IPSec configuration procedure

In this section, we will provide procedure of IPSEC in ahost-host transport mode, and IPsec keys can be implemented as manual keys, asshared keys, or with certificates. Manual keys are explicitly exchanged and areprone to security problems. Both shared keys and certificates are managed usingthe IPsec Key Exchange protocol, which will automatically exchange keys, changingthem randomly to avoid detection. Each type of key configuration can docommunication for Linux-Linux, Solaris-Solaris or Linux-Solaris.

1        IPSec Tools

1.1       Linux IPSec tool

We will use IPsec-Tools to doconfiguration, IPsec-Tools is a port of KAME's IPsec utilities to the Linux-2.6IPsec implementation, RedHat Linux has integrate this tools.

Each tools in this tool kit are listed inthe following:

libipsec

Library with PF_KEY implementation

setkey

Tool to manipulate and dump the kernelSecurity Policy Database (SPD) and Security Association Database (SAD)

racoon

          InternetKey Exchange (IKE) daemon for automatically keying IPsec connections

racoonctl

A shell-based control tool for raccoon

Formore detail about IPsec-Tools, you can access IPsec-Tools webs  itehttp://ipsec-tools.sourceforge.net/ to get more information.

 

Someuseful commands about setkey to be used frequently:

Ø      setkey–f <file name>   //for example,file is /etc/setkey.conf

Theformat of setkey.conf can be in the following format,

add[-46n] src dst protocol spi [extensions] algorithm ... ;

      get [-46n] src dst protocol spi ;

delete[-46n] src dst protocol spi ;

      spdadd [-46n] src_range dst_range upperspec label policy ;

      spddelete [-46n] src_range dst_range upperspec -P direction ;

So you can add/delete/display entries by this command

Ø      setkey–D       //dumpthe SAD entries

Ø      setkey–DP       //dumpthe SPD entries

Ø      setkey–F   //flush the SAD entries

Ø      setkey–FP //flush the SPD entries

Note:“setkey –F” and “setkey –FP” can be used as disable IPSec command, if you don'twant to remove all entries id SAD and SPD, you can use command “setkey –f<file name>”

Somecommands about IKE configuration

Ø      killall racoon  //stop IKE dameon

Ø      racoon -f/etc/racoon/racoon.conf -v -ddd -l /etc/racoon/racoon.log

//start IKE dameon, /etc/racoon/racoon.conf is the configurationfile, “-v -ddd -l /etc/racoon/racoon.log” will dump more logs and write tologfile, it may be not used.

Ø      racoonctl   // racoon administrative control tool, it canbe use to change raccoon log level, show sa, flush sa and so on.  

1.2     Solaris IPSec tool

Wewill use tools integrated on Solaris, in this section, we will use Solaris 10,the procedure maybe has some difference with other Solaris version.

ipsecconf

IPsec policy command. It is used to view and modify the current IPsec policy, andfor testing. In releases prior to the Solaris 10 4/09 release, the boot scriptsuse ipsecconf to read the /etc/inet/ipsecinit.conf file and activate IPsec. Inthe current release, ipsecconf is used by the SMF policy service to configureIPsec policy at system boot.

ipseckey

command IPsec SAs keying command. ipseckeyis a command-line front end to the PF_KEY interface. ipseckey can create,destroy, or modify SAs.

in.iked

daemon for the Internet Key Exchange (IKE), performs automatedkey management for IPsec using the Internet Key Exchange (IKE) protocol.

For more detail about these tools, you can access SUN officialwebsite to get more document about IPSEC.

 

Some useful commands to be used always,

Ø      ipsecconf –a <filename>    //add the IPsec policy to thesystem as specified by each entry in the file. An IPsec configuration filecontains one or more entries that specify the configuration. Once the policy isadded, all outbound and inbound datagrams are subject to policy checks.

