In this section, we will provide procedure of IPSEC in ahost-host transport mode, and IPsec keys can be implemented as manual keys, asshared keys, or with certificates. Manual keys are explicitly exchanged and areprone to security problems. Both shared keys and certificates are managed usingthe IPsec Key Exchange protocol, which will automatically exchange keys, changingthem randomly to avoid detection. Each type of key configuration can docommunication for Linux-Linux, Solaris-Solaris or Linux-Solaris.
1 IPSec Tools
1.1 Linux IPSec tool
We will use IPsec-Tools to doconfiguration, IPsec-Tools is a port of KAME's IPsec utilities to the Linux-2.6IPsec implementation, RedHat Linux has integrate this tools.
Each tools in this tool kit are listed inthe following:
libipsec
Library with PF_KEY implementation
Tool to manipulate and dump the kernelSecurity Policy Database (SPD) and Security Association Database (SAD)
InternetKey Exchange (IKE) daemon for automatically keying IPsec connections
A shell-based control tool for raccoon
Formore detail about IPsec-Tools, you can access IPsec-Tools webs itehttp://ipsec-tools.sourceforge.net/ to get more information.
Someuseful commands about setkey to be used frequently:
Ø setkey–f <file name> //for example,file is /etc/setkey.conf
Theformat of setkey.conf can be in the following format,
add[-46n] src dst protocol spi [extensions] algorithm ... ;
get [-46n] src dst protocol spi ;
delete[-46n] src dst protocol spi ;
spdadd [-46n] src_range dst_range upperspec label policy ;
spddelete [-46n] src_range dst_range upperspec -P direction ;
So you can add/delete/display entries by this command
Ø setkey–D //dumpthe SAD entries
Ø setkey–DP //dumpthe SPD entries
Ø setkey–F //flush the SAD entries
Ø setkey–FP //flush the SPD entries
Note:“setkey –F” and “setkey –FP” can be used as disable IPSec command, if you don'twant to remove all entries id SAD and SPD, you can use command “setkey –f<file name>”
Somecommands about IKE configuration
Ø killall racoon //stop IKE dameon
Ø racoon -f/etc/racoon/racoon.conf -v -ddd -l /etc/racoon/racoon.log
//start IKE dameon, /etc/racoon/racoon.conf is the configurationfile, “-v -ddd -l /etc/racoon/racoon.log” will dump more logs and write tologfile, it may be not used.
Ø racoonctl // racoon administrative control tool, it canbe use to change raccoon log level, show sa, flush sa and so on.
1.2 Solaris IPSec tool
Wewill use tools integrated on Solaris, in this section, we will use Solaris 10,the procedure maybe has some difference with other Solaris version.
ipsecconf
IPsec policy command. It is used to view and modify the current IPsec policy, andfor testing. In releases prior to the Solaris 10 4/09 release, the boot scriptsuse ipsecconf to read the /etc/inet/ipsecinit.conf file and activate IPsec. Inthe current release, ipsecconf is used by the SMF policy service to configureIPsec policy at system boot.
ipseckey
command IPsec SAs keying command. ipseckeyis a command-line front end to the PF_KEY interface. ipseckey can create,destroy, or modify SAs.
in.iked
daemon for the Internet Key Exchange (IKE), performs automatedkey management for IPsec using the Internet Key Exchange (IKE) protocol.
For more detail about these tools, you can access SUN officialwebsite to get more document about IPSEC.
Some useful commands to be used always,
Ø ipsecconf –a <filename> //add the IPsec policy to thesystem as specified by each entry in the file. An IPsec configuration filecontains one or more entries that specify the configuration. Once the policy isadded, all outbound and inbound datagrams are subject to policy checks.
Ø ipsecconf –f // Flush all the policies in the system
Ø ipsecconf –d index //Delete the host policy denoted by the index
Ø ipsecconf –L // Lists all policy tables
Ø ipseckey –f <filename>//read commands from an input file, the command in file can beadd/update/delete/get SA
Ø ipseckey flush // Remove all SA for all types
Ø pkill in.iked //stop IKE dameon
Ø /usr/lib/inet/in.iked //start IKE dameon
Ø ikeadm //set debug level, add new policy, newpreshare key …
Note: “ipsecconf–f” can be used as disable IPSec to all hosts, or “ipsecconf –d index” can beused as disable one IPSec to one host.
