This chapter provides procedures for implementing IPsec on your network. The procedures are described in the following task maps:Protecting Traffic With IPsec (Task Map) Protecting a VPN With IPsec (Task Map) For overview information about IPsec, see Chapter 19, IP Security Architecture (Overview). For reference information about IPsec, see Chapter 21, IP Security Architecture (Reference). The following table points to procedures that set up IPsec between one or more systems. The ipsecconf1M, ipseckey1M, and ifconfig1M man pages also describe useful procedures in their respective Examples sections.Task Description For Instructions Secure traffic between two systems Protects packets from one system to another system. How to Secure Traffic Between Two Systems With IPsec Secure a web server by using IPsec policy Requires non-web traffic to use IPsec. Web clients are identified by particular ports, which bypass IPsec checks. How to Secure a Web Server With IPsec Display IPsec policies Displays the IPsec policies that are currently being enforced, in the order in which the policies are enforced. How to Display IPsec Policies Generate random numbers Generates random numbers for keying material for manually created security associations. How to Generate Random Numbers on a Solaris System Create or replace security associations manually Provides the raw data for security associations:IPsec algorithm name and keying material Key for the security parameter index IP source and destination addresses How to Manually Create IPsec Security Associations Check that IPsec is protecting the packets Examines snoop output for specific headers that indicate how the IP datagrams are protected. How to Verify That Packets Are Protected With IPsec (Optional) Create a Network Security role Creates a role that can set up a secure network, but has fewer powers than superuser. How to Create a Role for Configuring Network Security Set up a secure virtual private network (VPN) Sets up IPsec between two systems that are separated by the Internet. Protecting a VPN With IPsec (Task Map) This section provides procedures that enable you to secure traffic between two systems, and to secure a web server. To protect a VPN, see Protecting a VPN With IPsec (Task Map). Additional procedures provide keying material, provide security associations, and verify that IPsec is working as configured.The following information applies to all IPsec configuration tasks:IPsec and zones – To manage IPsec policy and keys for a non-global zone, create the IPsec policy file in the global zone, and run the IPsec configuration commands from the global zone. Use the source address which corresponds to the non-global zone that is being configured. You can also configure IPsec policy and keys in the global zone for the global zone. In the Solaris Express, Developer Edition 2/07 release, you can use IKE to manage keys in a non-global zone. IPsec and RBAC – To use roles to administer IPsec, see Chapter 8, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services. For an example, see How to Create a Role for Configuring Network Security. IPsec and SCTP – IPsec can be used to protect Streams Control Transmission Protocol (SCTP) associations, but caution must be used. For more information, see IPsec and SCTP. You configure IPsec policy in the global zone. This procedure assumes the following setup:The two systems are named enigma and partym. Each system has two addresses, an IPv4 address and an IPv6 address. Each system invokes AH protection with the MD5 algorithm, which requires a key of 128 bits. Each system invokes ESP protections with the 3DES algorithm, which requires a key of 192 bits. Each system uses shared security associations.With shared SAs, only one pair of SAs is needed to protect the two systems. On the system console, assume the Primary Administrator role or become superuser.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. On each system, add host entries to the /etc/inet/hosts file.On a system that is named partym, type the following in the hosts file:# Secure communication with enigma 192.168.116.16 enigma 2001::aaaa:6666:6666 enigma On a system that is named enigma, type the following in the hosts file:# Secure communication with partym 192.168.13.213 partym 2001::eeee:3333:3333 partym On each system, create the IPsec policy file.The file name is /etc/inet/ipsecinit.conf. For an example, see the /etc/inet/ipsecinit.sample file. Add an IPsec policy entry to the ipsecinit.conf file.On the enigma system, add the following policy:{laddr enigma raddr partym} ipsec {auth_algs any encr_algs any sa shared} On the partym system, add the identical policy:{laddr partym raddr enigma} ipsec {auth_algs any encr_algs any sa shared}For the syntax of IPsec policy entries, see the ipsecconf1M man page. On each system, add a pair of IPsec SAs between the two systems.You can configure Internet Key Exchange (IKE) to create the SAs automatically. You can also add the SAs manually.You should use IKE unless you have good reason to generate and maintain your keys manually. IKE key management is more secure than manual key management. Configure IKE by following one of the configuration procedures in Configuring IKE (Task Map). For the syntax of the IKE configuration file, see the ike.config4 man page. To add the SAs manually, see How to Manually Create IPsec Security Associations. Reboot each system.# init 6 Verify that packets are being protected.For the procedure, see How to Verify That Packets Are Protected With IPsec. The following example describes how to implement IPsec in a test environment. In a production environment, it is more secure to reboot than to run the ipsecconf command. For the security considerations, see the end of this example.Instead of rebooting at Step 6, choose one of the following options.If you used IKE to create keying material, stop and then restart the in.iked daemon.# pkill in.iked # /usr/lib/inet/in.iked If you added keys manually, use the ipseckey command to add the SAs to the database.# ipseckey -f /etc/inet/secret/ipseckeysThen activate the IPsec policy with the ipsecconf command.# ipsecconf -a /etc/inet/ipsecinit.conf Security Considerations – Read the warning when you execute the ipsecconf command. A socket that is already latched, that is, a socket that is already in use, provides an unsecured back door into the system. For more extensive discussion, see Security Considerations for ipsecinit.conf and ipsecconf. A secure web server allows web clients to talk to the web service. On a secure web server, traffic that is not web traffic must pass security checks. The following procedure includes bypasses for web traffic. In addition, this web server can make nonsecured DNS client requests. All other traffic requires ESP with AES and SHA-1 algorithms.You configure IPsec policy in the global zone. On the system console, assume the Primary Administrator role or become superuser.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Determine which services need to bypass security policy checks.For a web server, these services include TCP ports 80 (HTTP) and 443 (Secure HTTP). If the web server provides DNS name lookups, the server might also need to include port 53 for both TCP and UDP. Create a file in the /etc/inet directory for the web server policy.Give the file a name that indicates its purpose, for example IPsecWebInitFile. Type the following lines in this file:# Web traffic that web server should bypass. {lport 80 ulp tcp dir both} bypass {} {lport 443 ulp tcp dir both} bypass {} # Outbound DNS lookups should also be bypassed. {rport 53 dir both} bypass {} # Require all other traffic to use ESP with AES and SHA-1. # Use a unique SA for outbound traffic from the port {} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}This configuration allows only secure traffic to access the system, with the bypass exceptions that are described in Step 2. Copy the contents of the file that you created in Step 3 into the /etc/inet/ipsecinit.conf file. Protect the IPsecWebInitFile file with read-only permissions.