| Skip Navigation Links | |
| Exit Print View | |
|
Securing the Network in Oracle Solaris 11.1 Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Securing the Network in Oracle Solaris 11.1 Oracle Solaris 11.1 Information Library |
1. Using Link Protection in Virtualized Environments
2. Tuning Your Network (Tasks)
3. Web Servers and the Secure Sockets Layer Protocol
4. IP Filter in Oracle Solaris (Overview)
6. IP Security Architecture (Overview)
8. IP Security Architecture (Reference)
9. Internet Key Exchange (Overview)
How to Display Available Groups and Algorithms for Phase 1 IKE Exchanges
Configuring IKE With Preshared Keys (Task Map)
Configuring IKE With Preshared Keys
How to Configure IKE With Preshared Keys
How to Update IKE for a New Peer System
Configuring IKE With Public Key Certificates (Task Map)
Configuring IKE With Public Key Certificates
How to Configure IKE With Self-Signed Public Key Certificates
How to Configure IKE With Certificates Signed by a CA
How to Generate and Store Public Key Certificates in Hardware
How to Handle a Certificate Revocation List
Configuring IKE for Mobile Systems (Task Map)
Configuring IKE to Find Attached Hardware
How to Configure IKE to Find the Sun Crypto Accelerator 6000 Board
When configured properly, home offices and mobile laptops can use IPsec and IKE to communicate with their company's central computers. A blanket IPsec policy that is combined with a public key authentication method enables off-site systems to protect their traffic to a central system.
IPsec and IKE require a unique ID to identify source and destination. For off-site or mobile systems that do not have a unique IP address, you must use another ID type. ID types such as DNS, DN, or email can be used to uniquely identify a system.
Off-site or mobile systems that have unique IP addresses are still best configured with a different ID type. For example, if the systems attempt to connect to a central site from behind a NAT box, their unique addresses are not used. A NAT box assigns an arbitrary IP address, which the central system would not recognize.
Preshared keys also do not work well as an authentication mechanism for mobile systems, because preshared keys require fixed IP addresses. Self-signed certificates, or certificates from a PKI enable mobile systems to communicate with the central site.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services. If you log in remotely, use the ssh command for a secure remote login. For an example, see Example 7-1.
The central system needs a policy that allows a wide range of IP addresses. Later, certificates in the IKE policy ensure that the connecting systems are legitimate.
# /etc/inet/ipsecinit.conf on central
# Keep everyone out unless they use this IPsec policy:
{} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}DNS identifies the central system. Certificates are used to authenticate the system.
## /etc/inet/ike/ike.config on central
# Global parameters
#
# Find CRLs by URI, URL, or LDAP
# Use CRL from organization's URI
use_http
#
# Use web proxy
proxy "http://somecache.domain:port/"
#
# Use LDAP server
ldap_server "ldap-server1.domain.org,ldap2.domain.org:port"
#
# List CA-signed certificates
cert_root "C=US, O=Domain Org, CN=Domain STATE"
#
# List self-signed certificates - trust server and enumerated others
#cert_trust "DNS=central.domain.org"
#cert_trust "DNS=mobile.domain.org"
#cert_trust "DN=CN=Domain Org STATE (CLASS), O=Domain Org
#cert_trust "email=root@central.domain.org"
#cert_trust "email=user1@mobile.domain.org"
#
# Rule for mobile systems with certificate
{
label "Mobile systems with certificate"
local_id_type DNS
# CA's public certificate ensures trust,
# so allow any remote_id and any remote IP address.
remote_id ""
remote_addr 0.0.0.0/0
p2_pfs 5
p1_xform
{auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256 }
}The /etc/hosts file does not need an address for the mobile system, but can provide one. The file must contain a public IP address for the central system.
# /etc/hosts on mobile central 192.xxx.xxx.x
The mobile system needs to find the central system by its public IP address. The systems must configure the same IPsec policy.
# /etc/inet/ipsecinit.conf on mobile
# Find central
{raddr 192.xxx.xxx.x} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}The identifier cannot be an IP address. The following identifiers are valid for mobile systems:
DN=ldap-directory-name
DNS=domain-name-server-address
email=email-address
Certificates are used to authenticate the mobile system.
## /etc/inet/ike/ike.config on mobile
# Global parameters
#
# Find CRLs by URI, URL, or LDAP
# Use CRL from organization's URI
use_http
#
# Use web proxy
proxy "http://somecache.domain:port/"
#
# Use LDAP server
ldap_server "ldap-server1.domain.org,ldap2.domain.org:port"
#
# List CA-signed certificates
cert_root "C=US, O=Domain Org, CN=Domain STATE"
#
# Self-signed certificates - trust me and enumerated others
#cert_trust "DNS=mobile.domain.org"
#cert_trust "DNS=central.domain.org"
#cert_trust "DN=CN=Domain Org STATE (CLASS), O=Domain Org
#cert_trust "email=user1@domain.org"
#cert_trust "email=root@central.domain.org"
#
# Rule for off-site systems with root certificate
{
label "Off-site mobile with certificate"
local_id_type DNS
# NAT-T can translate local_addr into any public IP address
# central knows me by my DNS
local_id "mobile.domain.org"
local_addr 0.0.0.0/0
# Find central and trust the root certificate
remote_id "central.domain.org"
remote_addr 192.xxx.xxx.x
p2_pfs 5
p1_xform
{auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256 }
}# svcadm enable svc:/network/ipsec/ike
Example 10-4 Configuring a Central Computer to Accept IPsec Traffic From a Mobile System
IKE can initiate negotiations from behind a NAT box. However, the ideal setup for IKE is without an intervening NAT box. In the following example, the CA's public certificate has been placed on the mobile system and the central system. A central system accepts IPsec negotiations from a system behind a NAT box. main1 is the company system that can accept connections from off-site systems. To set up the off-site systems, see Example 10-5.