Ø      ipsecconf –f   // Flush all the policies in the system

Ø      ipsecconf –d index //Delete the host policy denoted by the index

Ø      ipsecconf –L   // Lists all policy tables

Ø      ipseckey –f <filename>//read commands from an input file, the command in file can beadd/update/delete/get SA

Ø      ipseckey flush // Remove all SA for all types

Ø      pkill in.iked  //stop IKE dameon

Ø      /usr/lib/inet/in.iked //start IKE dameon

Ø      ikeadm  //set debug level, add new policy, newpreshare key …

Note: “ipsecconf–f” can be used as disable IPSec to all hosts, or “ipsecconf –d index” can beused as disable one IPSec to one host.

If you wantto distable Ipsec for running process, after running “ipsecconf –f” or “ipsecconf–d index”, you still need re-start it, in DGS, you need restart DGDIAM processto disable IPSEC for DGDIAM. Otherwise,the communication between DGS and HCFare still under Ipsec policy.

2        Manual key configuration onLinux

Suppose Linux IP address is 192.168.0.1;another host is 192.168.0.2, it can be Linux or Solaris.

For manual key exchange protocol, don’tneed use IKE, as the key is manually supplied, so racoon don't need to start.Procedure is as the following:

-       Configure /etc/setkey.conf, ifthe file is not existed, just create one new file, the contents can be similaras below:

#!/usr/sbin/setkey -f

 

# AH SAs using 128 bit longkeys

add 192.168.0.1 192.168.0.2 ah0x301 -A hmac-sha1

0xe786f8df7f77d6cab36c94cdf293f013;

add 192.168.0.2 192.168.0.1 ah0x201 -A hmac-sha1

0xe896f8df7f78d6cab36c94ccf293f031;

 

# ESP SAs using 192 bit longkeys (168 + 24 parity)

add 192.168.0.1 192.168.0.2esp 0x301 -E 3des-cbc

0xd31db64470271826a8e7a80d343cc5aae9e2a7f05f137323;

add 192.168.0.2 192.168.0.1 esp0x201 -E 3des-cbc

0xd41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d;

 

# Security policies

spdadd 192.168.0.1[3868] 192.168.0.2[3868]  any -P out ipsec

           esp/transport//require

           ah/transport//require;

 

spdadd 192.168.0.2[3868] 192.168.0.1[3868]any -P in ipsec

           esp/transport//require

           ah/transport//require;

 

Note:the corresponding spi, algorithm and SAD key in 192.168.0.2 should besame;  the src/dst of the securecommunication can be specified port number, if don’t need specify port number, youcan just remove it and the square brackets. In above configuration example, itwill enable IPSEC for the connection between port 3868 of 192.168.0.1 and port3868 of 192.168.0.2, if you want to enable IPSEC for the connection between anyport of 192.168.0.1 and port 3868 of 192.168.0.2, you can remove port numberand square brackets nearby 192.168.0.1, vice versa.

-       Run command

> setkey –F           //this is not necessary, it will flush the SAD entries

> setkey –FP         //this is not necessary, it will flush the SPD entries

> setkey –f/etc/setkey.conf

If we want toenable IPSEC for running process after Ipsec configurate,we need re-start processto make Ipsec take effect, for example, in DGS, after Ipsec configuration is done,we need restart DGDIAM to enable Ipsec for it.

3        Manual key configuration onSolaris

Suppose Solaris IP address is 192.168.0.2;another host is 192.168.0.1, it can be Linux or Solaris.

For manual key exchange protocol, don’tneed use IKE, as the key is manually supplied, so in.iked don't need to start.Procedure is as the following:

-       Configure /etc/inet/ipsecinit.conf, if the file is not existed, copy from ipsecinit.sample, thecontent can be as below:

{lport 3868 raddr 192.168.0.1 rport 3868}

ipsec{ auth_algs sha1  encr_algs 3desencr_auth_algs sha1  sa shared}

Note: 1. we could also usehostname, to replace IP address in this file.

    2. if you don’t need specify the portnumber, just remove it  lport is thelocal port, rport is the other host (192.168.0.1) port, In above configurationexample, it will enable IPSEC for the connection between port 3868 of 192.168.0.1and port 3868 of 192.168.0.2, if you want to enable IPSEC for the connectionbetween any port of 192.168.0.1 and port 3868 of 192.168.0.2, you can remove “rport3868”,  vice versa.