# chmod 400 IPsecWebInitFile Secure the web server without rebooting. Choose one of the following options.If you are using IKE for key management, stop and restart the in.iked daemon.# pkill in.iked # /usr/lib/inet/in.iked If you are manually managing keys, use the ipseckey and ipsecconf commands.Use the IPsecWebInitFile as the argument to the ipsecconf command. If you use the ipsecinit.conf file as the argument, the ipsecconf command generates errors when policies in the file are already implemented on the system.# ipseckey -f /etc/inet/secret/ipseckeys # ipsecconf -a /etc/inet/IPsecWebInitFile Read the warning when you execute the ipsecconf command. A socket that is already latched, that is, a socket that is already in use, provides an unsecured back door into the system. For more extensive discussion, see Security Considerations for ipsecinit.conf and ipsecconf. The same warning applies to restarting the in.iked daemon. You can also reboot. Rebooting ensures that the IPsec policy is in effect on all TCP connections. At reboot, the TCP connections use the policy in the IPsec policy file. Enable a remote system to communicate with the web server for nonweb traffic.Type the following policy in a remote system's ipsecinit.conf file.# Communicate with web server about nonweb stuff # {laddr webserver} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}A remote system can communicate securely with the web server for nonweb traffic only when the systems' IPsec policies match. You can see the policies that are configured in the system when you issue the ipsecconf command without any arguments. The command must be run from the global zone. Assume a role that includes the Network Security profile, or become superuser.To create a role that includes the Network Security profile and assign that role to a user, see How to Create a Role for Configuring Network Security. Display the global IPsec policy entries in the order that the entries were added.$ ipsecconfThe command displays each entry with an index followed by a number. Display the IPsec policy entries in the order in which a match occurs.$ ipsecconf -l Display the IPsec policy entries, including per-tunnel entries, in the order in which a match occurs.$ ipsecconf -L If you are entering keys manually, the keying material should be random. The format for keying material for a Solaris system is hexadecimal. Other operating systems can require ASCII keying material. To generate keying material for a Solaris system that is communicating with an operating system that requires ASCII, see Example 23–1.If your site has a random number generator, use that generator. Otherwise, you can use the od command with the /dev/random Solaris device as input. For more information, see the od1 man page. Generate random numbers in hexadecimal format.% od -x|-X -A n file | head -nxDisplays the octal dump in hexadecimal format. Hexadecimal format is useful for keying material. The hexadecimal is printed in 4-character chunks. XDisplays the octal dump in hexadecimal format. The hexadecimal is printed in 8-character chunks. A nRemoves the input offset base from the display. fileServes as a source for random numbers. head -nRestricts the display to the first n lines of output. Combine the output to create a key of the appropriate length.Remove the spaces between the numbers on one line to create a 32-character key. A 32-character key is 128 bits. For a security parameter index (SPI), you should use an 8-character key. The key should use the 0x prefix. The following example displays two lines of keys in groups of eight hexadecimal characters each.% od -X -A n /dev/random | head -2 d54d1536 4a3e0352 0faf93bd 24fd6cad 8ecc2670 f3447465 20db0b0c c83f5a4bBy combining the four numbers on the first line, you can create a 32-character key. An 8-character number that is preceded by 0x provides a suitable SPI value, for example, 0xf3447465.The following example displays two lines of keys in groups of four hexadecimal characters each.% od -x -A n /dev/random | head -2 34ce 56b2 8b1b 3677 9231 42e9 80b0 c673 2f74 2817 8026 df68 12f4 905a db3d ef27By combining the eight numbers on the first line, you can create a 32-character key. You manually manage keying material for a non-global zone from the global zone. The following procedure provides the keying material for the procedure, How to Secure Traffic Between Two Systems With IPsec. Generate the keying material for the SAs. You need three hexadecimal random numbers for outbound traffic and three hexadecimal random numbers for inbound traffic.Therefore, one system needs to generate the following numbers:Two hexadecimal random numbers as the value for the spi keyword. One number is for outbound traffic. One number is for inbound traffic. Each number can be up to eight characters long. Two hexadecimal random numbers for the MD5 algorithm for AH. Each number must be 32 characters long. One number is for dst enigma. One number is for dst partym. Two hexadecimal random numbers for the 3DES algorithm for ESP. For a 192-bit key, each number must be 48 characters long. One number is for dst enigma. One number is for dst partym. If you have a random number generator at your site, use the generator. You can also use the od command. See How to Generate Random Numbers on a Solaris System for the procedure. On the system console on one of the systems, assume the Primary Administrator role or become superuser.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Enable the ipseckey command mode:# ipseckey >The > prompt indicates that you are in ipseckey command mode. If you are replacing existing SAs, flush the current SAs.> flush > To prevent an adversary from having time to break your SAs, you need to replace the keying material.You must coordinate key replacement on communicating systems. When you replace the SAs on one system, the SAs must also be replaced on the remote system. To create SAs, type the following command.> add protocol spi random-hex-string \ src addr dst addr2 \ protocol-prefix_alg protocol-algorithm \ protocol-prefixkey random-hex-string-of-algorithm-specified-lengthYou also use this syntax to replace SAs that you have just flushed.protocolSpecifies either esp or ah. random-hex-stringSpecifies a random number of up to eight characters in hexadecimal format. Precede the characters with 0x. If you enter more numbers than the security parameter index (SPI) accepts, the system ignores the extra numbers. If you enter fewer numbers than the SPI accepts, the system pads your entry. addrSpecifies the IP address of one system. addr2Specifies the IP address of the peer system of addr. protocol-prefixSpecifies one of encr or auth. The encr prefix is used with the esp protocol. The auth prefix is used with the ah protocol, and for authenticating the esp protocol. protocol-algorithmSpecifies an algorithm for ESP or AH. Each algorithm requires a key of a specific length.Authentication algorithms include MD5 and SHA. Encryption algorithms include 3DES and AES. random-hex-string-of-algorithm-specified-lengthSpecifies a random hexadecimal number of the length that is required by the algorithm. For example, the MD5 algorithm requires a 32-character string for its 128-bit key. The 3DES algorithm requires a 48-character string for its 192-bit key. For example, on the enigma system, protect outbound packets.Use the random numbers that you generated in Step 1.For Solaris 10 1/06:> add esp spi 0x8bcd1407 \ src 192.168.116.16 dst 192.168.13.213 \ encr_alg 3des \ auth_alg md5 \ encrkey d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d \ authkey e896f8df7f78d6cab36c94ccf293f031 >The peer system must use the same keying material and the same SPI. Still in ipseckey command mode on the enigma system, protect inbound packets.Type the following commands to protect the packets:> add esp spi 0x122a43e4 \ src 192.168.13.213 dst 192.168.116.16 \ encr_alg 3des \ auth_alg md5 \ encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e \ authkey ad9ced7ad5f255c9a8605fba5eb4d2fd >The keys and SPI can be different for each SA. You should assign different keys and a different SPI for each SA. To exit ipseckey command mode, press Control-D or type quit. To ensure that the keying material is available to IPsec at reboot, add the keying material to the /etc/inet/secret/ipseckeys file.The lines of the /etc/inet/secret/ipseckeys file are identical to the command line language.For example, the /etc/inet/secret/ipseckeys file on the enigma system would appear similar to the following:# ipseckeys - This file takes the file format documented in # ipseckey(1m). # Note that naming services might not be available when this file # loads, just like ipsecinit.conf. # # for outbound packets on enigma add esp spi 0x8bcd1407 \ src 192.168.116.16 dst 192.168.13.213 \ encr_alg 3des \ auth_alg md5 \ encrkey d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d \ authkey e896f8df7f78d6cab36c94ccf293f031 # # for inbound packets add esp spi 0x122a43e4 \ src 192.168.13.213 dst 192.168.116.16 \ encr_alg 3des \ auth_alg md5 \ encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e \ authkey ad9ced7ad5f255c9a8605fba5eb4d2fd Protect the file with read-only permissions.# chmod 400 /etc/inet/secret/ipseckeys Repeat Step 2 through Step 7 on the partym system. Use the same keying material that was used on enigma.The keying material on the two systems must be identical. As shown in the following example, only the comments in the ipseckeys file differ. The comments differ because dst enigma is inbound on the enigma system, and outbound on the partym system.# partym ipseckeys file # # for inbound packets add esp spi 0x8bcd1407 \ src 192.168.116.16 dst 192.168.13.213 \ encr_alg 3des \ auth_alg md5 \ encrkey d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d \ authkey e896f8df7f78d6cab36c94ccf293f031 # # for outbound packets add esp spi 0x122a43e4 \ src 192.168.13.213 dst 192.168.116.16 \ encr_alg 3des \ auth_alg md5 \ encrkey dd325c5c137fb4739a55c9b3a1747baa06359826a5e4358e \ authkey ad9ced7ad5f255c9a8605fba5eb4d2fd To verify that packets are protected, test the connection with the snoop command. The following prefixes can appear in the snoop output:AH: Prefix indicates that AH is protecting the headers. You see AH: if you used auth_alg to protect the traffic. ESP: Prefix indicates that encrypted data is being sent. You see ESP: if you used encr_auth_alg or encr_alg to protect the traffic. You must be superuser or have assumed an equivalent role to create the snoop output. You must have access to both systems to test the connection. On one system, such as partym, become superuser.% su - Password: Type root password # From the partym system, prepare to snoop packets from a remote system.In a terminal window on partym, snoop the packets from the enigma system.# snoop -v enigma Using device /dev/hme (promiscuous mode) Send a packet from the remote system.In another terminal window, remotely log in to the enigma system. Provide your password. Then, become superuser and send a packet from the enigma system to the partym system. The packet should be captured by the snoop -v enigma command.% ssh enigma Password: Type your password % su - Password: Type root password # ping partym Examine the snoop output.On the partym system, you should see output that includes AH and ESP information after the initial IP header information. AH and ESP information that resembles the following shows that packets are being protected:IP: Time to live = 64 seconds/hops IP: Protocol = 51 (AH) IP: Header checksum = 4e0e IP: Source address = 192.168.116.16, enigma IP: Destination address = 192.168.13.213, partym IP: No options IP: AH: ----- Authentication Header ----- AH: AH: Next header = 50 (ESP) AH: AH length = 4 (24 bytes) AH: <Reserved field = 0x0> AH: SPI = 0xb3a8d714 AH: Replay = 52 AH: ICV = c653901433ef5a7d77c76eaa AH: ESP: ----- Encapsulating Security Payload ----- ESP: ESP: SPI = 0xd4f40a61 ESP: Replay = 52 ESP: ....ENCRYPTED DATA.... ETHER: ----- Ether Header ----- ... If you are using role-based access control (RBAC) to administer your systems, you use this procedure to provide a network management or network security role. Find the Network rights profiles in the local prof_attr database.% cd /etc/security % grep Network prof_attr Network Management:::Manage the host and network configuration … Network Security:::Manage network and host security … System Administrator:::…Network Management…The Network Management profile is a supplementary profile in the System Administrator profile. If you have included the System Administrator rights profile in a role, then that role can execute the commands in the Network Management profile. Determine which commands are in the Network Management rights profile.% grep "Network Management" /etc/security/exec_attr Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config … Network Management:suser:cmd:::/usr/sbin/snoop:uid=0The solaris policy commands run with privilege (privs=sys_net_config). The suser policy commands run as superuser (uid=0). Determine which commands are in the Network Security rights profile.% grep "Network Security" /etc/security/exec_attr … Network Security:solaris:cmd:::/usr/sbin/ipsecconf:privs=sys_net_config … Network Security:solaris:cmd:::/usr/sbin/ipseckey:privs=sys_net_config … Create a role that includes the Network Security and the Network Management rights profiles.A role with both profiles can execute the ifconfig, snoop, ipsecconf, and ipseckey commands, among others, with appropriate privilege.To create the role, assign the role to a user, and register the changes with the name service, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. The following table points to procedures that configure IPsec to protect traffic across the Internet. These procedures set up a secure virtual private network (VPN) between two systems that are separated by the Internet. One common use of this technology is to protect traffic between home workers and their corporate office.Task Description For Instructions Protect tunnel traffic in tunnel mode over IPv4 Protects traffic in tunnel mode between two Solaris Express systems.Also, protects traffic in tunnel mode between another platform and a Solaris Express system. How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4 Protect tunnel traffic in tunnel mode over IPv6 Protects traffic in tunnel mode between two Solaris systems that are using the IPv6 protocol. How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv6 Protect tunnel traffic in transport mode over IPv4 Protects traffic in transport mode between two Solaris Express systems.Also, protects traffic in transport mode between a system that is running an earlier version of the Solaris OS and a Solaris Express system. How to Protect a VPN With an IPsec Tunnel in Transport Mode Over IPv4 Protects traffic by using the older syntax. This is useful when you are communicating with a system that is running an earlier version of the Solaris OS. This method simplifies comparing the configuration files on the two systems. Example 20–11 Protect tunnel traffic in transport mode over IPv6 Protects traffic in transport mode between two Solaris systems that are using the IPv6 protocol. How to Protect a VPN With an IPsec Tunnel in Transport Mode Over IPv6 IPsec tunnels can protect a VPN. In Solaris Express, Developer Edition 2/07, a tunnel can be in tunnel mode, or in transport mode. Tunnel mode is interoperable with the implementation of IPsec by other vendors. Transport mode is interoperable with earlier versions of the Solaris OS. For a discussion of tunnel modes, see Transport and Tunnel Modes in IPsec.Tunnels in tunnel mode offer more fine-grained control of the traffic. In tunnel mode, for an inner IP address, you can specify the particular protection you want down to a single port. For possible IPsec policies, see the examples that follow the tunnel diagram in Figure 20–1.

