IPSEC can be used to provide secure network connections. There are 2 components to IPSEC, authentication (AH) and encryption (ESP). The authentication means that packets get special headers that verify where they came from. The encryption encrypts the actual data in the packet. To set up IPSEC under Solaris (which is included with Solaris 8 onwards):

 1. Edit /etc/inet/ipseckey.conf to add entries, e.g.  dd ah spi 1 src
    host1.in2nix.com \ dst host2.in2nix.com auth_alg sha \ authkey
    abcd1781a8c9cbbbbe3bd4c6f87f701234567890 add ah spi 2 src
    host2.in2nix.com \ dst host1.in2nix.com auth_alg sha \ authkey
    dcba964ac90c5faabb54728fdcb96c0987654321 add esp spi 3 src
    host1.in2nix.com \ dst host2.in2nix.com auth_alg sha \ encr_alg 3des
    authkey \ xyz0987654321f725f8f4892bd0c78e4c0a4aaff \ encrkey \
    aaddbbccdd79bfddcc206b41239735afac6b10987654321 add esp spi 4 src
    host2.in2nix.com \ dst host1.in2nix.com auth_alg sha \ encr_alg 3des
    authkey \ 8899001234a52373bfe2d4a3041789ad123456fd \ encrkey \
    12345678900be6aaaabbccddef9b812a70925a12d3f4c5e6
    Notes on step 1:
       1. If you are going to use strong encryption, eg. 3DES, you need to
          download the strong encryption package, Sol8-sparc-SunWcry.tar from
          http://www.sun.com/software/solaris/encryption/download.html
       2. sha needs a 40 character key, 3DES needs a 48 character key. They
          must be exactly this length.
       3. Random keys can be generated as follows:
          dd if=/dev/random of=rand.txt bs=1 count=5000
          tr -d -c "1234567890abcdef" < rand.txt > hex.txt
          Cut and paste the number of characters required from the output (/
          dev/random is installed with patch 112438 on Solaris 8)
       4. The spi number must be identical for each line on all servers
          involved
       5. Entries can be split over multiple lines (using \ )
       6. This file should only contain entries relevant to the servers
          connections will be made between
 2. Load this file using: ipseckey -f /etc/inet/ipseckey.conf ( ipseckey dump
    will show the entries loaded. ipseckey flush will remove entries).
 3. Create the file /etc/inet.ipsecinit.conf e.g.
    {saddr host1.in2nix.com daddr host2.in2nix.co.uk} apply {auth_algs SHA
    encr_algs 3DES encr_auth_algs SHA sa shared}
    {saddr host2.in2nix.com daddr host1.in2nix.co.uk} permit {auth_algs SHA
    encr_algs 3DES encr_auth_algs SHA }
    Notes on step 3
       1. Each entry must be on one line only (can't split)
 4. Load with ipsecconf -a /etc/inet/ipsecinit.conf ( ipsecconf will show
    what's loaded, ipsecconf -f will flush)
 5. Copy /etc/inet/ipseckey.conf to the other server and load
 6. Create a reciprocal ipsecinit.conf file on the other server and load
 7. You can now check traffic is encrypted by running snoop at the target.
    The packets should arrive in ESP format.

If you need to check which encryption algorithms are available, do the following: ndd /dev/ipsecesp ipsecesp.status

Recent Changes

Contribute to this wiki

Why not help others by sharing your knowledge? Contribute something to this wiki and join out hall of fame!
Contact us for a user name and password