If you wantto distable Ipsec for running process, after running “ipsecconf –f” or “ipsecconf–d index”, you still need re-start it, in DGS, you need restart DGDIAM processto disable IPSEC for DGDIAM. Otherwise,the communication between DGS and HCFare still under Ipsec policy.
2 Manual key configuration onLinux
Suppose Linux IP address is 192.168.0.1;another host is 192.168.0.2, it can be Linux or Solaris.
For manual key exchange protocol, don’tneed use IKE, as the key is manually supplied, so racoon don't need to start.Procedure is as the following:
- Configure /etc/setkey.conf, ifthe file is not existed, just create one new file, the contents can be similaras below:
#!/usr/sbin/setkey -f
# AH SAs using 128 bit longkeys
add 192.168.0.1 192.168.0.2 ah0x301 -A hmac-sha1
0xe786f8df7f77d6cab36c94cdf293f013;
add 192.168.0.2 192.168.0.1 ah0x201 -A hmac-sha1
0xe896f8df7f78d6cab36c94ccf293f031;
# ESP SAs using 192 bit longkeys (168 + 24 parity)
add 192.168.0.1 192.168.0.2esp 0x301 -E 3des-cbc
0xd31db64470271826a8e7a80d343cc5aae9e2a7f05f137323;
add 192.168.0.2 192.168.0.1 esp0x201 -E 3des-cbc
0xd41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d;
# Security policies
spdadd 192.168.0.1[3868] 192.168.0.2[3868] any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.0.2[3868] 192.168.0.1[3868]any -P in ipsec
esp/transport//require
ah/transport//require;
Note:the corresponding spi, algorithm and SAD key in 192.168.0.2 should besame; the src/dst of the securecommunication can be specified port number, if don’t need specify port number, youcan just remove it and the square brackets. In above configuration example, itwill enable IPSEC for the connection between port 3868 of 192.168.0.1 and port3868 of 192.168.0.2, if you want to enable IPSEC for the connection between anyport of 192.168.0.1 and port 3868 of 192.168.0.2, you can remove port numberand square brackets nearby 192.168.0.1, vice versa.
- Run command
> setkey –F //this is not necessary, it will flush the SAD entries
> setkey –FP //this is not necessary, it will flush the SPD entries
> setkey –f/etc/setkey.conf
If we want toenable IPSEC for running process after Ipsec configurate,we need re-start processto make Ipsec take effect, for example, in DGS, after Ipsec configuration is done,we need restart DGDIAM to enable Ipsec for it.
3 Manual key configuration onSolaris
Suppose Solaris IP address is 192.168.0.2;another host is 192.168.0.1, it can be Linux or Solaris.
For manual key exchange protocol, don’tneed use IKE, as the key is manually supplied, so in.iked don't need to start.Procedure is as the following:
- Configure /etc/inet/ipsecinit.conf, if the file is not existed, copy from ipsecinit.sample, thecontent can be as below:
{lport 3868 raddr 192.168.0.1 rport 3868}
ipsec{ auth_algs sha1 encr_algs 3desencr_auth_algs sha1 sa shared}
Note: 1. we could also usehostname, to replace IP address in this file.
2. if you don’t need specify the portnumber, just remove it lport is thelocal port, rport is the other host (192.168.0.1) port, In above configurationexample, it will enable IPSEC for the connection between port 3868 of 192.168.0.1and port 3868 of 192.168.0.2, if you want to enable IPSEC for the connectionbetween any port of 192.168.0.1 and port 3868 of 192.168.0.2, you can remove “rport3868”, vice versa.
- Configure /etc/inet/secret/ipseckeys,if the file is not existed, copy from ipseckeys.sample, the content can be asbelow:
add ah spi 0x301 src 192.168.0.1 dst 192.168.0.2 \
auth_alg md5 \
authkey e786f8df7f77d6cab36c94cdf293f013
add esp spi 0x301 src 192.168.0.1 dst 192.168.0.2 \
encr_alg 3des \
encrkey d31db64470271826a8e7a80d343cc5aae9e2a7f05f137323
add ah spi 0x201 src 192.168.0.2 dst 192.168.0.1 \
auth_alg md5 \
authkey e896f8df7f78d6cab36c94ccf293f031
add esp spi 0x201 src 192.168.0.2 dst 192.168.0.1 \
encr_alg 3des \
encrkey d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d
Note: Make sure the key for ah and esp on the pair of two nodes configuratedIpsec are same.
