IPsec is a protocol suite that authenticates and encrypts IP packets exchanged between systems configured to use it. In this article we will see how to configure and enable IPsec between two Solaris servers.
The Solaris version used in this article is Solaris 11.4.
This article also assumes that all of the configuration below is done with root privileges.
The steps to configure IPsec using IKE are as follows:
- Setting up IKE (Internet Key Exchange) with pre-shared keys
- Configuring IPsec between HostA and HostB
- Verifying that packets are protected by IPsec
Host names and IP addresses assumed in this article:
- HostA – 192.168.1.5
- HostB – 192.168.1.6
Note: both systems must be able to resolve each other's host name, either through DNS or through entries added to /etc/hosts, because the IPsec policy file below refers to the hosts by name.
Setting up IKE (Internet Key Exchange) with pre-shared keys
a. Set up the /etc/inet/ike/config file on each host. The global p1_xform block holds defaults that individual rules can override; in the files below the rule for the peer overrides them with sha256/aes, so that is the transform the exchange between HostA and HostB will use.
HostA:
    ### ike/config file on HostA, 192.168.1.5
    ## Global parameters
    #
    ## Defaults that individual rules can override.
    p1_xform {
      auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des
    }
    p2_pfs 2
    #
    ## The rule to communicate with HostB
    # Label must be unique
    {
      label "HostA"
      local_addr 192.168.1.5
      remote_addr 192.168.1.6
      p1_xform {
        auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes
      }
      p2_pfs 5
    }
HostB:
    ### ike/config file on HostB, 192.168.1.6
    ## Global parameters
    #
    ## Defaults that individual rules can override.
    p1_xform {
      auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des
    }
    p2_pfs 2
    #
    ## The rule to communicate with HostA
    # Label must be unique
    {
      label "HostB"
      local_addr 192.168.1.6
      remote_addr 192.168.1.5
      p1_xform {
        auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes
      }
      p2_pfs 5
    }
b. Verify the syntax of the file using the following command on both systems:
    # /usr/lib/inet/in.iked -c /etc/inet/ike/config
c. Create /etc/inet/secret/ike.preshared on each system. This file holds the shared secret: it must be owned by root and readable only by root (mode 0600), and the key must be identical on both hosts. The short key shown here is only an example; use a long random value in practice.
HostA:
    # ike.preshared on server HostA, 192.168.1.5
    #…
    {
      localidtype IP
      localid 192.168.1.5
      remoteidtype IP
      remoteid 192.168.1.6
      # The preshared key can also be represented in hex
      # as in 0xf47cb0f432e14480951095f82b
      key "My$3cretPass"
    }
HostB:
    # ike.preshared on HostB, 192.168.1.6
    #…
    {
      localidtype IP
      localid 192.168.1.6
      remoteidtype IP
      remoteid 192.168.1.5
      # The preshared key can also be represented in hex
      # as in 0xf47cb0f432e14480951095f82b
      key "My$3cretPass"
    }
d. Enable the IKE service:
    # svcadm enable ipsec/ike
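The in.iked -c check above validates each file's syntax, but not that the two hosts actually agree with each other, which is where most pre-shared-key setups fail (identities not mirrored, keys that differ by a character, a transform edited on one side only). The Python script below is added here as an example; it is not part of the article or of Solaris. It parses both hosts' ike/config and ike.preshared contents offline with a small parser for the brace-structured format and reports anything that would stop phase 1 from completing. The file contents embedded in it are constructed copies of the article's examples, it assumes IP identities as the article does, and the LEGACY_ALGS list is this script's own advisory choice.

```python
# Offline consistency check for the IKE files of two Solaris peers: parses the
# brace-structured ike/config and ike.preshared files and reports what would
# stop phase 1 from completing (un-mirrored identities, differing keys or
# transforms). Sample contents below are constructed from the article's examples.
import shlex

LEGACY_ALGS = {"des", "3des", "md5", "sha"}  # advisory list of this example; 'sha' is SHA-1


def tokenize(text):
    """Whitespace tokens with quotes honoured; '#' comments dropped."""
    return [t for line in text.splitlines() for t in shlex.split(line, comments=True)]


def parse_block(tokens, i=0):
    """Parse tokens[i:] up to the matching '}' into [(key, value)], where value
    is a string or a nested list for 'key { ... }'; a bare '{ ... }' (an IKE
    rule or a preshared entry) is stored under the key 'rule'."""
    entries = []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return entries, i + 1
        if tok == "{":
            nested, i = parse_block(tokens, i + 1)
            entries.append(("rule", nested))
        elif i + 1 < len(tokens) and tokens[i + 1] == "{":
            nested, i = parse_block(tokens, i + 2)
            entries.append((tok, nested))
        elif i + 1 < len(tokens):
            entries.append((tok, tokens[i + 1]))
            i += 2
        else:
            raise ValueError(f"keyword {tok!r} has no value")
    return entries, i


def as_dict(entries):
    return {k: as_dict(v) if isinstance(v, list) else v for k, v in entries}


def parse_ike_file(text):
    """Return (global settings dict, [rule dicts]) for ike/config or ike.preshared."""
    entries, _ = parse_block(tokenize(text))
    rules = [as_dict(v) for k, v in entries if k == "rule"]
    settings = as_dict([(k, v) for k, v in entries if k != "rule"])
    return settings, rules


def check_pair(config_a, preshared_a, config_b, preshared_b):
    """Return a list of problems; an empty list means the two peers agree."""
    problems = []
    ga, rules_a = parse_ike_file(config_a)
    gb, rules_b = parse_ike_file(config_b)
    pa = parse_ike_file(preshared_a)[1][0]  # one entry per file in this article
    pb = parse_ike_file(preshared_b)[1][0]
    if (pa["localid"], pa["remoteid"]) != (pb["remoteid"], pb["localid"]):
        problems.append("ike.preshared: localid/remoteid are not mirror images")
    if pa["key"] != pb["key"]:
        problems.append("ike.preshared: pre-shared keys differ")
    ra = [r for r in rules_a
          if (r.get("local_addr"), r.get("remote_addr")) == (pa["localid"], pa["remoteid"])]
    rb = [r for r in rules_b
          if (r.get("local_addr"), r.get("remote_addr")) == (pb["localid"], pb["remoteid"])]
    if not ra or not rb:
        return problems + ["ike/config: no rule for this peer pair on both hosts"]
    ra, rb = ra[0], rb[0]
    # A rule's own p1_xform / p2_pfs override the global defaults.
    xa = ra.get("p1_xform", ga.get("p1_xform", {}))
    xb = rb.get("p1_xform", gb.get("p1_xform", {}))
    for param in ("auth_method", "oakley_group", "auth_alg", "encr_alg"):
        if xa.get(param) != xb.get(param):
            problems.append(f"p1_xform {param}: {xa.get(param)!r} vs {xb.get(param)!r}")
    if ra.get("p2_pfs", ga.get("p2_pfs")) != rb.get("p2_pfs", gb.get("p2_pfs")):
        problems.append("p2_pfs differs between the two rules")
    problems += [f"advisory: legacy {p} {xa[p]!r} in effective p1_xform"
                 for p in ("auth_alg", "encr_alg") if xa.get(p) in LEGACY_ALGS]
    return problems


# Constructed samples mirroring the article's HostA (192.168.1.5) / HostB (192.168.1.6) files.
IKE_CONFIG_A = """\
p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2
{ label "HostA" local_addr 192.168.1.5 remote_addr 192.168.1.6
  p1_xform { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes }
  p2_pfs 5 }
"""
IKE_CONFIG_B = """\
p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2
{ label "HostB" local_addr 192.168.1.6 remote_addr 192.168.1.5
  p1_xform { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes }
  p2_pfs 5 }
"""
PRESHARED_A = '{ localidtype IP localid 192.168.1.5 remoteidtype IP remoteid 192.168.1.6 key "My$3cretPass" }'
PRESHARED_B = '{ localidtype IP localid 192.168.1.6 remoteidtype IP remoteid 192.168.1.5 key "My$3cretPass" }'

if __name__ == "__main__":
    print(check_pair(IKE_CONFIG_A, PRESHARED_A, IKE_CONFIG_B, PRESHARED_B) or "peers agree")
```

Run it with the two hosts' real file contents pasted into the constants (or read from copies of the files) before enabling the service; the global p1_xform is only consulted for rules that do not carry their own, so with the article's files the check compares the sha256/aes rule transforms and the legacy sha/3des defaults are never flagged.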
Configuring IPsec between HostA and HostB
a. Create the policy file /etc/inet/ipsecinit.conf on each system (an example is provided in /etc/inet/ipsecinit.sample):
    {laddr HostA raddr HostB} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
    {laddr HostB raddr HostA} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
b. Verify the syntax of the IPsec policy file on both systems:
    # ipsecconf -c /etc/inet/ipsecinit.conf
c. Refresh the IPsec policy:
    # svcadm refresh svc:/network/ipsec/policy:default
d. Restart the IKE service:
    # svcadm restart svc:/network/ipsec/ike:default
Verifying that packets are protected by IPsec
i) On HostB, start a snoop command for HostA:
    # snoop -v HostA
ii) Log in to HostA and ping HostB:
    # ping HostB
iii) Verify that the snoop output has AH and/or ESP (Encapsulating Security Payload) information:
    ETHER:
    ETHER:  Packet 12 arrived at 11:20:0.55532
    ETHER:  Packet size = 170 bytes
    ETHER:  Destination = 22:89:5d:77:4a:2,
    ETHER:  Source      = 22:51:71:d2:e4:44,
    ETHER:  Ethertype = 0800 (IP)
    ETHER:
    IP:   ----- IP Header -----
    IP:
    IP:   Version = 4
    IP:   Header length = 20 bytes
    IP:   Type of service = 0x00
    IP:         xxx. .... = 0 (precedence)
    IP:         ...0 .... = normal delay
    IP:         .... 0... = normal throughput
    IP:         .... .0.. = normal reliability
    IP:         .... ..0. = not ECN capable transport
    IP:         .... ...0 = no ECN congestion experienced
    IP:   Total length = 156 bytes
    IP:   Identification = 59149
    IP:   Flags = 0x4
    IP:         .1.. .... = do not fragment
    IP:         ..0. .... = last fragment
    IP:   Fragment offset = 0 bytes
    IP:   Time to live = 255 seconds/hops
    IP:   Protocol = 50 (ESP)
    IP:   Header checksum = d08b
    IP:   Source address = 192.168.1.5, HostA
    IP:   Destination address = 192.168.1.6, HostB
    IP:   No options
    IP:
    ESP:  ----- Encapsulating Security Payload -----
    ESP:
    ESP:  SPI = 0xd25789ae
    ESP:  Replay = 1
    ESP:  ....ENCRYPTED DATA....
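Reading one verbose packet by eye confirms that one packet was protected; what a defender actually wants to know is that no packet between the two peers went out in the clear, for example because the policy was refreshed on one host only. The Python script below is added here as an example and is not part of the article or of snoop. It parses a whole snoop -v capture and splits the packets exchanged between the two peers into those carrying ESP (protocol 50) or AH (protocol 51) and those carrying anything else. The capture embedded in it is constructed: packet 12 is the article's ESP packet trimmed to the relevant lines, while packets 13 and 14 are invented for contrast (a cleartext ICMP reply between the peers, and traffic from a third host that is out of scope).

```python
# Offline check of 'snoop -v' output: every packet exchanged between the two
# IPsec peers must carry ESP (protocol 50) or AH (protocol 51); anything else
# between them went out in the clear. The sample below is constructed: packet 12
# is the article's ESP packet, packets 13 and 14 are invented for contrast.
import re

PROTECTED = {50: "ESP", 51: "AH"}
_PACKET = re.compile(r"Packet (\d+) arrived")
_FIELDS = {
    "proto": re.compile(r"IP:\s+Protocol = (\d+)"),
    "src": re.compile(r"IP:\s+Source address = ([\d.]+)"),
    "dst": re.compile(r"IP:\s+Destination address = ([\d.]+)"),
    "spi": re.compile(r"(?:ESP|AH):\s+SPI = (0x[0-9a-fA-F]+)"),
}


def parse_snoop(text):
    """Turn verbose snoop output into a list of {number, proto, src, dst, spi}."""
    packets, cur = [], None
    for line in text.splitlines():
        m = _PACKET.search(line)
        if m:  # a new packet record starts here
            cur = {"number": int(m.group(1)), "proto": None, "src": None, "dst": None, "spi": None}
            packets.append(cur)
            continue
        if cur is None:
            continue
        for field, rx in _FIELDS.items():
            m = rx.search(line)
            if m:
                cur[field] = int(m.group(1)) if field == "proto" else m.group(1)
    return packets


def audit(text, peers):
    """Return (protected, unprotected) packet lists for traffic between `peers`."""
    protected, unprotected = [], []
    for p in parse_snoop(text):
        if p["src"] in peers and p["dst"] in peers:
            (protected if p["proto"] in PROTECTED else unprotected).append(p)
    return protected, unprotected


# Constructed capture: packet 12 from the article, 13 and 14 invented.
SNOOP_SAMPLE = """\
ETHER:  Packet 12 arrived at 11:20:0.55532
ETHER:  Packet size = 170 bytes
IP:   ----- IP Header -----
IP:   Protocol = 50 (ESP)
IP:   Source address = 192.168.1.5, HostA
IP:   Destination address = 192.168.1.6, HostB
ESP:  ----- Encapsulating Security Payload -----
ESP:  SPI = 0xd25789ae
ESP:  Replay = 1
ESP:  ....ENCRYPTED DATA....
ETHER:  Packet 13 arrived at 11:20:0.55601
IP:   Protocol = 1 (ICMP)
IP:   Source address = 192.168.1.6, HostB
IP:   Destination address = 192.168.1.5, HostA
ICMP:  Type = 0 (Echo reply)
ETHER:  Packet 14 arrived at 11:20:1.10000
IP:   Protocol = 6 (TCP)
IP:   Source address = 192.168.1.9, other
IP:   Destination address = 192.168.1.5, HostA
"""
PEERS = {"192.168.1.5", "192.168.1.6"}

if __name__ == "__main__":
    ok, bad = audit(SNOOP_SAMPLE, PEERS)
    print(f"{len(ok)} protected packet(s), {len(bad)} in the clear")
    for p in bad:
        print(f"  packet {p['number']}: protocol {p['proto']} {p['src']} -> {p['dst']}")
```

On a real system, save the capture with snoop -v and feed the file's contents to audit(); an empty unprotected list for the peer pair is the result to expect once both hosts have refreshed their policy and restarted IKE.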