Diagram shows a VPN that connects two LANs. Each LAN has four subnets.

The following examples assume that the tunnel is configured for all subnets of the LANs:## Tunnel configuration ## ifconfig ip.tun0 10.1.2.1 10.2.3.1 tsrc 192.168.1.10 tdst 192.168.2.10In this example, all traffic from the local LANs in Central in Figure 20–1, can be tunneled through Router 1 to Router 2, and then delivered to all local LANs of Overseas. The traffic is encrypted with AES. ## IPsec policy ## {tunnel ip.tun0 negotiate tunnel} ipsec {encr_algs aes encr_auth_algs md5 sa shared} In this example, only traffic between subnet 10.1.2.0/24 of Central and subnet 10.2.3.0/24 of Overseas is tunneled and encrypted. In the absence of other IPsec policies for Central, if Central attempts to route any traffic for other LANs over this tunnel, the traffic is dropped at Router 1.## IPsec policy ## {tunnel ip.tun0 negotiate tunnel laddr 10.1.2.0/24 raddr 10.2.3.0/24} ipsec {encr_algs aes encr_auth_algs md5 sa shared} In this example, a tunnel is created for email traffic only. The traffic is delivered from 10.1.2.0/24 of Central to the email server on the 10.2.3.0/24 subnet of the Overseas LAN. The email is encrypted with Blowfish. The policies apply to the remote and local email ports. The rport policy protects mail that Central sends to the remote email port of Overseas. The lport policy protects mail Central receives from Overseas on local port 25.## IPsec policy for email from Central to Overseas ## {tunnel ip.tun0 negotiate tunnel ulp tcp rport 25 laddr 10.1.2.0/24 raddr 10.2.3.0/24} ipsec {encr_algs blowfish encr_auth_algs md5 sa shared}## IPsec policy for email from Overseas to Central ## {tunnel ip.tun0 negotiate tunnel ulp tcp lport 25 laddr 10.1.2.0/24 raddr 10.2.3.0/24} ipsec {encr_algs blowfish encr_auth_algs md5 sa shared} In this example, IPsec policy protects the FTP ports in Figure 20–1 with 3DES for all subnets of Central to all subnets of Overseas. This configuration works for the active mode of FTP.## IPsec policy for outbound FTP from Central to Overseas ## {tunnel ip.tun0 negotiate tunnel ulp tcp rport 21} ipsec {encr_algs 3des encr_auth_algs md5 sa shared} {tunnel ip.tun0 negotiate tunnel ulp tcp lport 20} ipsec {encr_algs 3des encr_auth_algs md5 sa shared}## IPsec policy for inbound FTP from Central to Overseas ## {tunnel ip.tun0 negotiate tunnel ulp tcp lport 21} ipsec {encr_algs 3des encr_auth_algs md5 sa shared} {tunnel ip.tun0 negotiate tunnel ulp tcp rport 20} ipsec {encr_algs 3des encr_auth_algs md5 sa shared} The IPv4 procedures in this section assume the following setup. For a depiction of the network, see Figure 20–2.Each system is using an IPv4 address space.For a similar example with IPv6 addresses, see How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv6. Each system has two interfaces. The hme0 interface connects to the Internet. In this example, Internet IP addresses begin with 192.168. The hme1 interface connects to the company's local area network (LAN), its intranet. In this example, intranet IP addresses begin with the number 10. Each system invokes AH protection with the MD5 algorithm. The MD5 algorithm requires a 128-bit key. Each system invokes ESP protection with the 3DES algorithm. The 3DES algorithm requires a 192-bit key. Each system can connect to a router that has direct access to the Internet. Each system uses shared security associations. For a description of VPNs, see Virtual Private Networks and IPsec. Figure 20–2 describes the VPN that this procedure configures.

Diagram shows details of VPN between Europe and California offices.

This procedure uses the following configuration parameters.Parameter Europe California System name enigma partym System intranet interface hme1 hme1 System Internet interface hme0 hme0 System intranet address, also the -point address in Step 5 10.16.16.6 10.1.3.3 System Internet address, also the tsrc address in Step 5 192.168.116.16 192.168.13.213 Name of Internet router router-E router-C Address of Internet router 192.168.116.4 192.168.13.5 Tunnel name ip.tun0 ip.tun0 This procedure extends the procedure, How to Secure Traffic Between Two Systems With IPsec. In addition to connecting two systems, you are connecting two intranets that connect to these two systems. The systems in this procedure function as gateways.You configure IPsec policy in the global zone. On the system console on one of the systems, assume the Primary Administrator role or become superuser.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Control the flow of packets before configuring IPsec.Ensure that IP forwarding and IP dynamic routing are disabled.# routeadm Configuration Current Current Option Configuration System State -------------------------------------------------- IPv4 forwarding disabled disabled IPv4 routing default (enabled) enabled …If forwarding and routing are enabled, you can disable them by typing:# routeadm -d ipv4-routing -d ipv4-forwarding # routeadm -uTurning off IP forwarding prevents packets from being forwarded from one network to another network through this system. For a description of the routeadm command, see the routeadm1M man page. Turn on IP strict destination multihoming.# ndd -set /dev/ip ip_strict_dst_multihoming 1Turning on IP strict destination multihoming ensures that packets for one of the system's destination addresses arrive at the correct destination address.When you turn off IP forwarding and turn on IP strict destination multihoming, fewer packets flow all the way through the system. When strict destination multihoming is enabled, packets that arrive on a particular interface must be addressed to one of the local IP addresses of that interface. All other packets, even ones that are addressed to other local addresses of the system, are dropped. Disable most network services, and possibly all network services.If your system was installed with the “limited” SMF profile, then you can skip this step. Network services, with the exception of Solaris Secure Shell, are disabled. The disabling of network services prevents IP packets from doing any harm to the system. For example, an SNMP daemon, a telnet connection, or an rlogin connection could be exploited.You have two options.Run the “limited” SMF profile.# netservices limited Or, individually disable network services.# svcadm disable network/ftp:default # svcadm disable network/finger:default # svcadm disable network/login:rlogin # svcadm disable network/nfs/server:default # svcadm disable network/rpc/rstat:default # svcadm disable network/smtp:sendmail # svcadm disable network/telnet:default # svcs | grep network online Aug_02 svc:/network/loopback:default … online Aug_09 svc:/network/ssh:default … On each system, add a pair of SAs between the two systems.Choose one of the following options:Configure IKE to manage the keys for the SAs. Use one of the procedures in Configuring IKE (Task Map) to configure IKE for the VPN. If you have an overriding reason to manually manage the keys, see How to Manually Create IPsec Security Associations. On each system, add IPsec policy.Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN. To strengthen the policy, see Example 20–7. For additional examples, see Example 20–3 and following.For example, on the enigma system, type the following entry into the ipsecinit.conf file:# LAN traffic to and from this host can bypass IPsec. {laddr 10.1.3.3 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip.tun0 negotiate tunnel} ipsec {encr_algs 3des encr_auth_algs md5 sa shared} On the partym system, type the following entry into the ipsecinit.conf file:# LAN traffic to and from this host can bypass IPsec. {laddr 10.1.3.3 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip.tun0 negotiate tunnel} ipsec {encr_algs 3des encr_auth_algs md5 sa shared} On each system, configure the tunnel, ip.tun0.Use the following ifconfig commands to create the point-to-point interface:# ifconfig ip.tun0 plumb # ifconfig ip.tun0 system1-point system2-point \ tsrc system1-taddr tdst system2-taddrFor example, on the enigma system, type the following commands:# ifconfig ip.tun0 plumb # ifconfig ip.tun0 10.16.16.6 10.1.3.3 \ tsrc 192.168.116.16 tdst 192.168.13.213 On the partym system, type the following commands:# ifconfig ip.tun0 plumb # ifconfig ip.tun0 10.1.3.3 10.16.16.6 \ tsrc 192.168.13.213 tdst 192.168.116.16 Protect the tunnel with the IPsec policy that you created.# ipsecconf Bring up the router for the tunnel.# ifconfig ip.tun0 router up On each system, turn on IP forwarding for the hme1 interface.# ifconfig hme1 routerIP forwarding means that packets that arrive from somewhere else can be forwarded. IP forwarding also means that packets that leave this interface might have originated somewhere else. To successfully forward a packet, both the receiving interface and the transmitting interface must have IP forwarding turned on.Because the hme1 interface is inside the intranet, IP forwarding must be turned on for hme1. Because ip.tun0 connects the two systems through the Internet, IP forwarding must be turned on for ip.tun0.The hme0 interface has its IP forwarding turned off to prevent an outside adversary from injecting packets into the protected intranet. The outside refers to the Internet. On each system, ensure that routing protocols do not advertise the default route within the intranet.# ifconfig hme0 privateEven if hme0 has IP forwarding turned off, a routing protocol implementation might still advertise the interface. For example, the in.routed protocol might still advertise that hme0 is available to forward packets to its peers inside the intranet. By setting the interface's private flag, these advertisements are prevented. Manually, add a default route over hme0.The default route should be a router with direct access to the Internet.# route add default router-on-hme0-subnetFor example, on the enigma system, add the following route:# route add default 192.168.116.4 On the partym system, add the following route:# route add default 192.168.13.5Even though the hme0 interface is not part of the intranet, hme0 does need to reach across the Internet to its peer system. To find its peer, hme0 needs information about Internet routing. The VPN system appears to be a host, rather than a router, to the rest of the Internet. Therefore, you can use a default router or run the router discovery protocol to find a peer system. For more information, see the route1M and in.routed1M man pages. Ensure that the VPN starts after a reboot by adding an entry to the /etc/hostname.ip.tun0 file.system1-point system2-point tsrc system1-taddr tdst system2-taddr router upFor example, on the enigma system, add the following entry to the hostname.ip.tun0 file:10.16.16.6 10.1.3.3 tsrc 192.168.116.16 tdst 192.168.13.213 router up On the partym system, add the following entry to the hostname.ip.tun0 file:10.1.3.3 10.16.16.6 tsrc 192.168.13.213 tdst 192.168.116.16 router up On each system, configure the interface files to pass the correct parameters to the routing daemon.On the enigma system, modify the /etc/hostname.interface files.# cat enigma hostname.hme0 10.16.16.6 private# cat enigma hostname.hme1 192.168.116.16 router On the partym system, modify the /etc/hostname.interface files.# cat partym hostname.hme0 10.1.3.3 private# cat partym hostname.hme1 192.168.13.213 router On each system, run a routing protocol.You might need to configure the routing protocol before enabling routing. For more information, see Routing Protocols in the Solaris OS. For a procedure, see How to Configure an IPv4 Router.# routeadm -e ipv4-routing # routeadm -u In this example, the administrator comments out the bypass policy that was configured in Step 4, thereby strengthening the protection. With this policy configuration, each system on the LAN must activate IPsec to communicate with the router.# LAN traffic must implement IPsec. # {laddr 10.1.3.3 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip.tun0 negotiate tunnel} ipsec {encr_algs 3des encr_auth_algs md5} The first rule protects telnet traffic on port 23 with Blowfish and Sha-1. The second rule protects SMTP traffic on port 25 with AES and MD5.{laddr 10.1.3.3 ulp tcp dport 23 dir both} ipsec {encr_algs blowfish encr_auth_algs sha1 sa unique} {laddr 10.1.3.3 ulp tcp dport 25 dir both} ipsec {encr_algs aes encr_auth_algs md5 sa unique} The following tunnel configuration protects all traffic from subnet 10.1.3.0/24 across the tunnel.{tunnel ip.tun0 negotiate tunnel laddr 10.1.3.0/24} ipsec {encr_algs aes encr_auth_algs md5 sa shared}The following tunnel configurations protect traffic from subnet 10.1.3.0/24 to different subnets across the tunnel. Subnets that begin with 10.2.x.x are across the tunnel.{tunnel ip.tun0 negotiate tunnel laddr 10.1.3.0/24 raddr 10.2.1.0/24} ipsec {encr_algs blowfish encr_auth_algs md5 sa shared}{tunnel ip.tun0 negotiate tunnel laddr 10.1.3.0/24 raddr 10.2.2.0/24} ipsec {encr_algs blowfish encr_auth_algs sha1 sa shared}{tunnel ip.tun0 negotiate tunnel laddr 10.1.3.0/24 raddr 10.2.3.0/24} ipsec {encr_algs aes encr_auth_algs sha1 sa shared} To set up a VPN on an IPv6 network, you follow the same steps as for an IPv4 network. However, the syntax of the commands is slightly different. For a fuller description of the reasons for running particular commands, see How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4.This procedure uses the following configuration parameters.Parameter Europe California System name enigma partym System intranet interface hme1 hme1 System Internet interface hme0 hme0 System intranet address 6000:6666::aaaa:1116 6000:3333::eeee:1113 System Internet address 2001::aaaa:6666:6666 2001::eeee:3333:3333 Name of Internet router router-E router-C Address of Internet router 2001::aaaa:0:4 2001::eeee:0:1 Tunnel name ip6.tun0 ip6.tun0 On the system console on one of the systems, assume the Primary Administrator role or become superuser.