- Run command below
> ipsecconf -f //this command is not necessary, itwill remove policies
> ipsecconf -a/etc/inet/ipsecinit.conf
> ipseckeyflush // this command is not necessary,it will remove all SAs
> ipseckey -f /etc/inet/secret/ipseckeys
If we want toenable IPSEC for running process after Ipsec configurate,we need re-start processto make Ipsec take effect, for example, in DGS, after Ipsec configuration isdone, we need restart DGDIAM to enable Ipsec for it.
4 Preshared key configuration onLinux
Suppose Linux IP address is 192.168.0.1; anotherhost is 192.168.0.2, it can be Linux or Solaris.
Procedure is as the following:
- Configure /etc/setkey.conf, ifthe file is not existed, just create one new file, the contents can be similaras below:
#!/usr/sbin/setkey -f
# Security policies
spdadd 192.168.0.1[3868] 192.168.0.2 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.0.2 192.168.0.1[3868]any –P in ipsec
esp/transport//require
ah/transport//require;
- Configure /etc/racoon/racoon.conf,the contents can be similar as below:
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the formatand entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous
{
exchange_mode main;
doiipsec_doi;
situationidentity_only;
my_identifier address;
#lifetimetime 2 min; # sec,min,hour
initial_contact on;
proposal_check obey; # obey, strict or claim
proposal{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
remote 192.168.0.2
{
exchange_modemain;
doiipsec_doi;
situationidentity_only;
my_identifier address;
#lifetimetime 2 min; # sec,min,hour
initial_contact on;
proposal_check obey; # obey, strict or claim
proposal{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_methodpre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 5;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
Note: 1, lifetimeshould be same at both server, on linux the default value is 28800 seconds, itcan set other values by line “#lifetime time 2 min; # sec,min,hour” under “remote192.168.0.2”
2, the corresponding algorithm, dh_groupand pfs_group in the other host should be same,if the other host is Solaris, notice that, dh_groupshould be same as oakley_group in p1_xform, pfs_groupshould be same as p2_pfs.
- Edit /etc/racoon/psk.txt, addbelow line:
192.168.0.2 abcdefghijklmn1234567890
Note: 1, "abcdefghijklmn1234567890" is thepreshared key, the key length should not be too short.
2, authentication_algorithm should be the sameas another lab, such as encr_auth_algs of Solaris and authentication_algorithmof Linux
- Run command below:
> setkey –F //this is not necessary, it will flush the SAD entries
> setkey –FP //this is not necessary, it will flush the SPD entries
> setkey –f/etc/setkey.conf
> killallracoon
> racoon -f/etc/racoon/racoon.conf //if need debuginfo, add -v -ddd -l /etc/racoon/racoon.log
If we want toenable IPSEC for running process after Ipsec configurate,we need re-start processto make Ipsec take effect, for example, in DGS, after Ipsec configuration isdone, we need restart DGDIAM to enable Ipsec for it.
5 Preshared key configuration onSolaris
Suppose Solaris IP address is 192.168.0.2;another host is 192.168.0.1, it can be Linux or Solaris.
Procedure is as the following:
- Configure /etc/inet/ipsecinit.conf,if the file is not existed, copy from ipsecinit.sample, the content can be asbelow:
{ raddr 192.168.0.1 rport 3868 }
ipsec{ auth_algs sha1 encr_algs 3des encr_auth_algs sha1sa shared}
Note: If you don’t specify encr_auth_algs, Ipsec would use default value; ifyou specify encr_auth_algs, make sure the value are same on the two nodes.