 

-       Configure /etc/inet/secret/ipseckeys,if the file is not existed, copy from ipseckeys.sample, the content can be asbelow:

add ah spi 0x301 src 192.168.0.1 dst 192.168.0.2 \

   auth_alg md5 \

   authkey e786f8df7f77d6cab36c94cdf293f013

 

add esp spi 0x301 src 192.168.0.1 dst 192.168.0.2 \

  encr_alg 3des \

  encrkey d31db64470271826a8e7a80d343cc5aae9e2a7f05f137323

 

add ah spi 0x201 src 192.168.0.2 dst 192.168.0.1 \

   auth_alg md5 \

   authkey e896f8df7f78d6cab36c94ccf293f031

 

add esp spi 0x201 src 192.168.0.2 dst 192.168.0.1 \

  encr_alg 3des \

  encrkey d41fb74470271826a8e7a80d343cc5aae9e2a7f05f13730d

Note: Make sure the key for ah and esp on the pair of two nodes configuratedIpsec are same.

-       Run command below

> ipsecconf -f      //this command is not necessary, itwill remove policies

> ipsecconf -a/etc/inet/ipsecinit.conf

> ipseckeyflush     // this command is not necessary,it will remove all SAs

> ipseckey -f /etc/inet/secret/ipseckeys

 

If we want toenable IPSEC for running process after Ipsec configurate,we need re-start processto make Ipsec take effect, for example, in DGS, after Ipsec configuration isdone, we need restart DGDIAM to enable Ipsec for it.

4        Preshared key configuration onLinux

Suppose Linux IP address is 192.168.0.1; anotherhost is 192.168.0.2, it can be Linux or Solaris.

Procedure is as the following:

-       Configure /etc/setkey.conf, ifthe file is not existed, just create one new file, the contents can be similaras below:

#!/usr/sbin/setkey -f

 

# Security policies

spdadd 192.168.0.1[3868] 192.168.0.2  any -P out  ipsec

           esp/transport//require

           ah/transport//require;

 

spdadd 192.168.0.2 192.168.0.1[3868]any –P in  ipsec

           esp/transport//require

          ah/transport//require;

-       Configure /etc/racoon/racoon.conf,the contents can be similar as below:

# Racoon IKE daemon configuration file.

# See 'man racoon.conf' for a description of the formatand entries.

 

path include "/etc/racoon";

path pre_shared_key "/etc/racoon/psk.txt";

path certificate "/etc/racoon/certs";

 

remote anonymous

{

       exchange_mode main;

        doiipsec_doi;

        situationidentity_only;

       my_identifier address;

        #lifetimetime 2 min; # sec,min,hour

       initial_contact on;

       proposal_check obey; # obey, strict or claim

        proposal{

               encryption_algorithm 3des;

               hash_algorithm sha1;

               authentication_method pre_shared_key;

               dh_group 2;

        }

}

 

remote 192.168.0.2

{

        exchange_modemain;

        doiipsec_doi;

        situationidentity_only;

       my_identifier address;

       #lifetimetime 2 min; # sec,min,hour

       initial_contact on;

       proposal_check obey; # obey, strict or claim

        proposal{

               encryption_algorithm 3des;

                hash_algorithm sha1;

                authentication_methodpre_shared_key;

                dh_group 2;

        }

}

 

sainfo anonymous

{

       pfs_group 5;

        encryption_algorithm 3des, blowfish 448, rijndael ;

       authentication_algorithm hmac_sha1 ;

       compression_algorithm deflate ;

}

Note: 1, lifetimeshould be same at both server, on linux the default value is 28800 seconds, itcan set other values by line “#lifetime time 2 min; # sec,min,hour” under “remote192.168.0.2”

         2, the corresponding algorithm, dh_groupand pfs_group in the other host should be same,if the other host is Solaris, notice that, dh_groupshould be same as oakley_group in p1_xform, pfs_groupshould be same as p2_pfs.

