), ipseckey(8), and ipadm(8) man pages also describe useful procedures in their respective Examples sections.

Table 7 Protecting Network Traffic With IPsec Task Map

Task	Description	For Instructions
Secure traffic between two systems.	Protects packets from one system to another system.	How to Secure Network Traffic Between Two Servers With IPsec
Configure IPsec remotely.	Uses the `ssh` command to reach remote systems and configure them with IPsec.	Example 19, Configuring IPsec Policy Remotely by Using an ssh Connection
Configure IPsec for a system that is running in FIPS 140-2 mode.	Selects only FIPS 140-2 algorithms for IPsec.	Example 20, Configuring IPsec Policy With FIPS 140-2 Approved Algorithms
Specify the IKE protocol version to use for an IPsec rule.	Helps in transitioning to an all-IKEv2 network.	Example 21, Configuring IPsec Policy to Use the IKEv2 Protocol Only
Use the `–or pass` action in an IPsec rule.	Helps when transitioning to a network where all systems are protected by IPsec.	Example 22, Transitioning Client Systems to Use IPsec by Using the or pass Action on the Server
Secure a web server by using IPsec policy.	Requires non-web traffic to use IPsec. Web clients are identified by particular ports that bypass IPsec checks.	How to Use IPsec to Protect Web Server Communication With Other Servers
Use IKE to automatically create keying material for IPsec SAs.	Recommended method of creating IPsec SAs.	Configuring IKEv2 and Configuring IKEv1
Set up a secure virtual private network (VPN).	Sets up IPsec between two systems across the Internet.	Protecting a VPN With IPsec
Set up manual key management.	Provides the raw data for IPsec SAs without using IKE.	How to Manually Create IPsec Keys