
Securing the Network in Oracle® Solaris 11.3

Updated: April 2019

Protecting Network Traffic With IPsec

The procedures in this section enable you to secure traffic between two systems and to secure a web server. To protect a VPN, see Protecting a VPN With IPsec. For additional procedures to manage IPsec and to use SMF commands with IPsec and IKE, see Additional IPsec Tasks.

The following information applies to all IPsec configuration tasks:

  • IPsec and zones – Each system is either a global zone or an exclusive-IP zone. For more information, see IPsec and Oracle Solaris Zones.

  • IPsec and FIPS 140-2 mode – As the IPsec administrator, you are responsible for choosing algorithms that are FIPS 140-2 approved for Oracle Solaris. The procedures and examples in this chapter use FIPS 140-2 approved algorithms except when the algorithm "any" is specified.

  • IPsec and RBAC – To use roles to administer IPsec, see Chapter 3, Assigning Rights in Oracle Solaris in Securing Users and Processes in Oracle Solaris 11.3. For an example, see How to Configure a Role for Network Security.

  • IPsec and SCTP – You can use IPsec to protect Stream Control Transmission Protocol (SCTP) associations, but with caution. For more information, see IPsec and SCTP.

  • IPsec and Trusted Extensions labels – On systems that are configured with the Trusted Extensions feature of Oracle Solaris, labels can be added to IPsec packets. For more information, see Administration of Labeled IPsec in Trusted Extensions Configuration and Administration.

  • IPv4 and IPv6 addresses – The IPsec examples in this guide use IPv4 addresses. Oracle Solaris supports IPv6 addresses as well. To configure IPsec for an IPv6 network, substitute IPv6 addresses in the examples. When protecting tunnels with IPsec, you can mix IPv4 and IPv6 addresses for the inner and outer addresses. This type of a configuration enables you to tunnel IPv6 over an IPv4 network, for example.

The following task map lists procedures that set up IPsec between two or more systems. The ipsecconf(1M), ipseckey(1M), and ipadm(1M) man pages also describe useful procedures in their respective Examples sections.

Table 11  Protecting Network Traffic With IPsec Task Map

  • Secure traffic between two systems – Protects packets from one system to another system.

  • Configure IPsec remotely – Uses the ssh command to reach remote systems and configure them with IPsec.

  • Configure IPsec for a system that is running in FIPS 140-2 mode – Selects only FIPS 140-2 approved algorithms for IPsec.

  • Specify the IKE protocol version to use for an IPsec rule – Helps in transitioning to an all-IKEv2 network.

  • Use the or pass action in an IPsec rule – Helps when transitioning to a network where all systems are protected by IPsec.

  • Secure a web server by using IPsec policy – Requires non-web traffic to use IPsec. Web clients are identified by particular ports that bypass IPsec checks.

  • Use IKE to automatically create keying material for IPsec SAs – Recommended method of creating IPsec SAs.

  • Set up a secure virtual private network (VPN) – Sets up IPsec between two systems across the Internet.

  • Set up manual key management – Provides the raw data for IPsec SAs without using IKE.
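The following script is an added example and is not part of this guide or of the Oracle Solaris distribution. It shows what three of the task-map items look like together in one /etc/inet/ipsecinit.conf: bypass rules for the web ports, an or pass rule for a peer that is still being migrated, and a catch-all ESP rule that uses only FIPS 140-2 approved algorithms. The rule syntax follows ipsecconf(1M); the addresses 192.0.2.10 (the web server) and 192.0.2.20 (the peer) are assumed placeholders from the documentation address range. The check_policy function is a portable brace-and-action sanity check so the example runs on any POSIX shell; it does not replace ipsecconf -c, which apply_policy runs only when the command exists.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: generate a web-server
# ipsecinit.conf that uses "bypass" for the web ports, "or pass" for a peer
# still being migrated, and a catch-all ESP rule for everything else.
# Assumed placeholder addresses (RFC 5737 documentation range):
#   web server 192.0.2.10, peer under migration 192.0.2.20.

make_web_policy() {
    # $1 = output file, $2 = this web server's address, $3 = migrating peer
    out=$1 web=$2 peer=$3
    cat > "$out" <<EOF
# ipsecinit.conf for web server ${web} (generated example)
#
# ipsecconf uses the first rule that matches a packet, so the bypass rules
# for web clients must come before the catch-all rule at the end.
{laddr ${web} lport 80 ulp tcp dir both} bypass {}
{laddr ${web} lport 443 ulp tcp dir both} bypass {}
#
# Peer ${peer} is being migrated to IPsec: protect traffic with ESP when the
# peer can, but "or pass" lets its cleartext through during the transition.
{laddr ${web} raddr ${peer} dir both} ipsec {encr_algs aes encr_auth_algs sha256 sa shared} or pass
#
# All other traffic to or from this host must use ESP with AES and SHA-256
# (both FIPS 140-2 approved; the algorithm "any" is deliberately not used).
{laddr ${web} dir both} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}
EOF
}

check_policy() {
    # Portable sanity check, runnable where ipsecconf is absent: every rule
    # line must have balanced braces and one of the ipsecconf actions.
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
            if (opens != closes) { print "unbalanced braces: " $0 > "/dev/stderr"; bad = 1 }
            if ($0 !~ / (bypass|ipsec|drop|pass) /) { print "no action: " $0 > "/dev/stderr"; bad = 1 }
        }
        END { exit bad }' "$1"
}

count_rules() {
    # Number of rule lines (non-comment lines start with a pattern block).
    grep -c '^{' "$1"
}

apply_policy() {
    # On the Solaris host only: check the syntax with ipsecconf -c, install
    # the file, and have SMF reload the policy. Fails where ipsecconf is absent.
    if command -v ipsecconf >/dev/null 2>&1; then
        ipsecconf -c "$1" &&
        cp "$1" /etc/inet/ipsecinit.conf &&
        svcadm refresh svc:/network/ipsec/policy:default
    else
        echo "ipsecconf not found; $1 written but not installed" >&2
        return 1
    fi
}

policy=${TMPDIR:-/tmp}/ipsecinit.conf.example
make_web_policy "$policy" 192.0.2.10 192.0.2.20
check_policy "$policy" && echo "$(count_rules "$policy") rules written to $policy"
```

Run it on any system to inspect the generated file; call apply_policy "$policy" on the Solaris host itself, with the rights needed to modify IPsec policy, to have ipsecconf validate the file before it is installed. If a peer that is being migrated should also be reachable only after it is fully protected, delete the or pass clause from its rule once the migration is complete.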