IPSEC under Solaris

IPSEC can be used to provide secure network connections. There are two components to IPSEC: authentication (AH) and encryption (ESP). Authentication adds a special header to each packet so that the receiver can verify where it came from. Encryption encrypts the actual data in the packet.

To set up IPSEC under Solaris (IPSEC is included with Solaris 8 onwards):

1. Edit /etc/inet/ipseckey.conf to add entries, e.g.

add ah spi 1 src host1.introcomp.co.uk \
    dst host2.introcomp.co.uk auth_alg sha \
    authkey abcd1781a8c9cbbbbe3bd4c6f87f701234567890
add ah spi 2 src host2.introcomp.co.uk \
    dst host1.introcomp.co.uk auth_alg sha \
    authkey dcba964ac90c5faabb54728fdcb96c0987654321
add esp spi 3 src host1.introcomp.co.uk \
    dst host2.introcomp.co.uk auth_alg sha \
    encr_alg 3des authkey \
    xyz0987654321f725f8f4892bd0c78e4c0a4aaff \
    encrkey \
    aaddbbccdd79bfddcc206b41239735afac6b10987654321
add esp spi 4 src host2.introcomp.co.uk \
    dst host1.introcomp.co.uk auth_alg sha \
    encr_alg 3des authkey \
    8899001234a52373bfe2d4a3041789ad123456fd \
    encrkey \
    12345678900be6aaaabbccddef9b812a70925a12d3f4c5e6

Notes on step 1:

  1. If you are going to use strong encryption, e.g. 3DES, you need to download the strong encryption package, Sol8-sparc-SunWcry.tar, from http://www.sun.com/software/solaris/encryption/download.html
  2. sha needs a 40-character hexadecimal key and 3DES needs a 48-character hexadecimal key. They must be exactly this length.
  3. Random keys can be generated as follows:
     dd if=/dev/random of=rand.txt bs=1 count=5000
     tr -d -c "1234567890abcdef" < rand.txt > hex.txt
     Cut and paste the number of characters required from the output. (/dev/random is installed with patch 112438 on Solaris 8.)
  4. The spi number of each entry must be identical on all servers involved.
  5. Entries can be split over multiple lines (using \ at the end of a line).
  6. This file should only contain entries for the servers between which connections will be made.

2. Load this file using: ipseckey -f /etc/inet/ipseckey.conf (ipseckey dump will show the entries loaded; ipseckey flush will remove them). Since this file holds the keys themselves, it should be owned by root and not readable by other users.

3. Create the file /etc/inet/ipsecinit.conf, e.g. (this file is read at boot; ipsecconf -a /etc/inet/ipsecinit.conf loads it without a reboot):

{saddr host1.introcomp.co.uk daddr host2.introcomp.co.uk} apply {auth_algs SHA encr_algs 3DES encr_auth_algs SHA sa shared}
{saddr host2.introcomp.co.uk daddr host1.introcomp.co.uk} permit {auth_algs SHA encr_algs 3DES encr_auth_algs SHA}

Notes on step 3:

If you need to check which encryption algorithms are available, do the following:

ndd /dev/ipsecesp ipsecesp.status