-       Edit /etc/racoon/psk.txt, addbelow line:

192.168.0.2   abcdefghijklmn1234567890

Note: 1, "abcdefghijklmn1234567890" is thepreshared key, the key length should not be too short.

         2, authentication_algorithm should be the sameas another lab, such as encr_auth_algs of Solaris and authentication_algorithmof Linux

 

-       Run command below:

> setkey –F           //this is not necessary, it will flush the SAD entries

> setkey –FP         //this is not necessary, it will flush the SPD entries

> setkey –f/etc/setkey.conf

> killallracoon

> racoon -f/etc/racoon/racoon.conf //if need debuginfo, add -v -ddd -l /etc/racoon/racoon.log

If we want toenable IPSEC for running process after Ipsec configurate,we need re-start processto make Ipsec take effect, for example, in DGS, after Ipsec configuration isdone, we need restart DGDIAM to enable Ipsec for it.

5        Preshared key configuration onSolaris

Suppose Solaris IP address is 192.168.0.2;another host is 192.168.0.1, it can be Linux or Solaris.

Procedure is as the following:

-       Configure /etc/inet/ipsecinit.conf,if the file is not existed, copy from ipsecinit.sample, the content can be asbelow:

{ raddr 192.168.0.1 rport 3868 }

ipsec{ auth_algs sha1 encr_algs 3des encr_auth_algs sha1sa shared}

 

Note: If you don’t specify encr_auth_algs, Ipsec would use default value; ifyou specify encr_auth_algs, make sure the value are same on the two nodes.

-       Configure /etc/inet/ike/config,if the file is not existed, copy from config.sample, the content can be asbelow:

## Phase 1 transform defaults...

 

p1_lifetime_secs 28800

p1_nonce_len 20

 

## Parameters that may also show up in rules.

 

p1_xform { auth_method presharedoakley_group 2 auth_alg sha1 encr_alg 3des }

p2_pfs 5

 

{

     label "host1-host2"

     local_addr 192.168.0.2

     remote_addr 192.168.0.1

     p1_xform { auth_method preshared oakley_group 2 auth_alg sha1 encr_alg 3des }

    p2_pfs 5

}

Note: 1,  lifetime should be same at both server, onlinux the default value is 28800 seconds, it can set other values on linux, fordetail, you can refer to the section before this section

        2, the corresponding algorithm, oakley_groupand p2_pfs in the other host should be same, ifthe other host is Linux, notice that, oakley _groupshould be same as dh _group, p2_pfs should be same as pfs_groupand AH and ESP algorithm should be same in /etc/inet/ike/config and /etc/inet/ipsecinit.conf

-       Edit /etc/inet/secret/ike.preshared,add below contents,

{ localidtype IP

        localid 192.168.0.2

       remoteidtype IP

        remoteid 192.168.0.1

        key 6162636465666768696a6b6c6d6e31323334353637383930

}

Note: Make sure the key is thesame between the two nodes. But the preshared key on Solaris and Linux is indifferent format, which is hexadecimal on Solaris and ASCII on Linux. So ifcustomer would like Ipsec configuratation between Linux and Solaris, we needtransformate the key, command can as below:

Ø      /bin/echo “abcdefghijklmn1234567890\c” | od -tx1 | cut -c 8-55 | tr -d ‘\n’| tr -d ‘ ‘ | awk ‘{print}’

 

-       Run command as below:

> ipsecconf –f      //this command is not necessary, itwill remove policies

> ipsecconf –a/etc/inet/ipsecinit.conf

> ipseckeyflush     // this command is not necessary,it will remove all SAs

> pkill in.iked  //stop IKEdameon

> /usr/lib/inet/in.iked      //startIKE dameon

If we want to enable IPSEC for running process after Ipsec configurate,weneed re-start process to make Ipsec take effect, for example, in DGS, afterIpsec configuration is done, we need restart DGDIAM to enable Ipsec for it.

