Three ways to set up IPsec between FreeS/WAN on Red Hat 7.3 and the IPsec implementation in Solaris 9 have been tested briefly (but what I tested worked). I only needed transport mode, so that is what is tested.
- PreShared Keys, where the Internet Key Exchange (IKE) protocol uses a key known at both sides of the connection to generate authentication and encryption keys and set up a Security Association (SA).
- X.509 certificates, where public certificates are used to identify the communication counterpart before IKE establishes an SA.
- PreShared secrets (manual keying), where the authentication and encryption keys themselves are known in advance at both sides of the connection.
The main part of getting it to work was carefully reading the available documentation. For the certificates http://www.natecarlson.com/linux/ipsec-x509.php was a good help, and there is a lot more out there.
Software on the Linux/FreeS/WAN side
From http://www.strongsec.com/freeswan download:
freeswan-1.99_x509_0.9.15_2.4.18_3-0.i386.rpm
freeswan-module-1.99_x509_0.9.15_2.4.18_3-0.i386.rpm
After installing, turn off reverse-path filtering (rp_filter) on both interfaces and disable the KLIPS inbound policy check:
# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
# echo 0 > /proc/sys/net/ipsec/inbound_policy_check
Software on Solaris Side
I installed the Solaris Encryption Kit to get support for more encryption algorithms. I installed these packages:
SUNWamid, SUNWamidx, SUNWcry, SUNWcry64, SUNWcryr, SUNWcryrx.
I did need to reboot before encryption worked.
You can check the installation by running:
# ndd /dev/ipsecesp ipsecesp_status
This should report at least 3 encryption algorithms.
Three ways to set up IPsec
PreShared keys (Sol9 <-> FreeS/WAN)
/etc/inet/ipsecinit.conf (Solaris)
{saddr HostB daddr HostA} apply {sa shared encr_algs 3des encr_auth_algs md5 }
{saddr HostA daddr HostB} permit {encr_algs 3des encr_auth_algs md5 }
/etc/inet/ike/config (Solaris)
## Phase 1 transform defaults…
p1_lifetime_secs 270
p2_lifetime_secs 150
## Parameters that may also show up in rules
p1_xform { auth_method preshared oakley_group 2 auth_alg sha encr_alg 3des-cbc}
p2_pfs 5
### Now some rules…
{ label "HostB to HostA"
p1_xform { auth_method preshared oakley_group 2 auth_alg md5 encr_alg 3des }
p2_pfs 5
local_addr IP_HostB
remote_addr IP_HostA
}
/etc/inet/secret.ike.preshared (Solaris)
{ local_id_type IP
local_id IP_HostB
remote_id_type IP
remote_id IP_HostA
key 7eddebc73b6a6fa845352388df5d1f67
}
/etc/ipsec.conf (FreeS/WAN)
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
interfaces="ipsec0=eth0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=all
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=no
conn %default
keyingtries=0
# use RSA based authentication with certificates
authby=rsasig
rightrsasigkey=%cert
# my side is left - the FreeS/WAN SG
leftid=@HostA.your.domain
left=IP_HostA
# load connection definitions automatically
auto=add
conn HostB
type=transport
right=IP_HostB
rightid=IP_HostB
esp=3des-md5-96
authby=secret
keyexchange=ike
auto=start
/etc/ipsec.secrets (FreeS/WAN)
IP_HostB @HostA.your.domain : PSK 0x7eddebc73b6a6fa845352388df5d1f67
Certificates (Sol 9 <-> FreeS/WAN)
/etc/ipsec.conf (Linux)
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces="ipsec0=eth0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=all
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=no
conn %default
keyingtries=0
# use RSA based authentication with certificates
authby=rsasig
compress=no
disablearrivalcheck=no
# my side is left - the FreeS/WAN SG
left=IP_HostA
leftcert=HostA_HostBert.pem
leftrsasigkey=%cert
# load connection definitions automatically
auto=add
conn HostB
type=transport
right=IP_HostB
rightcert=HostB_pub.pem
rightrsasigkey=%cert
esp=3des-md5-96
keyexchange=ike
auto=start
/etc/ipsec.secrets (FreeS/WAN)
: RSA HostA_Hostkey.pem "Passphrase for your key"
/etc/inet/ipsecinit.conf (Solaris)
{saddr HostB daddr HostA} apply {sa shared encr_algs 3des encr_auth_algs md5 }
{saddr HostA daddr HostB} permit {encr_algs 3des encr_auth_algs md5 }
/etc/inet/ike/config (Solaris)
# Make sure to put a correct certificate identifier in cert_trust.
### First some global parameters…
# certificate parameters…
cert_trust "IP_HostB"
cert_trust "HostA.your.domain"
## Phase 1 transform defaults…
p1_lifetime_secs 270
p2_lifetime_secs 150
## Parameters that may also show up in rules
p1_xform { auth_method preshared oakley_group 2 auth_alg sha encr_alg 3des-cbc}
p2_pfs 5
### Now some rules…
{ label "HostB to HostA"
p1_xform { auth_method rsa_sig oakley_group 2 auth_alg md5 encr_alg 3des }
p2_pfs 5
local_id_type dn
local_id "C=NL, O=Antiperfect, OU=HostB, CN=Hans"
remote_id "C=NL, ST=NH, O=Antiperfect, OU=HostA, CN=Peter"
local_addr IP_HostB
remote_addr IP_HostA
}
Preshared Secrets (Sol 9 <-> FreeS/WAN)
The SPI must be bigger than 0x100 and preferably lower than 0xfff. The same keys must be entered on both sides: with a 0x prefix in the FreeS/WAN conn, and without it in the Solaris ipseckeys file.
/etc/ipsec.conf (Linux)
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces="ipsec0=eth0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=no
manualstart="HostB-HostA"
conn HostB-HostA
type=transport
left=IP_HostA
right=IP_HostB
spi=0x110
esp=3des-md5-96
espenckey=0x9f73267c0999ec1054f0f5a57cf8ab5654fcd9562dbee3f2
espauthkey=0x4c7411a2941b1ca68586e146ee3607df
/etc/inet/ipsecinit.conf (Solaris)
{saddr HostB daddr HostA} apply {sa shared encr_algs 3des encr_auth_algs md5 }
{saddr HostA daddr HostB} permit {encr_algs 3des encr_auth_algs md5 }
/etc/inet/secret/ipseckeys (Solaris)
add esp spi 0x110 src HostB dst HostA authalg md5 encr_alg 3des
authkey 4c7411a2941b1ca68586e146ee3607df
encrkey 9f73267c0999ec1054f0f5a57cf8ab5654fcd9562dbee3f2
add esp spi 0x110 src HostA dst HostB authalg md5 encr_alg 3des
authkey 4c7411a2941b1ca68586e146ee3607df
encrkey 9f73267c0999ec1054f0f5a57cf8ab5654fcd9562dbee3f2
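The manual-keying setup above needs identical key material on both machines in two different notations (0x prefix on FreeS/WAN, none on Solaris) and an SPI that obeys the rule stated above. The following is an added example, not code from the original page: it generates the key material, checks the lengths needed for esp=3des-md5-96 (assumed here: 24-byte 3DES key, 16-byte HMAC-MD5 key), renders both sides' files and cross-checks that the keys match. Host names and the SPI in the test are constructed values.

```python
"""Added example (not from the original page): build the matching FreeS/WAN
conn stanza and Solaris ipseckeys entries for the manual-keying setup above,
so both sides get identical key material of the right length."""
import re
import secrets

# Key sizes for the esp=3des-md5-96 transform used on this page
# (assumption: 3DES takes a 24-byte key, HMAC-MD5-96 a 16-byte key).
KEY_BYTES = {"encr": 24, "auth": 16}

def check_spi(spi):
    """SPI rule from the page: bigger than 0x100, preferably lower than 0xfff."""
    if spi <= 0x100:
        raise ValueError("spi %#x must be bigger than 0x100" % spi)
    return spi < 0xfff  # False: usable, but outside the preferred range

def check_key(hexkey, kind):
    """A key of the wrong length misconfigures both sides silently, so reject it."""
    digits = 2 * KEY_BYTES[kind]
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % digits, hexkey):
        raise ValueError("%s key must be %d hex digits" % (kind, digits))
    return hexkey.lower()

def new_keys():
    """Fresh random key material (constructed here; do not reuse the page's sample keys)."""
    return secrets.token_hex(KEY_BYTES["encr"]), secrets.token_hex(KEY_BYTES["auth"])

def freeswan_conn(name, host_a, host_b, spi, encr, auth):
    """FreeS/WAN stanza: keys carry a 0x prefix, one SPI serves both directions."""
    check_spi(spi); encr = check_key(encr, "encr"); auth = check_key(auth, "auth")
    return "\n".join([
        "conn %s" % name, "\ttype=transport", "\tleft=%s" % host_a,
        "\tright=%s" % host_b, "\tspi=%#x" % spi, "\tesp=3des-md5-96",
        "\tespenckey=0x%s" % encr, "\tespauthkey=0x%s" % auth])

def solaris_ipseckeys(host_a, host_b, spi, encr, auth):
    """Solaris /etc/inet/secret/ipseckeys: one 'add' per direction, keys without 0x."""
    check_spi(spi); encr = check_key(encr, "encr"); auth = check_key(auth, "auth")
    lines = []
    for src, dst in ((host_b, host_a), (host_a, host_b)):
        lines.append("add esp spi %#x src %s dst %s authalg md5 encr_alg 3des" % (spi, src, dst))
        lines.append("authkey %s\nencrkey %s" % (auth, encr))
    return "\n".join(lines)

def keys_match(freeswan_text, solaris_text):
    """Cross-check before deploying: the key set must be identical on both sides."""
    fs = set(re.findall(r"0x([0-9a-f]{32,48})\b", freeswan_text))
    sol = set(re.findall(r"(?:authkey|encrkey) ([0-9a-f]{32,48})\b", solaris_text))
    return fs == sol
```

Write the two outputs into /etc/ipsec.conf and /etc/inet/secret/ipseckeys respectively, and keep the Solaris file readable by root only, since it holds the raw keys.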
Useful commands
# ipsecconf -f ;Flush all ipsec rules
# ipsecconf -a /etc/inet/ipsecinit.conf ;Add rules, this causes the system to use IPSec
# /usr/lib/inet/in.iked -c -f /etc/inet/ike/config ;Check ike config file syntax
# /usr/lib/inet/in.iked -p2 -d ;Start iked with full privileges and debug output to your terminal.
# /usr/lib/inet/in.iked ;Start it as a daemon
# ikeadm ;Start ike administration
ikeadm> dump p1 ;Show P1 SAs
Generate a certificate in the local database:
# ikecert certlocal -ks -m 1024 -t rsa-md5
-D "C=US, O=ExampleCompany, OU=US-Example, CN=Example"
-A IP=192.168.10.242
Add a certificate to another machine:
1. Output the certificate as ASCII:
# ikecert certlocal -e <keynumber>
2. To add the certificate:
# ikecert certdb -a <return>
<Paste the ASCII certificate here><return>
<CTRL-D>
# ikecert certdb -l ;Show all certificates
# ndd /dev/ipsecesp ipsecesp_status ;Should report at least 3 Encryption Algorithms
# ipseckey ;Start key administration
ipseckey> flush ;Delete all keys
# ipseckey -f <keyfile> ;Execute the commands in the file (add)
FreeS/WAN
# service ipsec restart ;Restart FreeS/WAN after changing the configuration
# ipsec auto --listall ;Show all loaded certificates, CAs, CRLs and public keys
# ipsec auto --rereadall ;Reread certificates and secrets (then check with --listall what certificates you have)
# ipsec auto --verbose --up <conn> ;Bring connection to life