- Configure /etc/inet/ike/config,if the file is not existed, copy from config.sample, the content can be asbelow:
## Phase 1 transform defaults...
p1_lifetime_secs 28800
p1_nonce_len 20
## Parameters that may also show up in rules.
p1_xform { auth_method presharedoakley_group 2 auth_alg sha1 encr_alg 3des }
p2_pfs 5
{
label "host1-host2"
local_addr 192.168.0.2
remote_addr 192.168.0.1
p1_xform { auth_method preshared oakley_group 2 auth_alg sha1 encr_alg 3des }
p2_pfs 5
}
Note: 1, lifetime should be same at both server, onlinux the default value is 28800 seconds, it can set other values on linux, fordetail, you can refer to the section before this section
2, the corresponding algorithm, oakley_groupand p2_pfs in the other host should be same, ifthe other host is Linux, notice that, oakley _groupshould be same as dh _group, p2_pfs should be same as pfs_groupand AH and ESP algorithm should be same in /etc/inet/ike/config and /etc/inet/ipsecinit.conf
- Edit /etc/inet/secret/ike.preshared,add below contents,
{ localidtype IP
localid 192.168.0.2
remoteidtype IP
remoteid 192.168.0.1
key 6162636465666768696a6b6c6d6e31323334353637383930
}
Note: Make sure the key is thesame between the two nodes. But the preshared key on Solaris and Linux is indifferent format, which is hexadecimal on Solaris and ASCII on Linux. So ifcustomer would like Ipsec configuratation between Linux and Solaris, we needtransformate the key, command can as below:
Ø /bin/echo “abcdefghijklmn1234567890\c” | od -tx1 | cut -c 8-55 | tr -d ‘\n’| tr -d ‘ ‘ | awk ‘{print}’
- Run command as below:
> ipsecconf –f //this command is not necessary, itwill remove policies
> ipsecconf –a/etc/inet/ipsecinit.conf
> ipseckeyflush // this command is not necessary,it will remove all SAs
> pkill in.iked //stop IKEdameon
> /usr/lib/inet/in.iked //startIKE dameon
If we want to enable IPSEC for running process after Ipsec configurate,weneed re-start process to make Ipsec take effect, for example, in DGS, afterIpsec configuration is done, we need restart DGDIAM to enable Ipsec for it.
6 X.509 Certificatesconfiguration on Linux
Racoon supports the usage of X.509 certificatesfor the authentication process. These certificates may be checked against acertificate authority (CA).
Suppose Linux IP address is 192.168.0.1;another host is 192.168.0.2, it can be Linux or Solaris.
One easy way to create X.509 certificateson Linux is the openssl command and the auxiliary tools. In this procedure, weuse openssl-0.9.8k, you may need install it at first, more detail aboutopenssl, you can access its official website (http://www.openssl.org/).
Generate X.509 certificates by OpenSSL procedureis as below:
- Create yourcertificate authority first
Weassumption openssl is installed on $OPENSSL_HOME, OpenSSL files are under$OPENSSL_HOME/ssl, current path is $CUR_PATH
1,generate CA private key
> $OPENSSL_HOME/bin/opensslgenrsa -out ca.key 1024
2,generate self-signed CA certificate
> $OPENSSL_HOME/bin/openssl req -new -x509-key ca.key -out ca.crt
the output is as the following:
You are about to be asked to enterinformation that will be incorporated
into your certificate request.
What you are about to enter is whatis called a Distinguished Name or a DN.