6        X.509 Certificatesconfiguration on Linux

Racoon supports the usage of X.509 certificatesfor the authentication process. These certificates may be checked against acertificate authority (CA).

Suppose Linux IP address is 192.168.0.1;another host is 192.168.0.2, it can be Linux or Solaris.

One easy way to create X.509 certificateson Linux is the openssl command and the auxiliary tools. In this procedure, weuse openssl-0.9.8k, you may need install it at first, more detail aboutopenssl, you can access its official website (http://www.openssl.org/).

 

Generate X.509 certificates by OpenSSL procedureis as below:

-        Create yourcertificate authority first

Weassumption openssl is installed on $OPENSSL_HOME, OpenSSL files are under$OPENSSL_HOME/ssl, current path is $CUR_PATH

1,generate CA private key

> $OPENSSL_HOME/bin/opensslgenrsa -out ca.key 1024

2,generate self-signed CA certificate

> $OPENSSL_HOME/bin/openssl req -new -x509-key ca.key -out ca.crt

the output is as the following:

You are about to be asked to enterinformation that will be incorporated

into your certificate request.

What you are about to enter is whatis called a Distinguished Name or a DN.

There are quite a few fields but youcan leave some blank

For some fields there will be adefault value,

If you enter '.', the field will beleft blank.

-----

Country Name (2 letter code) [AU]:

State or Province Name (full name)[Some-State]:

Locality Name (eg, city) []:QD

Organization Name (eg, company)[Internet Widgits Pty Ltd]:

Organizational Unit Name (eg,section) []:

Common Name (eg, YOUR name) []:

Email Address []:

3,setup the CA certificate

>$OPENSSL_HOME/ssl/misc/CA.pl –newca

Note:when prompt “CA certificate filename (or enter to create)”,please enter the ca.crt generated just now

4,create serial

> echo "01" >> demoCA/serial

-        Create acertificate signing request and sign it

1,generate private key

> $OPENSSL_HOME/bin/opensslgenrsa -out client.key 1024

2,generate cert signing request (Common Name is the mandotary attribute thatneeded to input, and the Country Name should be the same as root CA)

>$OPENSSL_HOME/bin/openssl req -new -key client.key -out client.csr

 

[root@qddgs08 bin]# ./openssl req -new -key dg.key -out dg.csr

You are about to be asked to enter information that will beincorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Nameor a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, YOUR name) []:135.252.129.224

Email Address []:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:

 

3,sign certificate request,generate certificate

>$OPENSSL_HOME/bin/openssl ca -in client.csr -out client.crt -certca.crt -keyfile ca.key

 [root@qddgs08 bin]#./openssl ca -in dg.csr -out dg.crt -cert ca.crt -keyfile ca.key

Using configuration from /export/ssl/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1(0x1)

        Validity

            Not Before: Oct15 08:09:54 2009 GMT

            Not After : Oct15 08:09:54 2010 GMT

        Subject:

            countryName               = AU

           stateOrProvinceName       =Some-State

           organizationName          =Internet Widgits Pty Ltd

            commonName                = 135.252.129.224

        X509v3 extensions:

            X509v3 BasicConstraints:

                CA:FALSE

            NetscapeComment:

                OpenSSLGenerated Certificate

            X509v3 SubjectKey Identifier:

               EB:FB:73:BE:C2:DC:12:EA:92:25:1F:F7:EF:AA:E3:37:EA:73:35:EB

            X509v3 AuthorityKey Identifier:

               keyid:B0:7D:1B:9B:78:D3:43:75:1C:AD:56:D0:DA:C9:6F:6F:5B:6B:1E:8C

 

Certificate is to be certified until Oct 15 08:09:54 2010 GMT (365days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

client.crt, client.key and ca.crt will beused in IPSec configuration.

