
Oracle MiniCluster S7-2 Security Guide


Updated: October 2021
 
 

Configure IPsec and IKE

Before you can configure IPsec, you must decide which host names or IP addresses identify the communicating peers; the policy rule, the IKE rule and the preshared-key entry below are all keyed on those addresses.

In this procedure, the IP addresses 10.1.1.1 and 10.1.1.2 designate two Solaris non-global zones operated by a single tenant. Communication between these two addresses is protected using IPsec. The example is written from the perspective of the non-global zone at 10.1.1.1; the peer at 10.1.1.2 needs the mirror-image configuration (local and remote addresses swapped) and the same preshared key.

Use the following procedure to configure and use IPsec and IKE between a pair of designated non-global zones (VMs).

  1. Define the IPsec security policy.

    Define the security policy that will be enforced between the pair of communicating zones. A rule written with laddr (local address) and raddr (remote address) applies to both inbound and outbound traffic, so one rule covers the whole conversation.

    In this example, all network communications between 10.1.1.1 and 10.1.1.2 will be encrypted with AES and integrity-protected with SHA-256:

    {laddr 10.1.1.1 raddr 10.1.1.2} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}
  2. Store the policy in the /etc/inet/ipsecinit.conf file.

    The policy service reads this file when it is enabled or refreshed, so the rule persists across reboots.
  3. Verify that the IPsec policy is syntactically correct.

    The -c option parses the file without loading it, so a typo is caught before any policy is applied. For example:

    # ipsecconf -c /etc/inet/ipsecinit.conf
  4. Configure the Internet Key Exchange (IKE) service.

    Create the /etc/inet/ike/config file with the host and algorithm settings for this peer. local_addr and remote_addr identify the two ends of the protected path, and the p1_xform block fixes the phase 1 (IKE SA) authentication method, Diffie-Hellman group and algorithms:

    { label "ipsec"
      local_id_type ip
      local_addr 10.1.1.1
      remote_addr 10.1.1.2
      p1_xform { auth_method preshared oakley_group 5
                 auth_alg sha256 encr_alg aes } }

    oakley_group 5 is the 1536-bit MODP group; where both peers support it, a larger group such as oakley_group 14 (2048-bit MODP) gives a stronger key exchange. The peer's file uses the same settings with local_addr and remote_addr swapped.
  5. Configure the preshared key.

    Before IPsec can be enabled, both peers must hold the same key material so that they can authenticate to one another.

    The Oracle Solaris IKE implementation supports several authentication types, including preshared keys and certificates. For simplicity, this example uses a preshared key stored in the /etc/inet/secret/ike.preshared file. Organizations can use stronger forms of authentication, and a preshared key should be long and random rather than a guessable phrase.

    Edit the /etc/inet/secret/ike.preshared file, and enter the preshared key information. Use the same key on both peers, with localid and remoteid swapped on 10.1.1.2. For example:

    {
        localidtype IP
        localid 10.1.1.1
        remoteidtype IP
        remoteid 10.1.1.2
        key "This is an ASCII phrAz, use strOng p@sswords"
    }

    The file holds the secret in clear text, so it must be owned by root and readable only by root (mode 0600).
  6. Enable IPsec and IKE services on both peers.

    You must enable the services on both communicating peers before encrypted communication is possible. The policy service loads /etc/inet/ipsecinit.conf, and the ike service starts in.iked, which negotiates the keys.

    For example:

    # svcadm enable svc:/network/ipsec/policy:default
    # svcadm enable svc:/network/ipsec/ike:default

    After both sides are up, ipsecconf -l lists the loaded policy, and ikeadm dump p1 shows the phase 1 SAs once traffic has triggered a negotiation. If the policy file is edited later, refresh the policy service (svcadm refresh svc:/network/ipsec/policy:default) so the change is loaded.
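The procedure above is written from one peer's point of view, and the usual failure in practice is the two peers' files drifting apart (mismatched addresses or keys). The following is an added example, not code from the Oracle guide: a POSIX sh script that writes all three files for both 10.1.1.1 and 10.1.1.2 in one run, with local and remote addresses mirrored, one random hexadecimal preshared key shared by both sides, and the secret file created mode 0600. The staging directory, the label format, the use of oakley_group 14 and the inclusion of local_addr are this example's own choices; ipsecconf is only invoked when it is present, so the checks also run on a non-Solaris administration host.

```shell
#!/bin/sh
# Added example, not part of the Oracle MiniCluster guide. Writes the three
# IPsec/IKE files for BOTH peers of the guide's pair so that local/remote
# addresses and the preshared key cannot drift apart. Output goes to a
# staging tree (STAGE, an assumption; default ./ipsec-staging); copy each
# peer's subtree to /etc/inet/ on that zone.
set -eu

PEER_A=${PEER_A:-10.1.1.1}
PEER_B=${PEER_B:-10.1.1.2}
STAGE=${STAGE:-./ipsec-staging}

# 32 random bytes rendered as 64 hex digits; ike.preshared accepts hex keys.
gen_key() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# write_peer LOCAL REMOTE KEY DIR: write ipsecinit.conf, ike/config and
# secret/ike.preshared for one peer into DIR.
write_peer() {
    local_ip=$1; remote_ip=$2; psk=$3; dir=$4
    mkdir -p "$dir/ike" "$dir/secret"

    # Policy: a laddr/raddr rule covers both directions of the conversation.
    cat > "$dir/ipsecinit.conf" <<EOF
{laddr $local_ip raddr $remote_ip} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}
EOF

    # IKE phase 1 rule. Group 14 (2048-bit MODP) is this example's choice in
    # place of the guide's group 5; local_addr is written alongside remote_addr.
    cat > "$dir/ike/config" <<EOF
{ label "ipsec-$local_ip-$remote_ip"
  local_id_type ip
  local_addr $local_ip
  remote_addr $remote_ip
  p1_xform { auth_method preshared oakley_group 14 auth_alg sha256 encr_alg aes }
}
EOF

    # Secret file: created under umask 077 so it is never world-readable,
    # then forced to 0600 in case it already existed with wider permissions.
    ( umask 077; cat > "$dir/secret/ike.preshared" ) <<EOF
{
    localidtype IP
    localid $local_ip
    remoteidtype IP
    remoteid $remote_ip
    key $psk
}
EOF
    chmod 600 "$dir/secret/ike.preshared"
}

# generate_pair: write both peers with one shared key; prints the key.
generate_pair() {
    key=$(gen_key)
    write_peer "$PEER_A" "$PEER_B" "$key" "$STAGE/$PEER_A"
    write_peer "$PEER_B" "$PEER_A" "$key" "$STAGE/$PEER_B"
    printf '%s\n' "$key"
}

# key_of DIR: extract the key field from a peer's ike.preshared.
key_of() {
    sed -n 's/^[[:space:]]*key[[:space:]]*//p' "$1/secret/ike.preshared"
}

# check_peer DIR: what an operator wants verified before copying files into
# /etc/inet: all three files present, secret file mode 0600 and, on Solaris,
# the policy file parsed by ipsecconf -c (the guide's step 3).
check_peer() {
    dir=$1
    for f in ipsecinit.conf ike/config secret/ike.preshared; do
        [ -s "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    mode=$(ls -l "$dir/secret/ike.preshared" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "ike.preshared is $mode, want -rw-------" >&2; return 1; }
    if command -v ipsecconf >/dev/null 2>&1; then
        ipsecconf -c "$dir/ipsecinit.conf"
    fi
}

# pair_consistent DIR_A DIR_B: both peers must carry the same, non-empty key.
pair_consistent() {
    [ -n "$(key_of "$1")" ] && [ "$(key_of "$1")" = "$(key_of "$2")" ]
}
```

Source the script and call generate_pair on an administrative host, run check_peer and pair_consistent on the two subtrees, then copy $STAGE/10.1.1.1/ to /etc/inet/ in that zone and $STAGE/10.1.1.2/ to the other and enable the two services as in step 6. Keeping the generation in one place also means the key never has to be typed twice or sent between the zones in a form that might be logged.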