News, tips, partners, and perspectives for the Oracle Solaris operating system

Configure IPSec with IKE on Solaris 11.4

Arunkumar Ravindranath
Principal Software Engineer

IPsec is a suite of protocols that authenticates and encrypts IP packets exchanged between systems configured to use it. In this article we shall see how to configure and enable IPsec between two Solaris servers, using IKE with pre-shared keys to negotiate the keys.

The Solaris version used in this article is Solaris 11.4.

This article also assumes that all of the configuration below is done with root privileges.

The steps to configure IPsec using IKE are as follows:

  1. Setting up IKE (Internet Key Exchange) with pre-shared keys
  2. Configuring IPsec between HostA and HostB
  3. Verifying that the packets are protected by IPsec

Host names and IP addresses assumed in this article:

  • HostA - 192.168.1.5
  • HostB - 192.168.1.6

Note: each host name must resolve on both systems, either through DNS or through entries added to /etc/hosts.

Setting up IKE (Internet Key Exchange) with pre-shared keys

a. Set up the /etc/inet/ike/config file on each system. The global p1_xform and p2_pfs lines are defaults; the rule block for the peer overrides them with the stronger SHA-256/AES Phase 1 transform and Diffie-Hellman group 5 for PFS.

HostA:

### ike/config file on HostA, 192.168.1.5
## Global parameters
#
## Defaults that individual rules can override.
p1_xform
  { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2
#
## The rule to communicate with HostB
# Label must be unique
{
        label "HostA"
        local_addr 192.168.1.5
        remote_addr 192.168.1.6
        p1_xform { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes }
        p2_pfs 5
}

HostB:

### ike/config file on HostB, 192.168.1.6
## Global parameters
#
## Defaults that individual rules can override.
p1_xform
  { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2
#
## The rule to communicate with HostA
# Label must be unique
{
        label "HostB"
        local_addr 192.168.1.6
        remote_addr 192.168.1.5
        p1_xform { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes }
        p2_pfs 5
}

b. Verify the syntax of the file with the following command on both systems (the -c option checks the configuration and exits; -f names the file to check):

# /usr/lib/inet/in.iked -c -f /etc/inet/ike/config

c. Create /etc/inet/secret/ike.preshared on each system. The file holds the shared secret, so it must be owned by root and readable only by root (mode 0600), and the same key must be configured on both hosts.

HostA:

# ike.preshared on server HostA, 192.168.1.5
#...
{ localidtype IP
    localid 192.168.1.5
    remoteidtype IP
    remoteid 192.168.1.6
# The preshared key can also be represented in hex
# as in 0xf47cb0f432e14480951095f82b
    key "My$3cretPass"
}

HostB:

# ike.preshared on HostB, 192.168.1.6
#...
{ localidtype IP
    localid 192.168.1.6
    remoteidtype IP
    remoteid 192.168.1.5
# The preshared key can also be represented in hex
# as in 0xf47cb0f432e14480951095f82b
    key "My$3cretPass"
}

d. Enable the IKE service on both systems

# svcadm enable ipsec/ike

Configuring IPsec between HostA and HostB

a. Create the policy file /etc/inet/ipsecinit.conf on both systems (see /etc/inet/ipsecinit.sample for an example). The same file can be used on both hosts: each rule only matches packets whose local address is that host's own, so the unused rule is harmless. Traffic between the two hosts is protected with AES encryption and SHA-512 integrity in ESP:

{laddr HostA raddr HostB}
    ipsec {encr_algs aes encr_auth_algs sha512 sa shared}

{laddr HostB raddr HostA}
    ipsec {encr_algs aes encr_auth_algs sha512 sa shared}

b. Verify the syntax of the IPsec policy file on both systems

# ipsecconf -c /etc/inet/ipsecinit.conf

c. Refresh the IPsec policy service on both systems so that it loads the new policy

# svcadm refresh svc:/network/ipsec/policy:default

d. Restart the IKE service on both systems

# svcadm restart svc:/network/ipsec/ike:default

Verify that the packets are protected by IPsec

i)   On HostB, start snoop in verbose mode, capturing traffic to and from HostA
        # snoop -v HostA
ii)  Log in to HostA and ping HostB
        # ping HostB
iii) Verify that the snoop output shows AH and/or ESP (Encapsulating Security Payload) headers instead of a readable ICMP payload. In the capture below the IP protocol is 50 (ESP) and the payload is encrypted:
ETHER:
ETHER:  Packet 12 arrived at 11:20:0.55532
ETHER:  Packet size = 170 bytes
ETHER:  Destination = 22:89:5d:77:4a:2,
ETHER:  Source      = 22:51:71:d2:e4:44,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 156 bytes
IP:   Identification = 59149
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 50 (ESP)
IP:   Header checksum = d08b
IP:   Source address = 192.168.1.5, HostA
IP:   Destination address = 192.168.1.6, HostB
IP:   No options
IP:
ESP:  ----- Encapsulating Security Payload -----
ESP:
ESP:  SPI = 0xd25789ae
ESP:  Replay = 1
ESP:     ....ENCRYPTED DATA....
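The check in step iii can be automated. The following is an added example, not part of the original article: a POSIX shell function with awk that reads the output of `snoop -v` and reports, for every packet between the two addresses, whether it was carried in ESP (IP protocol 50) or AH (51) or was sent in the clear. The embedded snoop lines are a constructed sample modelled on the capture above, with one extra cleartext ICMP packet added to show a failing verdict.

```shell
#!/bin/sh
# Added example (not part of the original article): scan `snoop -v` output and
# report, for each packet between the two hosts, whether it was carried in
# ESP (IP protocol 50) or AH (51) or was sent in the clear. Assumes the
# verbose snoop line layout shown in the article; addresses are taken from
# the IP header lines, so host names are not needed.

# Constructed sample: an ESP packet like the article's, followed by a
# cleartext ICMP echo reply (what you would see if the policy were not
# loaded on HostB).
SAMPLE_SNOOP='ETHER:  Packet 12 arrived at 11:20:0.55532
IP:   Protocol = 50 (ESP)
IP:   Source address = 192.168.1.5, HostA
IP:   Destination address = 192.168.1.6, HostB
ESP:  SPI = 0xd25789ae
ETHER:  Packet 13 arrived at 11:20:1.00000
IP:   Protocol = 1 (ICMP)
IP:   Source address = 192.168.1.6, HostB
IP:   Destination address = 192.168.1.5, HostA
ICMP:  Type = 0 (Echo reply)'

# Usage: check_ipsec_snoop HOSTA_IP HOSTB_IP < snoop_output
# Prints one verdict per packet plus a summary; exits 1 if any packet between
# the two hosts was cleartext, so it can gate an automated check.
check_ipsec_snoop() {
  awk -v a="$1" -v b="$2" '
    function verdict(   between) {
      if (pkt == "") return
      between = (src == a && dst == b) || (src == b && dst == a)
      if (!between) { printf "packet %s %s -> %s: not between the two hosts, ignored\n", pkt, src, dst; return }
      if (proto == 50 || proto == 51) { printf "packet %s %s -> %s proto %s: PROTECTED\n", pkt, src, dst, proto; prot++ }
      else                            { printf "packet %s %s -> %s proto %s: CLEARTEXT\n", pkt, src, dst, proto; clear++ }
    }
    # A new "Packet N arrived" line closes the previous packet and starts a new one.
    /^ETHER: +Packet [0-9]+ arrived/ { verdict(); pkt = $3; src = dst = proto = "" }
    /^IP: +Protocol = /            { proto = $4 }
    /^IP: +Source address = /      { src = $5; sub(/,$/, "", src) }
    /^IP: +Destination address = / { dst = $5; sub(/,$/, "", dst) }
    END { verdict(); printf "summary: %d protected, %d cleartext\n", prot, clear; exit (clear > 0) }
  '
}

# Stand-alone demonstration on the constructed sample; real use would be
#   snoop -v HostA | check_ipsec_snoop 192.168.1.5 192.168.1.6
printf '%s\n' "$SAMPLE_SNOOP" | check_ipsec_snoop 192.168.1.5 192.168.1.6 \
  || echo "cleartext traffic detected between the hosts (exit status $?)"
```

A capture that is all ESP/AH ends with "0 cleartext" and exit status 0; any cleartext packet between the two addresses makes the function exit 1.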

Join the discussion

Comments ( 1 )
  • Volker A. Brandt Sunday, May 17, 2020
    Hello Arunkumar!

    Thanks for this article. You might want to fix /etc/inet/ike/config for HostB; it seems to be a copy of HostA. :-)

    Regards -- Volker