## /etc/hosts on main1 main1 192.168.0.100
## /etc/inet/ipsecinit.conf on main1
# Keep everyone out unless they use this IPsec policy:
{} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}## /etc/inet/ike/ike.config on main1
# Global parameters
#
# Find CRLs by URI, URL, or LDAP
# Use CRL from organization's URI
use_http
#
# Use web proxy
proxy "http://cache1.domain.org:8080/"
#
# Use LDAP server
ldap_server "ldap1.domain.org,ldap2.domain.org:389"
#
# List CA-signed certificate
cert_root "C=US, O=ExamplePKI Inc, OU=PKI-Example, CN=Example PKI"
#
# Rule for off-site systems with root certificate
{
label "Off-site system with root certificate"
local_id_type DNS
local_id "main1.domain.org"
local_addr 192.168.0.100
# CA's public certificate ensures trust,
# so allow any remote_id and any remote IP address.
remote_id ""
remote_addr 0.0.0.0/0
p2_pfs 5
p1_xform
{auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256}
p1_xform
{auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256}
p1_xform
{auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256}
p1_xform
{auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256}
}Example 10-5 Configuring a System Behind a NAT With IPsec
In the following example, the CA's public certificate is placed on the mobile system and the central system. mobile1 is connecting to the company headquarters from home. The Internet service provider (ISP) network uses a NAT box to enable the ISP to assign mobile1 a private address. The NAT box then translates the private address into a public IP address that is shared with other ISP network nodes. Company headquarters is not behind a NAT. For setting up the computer at company headquarters, see Example 10-4.
## /etc/hosts on mobile1 mobile1 10.1.3.3 main1 192.168.0.100
## /etc/inet/ipsecinit.conf on mobile1
# Find main1
{raddr 192.168.0.100} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}## /etc/inet/ike/ike.config on mobile1
# Global parameters
#
# Find CRLs by URI, URL, or LDAP
# Use CRL from organization's URI
use_http
#
# Use web proxy
proxy "http://cache1.domain.org:8080/"
#
# Use LDAP server
ldap_server "ldap1.domain.org,ldap2.domain.org:389"
#
# List CA-signed certificate
cert_root "C=US, O=ExamplePKI Inc, OU=PKI-Example, CN=Example PKI"
#
# Rule for off-site systems with root certificate
{
label "Off-site mobile1 with root certificate"
local_id_type DNS
local_id "mobile1.domain.org"
local_addr 0.0.0.0/0
# Find main1 and trust the root certificate
remote_id "main1.domain.org"
remote_addr 192.168.0.100
p2_pfs 5
p1_xform
{auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256 }
}Example 10-6 Accepting Self-Signed Certificates From a Mobile System
In the following example, self-signed certificates have been issued and are on the mobile and the central system. main1 is the company system that can accept connections from off-site systems. To set up the off-site systems, see Example 10-7.
## /etc/hosts on main1 main1 192.168.0.100
## /etc/inet/ipsecinit.conf on main1
# Keep everyone out unless they use this IPsec policy:
{} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}## /etc/inet/ike/ike.config on main1
# Global parameters
#
# Self-signed certificates - trust me and enumerated others
cert_trust "DNS=main1.domain.org"
cert_trust "jdoe@domain.org"
cert_trust "user2@domain.org"
cert_trust "user3@domain.org"
#
# Rule for off-site systems with trusted certificate
{
label "Off-site systems with trusted certificates"
local_id_type DNS
local_id "main1.domain.org"
local_addr 192.168.0.100
# Trust the self-signed certificates
# so allow any remote_id and any remote IP address.
remote_id ""
remote_addr 0.0.0.0/0
p2_pfs 5
p1_xform
{auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256 }
}Example 10-7 Using Self-Signed Certificates to Contact a Central System
In the following example, mobile1 is connecting to the company headquarters from home. The certificates have been issued and placed on the mobile and the central system. The ISP network uses a NAT box to enable the ISP to assign mobile1 a private address. The NAT box then translates the private address into a public IP address that is shared with other ISP network nodes. Company headquarters is not behind a NAT. To set up the computer at company headquarters, see Example 10-6.
## /etc/hosts on mobile1 mobile1 10.1.3.3 main1 192.168.0.100
## /etc/inet/ipsecinit.conf on mobile1
# Find main1
{raddr 192.168.0.100} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}## /etc/inet/ike/ike.config on mobile1
# Global parameters
# Self-signed certificates - trust me and the central system
cert_trust "jdoe@domain.org"
cert_trust "DNS=main1.domain.org"
#
# Rule for off-site systems with trusted certificate
{
label "Off-site mobile1 with trusted certificate"
local_id_type email
local_id "jdoe@domain.org"
local_addr 0.0.0.0/0
# Find main1 and trust the certificate
remote_id "main1.domain.org"
remote_addr 192.168.0.100
p2_pfs 5
p1_xform
{auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256 }
}Next Steps
If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy.
|