Yes, I got a chance to work with IPSec in Linux and Solaris. Well, we managed to get a working connection between Linux and Solaris, so in case any of you have any doubts, do contact me. I do not know much about the certificates though.
Just an overview of what is IPSec
IPsec is an extension to the IP protocol which provides security to the IP and the upper-layer protocols. It was first developed for the new IPv6 standard and then “backported” to IPv4.
IPsec uses two different protocols - AH and ESP - to ensure the authentication, integrity and confidentiality of the communication. It can protect either the entire IP datagram or only the upper-layer protocols. The appropriate modes are called tunnel mode and transport mode. In tunnel mode the IP datagram is fully encapsulated by a new IP datagram using the IPsec protocol. In transport mode only the payload of the IP datagram is handled by the IPsec protocol, inserting the IPsec header between the IP header and the upper-layer protocol header. - www.ipsec-tools.sourceforge.net
Linux and Solaris use entirely different packages and commands. The keys can be exchanged automatically through IKE (more secure: the session keys are negotiated by the daemons, never written into a configuration file, and rekeyed on a schedule) or configured by hand as static manual keys (less secure: the same keys sit in cleartext on both hosts and stay in use until someone changes them). For automatic key exchange, Linux uses "racoon" (from ipsec-tools) and Solaris uses "in.iked", the IKE daemon.
Similarly, for setting up the SAs (security associations, which live in the SAD, the Security Association Database) and the policies (the SPD), Linux uses "setkey" for both, whereas Solaris splits the job: "ipseckey" manages the SAs and "ipsecconf" loads the policy, normally from /etc/inet/ipsecinit.conf. The syntax and rules differ but are comparable, and the values that decide whether the two ends talk at all (SPI, algorithms, key lengths, mode and the address selectors) have to match exactly on both sides.
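To make the "must match exactly" point concrete, here is an added example (my own script, not the configuration from this post) that generates one pair of manual-key ESP transport-mode SAs and writes them out in both dialects: a setkey file for the Linux end and an ipseckey file plus an ipsecinit.conf rule for the Solaris end. The addresses 192.0.2.1 (Linux) and 192.0.2.2 (Solaris), the SPIs, the AES-CBC-128 + HMAC-SHA1 algorithm set and all helper names are assumptions made for the example; the `encr_alg aes` spelling and the `{ laddr ... raddr ... } ipsec { ... }` rule form are what I recall of the Solaris 10 syntax, so check them against ipseckey(1M) and ipsecconf(1M) on your build. The parsers at the end re-read both generated files and confirm that every SA carries the same SPI and keys on both sides, which is the check that catches most "phase-less" manual-key interop failures (the packets are simply dropped with no negotiation to log).

```python
"""Generate one consistent manual-key ESP configuration for a Linux (setkey)
end and a Solaris (ipseckey + ipsecconf) end, then cross-check the two files.

Added example, not the blog author's configuration. Addresses, SPIs, the
algorithm set and every helper name here are assumptions for illustration.
"""
import os
from dataclasses import dataclass

ENC_KEY_LEN = 16   # AES-CBC-128: both stacks infer the key size from the key itself
AUTH_KEY_LEN = 20  # HMAC-SHA1: the full 160-bit key (RFC 2404); a short key is rejected


@dataclass(frozen=True)
class ManualSA:
    src: str
    dst: str
    spi: int          # the same value must be installed on both ends
    enc_key: bytes
    auth_key: bytes


def make_sa(src, dst, spi, rng=os.urandom):
    # SPIs 1..255 are reserved and 0 is rejected by both setkey and ipseckey.
    if not 0x100 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be in 0x100..0xffffffff")
    return ManualSA(src, dst, spi, rng(ENC_KEY_LEN), rng(AUTH_KEY_LEN))


def make_pair(linux_ip, solaris_ip, spi_out, spi_in, rng=os.urandom):
    """An SA is one-directional, so each direction gets its own SPI and keys."""
    if spi_out == spi_in:
        raise ValueError("use distinct SPIs for the two directions")
    return (make_sa(linux_ip, solaris_ip, spi_out, rng),
            make_sa(solaris_ip, linux_ip, spi_in, rng))


def setkey_conf(sa_out, sa_in):
    """Linux side: SAD entries plus SPD rules that require ESP. Load with `setkey -f FILE`."""
    lines = ["flush;", "spdflush;"]
    for sa in (sa_out, sa_in):
        lines.append(
            f"add {sa.src} {sa.dst} esp 0x{sa.spi:x} -m transport "
            f"-E aes-cbc 0x{sa.enc_key.hex()} -A hmac-sha1 0x{sa.auth_key.hex()};")
    lines.append(f"spdadd {sa_out.src} {sa_out.dst} any -P out ipsec esp/transport//require;")
    lines.append(f"spdadd {sa_in.src} {sa_in.dst} any -P in ipsec esp/transport//require;")
    return "\n".join(lines) + "\n"


def ipseckey_conf(sa_out, sa_in):
    """Solaris SAD: identical SPIs and keys, src/dst kept as-is. Load with `ipseckey -f FILE`."""
    lines = ["flush esp"]
    for sa in (sa_out, sa_in):
        lines.append(
            f"add esp spi 0x{sa.spi:x} src {sa.src} dst {sa.dst} "
            f"encr_alg aes encrkey {sa.enc_key.hex()} "
            f"auth_alg sha1 authkey {sa.auth_key.hex()}")
    return "\n".join(lines) + "\n"


def ipsecinit_conf(linux_ip, solaris_ip):
    """Solaris policy rule for /etc/inet/ipsecinit.conf (assumed syntax; load with `ipsecconf -a`)."""
    return (f"{{ laddr {solaris_ip} raddr {linux_ip} }} "
            "ipsec { encr_algs aes encr_auth_algs sha1 sa shared }\n")


def parse_setkey(text):
    """Map (src, dst, spi) -> (enc_key_hex, auth_key_hex) from a setkey file."""
    sas = {}
    for line in text.splitlines():
        t = line.rstrip(";").split()
        if t[:1] != ["add"]:
            continue
        enc = t[t.index("-E") + 2][2:]      # strip the 0x prefix
        auth = t[t.index("-A") + 2][2:]
        sas[(t[1], t[2], int(t[4], 16))] = (enc, auth)
    return sas


def parse_ipseckey(text):
    """Same map from an ipseckey file, whose `add esp` lines are keyword/value pairs."""
    sas = {}
    for line in text.splitlines():
        t = line.split()
        if t[:2] != ["add", "esp"]:
            continue
        kv = dict(zip(t[2::2], t[3::2]))
        sas[(kv["src"], kv["dst"], int(kv["spi"], 16))] = (kv["encrkey"], kv["authkey"])
    return sas


def same_sas(setkey_text, ipseckey_text):
    """True only if both ends install exactly the same SAs (SPI, direction, both keys)."""
    return parse_setkey(setkey_text) == parse_ipseckey(ipseckey_text)


if __name__ == "__main__":
    out, inn = make_pair("192.0.2.1", "192.0.2.2", 0x201, 0x301)
    linux, solaris = setkey_conf(out, inn), ipseckey_conf(out, inn)
    print("# Linux: setkey -f\n" + linux)
    print("# Solaris: ipseckey -f\n" + solaris)
    print("# Solaris: /etc/inet/ipsecinit.conf\n" + ipsecinit_conf("192.0.2.1", "192.0.2.2"))
    print("SAs match on both ends:", same_sas(linux, solaris))
```

Both generated files contain the keys in cleartext, so write them with mode 0600, keep them off shared filesystems, and rerun the script (on both hosts, from the same output) whenever you want new keys; that manual rotation is exactly the chore IKE (racoon / in.iked) does for you. After loading, `setkey -D` on Linux and `ipseckey dump` on Solaris show what each kernel actually installed, which is where a mismatched SPI or a key of the wrong length shows up first.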
And making it work between Linux and Solaris - that was one hell of a challenge we had!
Added more information at IPSec Linux & Solaris (Cont)
nice! let's dump the whole page into a whitepaper :P
I'm interested in setting up an IPsec connection between a RedHat 5.5 and a Solaris 10 machine. Can you help me? Thanks,
Ciprian
@ciprian.gabor
Please let me know what help you need.
--ahamed
How did you do this? Thanks
Allen, are you stuck somewhere? Let me know, maybe I can help.
I will try to put up a working configuration sometime tomorrow.
Can you offer advice about your IPSec configuration on Solaris, namely the ike.config, ike.preshared, and ipsecinit.conf files? I've got phase 1 working between Solaris 10 and racoon (m0n0wall), but at phase 2 it seems that Solaris fails to detect an 'ID' and racoon logs 'racoon: ERROR: mismatched ID was returned.'
Please respond on your blog (http://enahamed.blogspot.com/) rather than by private email. Thanks for your kind help with IPSec!
Please check http://enahamed.blogspot.in/2012/02/ipsec-linux-and-solaris-cont.html and see if there is any issue in the configuration. The config I have posted is a working one.
Good Luck!
forward link is broken
Will fix it. Thank you for letting me know.
Updated the link.