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Control the flow of packets before configuring IPsec.For the effects of these commands, see Step 2 in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4.Ensure that IP forwarding and IP dynamic routing are disabled.# routeadm Configuration Current Current Option Configuration System State -------------------------------------------------- … IPv6 forwarding disabled disabled IPv6 routing disabled disabledIf forwarding and routing are enabled, you can disable them by typing:# routeadm -d ipv6-forwarding -d ipv6-routing # routeadm -u Turn on IP strict destination multihoming.# ndd -set /dev/ip ip6_strict_dst_multihoming 1 Disable most network services, and possibly all network services.If your system was installed with the “limited” SMF profile, then you can skip this step. Network services, with the exception of Solaris Secure Shell, are disabled. The disabling of network services prevents IP packets from doing any harm to the system. For example, an SNMP daemon, a telnet connection, or an rlogin connection could be exploited.You have two options.Run the “limited” SMF profile.# netservices limited Or, individually disable network services.# svcadm disable network/ftp:default # svcadm disable network/finger:default # svcadm disable network/login:rlogin # svcadm disable network/nfs/server:default # svcadm disable network/rpc/rstat:default # svcadm disable network/smtp:sendmail # svcadm disable network/telnet:default # svcs | grep network online Aug_02 svc:/network/loopback:default … online Aug_09 svc:/network/ssh:default … On each system, add a pair of SAs between the two systems.Choose one of the following options.Configure IKE to manage the keys for the SAs. Use one of the procedures in Configuring IKE (Task Map) to configure IKE for the VPN. If you have an overriding reason to manually manage the keys, see How to Manually Create IPsec Security Associations. On each system, add IPsec policy.Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN.For example, on the enigma system, type the following entry into the ipsecinit.conf file:# IPv6 Neighbor Discovery messages bypass IPsec. {ulp ipv6-icmp type 133-137 dir both} pass {} # LAN traffic to and from this host can bypass IPsec. {laddr 6000:6666::aaaa:1116 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip6.tun0 negotiate tunnel} ipsec {encr_algs 3des encr_auth_algs md5 sa shared} On the partym system, type the following entry into the ipsecinit.conf file:# IPv6 Neighbor Discovery messages bypass IPsec. {ulp ipv6-icmp type 133-137 dir both} pass {} # LAN traffic to and from this host can bypass IPsec. {laddr 6000:3333::eeee:1113 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip6.tun0 negotiate tunnel} ipsec {encr_algs 3des encr_auth_algs md5 sa shared} On each system, configure a secure tunnel, ip6.tun0.For example, on the enigma system, type the following commands:# ifconfig ip6.tun0 inet6 plumb # ifconfig ip6.tun0 inet6 6000:6666::aaaa:1116 6000:3333::eeee:1113 \ tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 On the partym system, type the following commands:# ifconfig ip6.tun0 inet6 plumb # ifconfig ip6.tun0 inet6 6000:3333::eeee:1113 6000:6666::aaaa:1116 \ tsrc 2001::eeee:3333:3333 tdst 2001::aaaa:6666:6666 Protect the tunnel with the IPsec policy that you created.# ipsecconf Bring up the router for the tunnel.# ifconfig ip6.tun0 router up On each system, turn on IP forwarding for the hme1 interface. # ifconfig hme1 router On each system, ensure that routing protocols do not advertise the default route within the intranet.# ifconfig hme0 private Manually, add a default route over hme0.For example, on the enigma system, add the following route:# route add -inet6 default 2001::aaaa:0:4 On the partym system, add the following route:# route add -inet6 default 2001::eeee:0:1 Ensure that the VPN starts after a reboot by adding an entry to the /etc/hostname6.ip6.tun0 file. The entry replicates the parameters that were passed to the ifconfig command in Step 5.For example, on the enigma system, add the following entry to the hostname6.ip6.tun0 file:6000:6666::aaaa:1116 6000:3333::eeee:1113 \ tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 router up On the partym system, add the following entry to the hostname6.ip6.tun0 file:6000:3333::eeee:1113 6000:6666::aaaa:1116 \ tsrc 2001::eeee:3333:3333 tdst 2001::aaaa:6666:6666 router up On each system, configure the interface files to pass the correct parameters to the routing daemon.On the enigma system, modify the /etc/hostname6.interface files.# cat enigma hostname6.hme0 6000:6666::aaaa:1116 inet6 private# cat enigma hostname6.hme1 2001::aaaa:6666:6666 inet6 router On the partym system, modify the /etc/hostname6.interface files.# cat partym hostname6.hme0 6000:3333::eeee:1113 inet6 private# cat partym hostname6.hme1 2001::eeee:3333:3333 inet6 router On each system, run a routing protocol.# routeadm -e ipv6-routing # routeadm -u This procedure extends the procedure, How to Secure Traffic Between Two Systems With IPsec. In addition to connecting two systems, you are connecting two intranets that connect to these two systems. The systems in this procedure function as gateways.This procedure assumes the same setup as in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv6. On the system console on one of the systems, assume the Primary Administrator role or become superuser.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Control the flow of packets before configuring IPsec.Ensure that IP forwarding and IP dynamic routing are disabled.# routeadm Configuration Current Current Option Configuration System State -------------------------------------------------- IPv4 forwarding disabled disabled IPv4 routing default (enabled) enabled …If forwarding and routing are enabled, you can disable them by typing:# routeadm -d ipv4-routing -d ipv4-forwarding # routeadm -uTurning off IP forwarding prevents packets from being forwarded from one network to another network through this system. For a description of the routeadm command, see the routeadm1M man page. Turn on IP strict destination multihoming.# ndd -set /dev/ip ip_strict_dst_multihoming 1Turning on IP strict destination multihoming ensures that packets for one of the system's destination addresses arrive at the correct destination address.When you turn off IP forwarding and turn on IP strict destination multihoming, fewer packets flow all the way through the system. When strict destination multihoming is enabled, packets that arrive on a particular interface must be addressed to one of the local IP addresses of that interface. All other packets, even ones that are addressed to other local addresses of the system, are dropped. Disable most network services, and possibly all network services.If your system was installed with the “limited” SMF profile, then you can skip this step. Network services, with the exception of Solaris Secure Shell, are disabled. The disabling of network services prevents IP packets from doing any harm to the system. For example, an SNMP daemon, a telnet connection, or an rlogin connection could be exploited.You have two options.Run the “limited” SMF profile.