There are quite a few fields but youcan leave some blank
For some fields there will be adefault value,
If you enter '.', the field will beleft blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name)[Some-State]:
Locality Name (eg, city) []:QD
Organization Name (eg, company)[Internet Widgits Pty Ltd]:
Organizational Unit Name (eg,section) []:
Common Name (eg, YOUR name) []:
Email Address []:
3,setup the CA certificate
>$OPENSSL_HOME/ssl/misc/CA.pl –newca
Note:when prompt “CA certificate filename (or enter to create)”,please enter the ca.crt generated just now
4,create serial
> echo "01" >> demoCA/serial
- Create acertificate signing request and sign it
1,generate private key
> $OPENSSL_HOME/bin/opensslgenrsa -out client.key 1024
2,generate cert signing request (Common Name is the mandotary attribute thatneeded to input, and the Country Name should be the same as root CA)
>$OPENSSL_HOME/bin/openssl req -new -key client.key -out client.csr
[root@qddgs08 bin]# ./openssl req -new -key dg.key -out dg.csr
You are about to be asked to enter information that will beincorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Nameor a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:135.252.129.224
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
3,sign certificate request,generate certificate
>$OPENSSL_HOME/bin/openssl ca -in client.csr -out client.crt -certca.crt -keyfile ca.key
[root@qddgs08 bin]#./openssl ca -in dg.csr -out dg.crt -cert ca.crt -keyfile ca.key
Using configuration from /export/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1(0x1)
Validity
Not Before: Oct15 08:09:54 2009 GMT
Not After : Oct15 08:09:54 2010 GMT
Subject:
countryName = AU
stateOrProvinceName =Some-State
organizationName =Internet Widgits Pty Ltd
commonName = 135.252.129.224
X509v3 extensions:
X509v3 BasicConstraints:
CA:FALSE
NetscapeComment:
OpenSSLGenerated Certificate
X509v3 SubjectKey Identifier:
EB:FB:73:BE:C2:DC:12:EA:92:25:1F:F7:EF:AA:E3:37:EA:73:35:EB
X509v3 AuthorityKey Identifier:
keyid:B0:7D:1B:9B:78:D3:43:75:1C:AD:56:D0:DA:C9:6F:6F:5B:6B:1E:8C
Certificate is to be certified until Oct 15 08:09:54 2010 GMT (365days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
client.crt, client.key and ca.crt will beused in IPSec configuration.
After X.509 certificate is generated, let’sdo IPSec configuration, Suppose LinuxIP address is 192.168.0.1; another host is 192.168.0.2, it can be Linux orSolaris. The procedure is as the following:
- Configure /etc/setkey.conf, ifthe file is not existed, just create one new file, the contents can be similaras below:
#!/usr/sbin/setkey -f
# Security policies
spdadd 192.168.0.1[3868] 192.168.0.2 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.0.2 192.168.0.1[3868]any -P in ipsec
esp/transport//require
ah/transport//require;
- Copy client.crt and client.keyto /etc/racoon/certs
- Configure /etc/racoon/racoon.conf,the contents can be similar as below:
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the formatand entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous
{
exchange_mode main;
doiipsec_doi;
situationidentity_only;
my_identifier address;
#lifetimetime 2 min; # sec,min,hour
initial_contacton;
proposal_check obey; # obey, strict or claim
proposal{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
remote 192.168.0.2
{
exchange_modemain;
#lifetimetime 2 min; # sec,min,hour
certificate_type x509 "client.crt" "client.key";
verify_cert on;
my_identifier asn1dn;
peers_identifier asn1dn;
proposal{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 5;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
Note: 1, lifetime should be same at bothserver, on linux the default value is 28800 seconds, it can set other values byline “#lifetime time 2 min; # sec,min,hour” under “remote 192.168.0.2”
2, if the certificate of the peer is to bechecked against a certificate authority (verify_cert on; is the default), weneed copy ca.crt to /etc/racoon/certs, and for racoon to find the certificate,it has to be renamed or linked using the hashed name, do command as thefollowing
> openssl x509 -noout -hash < ca.crt //will display one hash code, such as 0ccad1dd
>ln –s ca.crt 0ccad1dd.0
3, authentication_algorithmshould be the same as another lab, such as encr_auth_algs of Solaris andauthentication_algorithm of Linux
- Run command below:
> setkey -F //this is not necessary, it will flush the SAD entries
> setkey -FP //this is not necessary, it will flush the SPD entries
> setkey -f/etc/setkey.conf
> killallracoon
> racoon -f/etc/racoon/racoon.conf //if need debuginfo, add -v -ddd -l /etc/racoon/racoon.log
Useful command to list CA info on Linux:
>openssl x509 -in dg.crt -noout -text
7 X.509 Certificatesconfiguration on Solaris
On Solaris, ikecert tool can be used tomanipulate the machine's on-filesystem public-key certificate databases. Wewill use it to generate certificate request, and we will use openssl on Linuxto sign the request, last section can be referred.
Suppose Solaris IP address is 192.168.0.2;another host is 192.168.0.1, it can be Linux or Solaris.
