#
# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# This file should be copied to /etc/inet/ipsecinit.conf to enable IPsec
# systemwide policy (and as a side-effect, load IPsec kernel modules).
# Even if this file has no entries, IPsec will be loaded if
# /etc/inet/ipsecinit.conf exists.
#
# Add entries to protect the traffic using IPsec.  The entries in this
# file are currently configured using ipsecconf from the inetinit script
# after /usr is mounted.
#
# For example,
#
# {rport 23} ipsec {encr_algs des encr_auth_algs md5}
#
# Or, in the older (but still usable) syntax
#
# {dport 23} apply {encr_algs des encr_auth_algs md5 sa shared}
# {sport 23} permit {encr_algs des encr_auth_algs md5}
#
# will protect the telnet traffic originating from the host with ESP using
# DES and MD5.  Also:
#
# {raddr 10.5.5.0/24} ipsec {auth_algs any}
#
# Or, in the older (but still usable) syntax
#
# {daddr 10.5.5.0/24} apply {auth_algs any sa shared}
# {saddr 10.5.5.0/24} permit {auth_algs any}
#
# will protect traffic to/from the 10.5.5.0 subnet with AH using any available
# algorithm.
#
# To do basic filtering, a drop rule may be used.  For example:
#
# {lport 23 dir in} drop {}
# {lport 23 dir out} drop {}
#
# will disallow any remote system from telnetting in.
#
# If you are using IPv6, it may be useful to bypass neighbor discovery
# to allow in.iked to work properly with on-link neighbors.  To do that,
# add the following lines:
#
# {ulp ipv6-icmp type 133-137 dir both } pass { }
#
# This will allow neighbor discovery to work normally.
#
# WARNING: This file is read before default routes are established, and
#          before any naming services have been started.  The
#          ipsecconf(8) command attempts to resolve names, but it will
#          fail unless the machine uses files, or DNS and the DNS server
#          is reachable via routing information before ipsecconf(8)
#          invocation.  (E.g. the DNS server is on-subnet, or DHCP
#          has loaded up the default router already.)
#
#          For this file, use hostnames only if they are in /etc/hosts,
#          or use numeric IP addresses.
#
#          If DNS gets used, the DNS server is implicitly trusted, which
#          could lead to compromise of this machine if the DNS server
#          has been compromised.
#
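A small parser and linter for the `{pattern} action {properties}` rule syntax shown in the comments above, added here as an example; it is not part of the illumos sample file or of ipsecconf itself. It splits each brace group into key/value pairs, flags the DES and MD5 algorithms used in the examples as weak, and flags address patterns that are hostnames rather than numeric addresses, since the WARNING above explains those depend on name resolution at boot. The sample rules, the hostname `fileserver.example` and the function names are constructed for this example.

```python
import ipaddress
import re

# One rule per line: {pattern} action {properties}; '#' starts a comment.
RULE_RE = re.compile(r"^\{([^}]*)\}\s*(\w+)\s*\{([^}]*)\}$")
ADDR_KEYS = {"laddr", "raddr", "saddr", "daddr"}
WEAK_ALGS = {"des", "md5"}  # the algorithms the sample's own examples use

def _pairs(fields):
    toks = fields.split()  # both brace groups are flat "key value" lists
    if len(toks) % 2:
        raise ValueError(f"odd number of tokens in {{{fields}}}")
    return dict(zip(toks[::2], toks[1::2]))

def parse_policy(text):
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a policy rule: {raw!r}")
        rules.append({"pattern": _pairs(m.group(1)), "action": m.group(2),
                      "props": _pairs(m.group(3))})
    return rules

def _is_numeric(addr):
    try:
        return ipaddress.ip_network(addr, strict=False) is not None
    except ValueError:
        return False

def lint(rules):
    findings = []
    for i, r in enumerate(rules, 1):
        algs = {v for k, v in r["props"].items() if k.endswith("algs")}
        if algs & WEAK_ALGS:
            findings.append(f"rule {i}: weak algorithm(s) {sorted(algs & WEAK_ALGS)}")
        for k, v in r["pattern"].items():
            if k in ADDR_KEYS and not _is_numeric(v):
                findings.append(f"rule {i}: {k} {v} needs name resolution at boot")
    return findings

# Constructed sample: the file's own example rules plus one hostname-based rule.
SAMPLE = """{rport 23} ipsec {encr_algs des encr_auth_algs md5}
{raddr 10.5.5.0/24} ipsec {auth_algs any}
{lport 23 dir in} drop {}
{ulp ipv6-icmp type 133-137 dir both } pass { }
{raddr fileserver.example} ipsec {auth_algs sha1}  # hostname, resolved at boot"""
```

Running `lint(parse_policy(SAMPLE))` reports the DES/MD5 rule and the hostname rule; a real file is still validated with ipsecconf on the host, this only catches the two pitfalls the comments call out.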