# netservices limited Or, individually disable network services.# svcadm disable network/ftp:default # svcadm disable network/finger:default # svcadm disable network/login:rlogin # svcadm disable network/nfs/server:default # svcadm disable network/rpc/rstat:default # svcadm disable network/smtp:sendmail # svcadm disable network/telnet:default # svcs | grep network online Aug_02 svc:/network/loopback:default … online Aug_09 svc:/network/ssh:default … On each system, add a pair of SAs between the two systems.Choose one of the following options:Configure IKE to manage the keys for the SAs. Use one of the procedures in Configuring IKE (Task Map) to configure IKE for the VPN. If you have an overriding reason to manually manage the keys, see How to Manually Create IPsec Security Associations. On each system, add IPsec policy.Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN. To strengthen the policy, see Example 20–10.For example, on the enigma system, type the following entry into the ipsecinit.conf file:# LAN traffic to and from this host can bypass IPsec. {laddr 10.1.3.3 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip.tun0 negotiate transport} ipsec {encr_algs 3des encr_auth_algs md5 sa shared} On the partym system, type the following entry into the ipsecinit.conf file:# LAN traffic to and from this host can bypass IPsec. {laddr 10.1.3.3 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip.tun0 negotiate transport} ipsec {encr_algs 3des encr_auth_algs md5 sa shared} On each system, configure the tunnel, ip.tun0.Use the following ifconfig commands to create the point-to-point interface:# ifconfig ip.tun0 plumb # ifconfig ip.tun0 system1-point system2-point \ tsrc system1-taddr tdst system2-taddrFor example, on the enigma system, type the following commands:# ifconfig ip.tun0 plumb # ifconfig ip.tun0 10.16.16.6 10.1.3.3 \ tsrc 192.168.116.16 tdst 192.168.13.213 On the partym system, type the following commands:# ifconfig ip.tun0 plumb # ifconfig ip.tun0 10.1.3.3 10.16.16.6 \ tsrc 192.168.13.213 tdst 192.168.116.16 Protect the tunnel with the IPsec policy that you created.# ipsecconf Bring up the router for the tunnel.# ifconfig ip.tun0 router up On each system, turn on IP forwarding for the hme1 interface.# ifconfig hme1 routerIP forwarding means that packets that arrive from somewhere else can be forwarded. IP forwarding also means that packets that leave this interface might have originated somewhere else. To successfully forward a packet, both the receiving interface and the transmitting interface must have IP forwarding turned on.Because the hme1 interface is inside the intranet, IP forwarding must be turned on for hme1. Because ip.tun0 connects the two systems through the Internet, IP forwarding must be turned on for ip.tun0.The hme0 interface has its IP forwarding turned off to prevent an outside adversary from injecting packets into the protected intranet. The outside refers to the Internet. On each system, ensure that routing protocols do not advertise the default route within the intranet.# ifconfig hme0 privateEven if hme0 has IP forwarding turned off, a routing protocol implementation might still advertise the interface. For example, the in.routed protocol might still advertise that hme0 is available to forward packets to its peers inside the intranet. By setting the interface's private flag, these advertisements are prevented. Manually, add a default route over hme0.The default route should be a router with direct access to the Internet.# route add default router-on-hme0-subnetFor example, on the enigma system, add the following route:# route add default 192.168.116.4 On the partym system, add the following route:# route add default 192.168.13.5Even though the hme0 interface is not part of the intranet, hme0 does need to reach across the Internet to its peer system. To find its peer, hme0 needs information about Internet routing. The VPN system appears to be a host, rather than a router, to the rest of the Internet. Therefore, you can use a default router or run the router discovery protocol to find a peer system. For more information, see the route1M and in.routed1M man pages. Ensure that the VPN starts after a reboot by adding an entry to the /etc/hostname.ip.tun0 file.system1-point system2-point tsrc system1-taddr \ tdst system2-taddr encr_algs 3des encr_auth_algs md5 router upFor example, on the enigma system, add the following entry to the hostname.ip.tun0 file:10.16.16.6 10.1.3.3 tsrc 192.168.116.16 \ tdst 192.168.13.213 router up On the partym system, add the following entry to the hostname.ip.tun0 file:10.1.3.3 10.16.16.6 tsrc 192.168.13.213 \ tdst 192.168.116.16 router up On each system, configure the interface files to pass the correct parameters to the routing daemon.On the enigma system, modify the /etc/hostname.interface files.# cat enigma hostname.hme0 10.16.16.6 private# cat enigma hostname.hme1 192.168.116.16 router On the partym system, modify the /etc/hostname.interface files.# cat partym hostname.hme0 10.1.3.3 private# cat partym hostname.hme1 192.168.13.213 router On each system, run a routing protocol.You might need to configure the routing protocol before enabling routing. For more information, see Routing Protocols in the Solaris OS. For a procedure, see How to Configure an IPv4 Router.# routeadm -e ipv4-routing # routeadm -u In this example, the administrator comments out the bypass policy that was configured in Step 4, thereby strengthening the protection. With this policy configuration, each system on the LAN must activate IPsec to communicate with the router.# LAN traffic must implement IPsec. # {laddr 10.1.3.3 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip.tun0 negotiate transport} ipsec {encr_algs 3des encr_auth_algs md5} In this example, administrator is connecting a Solaris Express system with a system that is running the Solaris 10 release. Therefore, the administrator uses Solaris 10 syntax in the configuration file, and includes the IPsec algorithms in the ifconfig command.In Step 4, the syntax is the following:# LAN traffic to and from this address can bypass IPsec. {laddr 10.1.3.3 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {} ipsec {encr_algs 3des encr_auth_algs md5} For Step 5 to Step 7, the syntax is the following:# ifconfig ip.tun0 plumb # ifconfig ip.tun0 10.16.16.6 10.1.3.3 \ tsrc 192.168.116.16 tdst 192.168.13.213 \ encr_algs 3des encr_auth_algs md5 # ifconfig ip.tun0 router up# ifconfig ip.tun0 plumb # ifconfig ip.tun0 10.16.16.6 10.1.3.3 \ tsrc 192.168.116.16 tdst 192.168.13.213 \ encr_algs 3des encr_auth_algs md5The IPsec policy that is passed to the ifconfig commands must be the same as the IPsec policy in the ipsecinit.conf file. Upon reboot, each system reads the ipsecinit.conf file for its policy. In Step 11, the syntax is the following:10.16.16.6 10.1.3.3 tsrc 192.168.116.16 \ tdst 192.168.13.213 encr_algs 3des encr_auth_algs md5 router up To set up a VPN on an IPv6 network, you follow the same steps as for an IPv4 network. However, the syntax of the commands is slightly different. For a fuller description of the reasons for running particular commands, see How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4.This procedure uses the following configuration parameters.Parameter Europe California System name enigma partym System intranet interface hme1 hme1 System Internet interface hme0 hme0 System intranet address 6000:6666::aaaa:1116 6000:3333::eeee:1113 System Internet address 2001::aaaa:6666:6666 2001::eeee:3333:3333 Name of Internet router router-E router-C Address of Internet router 2001::aaaa:0:4 2001::eeee:0:1 Tunnel name ip6.tun0 ip6.tun0 On the system console on one of the systems, assume the Primary Administrator role or become superuser.