- Create X.509 certificaterequest
> ikecert certlocal -kc -m 1024 -t rsa-sha1-D "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=192.168.0.2"-A "DN=C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=192.168.0.2"
The certificate request will be displayedas below:
-----BEGIN CERTIFICATE REQUEST-----
MIICLjCCAZcCAQAwXjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMOMTM1
LjI1Mi4zNi4yMTYwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN9Zw0pUc73D
aGW3zWMJ0B1e8svm7bFwz8ZRl67VqTQtwm4VSSSraPaTWULArCl/EaCnlBbpAU76
lS8Sk/B3/VqLzQqzXaybHtB5nJjedw0fs4PuSjFWwow5osg9O+8hqO+/BRYc9FD5
Wp5Y89FzYaXFZYKhQPpt6gKCaxwQb1rhAgMBAAGggY8wgYwGCSqGSIb3DQEJDjF/
MH0wDgYDVR0PAQH/BAQDAgWgMGsGA1UdEQRkMGKkYDBeMQswCQYDVQQGEwJBVTET
MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMRcwFQYDVQQDEw4xMzUuMjUyLjM2LjIxNjANBgkqhkiG9w0BAQUFAAOB
gQAGwPRSLsOVxb4bxOp3EpUUEm9kYGy16oIWhc6W/hGi49wMhVfQXk7N8VecBjpz
f086jgR8WGt9B5MSuonWqaUuMs9Y/6pqPRyY/F0BRmLd0YQG7Fn9JlPIf6pu3jed
Fgq/7p0z/4RTyM0SWKAxq6xIwT32znhqJ2/2jMC8aPLNdA==
-----END CERTIFICATE REQUEST-----
Note: the country name (AU) should be same as CA create by openssl, as wewill need use openssl to sign this request.
Note: on linux openssl, defaultmessage digest algorithm is sha1, weshould use rsa-sha1 here
- On Linux lab, create host2.csr,and copy the certificate request in it
- Sign the certificate usingopenssl on Linux, refer to the section before this section
> $OPENSSL_HOME/bin/openssl ca -in host2.csr -out host2.crt -cert ca.crt-keyfile ca.key
- Display host2.crt, you can seethe certifacte as below:
-----BEGIN CERTIFICATE-----
MIICrjCCAhegAwIBAgICASAwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCQVUx
EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
UHR5IEx0ZDEXMBUGA1UEAxMOMTM1LjI1Mi4zMi4xMjkwHhcNMDkwOTIzMDc1MzUw
WhcNMTAwOTIzMDc1MzUwWjBeMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1T
dGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRcwFQYDVQQD
Ew4xMzUuMjUyLjM2LjIxNjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA31nD
SlRzvcNoZbfNYwnQHV7yy+btsXDPxlGXrtWpNC3CbhVJJKto9pNZQsCsKX8RoKeU
FukBTvqVLxKT8Hf9WovNCrNdrJse0HmcmN53DR+zg+5KMVbCjDmiyD077yGo778F
Fhz0UPlanljz0XNhpcVlgqFA+m3qAoJrHBBvWuECAwEAAaN7MHkwCQYDVR0TBAIw
ADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUw
HQYDVR0OBBYEFLoBibZCWLg0MsaH4a9e2VdKJfcOMB8GA1UdIwQYMBaAFA3rDs2o
UKrCTuG/Ifp4ggbKyU4uMA0GCSqGSIb3DQEBBQUAA4GBAGqbhJRavGDl/Isld7wp
TBhbY0WBCLIZehNzfqReYNht681QyCFEC4APZWs9tWP50VK5vgCabWkJgsoUv4Rl
v/gHrAgDmkZPW2FtJme/EgDOz+iry+u0SEqW8yxxq9aUwpzc1E6eLsIAghwoUatj
cCcdYETDnMyXyZ1o92mMPuMI
-----END CERTIFICATE-----
- Add host2.crt certicate to IKEcertificate database on Solaris 192.168.0.2
> ikecertcertdb -a
Note: copy thecertificate displayed above, then press return, and press (CRTL+D)
- Add ca.crt certicate to IKEcertificate database
> ikecertcertdb –a
Note: copy theroot CA(ca.crt), then press return, and press (CRTL+D)
You could checkwhether the two CA is added to DB by the command below:
> ikecertcertdb -l
Certificate Slot Name: 0 Key Type: rsa
(Private key in certlocal slot 0)
Subject Name: <C=AU, ST=Some-State,O=Internet Widgits Pty Ltd, CN=192.168.0.2>
Key Size: 1024
Public key hash:9CFACB7FB0A06286ACA5077A2F603062
Certificate Slot Name: 1 Key Type: rsa
Subject Name: <C=AU, ST=Some-State,O=Internet Widgits Pty Ltd>
Key Size: 1024
Public key hash:0842E90D3D3BCEEC454A64AA9491CB86
- Configure /etc/inet/ipsecinit.conf,if the file is not existed, copy from ipsecinit.sample, the content can be asbelow:
{ raddr 192.168.0.1 rport 3868 }
ipsec{ auth_algs sha1 encr_algs 3des encr_auth_algs sha1sa shared}
Note: If you don’tspecify encr_auth_algs, Ipsec would use default value; if you specifyencr_auth_algs, make sure the value are same on the two nodes
- Configure /etc/inet/ike/config,if the file is not existed, copy from config.sample, the content can be asbelow:
