How to Protect Oracle Solaris Cluster Interconnect with IPSec

  1. Determine the cluster private network and its prefix.
    # /usr/cluster/bin/cluster show-netprops 
     
    === Private Network === 
    
    private_netaddr:                                172.16.0.0 
    private_netmask:                                255.255.240.0

    The netmask of 255.255.240.0 indicates a prefix length of 20 bits. Thus the private network prefix to be used for the following IKE and IPsec configuration files is 172.16.0.0/20.

  2. Add IKEv2 rules for the interconnect.

    For more information, see the ikev2.config(5) man page.

    # pfedit /etc/inet/ike/ikev2.config 
     
        ikesa_xform { dh_group 21 auth_alg sha512 encr_alg aes } 
        ## Rules for cluster interconnect 
        { 
            label "cluster-foobar" 
            auth_method preshared 
            local_addr 172.16.0.0/20 
            remote_addr 172.16.0.0/20 
            cluster_interconnect yes 
        } 

    Note:

    You can configure IKEv2 to authenticate using methods other than preshared keys. For more information, consult <reference XXX>.
  3. Configure IKEv2 with preshared keys.

    For more information, see the ikev2.preshared(5) man page.

    # pfedit /etc/inet/ike/ikev2.preshared 
     
        ## label must match the rule that uses this key 
        { 
            label "cluster-foobar" 
            key 0001020304050607 
        }

    Note:

    The key above is only a sample. You must create a unique key for each cluster.
  4. Add IPsec policies for the interconnect.

    For more information, see the ipsecconf(8) man page.

    # pfedit /etc/inet/ipsecinit.conf 
     
             { laddr 172.16.0.0/20 raddr 172.16.0.0/20 } ipsec 
                 { encr_algs aes encr_auth_algs sha256 }
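    As an added check that is not part of the Oracle procedure above, the following POSIX shell script derives the prefix length from the step 1 netmask and verifies that the label, prefix and key in the three files from steps 2 to 4 agree with each other. The temporary file copies and the replacement key value are constructed for this example; on a real node the variables IKE, PSK and POL would point at the files edited in steps 2 to 4.

```shell
# Added check, not part of the Oracle procedure above: it validates the four
# steps against constructed copies of the three files. On a real node, point
# IKE, PSK and POL at /etc/inet/ike/ikev2.config, /etc/inet/ike/ikev2.preshared
# and /etc/inet/ipsecinit.conf instead of the temporary copies.

# Step 1: dotted netmask -> prefix length (255.255.240.0 -> 20).
# Fails on non-contiguous masks such as 255.0.255.0.
netmask_to_prefix() {
    bits=0; host_part=0
    for octet in $(echo "$1" | tr '.' ' '); do
        case "$octet" in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
            224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;; *) return 1 ;;
        esac
        if [ "$host_part" -eq 1 ] && [ "$n" -ne 0 ]; then return 1; fi
        if [ "$n" -ne 8 ]; then host_part=1; fi
        bits=$((bits + n))
    done
    echo "$bits"
}

# Steps 2-4: the rule label must exist in the preshared file, rule and policy
# must both carry the cluster prefix, and the sample key from the
# documentation must have been replaced.
check_cluster_ipsec() {
    prefix=$1; ike=$2; psk=$3; pol=$4
    label=$(sed -n 's/^[[:space:]]*label[[:space:]]*"\([^"]*\)".*/\1/p' "$ike" | head -n 1)
    if [ -z "$label" ]; then echo "no label in $ike"; return 1; fi
    if ! grep -q "label[[:space:]]*\"$label\"" "$psk"; then echo "label $label not in $psk"; return 1; fi
    if ! grep -q "local_addr[[:space:]]*$prefix" "$ike"; then echo "local_addr is not $prefix"; return 1; fi
    if ! grep -q "laddr[[:space:]]*$prefix" "$pol"; then echo "laddr is not $prefix"; return 1; fi
    if grep -q "key[[:space:]]*0001020304050607" "$psk"; then echo "sample key still in $psk"; return 1; fi
    echo "ok: rule $label protects $prefix"
}

# Constructed sample files mirroring the completed steps; the key is a
# placeholder made up for this example.
TMP=$(mktemp -d)
IKE=$TMP/ikev2.config; PSK=$TMP/ikev2.preshared; POL=$TMP/ipsecinit.conf
PREFIX="172.16.0.0/$(netmask_to_prefix 255.255.240.0)"
printf '{\n label "cluster-foobar"\n auth_method preshared\n local_addr %s\n remote_addr %s\n cluster_interconnect yes\n}\n' "$PREFIX" "$PREFIX" > "$IKE"
printf '{\n label "cluster-foobar"\n key 9f3c1ab207e45d66\n}\n' > "$PSK"
printf '{ laddr %s raddr %s } ipsec { encr_algs aes encr_auth_algs sha256 }\n' "$PREFIX" "$PREFIX" > "$POL"
check_cluster_ipsec "$PREFIX" "$IKE" "$PSK" "$POL"
```

The check reports the first mismatch it finds and returns non-zero, so it can be run on each node after the files are edited and before restarting the IKE and IPsec services.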