After X.509 certificate is generated, let’sdo IPSec configuration, Suppose LinuxIP address is 192.168.0.1; another host is 192.168.0.2, it can be Linux orSolaris. The procedure is as the following:

-       Configure /etc/setkey.conf, ifthe file is not existed, just create one new file, the contents can be similaras below:

#!/usr/sbin/setkey -f

 

# Security policies

spdadd 192.168.0.1[3868] 192.168.0.2  any -P out ipsec

           esp/transport//require

           ah/transport//require;

 

spdadd 192.168.0.2 192.168.0.1[3868]any -P in ipsec

           esp/transport//require

          ah/transport//require;

-       Copy client.crt and client.keyto /etc/racoon/certs

-       Configure /etc/racoon/racoon.conf,the contents can be similar as below:

# Racoon IKE daemon configuration file.

# See 'man racoon.conf' for a description of the formatand entries.

 

path include "/etc/racoon";

path pre_shared_key "/etc/racoon/psk.txt";

path certificate "/etc/racoon/certs";

 

remote anonymous

{

       exchange_mode main;

        doiipsec_doi;

        situationidentity_only;

       my_identifier address;

        #lifetimetime 2 min; # sec,min,hour

        initial_contacton;

       proposal_check obey; # obey, strict or claim

        proposal{

               encryption_algorithm 3des;

               hash_algorithm sha1;

               authentication_method pre_shared_key;

               dh_group 2;

        }

}

 

remote 192.168.0.2

{

        exchange_modemain;

        #lifetimetime 2 min; # sec,min,hour

       certificate_type x509 "client.crt" "client.key";

        verify_cert on;

       my_identifier asn1dn;

       peers_identifier asn1dn;

        proposal{

                encryption_algorithm 3des;

                hash_algorithm sha1;

                authentication_method rsasig;

                dh_group 2;

        }

}

 

sainfo anonymous

{

       pfs_group 5;

        encryption_algorithm 3des, blowfish 448, rijndael ;

       authentication_algorithm hmac_sha1 ;

       compression_algorithm deflate ;

}

Note: 1, lifetime should be same at bothserver, on linux the default value is 28800 seconds, it can set other values byline “#lifetime time 2 min; # sec,min,hour” under “remote 192.168.0.2”

2, if the certificate of the peer is to bechecked against a certificate authority (verify_cert on; is the default), weneed copy ca.crt to /etc/racoon/certs, and for racoon to find the certificate,it has to be renamed or linked using the hashed name, do command as thefollowing

> openssl x509 -noout -hash < ca.crt    //will display one hash code, such as 0ccad1dd

>ln –s ca.crt  0ccad1dd.0

3, authentication_algorithmshould be the same as another lab, such as encr_auth_algs of Solaris andauthentication_algorithm of Linux

 

-       Run command below:

> setkey -F           //this is not necessary, it will flush the SAD entries

> setkey -FP         //this is not necessary, it will flush the SPD entries

> setkey -f/etc/setkey.conf

> killallracoon

> racoon -f/etc/racoon/racoon.conf //if need debuginfo, add -v -ddd -l /etc/racoon/racoon.log

 

Useful command to list CA info on Linux:

    >openssl x509 -in dg.crt -noout -text

 

7        X.509 Certificatesconfiguration on Solaris

On Solaris, ikecert tool can be used tomanipulate the machine's on-filesystem public-key certificate databases. Wewill use it to generate certificate request, and we will use openssl on Linuxto sign the request, last section can be referred.

Suppose Solaris IP address is 192.168.0.2;another host is 192.168.0.1, it can be Linux or Solaris.

-       Create X.509 certificaterequest

> ikecert certlocal -kc -m 1024 -t rsa-sha1-D "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=192.168.0.2"-A "DN=C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=192.168.0.2"

The certificate request will be displayedas below:

