Securing the Interconnect for Oracle Solaris Cluster with IPSec

Language:

You can optionally configure IPsec to protect traffic on the interconnect, which carries traffic both for internal cluster operations as well as user data for global filesystems.

The following requirements have to be met while configuring IPsec and IKE for Oracle Solaris Cluster interconnect:

Configure IKEv2 to automatically manage keys for IPsec on the interconnect.

Note - You can also configure IKEv1 and/or IKEv2 for traffic on the public network.
Use the cluster private network address and prefix the same in IKE and IPsec configuration files. The cluster command provides this information. For more information, see the cluster(1CL) man page.

The network/prefix identifier allows the same IKE rule and IPsec policy to be added identically to all cluster nodes irrespective of the local address assignment on the interconnect.
IKEv2 rules pertaining to the interconnect must be tagged with "cluster_interconnect" attribute and with value "yes". This ensures proper handling of cluster interconnect traffic during system shutdown.
IKEv2 and IPsec configuration files on all cluster nodes must contain the same IKEv2 rule and IPsec policy that pertain to the interconnect. When new nodes are added to the cluster, you must ensure that it contains the same IKEv2 rules and IPsec policies as the other nodes in the existing cluster.

Note - IKEv2 service should be enabled on the private network either in non-cluster mode or simultaneously on all the nodes of the cluster when in cluster mode. Enabling IPSec on a subset of nodes can lead to disconnects in the cluster private network paths and nodes could go down due to loss of quorum.

How to Protect Oracle Solaris Cluster Interconnect with IPSec

Determine the cluster private network and its' prefix.
```
# /usr/cluster/bin/cluster show-netprops 
 
=== Private Network === 

private_netaddr:                                172.16.0.0 
private_netmask:                                255.255.240.0
```
The netmask of 255.255.240.0 indicates a prefix length of 20 bits. Thus the private network prefix to be used for the following IKE and IPsec configuration files is 172.16.0.0/20.

Add IKEv2 rules for the interconnect. For more information, see ikev2.config(4) man page.

# pfedit /etc/inet/ike/ikev2.config 
 
    ikesa_xform { dh_group 21 auth_alg sha512 encr_alg aes } 
    ## Rules for cluster interconnect 
    { 
        label "cluster-foobar" 
        auth_method preshared 
        local_addr 172.16.0.0/20 
        remote_addr 172.16.0.0/20 
        cluster_interconnect yes 
    }

Note - You can configure IKEv2 to authenticate by using methods other than preshared keys. For more information, Consult <reference XXX> for more details.

Configure IKEv2 with preshared keys. For more information, see the ikev2.preshared(4) man page.
```
# pfedit /etc/inet/ike/ikev2.preshared 
 
    ## label must match the rule that uses this key 
    { 
        label "cluster-foobar" 
        key 0001020304050607 
    }
```
Note - The above sample key is an example. You must create an unique key for each cluster.

Add IPsec policies for interconnect. For more information, see ipsecconf(1M) man page.

# pfedit /etc/inet/ipsecinit.conf 
 
         { laddr 172.16.0.0/20 raddr 172.16.0.0/20 } ipsec 
             { encr_algs aes encr_auth_algs sha256 }