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Control the flow of packets before configuring IPsec.For the effects of these commands, see Step 2 in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4.Ensure that IP forwarding and IP dynamic routing are disabled.# routeadm Configuration Current Current Option Configuration System State -------------------------------------------------- … IPv6 forwarding disabled disabled IPv6 routing disabled disabledIf forwarding and routing are enabled, you can disable them by typing:# routeadm -d ipv6-forwarding -d ipv6-routing # routeadm -u Turn on IP strict destination multihoming.# ndd -set /dev/ip ip6_strict_dst_multihoming 1 Disable most network services, and possibly all network services.If your system was installed with the “limited” SMF profile, then you can skip this step. Network services, with the exception of Solaris Secure Shell, are disabled. The disabling of network services prevents IP packets from doing any harm to the system. For example, an SNMP daemon, a telnet connection, or an rlogin connection could be exploited.You have two options.Run the “limited” SMF profile.# netservices limited Or, individually disable network services.# svcadm disable network/ftp:default # svcadm disable network/finger:default # svcadm disable network/login:rlogin # svcadm disable network/nfs/server:default # svcadm disable network/rpc/rstat:default # svcadm disable network/smtp:sendmail # svcadm disable network/telnet:default # svcs | grep network online Aug_02 svc:/network/loopback:default … online Aug_09 svc:/network/ssh:default … On each system, add a pair of SAs between the two systems.Choose one of the following options.Configure IKE to manage the keys for the SAs. Use one of the procedures in Configuring IKE (Task Map) to configure IKE for the VPN. If you have an overriding reason to manually manage the keys, see How to Manually Create IPsec Security Associations. On each system, add IPsec policy.Edit the /etc/inet/ipsecinit.conf file to add the IPsec policy for the VPN.For example, on the enigma system, type the following entry into the ipsecinit.conf file:# IPv6 Neighbor Discovery messages bypass IPsec. {ulp ipv6-icmp type 133-137 dir both} pass {} # LAN traffic can bypass IPsec. {laddr 6000:6666::aaaa:1116 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip6.tun0 negotiate transport} ipsec {encr_algs 3des encr_auth_algs md5} On the partym system, type the following entry into the ipsecinit.conf file:# IPv6 Neighbor Discovery messages bypass IPsec. {ulp ipv6-icmp type 133-137 dir both} pass {} # LAN traffic can bypass IPsec. {laddr 6000:3333::eeee:1113 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {tunnel ip6.tun0 negotiate transport} ipsec {encr_algs 3des encr_auth_algs md5} On each system, configure a secure tunnel, ip6.tun0.For example, on the enigma system, type the following commands:# ifconfig ip6.tun0 inet6 plumb # ifconfig ip6.tun0 inet6 6000:6666::aaaa:1116 6000:3333::eeee:1113 \ tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 On the partym system, type the following commands:# ifconfig ip6.tun0 inet6 plumb # ifconfig ip6.tun0 inet6 6000:3333::eeee:1113 6000:6666::aaaa:1116 \ tsrc 2001::eeee:3333:3333 tdst 2001::aaaa:6666:6666 On each system, turn on IP forwarding for the hme1 interface. # ifconfig hme1 router On each system, ensure that routing protocols do not advertise the default route within the intranet.# ifconfig hme0 private Manually, add a default route over hme0.For example, on the enigma system, add the following route:# route add -inet6 default 2001::aaaa:0:4 On the partym system, add the following route:# route add -inet6 default 2001::eeee:0:1 Ensure that the VPN starts after a reboot by adding an entry to the /etc/hostname6.ip6.tun0 file. The entry replicates the parameters that were passed to the ifconfig command in Step 5.For example, on the enigma system, add the following entry to the hostname6.ip6.tun0 file:6000:6666::aaaa:1116 6000:3333::eeee:1113 \ tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 router up On the partym system, add the following entry to the hostname6.ip6.tun0 file:6000:3333::eeee:1113 6000:6666::aaaa:1116 \ tsrc 2001::eeee:3333:3333 tdst 2001::aaaa:6666:6666 router up On each system, configure the interface files to pass the correct parameters to the routing daemon.On the enigma system, modify the /etc/hostname6.interface files.# cat enigma hostname6.hme0 6000:6666::aaaa:1116 inet6 private# cat enigma hostname6.hme1 2001::aaaa:6666:6666 inet6 router On the partym system, modify the /etc/hostname6.interface files.# cat partym hostname6.hme0 6000:3333::eeee:1113 inet6 private# cat partym hostname6.hme1 2001::eeee:3333:3333 inet6 router On each system, run a routing protocol.# routeadm -e ipv6-routing # routeadm -u In this example, administrator is connecting a Solaris Express system with a system that is running the Solaris 10 release. Therefore, the administrator uses Solaris 10 syntax in the configuration file, and includes the IPsec algorithms in the ifconfig command. The steps are performed in the same order, but uses the Solaris 10 syntax.In Step 4, the syntax is the following:# IPv6 Neighbor Discovery messages bypass IPsec. {ulp ipv6-icmp type 133-137 dir both} pass {} # LAN traffic can bypass IPsec. {laddr 6000:3333::eeee:1113 dir both} bypass {} # WAN traffic uses ESP with 3DES and MD5. {} ipsec {encr_algs 3des encr_auth_algs md5} For Step 5 to Step 7, the syntax is the following:# ifconfig ip6.tun0 inet6 plumb # ifconfig ip6.tun0 inet6 6000:6666::aaaa:1116 6000:3333::eeee:1113 \ tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 \ encr_algs 3des encr_auth_algs md5 # ifconfig ip6.tun0 inet6 router upThe IPsec policy that is passed to the ifconfig commands must be the same as the IPsec policy in the ipsecinit.conf file. Upon reboot, each system reads the ipsecinit.conf file for its policy. In Step 9, the syntax is the following:6000:6666::aaaa:1116 6000:3333::eeee:1113 \ tsrc 2001::aaaa:6666:6666 tdst 2001::eeee:3333:3333 \ encr_algs 3des encr_auth_algs md5 router up