-----BEGIN CERTIFICATE REQUEST-----

MIICLjCCAZcCAQAwXjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx

ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMOMTM1

LjI1Mi4zNi4yMTYwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN9Zw0pUc73D

aGW3zWMJ0B1e8svm7bFwz8ZRl67VqTQtwm4VSSSraPaTWULArCl/EaCnlBbpAU76

lS8Sk/B3/VqLzQqzXaybHtB5nJjedw0fs4PuSjFWwow5osg9O+8hqO+/BRYc9FD5

Wp5Y89FzYaXFZYKhQPpt6gKCaxwQb1rhAgMBAAGggY8wgYwGCSqGSIb3DQEJDjF/

MH0wDgYDVR0PAQH/BAQDAgWgMGsGA1UdEQRkMGKkYDBeMQswCQYDVQQGEwJBVTET

MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ

dHkgTHRkMRcwFQYDVQQDEw4xMzUuMjUyLjM2LjIxNjANBgkqhkiG9w0BAQUFAAOB

gQAGwPRSLsOVxb4bxOp3EpUUEm9kYGy16oIWhc6W/hGi49wMhVfQXk7N8VecBjpz

f086jgR8WGt9B5MSuonWqaUuMs9Y/6pqPRyY/F0BRmLd0YQG7Fn9JlPIf6pu3jed

Fgq/7p0z/4RTyM0SWKAxq6xIwT32znhqJ2/2jMC8aPLNdA==

-----END CERTIFICATE REQUEST-----

Note: the country name (AU) should be same as CA create by openssl, as wewill need use openssl to sign this request.

Note: on linux openssl, defaultmessage digest algorithm is sha1,  weshould use rsa-sha1 here

-       On Linux lab, create host2.csr,and copy the certificate request in it

-       Sign the certificate usingopenssl on Linux, refer to the section before this section

> $OPENSSL_HOME/bin/openssl ca -in host2.csr -out host2.crt -cert ca.crt-keyfile ca.key

-       Display host2.crt, you can seethe certifacte as below:

-----BEGIN CERTIFICATE-----

MIICrjCCAhegAwIBAgICASAwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCQVUx

EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg

UHR5IEx0ZDEXMBUGA1UEAxMOMTM1LjI1Mi4zMi4xMjkwHhcNMDkwOTIzMDc1MzUw

WhcNMTAwOTIzMDc1MzUwWjBeMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1T

dGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRcwFQYDVQQD

Ew4xMzUuMjUyLjM2LjIxNjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA31nD

SlRzvcNoZbfNYwnQHV7yy+btsXDPxlGXrtWpNC3CbhVJJKto9pNZQsCsKX8RoKeU

FukBTvqVLxKT8Hf9WovNCrNdrJse0HmcmN53DR+zg+5KMVbCjDmiyD077yGo778F

Fhz0UPlanljz0XNhpcVlgqFA+m3qAoJrHBBvWuECAwEAAaN7MHkwCQYDVR0TBAIw

ADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUw

HQYDVR0OBBYEFLoBibZCWLg0MsaH4a9e2VdKJfcOMB8GA1UdIwQYMBaAFA3rDs2o

UKrCTuG/Ifp4ggbKyU4uMA0GCSqGSIb3DQEBBQUAA4GBAGqbhJRavGDl/Isld7wp

TBhbY0WBCLIZehNzfqReYNht681QyCFEC4APZWs9tWP50VK5vgCabWkJgsoUv4Rl

v/gHrAgDmkZPW2FtJme/EgDOz+iry+u0SEqW8yxxq9aUwpzc1E6eLsIAghwoUatj

cCcdYETDnMyXyZ1o92mMPuMI

-----END CERTIFICATE-----

-       Add host2.crt certicate to IKEcertificate database on Solaris 192.168.0.2

> ikecertcertdb -a

Note: copy thecertificate displayed above, then press return, and press (CRTL+D)

-       Add ca.crt certicate to IKEcertificate database

> ikecertcertdb –a

Note: copy theroot CA(ca.crt), then press return, and press (CRTL+D)

 

You could checkwhether the two CA is added to DB by the command below:

> ikecertcertdb -l

Certificate Slot Name: 0   Key Type: rsa

        (Private key in certlocal slot 0)

        Subject Name: <C=AU, ST=Some-State,O=Internet Widgits Pty Ltd, CN=192.168.0.2>

        Key Size: 1024

        Public key hash:9CFACB7FB0A06286ACA5077A2F603062

 

