On 03/ 9/11 07:23 PM, Gary Gendel wrote:
> Any pointers on a simple walk-through of setting up IPSEC on
> OpenSolaris?
> 
> I'm using an OpenSolaris machine as a gateway/router from the
> internet (bge0) to my internal network (bge1).  The bge0 interface
> gets its IP address via DHCP.
> 
> I'd like to experiment setting up a VPN from machines outside my
> network, but I'm very confused at how to begin.  I was thinking about
> installing the tun and tap drivers and OpenVPN, but then I found that
> the tun driver may interfere with the in.tun drivers used by IPSEC.
> So, I decided that I should explore IPSEC that comes natively with
> OpenSolaris before delving into an alternative VPN.
> 
> As a novice in this area, I'm having a tough time figuring out the
> steps needed for setting up IPSEC with my particular setup.  For
> example, what IP address do I put in the certificate?  Or do I leave
> that off?

When you say "VPN", do you mean just an encrypted tunnel, or that plus
interactive user authentication?  If you just need a tunnel,
authenticated by the machine's certificate and not needing human
interaction, Solaris can do that well and will be a better fit than
tun/tap from a performance perspective and arguably from a security
perspective.

For native IPsec...

If you are using a certificate for a machine that gets its address from
DHCP, you probably don't want to use an IP as a subject alt name.  A
subject alt name is not required, though you can use an email address or
something to key off of if you want.  But just setting a distinguished
name is fine (i.e. just omit the -A option to ikecert certlocal).

I assume you found the docs, but the IP security section of the System
Administration Guide: IP services has some task examples...

 http://download.oracle.com/docs/cd/E19963-01/html/821-1453/index.html

For the tunnel part, you'll need:

"Examples of Protecting a VPN With IPsec by Using Tunnels in Tunnel Mode"

Along with "Configuring IKE With Public Key Certificates"

For the cert_trust lines for IKE, instead of using an IP address, you
can use the distinguished name associated with the cert.

For example, if you generated the cert like this:

# ikecert certlocal -ks -t rsa-sha1 -m 4096 -D "CN=myinternethost, O=myorg, C=US"

The cert_trust line in ike.config is

cert_trust "CN=myinternethost, O=myorg, C=US"

If you prefer to also use a subject alt name, e.g.

# ikecert certlocal -ks -t rsa-sha1 -m 4096 -D "CN=myinternethost, O=myorg, C=US" -A EMAIL="[email protected]"

then you are free to use the distinguished name, as above, or the alt
name, i.e.

 cert_trust "[email protected]"

The -A is just a different convenient way to refer to a certificate
rather than having to enter the more cumbersome distinguished name.

Hopefully this helps get you started.  In a situation like this, we
interoperate well with MacOS and Linux as clients, which use racoon.  We
haven't really been able to figure out how to get Windows to function as
an end-node with its native IPsec implementation where it is an endpoint
and is assigned an "internal" address.

-Paul
_______________________________________________
security-discuss mailing list
[email protected]