1*7c478bd9Sstevel@tonic-gate# 2*7c478bd9Sstevel@tonic-gate#ident "%Z%%M% %I% %E% SMI" 3*7c478bd9Sstevel@tonic-gate# 4*7c478bd9Sstevel@tonic-gate# Copyright 2005 Sun Microsystems, Inc. All rights reserved. 5*7c478bd9Sstevel@tonic-gate# Use is subject to license terms. 6*7c478bd9Sstevel@tonic-gate# 7*7c478bd9Sstevel@tonic-gate# CDDL HEADER START 8*7c478bd9Sstevel@tonic-gate# 9*7c478bd9Sstevel@tonic-gate# The contents of this file are subject to the terms of the 10*7c478bd9Sstevel@tonic-gate# Common Development and Distribution License, Version 1.0 only 11*7c478bd9Sstevel@tonic-gate# (the "License"). You may not use this file except in compliance 12*7c478bd9Sstevel@tonic-gate# with the License. 13*7c478bd9Sstevel@tonic-gate# 14*7c478bd9Sstevel@tonic-gate# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 15*7c478bd9Sstevel@tonic-gate# or http://www.opensolaris.org/os/licensing. 16*7c478bd9Sstevel@tonic-gate# See the License for the specific language governing permissions 17*7c478bd9Sstevel@tonic-gate# and limitations under the License. 18*7c478bd9Sstevel@tonic-gate# 19*7c478bd9Sstevel@tonic-gate# When distributing Covered Code, include this CDDL HEADER in each 20*7c478bd9Sstevel@tonic-gate# file and include the License file at usr/src/OPENSOLARIS.LICENSE. 21*7c478bd9Sstevel@tonic-gate# If applicable, add the following below this CDDL HEADER, with the 22*7c478bd9Sstevel@tonic-gate# fields enclosed by brackets "[]" replaced with your own identifying 23*7c478bd9Sstevel@tonic-gate# information: Portions Copyright [yyyy] [name of copyright owner] 24*7c478bd9Sstevel@tonic-gate# 25*7c478bd9Sstevel@tonic-gate# CDDL HEADER END 26*7c478bd9Sstevel@tonic-gate# 27*7c478bd9Sstevel@tonic-gate# This file should be copied to /etc/inet/ipsecinit.conf to enable IPsec 28*7c478bd9Sstevel@tonic-gate# systemwide policy (and as a side-effect, load IPsec kernel modules). 29*7c478bd9Sstevel@tonic-gate# Even if this file has no entries, IPsec will be loaded if 30*7c478bd9Sstevel@tonic-gate# /etc/inet/ipsecinit.conf exists. 31*7c478bd9Sstevel@tonic-gate# 32*7c478bd9Sstevel@tonic-gate# Add entries to protect the traffic using IPSEC. The entries in this 33*7c478bd9Sstevel@tonic-gate# file are currently configured using ipsecconf from inetinit script 34*7c478bd9Sstevel@tonic-gate# after /usr is mounted. 35*7c478bd9Sstevel@tonic-gate# 36*7c478bd9Sstevel@tonic-gate# For example, 37*7c478bd9Sstevel@tonic-gate# 38*7c478bd9Sstevel@tonic-gate# {rport 23} ipsec {encr_algs des encr_auth_algs md5} 39*7c478bd9Sstevel@tonic-gate# 40*7c478bd9Sstevel@tonic-gate# Or, in the older (but still usable) syntax 41*7c478bd9Sstevel@tonic-gate# 42*7c478bd9Sstevel@tonic-gate# {dport 23} apply {encr_algs des encr_auth_algs md5 sa shared} 43*7c478bd9Sstevel@tonic-gate# {sport 23} permit {encr_algs des encr_auth_algs md5} 44*7c478bd9Sstevel@tonic-gate# 45*7c478bd9Sstevel@tonic-gate# will protect the telnet traffic originating from the host with ESP using 46*7c478bd9Sstevel@tonic-gate# DES and MD5. Also: 47*7c478bd9Sstevel@tonic-gate# 48*7c478bd9Sstevel@tonic-gate# {raddr 10.5.5.0/24} ipsec {auth_algs any} 49*7c478bd9Sstevel@tonic-gate# 50*7c478bd9Sstevel@tonic-gate# Or, in the older (but still usable) syntax 51*7c478bd9Sstevel@tonic-gate# 52*7c478bd9Sstevel@tonic-gate# {daddr 10.5.5.0/24} apply {auth_algs any sa shared} 53*7c478bd9Sstevel@tonic-gate# {saddr 10.5.5.0/24} permit {auth_algs any} 54*7c478bd9Sstevel@tonic-gate# 55*7c478bd9Sstevel@tonic-gate# will protect traffic to/from the 10.5.5.0 subnet with AH using any available 56*7c478bd9Sstevel@tonic-gate# algorithm. 57*7c478bd9Sstevel@tonic-gate# 58*7c478bd9Sstevel@tonic-gate# To do basic filtering, a drop rule may be used. For example: 59*7c478bd9Sstevel@tonic-gate# 60*7c478bd9Sstevel@tonic-gate# {lport 23 dir in} drop {} 61*7c478bd9Sstevel@tonic-gate# {lport 23 dir out} drop {} 62*7c478bd9Sstevel@tonic-gate# 63*7c478bd9Sstevel@tonic-gate# will disallow any remote system from telnetting in. 64*7c478bd9Sstevel@tonic-gate# 65*7c478bd9Sstevel@tonic-gate# If you are using IPv6, it may be useful to bypass neighbor discovery 66*7c478bd9Sstevel@tonic-gate# to allow in.iked to work properly with on-link neighbors. To do that, 67*7c478bd9Sstevel@tonic-gate# add the following lines: 68*7c478bd9Sstevel@tonic-gate# 69*7c478bd9Sstevel@tonic-gate# {ulp ipv6-icmp type 133-137 dir both } pass { } 70*7c478bd9Sstevel@tonic-gate# 71*7c478bd9Sstevel@tonic-gate# This will allow neighbor discovery to work normally. 72*7c478bd9Sstevel@tonic-gate# 73*7c478bd9Sstevel@tonic-gate# WARNING: This file is read before default routes are established, and 74*7c478bd9Sstevel@tonic-gate# before any naming services have been started. The 75*7c478bd9Sstevel@tonic-gate# ipsecconf(1M) command attempts to resolve names, but it will 76*7c478bd9Sstevel@tonic-gate# fail unless the machine uses files, or DNS and the DNS server 77*7c478bd9Sstevel@tonic-gate# is reachable via routing information before ipsecconf(1m) 78*7c478bd9Sstevel@tonic-gate# invocation. (E.g. the DNS server is on-subnet, or DHCP 79*7c478bd9Sstevel@tonic-gate# has loaded up the default router already.) 80*7c478bd9Sstevel@tonic-gate# 81*7c478bd9Sstevel@tonic-gate# It is suggested that for this file, use hostnames only if 82*7c478bd9Sstevel@tonic-gate# they are in /etc/hosts, or use numeric IP addresses. 83*7c478bd9Sstevel@tonic-gate# 84*7c478bd9Sstevel@tonic-gate# If DNS gets used, the DNS server is implicitly trusted, which 85*7c478bd9Sstevel@tonic-gate# could lead to compromise of this machine if the DNS server 86*7c478bd9Sstevel@tonic-gate# has been compromised. 87*7c478bd9Sstevel@tonic-gate# 88