Certificate Slot Name: 1   Key Type: rsa

        Subject Name: <C=AU, ST=Some-State,O=Internet Widgits Pty Ltd>

        Key Size: 1024

        Public key hash:0842E90D3D3BCEEC454A64AA9491CB86

-       Configure /etc/inet/ipsecinit.conf,if the file is not existed, copy from ipsecinit.sample, the content can be asbelow:

{ raddr 192.168.0.1 rport 3868 }

ipsec{ auth_algs sha1 encr_algs 3des encr_auth_algs sha1sa shared}

Note: If you don’tspecify encr_auth_algs, Ipsec would use default value; if you specifyencr_auth_algs, make sure the value are same on the two nodes

-       Configure /etc/inet/ike/config,if the file is not existed, copy from config.sample, the content can be asbelow:

## Phase 1 transform defaults...

 

# Root certificates. I SHOULD use a full Distinguished Name.

# I MUST have this certificate in my local filesystem,see ikecert(1m).

cert_root   "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd”

 

# If you wish to ignore CRLs, uncomment this:

ignore_crls

 

p1_lifetime_secs 28800

p1_nonce_len 20

 

## Parameters that may also show up in rules.

 

p1_xform { auth_method presharedoakley_group 2 auth_alg sha1 encr_alg 3des }

p2_pfs 5

 

{

     label "host1-host2"

     local_id_type dn

    local_id "C=AU, ST=Some-State,O=Internet Widgits Pty Ltd, CN=192.168.0.2"

    remote_id "C=AU, ST=Some-State,O=Internet Widgits Pty Ltd, CN=192.168.0.1"

   local_addr 192.168.0.2

   remote_addr 192.168.0.1

   p1_xform

      {auth_method rsa_sig oakley_group 2 auth_alg sha1  encr_alg 3des}

   p2_pfs 5

}

Note: 1, lifetime should be same at both server, on linux the default value is28800 seconds, it can set other values on linux, for detail, you can refer tothe section before this section

        2, you can use “ikecert certdb –l” to list certificates in the IKEcertificate databases, and fill local_id and remote_id with the correct value. local_id is the Subject Name in the local certification DB,and the remote_id is the Subject Name in remote certification DB, see below:

On the local node:

> ikecert certdb-l

Certificate SlotName: 0   Key Type: rsa

        (Private key in certlocal slot 0)

        Subject Name: <C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=192.168.0.2>

        Key Size: 1024

        Public key hash:9CFACB7FB0A06286ACA5077A2F603062

 

Certificate SlotName: 1   Key Type: rsa

        Subject Name: <C=AU, ST=Some-State,O=Internet Widgits Pty Ltd>

        Key Size: 1024

        Public key hash:0842E90D3D3BCEEC454A64AA9491CB86

 

On the remote Nodeif it is also Solaris:

>ikecert certdb -l

Certificate SlotName: 0   Key Type: rsa

        (Private key in certlocal slot 0)

        Subject Name: <C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=192.168.0.1>

        Key Size: 1024

        Public key hash:D4F286F12FD22659A9A581D9109A9782

 

Certificate SlotName: 1   Key Type: rsa

        Subject Name: <C=AU, ST=Some-State,O=Internet Widgits Pty Ltd>

        Key Size: 1024

        Public key hash:0842E90D3D3BCEEC454A64AA9491CB86

Some useful command are listed as thefollowing

> ikecert certdb –l       //list certificates

> ikecert certdb –a      //add certificates to IKE databases

> ikecert certdb –r <certspec>  //remove certificates from IKE database

 

-       Run command as below:

> ipsecconf -f      //this command is not necessary, itwill remove policies

> ipsecconf -a/etc/inet/ipsecinit.conf

> ipseckeyflush     // this command is not necessary,it will remove all SAs

> pkill in.iked  //stop IKEdameon

>/usr/lib/inet/in.iked      //start IKEdameon

8        Enable/Disable IPSec

To enable IPSec, please refer to section 3to section 8.

To disable IPSec, please refer to section2, disable IPSec command are list there.