Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

How to Manually Create IPsec Keys

The following procedure provides the IPsec keys for when you are not using only IKE for key management.

IPsec SAs that are added by using the ipseckey command are not persistent over system reboot. For persistent IPsec SAs, add entries to the /etc/inet/secret/ipseckeys file.


Caution

Caution  - If you must use manual keying, take great care to ensure that the keys that you generate are secure. These are the actual keys used to secure the data.


Before You Begin

You must be in the global zone to manually manage keying material in a shared-IP zone. For an exclusive-IP zone, you configure the keying material in that exclusive-IP zone.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Generate the keys for the IPsec SAs.

    The keys must support a specific policy in the ipsecinit.conf file. For example, you might use the policy from How to Secure Network Traffic Between Two Servers With IPsec:

    {laddr host1 raddr host2} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}

    This policy uses the AES and SHA-2 algorithms.

    1. Determine the keys that you require.

        You need to generate keys for aes, sha512, and the security parameter index (SPI) for the SA:

      • Two hexadecimal random numbers as the value for the SPI. One number is for outbound traffic. One number is for inbound traffic. Each number can be up to eight characters long.

      • Two hexadecimal random numbers for the SHA-2 authentication algorithm. Each number must be 512 characters long. One number is for dst host1. One number is for dst host2.

      • Two hexadecimal random numbers for the AES encryption algorithm. Each number must be 128 characters long. One number is for dst host1. One number is for dst host2.


      Note - The ipsecalgs -l command displays the key sizes of the algorithms. Follow this procedure when using manual keys, that is, use the SHA512 and AES algorithms. Do not use weak algorithms, the combined mode algorithms, or the GMAC algorithms for manual keys.
    2. Generate the required keys.
  2. Add the keys to the manual keys file for IPsec.
    1. Edit the /etc/inet/secret/ipseckeys file on the host1 system to appear similar to the following:
      ## ipseckeys - This file takes the file format documented in 
      ##  ipseckey(8).
      #   Note that naming services might not be available when this file
      #   loads, just like ipsecinit.conf.
      #
      #   Backslashes indicate command continuation.
      #
      # for outbound packets on host1
      add esp spi 0x8bcd1407 \
         src 198.51.100.6 dst 198.51.100.33  \
         encr_alg aes \
         auth_alg sha512  \
         encrkey  abcdefabcdefabcdefabcdefabcdefab... \
         authkey  12345678128456789123456789123456...
      #
      # for inbound packets
      add esp spi 0xnnnnnnnn \
         src 198.51.100.33 dst 198.51.100.6 \
         encr_alg aes \
         auth_alg sha512  \
         encrkey fedcbafedcbafedcbafedcbafedcbafe... \
         authkey 98765432123456789876543212345678...
    2. Protect the file with read-only permissions.
      # chmod 400 /etc/inet/secret/ipseckeys

      If you used the pfedit -s command to create the ipseckeys file, then the permissions are correctly set. For more information, see the pfedit(1M) man page.

    3. Verify the syntax of the file.
      # ipseckey -c /etc/inet/secret/ipseckeys

    Note - The keys on the two systems must be identical.
  3. Activate the keys for IPsec.
    • If the manual-key service is not enabled, enable it.
      % svcs manual-key
      STATE          STIME    FMRI
      disabled       Apr_10   svc:/network/ipsec/manual-key:default
      # svcadm enable ipsec/manual-key
    • If the manual-key service is enabled, refresh it.
      # svcadm refresh ipsec/manual-key

Next Steps

If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.