## Phase 1 transform defaults...
# Root certificates. I SHOULD use a full Distinguished Name.
# I MUST have this certificate in my local filesystem,see ikecert(1m).
cert_root "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd”
# If you wish to ignore CRLs, uncomment this:
ignore_crls
p1_lifetime_secs 28800
p1_nonce_len 20
## Parameters that may also show up in rules.
p1_xform { auth_method presharedoakley_group 2 auth_alg sha1 encr_alg 3des }
p2_pfs 5
{
label "host1-host2"
local_id_type dn
local_id "C=AU, ST=Some-State,O=Internet Widgits Pty Ltd, CN=192.168.0.2"
remote_id "C=AU, ST=Some-State,O=Internet Widgits Pty Ltd, CN=192.168.0.1"
local_addr 192.168.0.2
remote_addr 192.168.0.1
p1_xform
{auth_method rsa_sig oakley_group 2 auth_alg sha1 encr_alg 3des}
p2_pfs 5
}
Note: 1, lifetime should be same at both server, on linux the default value is28800 seconds, it can set other values on linux, for detail, you can refer tothe section before this section
2, you can use “ikecert certdb –l” to list certificates in the IKEcertificate databases, and fill local_id and remote_id with the correct value. local_id is the Subject Name in the local certification DB,and the remote_id is the Subject Name in remote certification DB, see below:
On the local node:
> ikecert certdb-l
Certificate SlotName: 0 Key Type: rsa
(Private key in certlocal slot 0)
Subject Name: <C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=192.168.0.2>
Key Size: 1024
Public key hash:9CFACB7FB0A06286ACA5077A2F603062
Certificate SlotName: 1 Key Type: rsa
Subject Name: <C=AU, ST=Some-State,O=Internet Widgits Pty Ltd>
Key Size: 1024
Public key hash:0842E90D3D3BCEEC454A64AA9491CB86
On the remote Nodeif it is also Solaris:
>ikecert certdb -l
Certificate SlotName: 0 Key Type: rsa
(Private key in certlocal slot 0)
Subject Name: <C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=192.168.0.1>
Key Size: 1024
Public key hash:D4F286F12FD22659A9A581D9109A9782
Certificate SlotName: 1 Key Type: rsa
Subject Name: <C=AU, ST=Some-State,O=Internet Widgits Pty Ltd>
Key Size: 1024
Public key hash:0842E90D3D3BCEEC454A64AA9491CB86
Some useful command are listed as thefollowing
> ikecert certdb –l //list certificates
> ikecert certdb –a //add certificates to IKE databases
> ikecert certdb –r <certspec> //remove certificates from IKE database
- Run command as below:
> ipsecconf -f //this command is not necessary, itwill remove policies
> ipsecconf -a/etc/inet/ipsecinit.conf
> ipseckeyflush // this command is not necessary,it will remove all SAs
> pkill in.iked //stop IKEdameon
>/usr/lib/inet/in.iked //start IKEdameon
8 Enable/Disable IPSec
To enable IPSec, please refer to section 3to section 8.
To disable IPSec, please refer to section2, disable IPSec command are list there.