Sun Solaris
Latest revision as of 13:49, 13 January 2012
Contents
- 1 Platform Notes
- 2 Version History
- 3 Backoff Patterns
- 4 Vendor IDs
- 5 Authentication Methods
- 6 ISAKMP SA Lifetime
- 7 Transform Attribute ordering and re-writing
- 8 Aggressive Mode
- 9 Response to Noncompliant and Malformed Packets
- 10 NAT Traversal
- 11 IKEv2
- 12 Remote Access VPN Client
- 13 Other Interesting Behaviour
- 14 Default Configuration
- 15 Discovered Vulnerabilities
Platform Notes
Sun Solaris runs on SPARC and Intel hardware platforms.
Version History
Version | Release Date | Notes |
---|---|---|
Solaris 8 | Feb 2000 | First Solaris version to include IPsec. Manual keying only (no IKE) |
Solaris 9 | May 2002 | IKE support added |
Solaris 10 | Jan 2005 | NAT Traversal support added |
IPsec support was first added in Solaris 8. IKE keying support was added in Solaris 9, using the in.iked daemon.
Backoff Patterns
All tested versions of Solaris (currently 9 and 10) have the six-packet IKE backoff pattern:
0, 0.5, 1, 2, 4, 8
Below is an example from Solaris 9 on SPARC. We need to specify a custom transform, as this system won't respond to our default transform set:
$ ike-scan -M --showbackoff --trans=5,1,1,5 192.168.124.158
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.158    Main Mode Handshake returned
    HDR=(CKY-R=7e621cfe41000000)
    SA=(SPI=7e621cfe41000000 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)

IKE Backoff Patterns:

IP Address         No.    Recv time             Delta Time
192.168.124.158    1      1171722837.002113     0.000000
192.168.124.158    2      1171722837.504497     0.502384
192.168.124.158    3      1171722838.514553     1.010056
192.168.124.158    4      1171722840.524552     2.009999
192.168.124.158    5      1171722844.534720     4.010168
192.168.124.158    6      1171722852.544802     8.010082
Here's an example from Solaris 10 on Intel IA-32, which shows the same backoff pattern:
$ ike-scan -M --trans=5,1,1,5 --showbackoff 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=871c8aba1cf5a0d7)
    SA=(SPI=699f1a94e2ac65f8 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279

IKE Backoff Patterns:

IP Address     No.    Recv time             Delta Time
172.16.3.28    1      1171749705.664218     0.000000
172.16.3.28    2      1171749706.175947     0.511729
172.16.3.28    3      1171749707.190895     1.014948
172.16.3.28    4      1171749709.192046     2.001151
172.16.3.28    5      1171749713.210723     4.018677
172.16.3.28    6      1171749721.211048     8.000325
172.16.3.28    Implementation guess: Sun Solaris
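The matching step behind ike-scan's "Implementation guess" line, as an added Python example that is not part of this page or of ike-scan itself: it parses a constructed copy of the Solaris 10 backoff table above, turns the receive times into inter-packet deltas and compares them with the 0, 0.5, 1, 2, 4, 8 pattern. The table layout, the 0.5 s tolerance and the requirement that the packet count match are assumptions of this example.

```python
"""Fingerprint an IKE responder from its retransmission backoff timings."""
import re

# Constructed sample: the "IKE Backoff Patterns" table printed by
# ike-scan --showbackoff against the Solaris 10 host discussed above.
SAMPLE = """\
IP Address     No.    Recv time             Delta Time
172.16.3.28    1      1171749705.664218     0.000000
172.16.3.28    2      1171749706.175947     0.511729
172.16.3.28    3      1171749707.190895     1.014948
172.16.3.28    4      1171749709.192046     2.001151
172.16.3.28    5      1171749713.210723     4.018677
172.16.3.28    6      1171749721.211048     8.000325
"""

# Known backoff patterns: implementation name -> expected deltas in seconds.
# Only the Solaris pattern from this page is listed; extend as needed.
PATTERNS = {
    "Sun Solaris": [0.0, 0.5, 1.0, 2.0, 4.0, 8.0],
}

# One table row: ip, packet number, absolute receive time, delta
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+\.\d+)\s+(\d+\.\d+)\s*$")


def parse_backoff_table(text):
    """Return {ip: [recv_time, ...]} from ike-scan's backoff table rows."""
    times = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:                      # header and summary lines do not match
            times.setdefault(m.group(1), []).append(float(m.group(3)))
    return times


def deltas(recv_times):
    """Inter-packet delays: 0 for the first packet, then t[i] - t[i-1]."""
    return [0.0] + [b - a for a, b in zip(recv_times, recv_times[1:])]


def match_pattern(observed, expected, tolerance=0.5):
    """True when the packet count matches and every observed delta lies
    within `tolerance` seconds of the expected delta (assumed rule)."""
    if len(observed) != len(expected):
        return False
    return all(abs(o - e) <= tolerance for o, e in zip(observed, expected))


def guess_implementation(text, patterns=PATTERNS):
    """Return {ip: matched pattern name or None} for each host in the table."""
    result = {}
    for ip, recv in parse_backoff_table(text).items():
        d = deltas(recv)
        result[ip] = next((name for name, p in patterns.items()
                           if match_pattern(d, p)), None)
    return result
```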
Vendor IDs
Solaris 9 does not return any Vendor IDs.
Solaris 10 returns the following Vendor IDs indicating that it supports NAT Traversal:
- RFC 3947 NAT-T (4a131c81070358455c5728f20e95452f)
- RFC XXXX (810fa565f8ab14369105d706fbd57279)
Authentication Methods
Solaris supports four authentication types:
- Pre-Shared Key
- RSA Signature
- RSA Encryption
- DSS Signature
Pre-Shared Key and RSA Signature are common authentication methods. RSA Encryption and DSS Signature are standard methods, but are less commonly seen.
The syntax used in the /etc/inet/ike/config file is:
auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}
For authentication types other than Pre-Shared Key, a certificate is needed. In the examples in this document, the following command was used to generate a self-signed certificate on the Solaris 10 system named solaris10:
# ikecert certlocal -ks -m 1024 -t rsa-sha1 -D "C=GB, O=NTA_Monitor OU=Technical_Dept CN=solaris10"
Below are examples of each authentication method. In each case, the Phase-1 transform attributes other than authentication method are always Enc=DES, Hash=MD5, Group=1. For each example, we show the config file followed by the ike-scan output.
Pre-Shared Key
{
    label "default rule"
    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0
    p1_xform {auth_method preshared oakley_group 1 auth_alg md5 encr_alg des}
}
$ ike-scan --trans=1,1,1,1 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=a6d56703fcb2b456)
    SA=(SPI=e19f058e051e98c6 Enc=DES Hash=MD5 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
RSA Signature
{
    label "default rule"
    local_id_type dn
    local_id "C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris10"
    remote_id "C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris9"
    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0
    p1_xform {auth_method rsa_sig oakley_group 1 auth_alg md5 encr_alg des}
}
$ ike-scan --trans=1,1,3,1 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=4895a5c076262fc5)
    SA=(SPI=754cb173565a55f6 Enc=DES Hash=MD5 Auth=RSA_Sig Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
RSA Encryption
{
    label "default rule"
    local_id_type dn
    local_id "C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris10"
    remote_id "C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris9"
    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0
    p1_xform {auth_method rsa_encrypt oakley_group 1 auth_alg md5 encr_alg des}
}
$ ike-scan --trans=1,1,4,1 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=9264a0b930e405fc)
    SA=(SPI=c706d01cca2ddc1b Enc=DES Hash=MD5 Auth=RSA_Enc Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
DSS Signature
{
    label "default rule"
    local_id_type dn
    local_id "C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris10"
    remote_id "C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris9"
    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0
    p1_xform {auth_method dss_sig oakley_group 1 auth_alg md5 encr_alg des}
}
$ ike-scan --trans=1,1,2,1 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=c38d0ac0f21f2bfd)
    SA=(SPI=72b2de847e268ee2 Enc=DES Hash=MD5 Auth=DSS Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
ISAKMP SA Lifetime
Lifetime in Seconds
Solaris 10 allows any lifetime in seconds including none at all. However, it does not support variable length attributes with a value length greater than four bytes even if the value is small enough to fit in four bytes.
For no lifetime at all, Solaris will not include any lifetime in its response. For any lifetime between zero and the maximum value that will fit in four bytes, Solaris will return that same lifetime.
$ ike-scan --lifetime=none --trans=5,1,1,5 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=da12237500a28e30)
    SA=(SPI=1ad4b0c490fce1cb Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279

$ ike-scan --lifetime=0 --trans=5,1,1,5 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=55380e917896c597)
    SA=(SPI=46a0b434621a4c85 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00000000)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279

$ ike-scan --lifetime=1 --trans=5,1,1,5 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=23b517f2fac77ebe)
    SA=(SPI=b5d4db423539e776 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00000001)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279

$ ike-scan --lifetime=0xffffffff --trans=5,1,1,5 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=773fe06a23a2490d)
    SA=(SPI=3b0f6f54f0d48d90 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0xffffffff)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279

$ ike-scan --lifetime=0x0000000000000001 --trans=5,1,1,5 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=b2523d4015397c1b, msgid=fef45996)
Lifetime in Kilobytes
Solaris also supports a lifetime in kilobytes, and handles it in exactly the same way as a lifetime in seconds.
$ ike-scan --lifetime=none --lifesize=0 --trans=5,1,1,5 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=877d54e81d8446e9)
    SA=(SPI=e16ef93d5921e2fd Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Kilobytes LifeDuration(4)=0x00000000)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279

$ ike-scan --lifetime=none --lifesize=1 --trans=5,1,1,5 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=32fca270ef4cd858)
    SA=(SPI=e99a5915faf3c7d3 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Kilobytes LifeDuration(4)=0x00000001)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279

$ ike-scan --lifetime=none --lifesize=0xffffffff --trans=5,1,1,5 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=b520d53b2e15130d)
    SA=(SPI=72d33124491bd808 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Kilobytes LifeDuration(4)=0xffffffff)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279

$ ike-scan --lifetime=none --lifesize=0x0000000000000001 --trans=5,1,1,5 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=25674e9cbc30a328, msgid=dfe20db5)
Solaris also supports both a lifetime in seconds and a lifetime in kilobytes.
$ ike-scan --lifetime=0xffffffff --lifesize=0xffffffff --trans=5,1,1,5 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=0c95195c4375cac1)
    SA=(SPI=fc539a291bfa7abe Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0xffffffff LifeType=Kilobytes LifeDuration(4)=0xffffffff)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
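The attribute encoding that distinguishes the accepted and rejected lifetimes above, as an added Python example that is not code from this page, from ike-scan or from Sun: ISAKMP data attributes (RFC 2408 section 3.3) are either "basic" (AF bit set, 2-byte value) or "variable-length" (AF bit clear, explicit length), and ike-scan's --lifetime=0x0000000000000001 sends an 8-byte variable-length LifeDuration. The function solaris_accepts models the page's observation as a rule (any variable-length value longer than 4 bytes is refused); that rule and the attribute type constants from the IKE DOI are the example's assumptions.

```python
"""Encode/decode ISAKMP SA data attributes and model the 4-byte lifetime limit."""
import struct

# Attribute types and LifeType values from the IKE DOI (RFC 2409 appendix A)
ENC, HASH, AUTH, GROUP, LIFE_TYPE, LIFE_DURATION = 1, 2, 3, 4, 11, 12
LIFE_SECONDS, LIFE_KILOBYTES = 1, 2
LIFE_NAMES = {LIFE_SECONDS: "Seconds", LIFE_KILOBYTES: "Kilobytes"}


def encode_basic(attr_type, value):
    """Basic attribute: AF bit (0x8000) set, 15-bit type, 2-byte value."""
    return struct.pack("!HH", 0x8000 | attr_type, value)


def encode_variable(attr_type, value_bytes):
    """Variable-length attribute: AF bit clear, type, 2-byte length, value."""
    return struct.pack("!HH", attr_type, len(value_bytes)) + value_bytes


def encode_lifetime(life_type, duration, nbytes):
    """LifeType as a basic attribute, then LifeDuration as an nbytes-long
    variable-length value (4 for ike-scan's --lifetime=0xffffffff,
    8 for --lifetime=0x0000000000000001)."""
    return encode_basic(LIFE_TYPE, life_type) + encode_variable(
        LIFE_DURATION, duration.to_bytes(nbytes, "big"))


def decode_attributes(data):
    """Parse an attribute list into (type, value_bytes, is_basic) tuples."""
    out, off = [], 0
    while off + 4 <= len(data):
        raw_type, second = struct.unpack_from("!HH", data, off)
        off += 4
        if raw_type & 0x8000:                 # basic: 'second' is the value
            out.append((raw_type & 0x7fff, struct.pack("!H", second), True))
        else:                                 # variable: 'second' is a length
            out.append((raw_type, data[off:off + second], False))
            off += second
    if off != len(data):
        raise ValueError("truncated attribute list")
    return out


def solaris_accepts(data):
    """Assumed acceptance rule derived from the scans on this page: Solaris 10
    echoes any 4-byte LifeDuration (0..0xffffffff) but answers a longer
    variable-length value with NO-PROPOSAL-CHOSEN."""
    return all(basic or len(value) <= 4
               for _, value, basic in decode_attributes(data))


def describe_lifetimes(data):
    """Render lifetime attributes the way ike-scan prints them, e.g.
    'LifeType=Seconds LifeDuration(4)=0x00000001'."""
    parts = []
    for attr_type, value, _ in decode_attributes(data):
        if attr_type == LIFE_TYPE:
            parts.append("LifeType=" + LIFE_NAMES[int.from_bytes(value, "big")])
        elif attr_type == LIFE_DURATION:
            parts.append(f"LifeDuration({len(value)})=0x{value.hex()}")
    return " ".join(parts)
```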
Transform Attribute ordering and re-writing
Solaris generally returns the transform attributes in the order that they are supplied by the initiator.
In the example below, we specify the four mandatory transform attributes in order Enc, Hash, Auth, Group and then in reverse order Group, Auth, Hash, Enc, and observe that in both cases the target returns the attributes in the same order as the initiator specified them.
$ ike-scan -M --trans="(1=5,2=1,3=1,4=5)" 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=8cd1ca4882160673)
    SA=(SPI=8c144da430ece0a8 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279

$ ike-scan -M --trans="(4=5,3=1,2=1,1=5)" 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=d3eb20b057f117c1)
    SA=(SPI=80ef8605abb52093 Group=5:modp1536 Auth=PSK Hash=MD5 Enc=3DES)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
Here is another example, this time including a lifetime in seconds, and a lifetime in kilobytes. Again, the attributes are returned in the same order that the initiator sent them.
$ ike-scan -M --trans="(11=2,12=123,11=1,12=456,4=5,3=1,2=1,1=5)" 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=501ec56ba6834f6e)
    SA=(SPI=8fa327272a8d983e LifeType=Kilobytes LifeDuration=123 LifeType=Seconds LifeDuration=456 Group=5:modp1536 Auth=PSK Hash=MD5 Enc=3DES)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
Aggressive Mode
Sun Solaris supports IKE Aggressive Mode in addition to Main Mode.
Below is an example Aggressive Mode response from Solaris 9 on SPARC:
$ ike-scan -M -A --trans=5,1,1,5 192.168.124.158
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.158    Aggressive Mode Handshake returned
    HDR=(CKY-R=3ea5319cdb000000)
    SA=(SPI=3ea5319cdb000000 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)
    KeyExchange(192 bytes)
    Nonce(32 bytes)
    ID(Type=ID_IPV4_ADDR, Value=192.168.124.158)
    Hash(16 bytes)
Below is an example Aggressive Mode response from Solaris 10 on Intel:
$ ike-scan -A --trans=5,1,1,5 -M 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Aggressive Mode Handshake returned
    HDR=(CKY-R=9506ca7541f4bddc)
    SA=(SPI=a12e4bf7890d82b3 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)
    KeyExchange(192 bytes)
    Nonce(20 bytes)
    ID(Type=ID_IPV4_ADDR, Value=172.16.3.28)
    Hash(16 bytes)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
Response to Noncompliant and Malformed Packets
The responses below are from Solaris 10 unless indicated otherwise.
No acceptable transforms
$ ike-scan -M --trans=1,1,1,1 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=c817c7fd688ba3a3, msgid=657d7cd6)
Bad IKE version
Solaris echoes the invalid version number back in the ISAKMP header of its notify response.
$ ike-scan -M --trans=5,1,1,5 --headerver=0x30 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Notify message 5 (INVALID-MAJOR-VERSION)
    HDR=(CKY-R=3ad5d91e76ad5314, version=0x30, msgid=c4f53ca1)

$ ike-scan -M --trans=5,1,1,5 --headerver=0x11 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Notify message 6 (INVALID-MINOR-VERSION)
    HDR=(CKY-R=a78ed8e586b8cb27, version=0x11, msgid=2769fe27)
Invalid DOI
$ ike-scan -M --trans=5,1,1,5 --doi=2 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Notify message 2 (DOI-NOT-SUPPORTED)
    HDR=(CKY-R=b41de8c5c3313e35, msgid=2bd87c0f)
Invalid Situation
Solaris reports PAYLOAD-MALFORMED rather than SITUATION-NOT-SUPPORTED.
$ ike-scan -M --trans=5,1,1,5 --situation=2 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Notify message 16 (PAYLOAD-MALFORMED)
    HDR=(CKY-R=48ce342e2d841189, msgid=21a6056c)
Invalid Initiator Cookie
Solaris ignores an invalid cookie, or perhaps it considers a zero initiator cookie as valid. Note that the SPI in the SA uses the value from the initiator cookie.
$ ike-scan -M --trans=5,1,1,5 --cookie=0000000000000000 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=f2e306962322f86c)
    SA=(SPI=0000000000000000 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
Invalid Flags
$ ike-scan -M --trans=5,1,1,5 --hdrflags=255 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Notify message 8 (INVALID-FLAGS)
    HDR=(CKY-R=c230666316059330, msgid=7f4b873f)
Invalid Protocol
Solaris ignores an invalid protocol number in the SA proposal.
$ ike-scan -M --protocol=2 --trans=5,1,1,5 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=44e6f3fa77df750e)
    SA=(SPI=c4e677e48afd99cf Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
Invalid SPI
Solaris ignores an invalid SPI length.
$ ike-scan -M --spisize=32 --trans=5,1,1,5 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=b83b7b5012b3cbcd)
    SA=(SPI=0e948281684af0cf Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
Non-Zero Reserved Fields
$ ike-scan -M --mbz=255 --trans=5,1,1,5 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Notify message 16 (PAYLOAD-MALFORMED)
    HDR=(CKY-R=6d579021798fb502, msgid=3d317617)
NAT Traversal
Solaris 10 supports NAT Traversal. However, ike-scan with the --nat-t option gets no usable response, because Solaris sends its reply from source port 500 rather than from the port the request was sent to (4500). Here is a tcpdump trace which shows this behaviour:
18:51:55.955646 IP 192.168.124.7.4500 > 172.16.3.28.4500: UDP, length: 88
18:51:55.980394 IP 172.16.3.28.500 > 192.168.124.7.4500: isakmp: phase 1 ? ident
It is not known if this constitutes a bug that prevents NAT Traversal working in real applications.
IKEv2
Sun Solaris does not support IKEv2 as of Solaris 10.
Remote Access VPN Client
There is no separate Remote Access VPN client for Solaris.
Other Interesting Behaviour
Last 24 bits of responder cookie are a counter on Solaris 9
On Solaris 9, the last three bytes (24 bits) of the responder cookie are a counter. Below are twenty Solaris 9 responder cookies, sampled immediately after in.iked was restarted.
23788f3c53000000 6d2effb3ea000001 a2679fff31000002 ba64e960e2000003
873545b0c3000004 a88d37b3ed000005 7c4e8d8fff000006 0863ccb21c000007
0b01e70871000008 1d0f8f9bfb000009 6defb378ab00000a 93a621380100000b
562a4f16f700000c 298895f01f00000d 1f09280d7e00000e ee5f35b0ba00000f
1072a4a88e000010 d805b9c006000011 33aeccd084000012 58a2c09d3a000013
The following command was used to obtain these responder cookie values:
perl -e 'print "192.168.124.158\n" x 20' | ike-scan -M --trans=5,1,1,5 -f -
This behaviour does not occur with Solaris 10, which has apparently random cookies. Below are ten cookie samples from Solaris 10 running on IA-32, obtained with a similar command:
3d49ae1f5533a10d 728e6ae4e568dc29 de708263348f01f3 70ce3ce1db2dab42
688ceabc6bf6ce4a f4e461b1e3766505 85450b28dc1920b7 eaf882c3787684dd
8c232d8c3e15f926 d3f993df7439d6a7
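A check for the counter behaviour described above, as an added Python example that is not part of this page or of ike-scan: it takes a run of responder cookies in the order they were received (the two sample sets below are copied from the page), tests whether the low 24 bits advance by exactly one each time, and reports how many cookie bits remain unpredictable to someone who has seen one cookie. The 24-bit width is taken from the page; treating the remaining bits as unpredictable is the example's assumption.

```python
"""Detect a counter in the low bits of a sequence of ISAKMP responder cookies."""

# Sample cookies from the page: Solaris 9 right after an in.iked restart
SOLARIS9 = """23788f3c53000000 6d2effb3ea000001 a2679fff31000002 ba64e960e2000003
873545b0c3000004 a88d37b3ed000005 7c4e8d8fff000006 0863ccb21c000007
0b01e70871000008 1d0f8f9bfb000009 6defb378ab00000a 93a621380100000b
562a4f16f700000c 298895f01f00000d 1f09280d7e00000e ee5f35b0ba00000f
1072a4a88e000010 d805b9c006000011 33aeccd084000012 58a2c09d3a000013"""

# Sample cookies from the page: Solaris 10 on IA-32
SOLARIS10 = """3d49ae1f5533a10d 728e6ae4e568dc29 de708263348f01f3 70ce3ce1db2dab42
688ceabc6bf6ce4a f4e461b1e3766505 85450b28dc1920b7 eaf882c3787684dd
8c232d8c3e15f926 d3f993df7439d6a7"""

COOKIE_BITS = 64      # ISAKMP cookies are 8 bytes


def parse_cookies(text):
    """Whitespace-separated 16-hex-digit cookies -> list of ints, order kept."""
    cookies = []
    for tok in text.split():
        if len(tok) != 16:
            raise ValueError(f"cookie {tok!r} is not 8 bytes of hex")
        cookies.append(int(tok, 16))
    return cookies


def low_bits(cookie, nbits=24):
    """The last nbits of the cookie (the bytes ike-scan prints on the right)."""
    return cookie & ((1 << nbits) - 1)


def counter_run(cookies, nbits=24):
    """Return (is_counter, first_value): is_counter is True when the low nbits
    of every successive cookie increase by exactly 1 modulo 2**nbits.
    A run of fewer than two cookies cannot show a counter."""
    lows = [low_bits(c, nbits) for c in cookies]
    if len(lows) < 2:
        return False, lows[0] if lows else None
    mod = 1 << nbits
    is_counter = all((b - a) % mod == 1 for a, b in zip(lows, lows[1:]))
    return is_counter, lows[0]


def unpredictable_bits(cookies, nbits=24):
    """Cookie bits an observer cannot predict after seeing one cookie:
    all 64 unless the low nbits are a counter, in which case only the rest
    (assumption: the remaining bits are random, as the page's samples suggest)."""
    return COOKIE_BITS - nbits if counter_run(cookies, nbits)[0] else COOKIE_BITS
```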
Solaris 9 uses the responder cookie as the SPI; Solaris 10 uses the initiator cookie
Solaris 9 adds an 8-byte SPI with the same value as the responder cookie to the responder SA.
$ ike-scan -M --trans=5,1,1,5 192.168.124.158
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.158    Main Mode Handshake returned
    HDR=(CKY-R=b982f8bd6b000014)
    SA=(SPI=b982f8bd6b000014 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)
Solaris 10 also adds an 8-byte SPI, but it uses the initiator cookie instead.
$ ike-scan -M --cookie=0102030405060708 --trans=5,1,1,5 172.16.3.28
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.28    Main Mode Handshake returned
    HDR=(CKY-R=72dcdd5203dd75de)
    SA=(SPI=0102030405060708 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=810fa565f8ab14369105d706fbd57279
Default Configuration
The IKE configuration is defined in the file /etc/inet/ike/config. If this file exists, then in.iked will start at boot time and use the configuration contained in it.
Solaris contains a sample file /etc/inet/ike/config.sample, which can be used as a template. This sample file is shown below.
In practice, most if not all users will need to customise this file, so there will be no such thing as a default configuration.
#
#ident  "@(#)config.sample      1.5     02/08/30 SMI"
#
# Copyright 2001-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.

##
## This file should be copied into /etc/inet/ike/config to enable the
## launch of the IKE daemon, in.iked(1m), at boot time.  You can also
## launch the IKE daemon after creating this file without rebooting by
## invoking /usr/lib/inet/in.iked with a root shell.
##

# Consult the ike.config(4) man page for further details.  Here is a small
# example from the man page.

### BEGINNING OF FILE

### First some global parameters...

## Optional hardware acceleration parameters...
## Use the pathname of a library that supports PKCS#11 in quotes.
## The example path is for the Sun Crypto Accelerator 1000.
# pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"

## certificate parameters...

# Root certificates.  I SHOULD use a full Distinguished Name.
# I MUST have this certificate in my local filesystem, see ikecert(1m).
cert_root "C=US, O=Sun Microsystems\\, Inc., CN=Sun CA"

# Explicitly trusted certs that need no signatures, or perhaps self-signed
# ones.  Like root certificates, use full DNs for them for now.
cert_trust "EMAIL=root@domain.org"

# Where do I send LDAP requests?
ldap_server "ldap1.domain.org,ldap2.domain.org:389"

# Some PKI-specific tweaks...

# If you wish to ignore CRLs, uncomment this:
#ignore_crls

# If you wish to use HTTP (with name resolution) for URLs inside certs,
# uncomment this:
#use_http

# HTTP proxy and socks URLs should also be indicated if needed...
socks "socks://socks-relay.domain.org"
#proxy "http://http-proxy.domain.org:8080"

## Phase 1 transform defaults...

p1_lifetime_secs 14400
p1_nonce_len 20

## Parameters that may also show up in rules.

p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2

### Now some rules...

{
    label "simple inheritor"
    local_id_type ip
    local_addr 10.1.1.1
    remote_addr 10.1.1.2
}

{
    # an index-only rule.  If I'm a receiver, and all I
    # have are index-only rules, what do I do about inbound IKE requests?
    # Answer:  Take them all!

    label "default rule"

    # Use whatever "host" (e.g. IP address) identity is appropriate
    local_id_type ipv4

    local_addr 0.0.0.0/0
    remote_addr 0.0.0.0/0

    p2_pfs 5

    # Now I'm going to have the p1_xforms
    p1_xform {auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish }
    p1_xform {auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }

    # After said list, another keyword (or a '}') will stop xform parsing.
}

{
    # Let's try something a little more conventional.

    label "host to .80 subnet"
    local_id_type ip
    local_id "10.1.86.51"
    remote_id ""    # Take any, use remote_addr for access control.

    local_addr 10.1.86.51
    remote_addr 10.1.80.0/24

    p1_xform { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg 3des }
    p1_xform { auth_method rsa_sig oakley_group 5 auth_alg md5 encr_alg blowfish }
    p1_xform { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg 3des }
    p1_xform { auth_method rsa_sig oakley_group 5 auth_alg sha1 encr_alg blowfish }
}