The following procedure supplies IPsec keys manually, for use when IKE is not managing the keys for all of your IPsec SAs.
IPsec SAs that are added by using the ipseckey command do not persist across a system reboot. For persistent IPsec SAs, add the entries to the /etc/inet/secret/ipseckeys file instead.
Caution - If you must use manual keying, take great care to ensure that the keys that you generate are random and kept secret. These are the actual keys that protect the data: anyone who obtains them can decrypt or forge the traffic, and they do not change until you replace them.
Before You Begin
You must be in the global zone to manually manage keying material in a shared-IP zone. For an exclusive-IP zone, you configure the keying material in that exclusive-IP zone.
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
The keys must support a specific policy in the ipsecinit.conf file. For example, you might use the policy from How to Secure Network Traffic Between Two Servers With IPsec:
{laddr host1 raddr host2} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
This policy uses the AES and SHA-2 algorithms.
You need to generate keys for aes and sha512, and a security parameter index (SPI) for each SA:
Two hexadecimal random numbers as SPI values, one for the outbound SA and one for the inbound SA. An SPI is a 32-bit value, so each number is up to eight hexadecimal characters long. Values 0 through 255 are reserved by RFC 4303 and should not be used.
Two hexadecimal random numbers as keys for the SHA-2 (sha512) authentication algorithm. Each key is 512 bits long, that is, 128 hexadecimal characters. One key is for dst host1, the other for dst host2.
Two hexadecimal random numbers as keys for the AES encryption algorithm. The policy names aes without a key length, so this procedure uses 128-bit keys, each 32 hexadecimal characters long. One key is for dst host1, the other for dst host2.
If you have a random number generator at your site, use the generator.
Use the pktool command, as shown in How to Generate a Symmetric Key by Using the pktool Command in Managing Encryption and Certificates in Oracle Solaris 11.3 and the IPsec example in that section.
Create the /etc/inet/secret/ipseckeys file with one add entry per direction. In the following example the keys are truncated and the inbound SPI is shown as a placeholder:
## ipseckeys - This file takes the file format documented in
## ipseckey(8).
# Note that naming services might not be available when this file
# loads, just like ipsecinit.conf.
#
# Backslashes indicate command continuation.
#
# for outbound packets on host1
add esp spi 0x8bcd1407 \
   src 198.51.100.6 dst 198.51.100.33 \
   encr_alg aes \
   auth_alg sha512 \
   encrkey abcdefabcdefabcdefabcdefabcdefab... \
   authkey 12345678128456789123456789123456...
#
# for inbound packets
add esp spi 0xnnnnnnnn \
   src 198.51.100.33 dst 198.51.100.6 \
   encr_alg aes \
   auth_alg sha512 \
   encrkey fedcbafedcbafedcbafedcbafedcbafe... \
   authkey 98765432123456789876543212345678...
Protect the file so that only root can read it:
# chmod 400 /etc/inet/secret/ipseckeys
If you used the pfedit -s command to create the ipseckeys file, then the permissions are correctly set. For more information, see the pfedit(1M) man page.
Verify the syntax of the file before the keys are loaded:
# ipseckey -c /etc/inet/secret/ipseckeys
Activate the keys. First check the state of the manual-key service:
% svcs manual-key
STATE          STIME    FMRI
disabled       Apr_10   svc:/network/ipsec/manual-key:default
If the service is disabled, enable it; the service loads the SAs from /etc/inet/secret/ipseckeys:
# svcadm enable ipsec/manual-key
If the service is already enabled, refresh it so that it reloads the keys file:
# svcadm refresh ipsec/manual-key
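As an added example that is not part of the Oracle procedure, the following POSIX shell script carries out the key-generation and file-creation steps above for the {encr_algs aes encr_auth_algs sha512 sa shared} policy. It assumes /dev/urandom read through od as the random source, standing in for pktool or a site random number generator; the addresses are the page's example addresses, the SPIs are random, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle procedure: generate manual IPsec keying
# material (two SPIs, two AES-128 keys, two HMAC-SHA-512 keys) and write a
# two-SA ipseckeys file with owner-only permissions.
# Assumption: /dev/urandom read through od is the random source, standing in
# for pktool or a site RNG. Function names are this example's own.

# hexrand BITS: print BITS of randomness as BITS/4 lowercase hex characters.
hexrand() {
    od -An -v -tx1 -N "$(($1 / 8))" /dev/urandom | tr -d ' \n'
}

# check_key HEX BITS: succeed only if HEX is exactly BITS bits of hex digits,
# the length check to apply before loading a hand-written keys file.
check_key() {
    key=$1
    [ "${#key}" -eq "$(($2 / 4))" ] || return 1
    case "$key" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# spirand: print a random 32-bit SPI as 0x plus 8 hex digits, retrying if it
# falls in 0x0-0xff, the range RFC 4303 reserves.
spirand() {
    while :; do
        spi=$(hexrand 32)
        case "$spi" in
            000000*) continue ;;
            *) printf '0x%s\n' "$spi"; return 0 ;;
        esac
    done
}

# write_ipseckeys LOCAL REMOTE OUTFILE: emit one ESP SA per direction.
# aes without a key length means 128-bit keys (32 hex characters);
# sha512 takes a 512-bit key (128 hex characters).
write_ipseckeys() {
    local_ip=$1 remote_ip=$2 out=$3
    spi_out=$(spirand) spi_in=$(spirand)
    enc_out=$(hexrand 128) enc_in=$(hexrand 128)
    auth_out=$(hexrand 512) auth_in=$(hexrand 512)
    for k in "$enc_out" "$enc_in"; do check_key "$k" 128 || return 1; done
    for k in "$auth_out" "$auth_in"; do check_key "$k" 512 || return 1; done
    # Create the file unreadable by others from the first byte; the umask
    # change is confined to the subshell.
    (
        umask 077
        {
            printf '# manual keys %s <-> %s, aes-128 / hmac-sha512\n' "$local_ip" "$remote_ip"
            printf '# outbound\n'
            printf 'add esp spi %s src %s dst %s \\\n' "$spi_out" "$local_ip" "$remote_ip"
            printf '    encr_alg aes auth_alg sha512 \\\n'
            printf '    encrkey %s \\\n    authkey %s\n' "$enc_out" "$auth_out"
            printf '# inbound\n'
            printf 'add esp spi %s src %s dst %s \\\n' "$spi_in" "$remote_ip" "$local_ip"
            printf '    encr_alg aes auth_alg sha512 \\\n'
            printf '    encrkey %s \\\n    authkey %s\n' "$enc_in" "$auth_in"
        } > "$out"
    ) || return 1
    chmod 400 "$out"
}

# Usage on host1 with the page's example addresses, followed by the syntax
# check and service activation steps from the procedure:
#   write_ipseckeys 198.51.100.6 198.51.100.33 /etc/inet/secret/ipseckeys
#   ipseckey -c /etc/inet/secret/ipseckeys
#   svcadm enable ipsec/manual-key   (or svcadm refresh if already enabled)
```

The same file, with the directions of src and dst swapped, must be installed on host2, and the inbound SA on one host uses the same SPI and keys as the outbound SA on the other. Run check_key over any key you paste by hand; a key of the wrong length is the most common reason ipseckey -c rejects a manual file.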
Next Steps
If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.