Configuring IPSec with SDX Configuration Editor
You can use SDX Configuration Editor to configure IPSec properties required to protect traffic between the SAE and another system. For information about using SDX Configuration Editor, see SRC-PE Getting Started Guide, Chapter 39, Using SDX Configuration Editor.
To configure IPSec attributes from SDX Configuration Editor:
- In the navigation pane of SDX Configuration Editor, right-click an object, select SDX System Configuration, and then select New Configuration File.
- In the Create a New Configuration File dialog box, enter a filename in the File Name field, select ipSec_conf in the Template field, and click OK.
- In the navigation pane, double-click the name of the new file.
The IPSec Transport Connections pane appears.
- Click Solaris Hosts to expand it, select Host in the drop-down list box, click Create a New Instance of, and enter the Instance Name in the Create a New Instance dialog box.
- Configure host properties. Use the field descriptions in Configuring Host Properties to configure the properties.
- Expand IPSec Connections; then for each connection, select Connection in the drop-down list box, click Create a New Instance of, and enter the Instance Name in the Create a New Instance dialog box.
The new connection instance appears.
- Expand the Connection section for a specified connection, and enter field values. Use the field descriptions in Configuring Connection Properties to configure the properties.
- Expand the IPSec Details section for a specified connection, and enter field values. Use the field descriptions in Configuring IPSec Properties to Establish Key Exchange and SAs to configure the properties.
Configuring Host Properties
Use the host properties area to define IPSec configuration properties for the Solaris platform.
Host's SSH Address
- IP address or hostname to be used for IPSec configuration on the Solaris platform.
- Value—IP address or fully qualified hostname used for IPSec configuration on the Solaris platform; can include the port for an SSH server.
- Default—No value
- Example
IP address with port 22 for SSH—192.0.2.2:22
IKE Lifetime (Phase 1)
- Length of time the phase 1 SA can be active for all IPSec connections on the Solaris platform.
- Value—Length of time in seconds
- Guidelines—We recommend a minimum lifetime of 28800 seconds (8 hours).
- Default—28800
- Property name—ikeLifeTime
IKE Nonce Length (Phase 1)
- Size of the nonce token used during phase 1 of IKE negotiation.
- Value—Number of bytes in the range 1-64
- Guidelines—This property sets this value for all IPSec connections on the Solaris platform.
- Default—64
- Property name—ikeNonceLength
Configuring Connection Properties
Use the Connection properties area to define the source and destination for IPSec-protected communications, and the type of key to use in IKE negotiation.
Local Endpoint
- IP address for IPSec to use on the local Solaris platform on which the SAE is running.
- Value—<IP address>
- Guidelines—This is a required entry.
- Property name—localEndPt
Remote Endpoint
- IP address to use on the remote system.
- Value—<IP address>
- Guidelines—This is a required entry.
- Property name—RemoteEndPt
Preshared Key
- Value of the key to be shared between the SAE and the remote system. IKE negotiation uses this key.
- Value—A number in hexadecimal notation
- Guidelines—This is a required entry.
The different IKE algorithms support keys of various lengths. In general, longer keys provide more security than shorter keys provide. The length of the key should comply with the security policies at your site.
Protect the value of this key. Unauthorized access to the key value can compromise data that is protected by this key.
Target Ports
- Well-known port numbers associated with applications that participate in IPSec-protected communications.
- Value—Port number associated with an application
We recommend that the field remain blank to have IPSec protect all traffic between the local and remote systems.
If you specify port numbers, you can enter more than one port number, with commas separating the port numbers. The following list shows well-known port numbers for components in a PCMM environment:
- RADIUS server—1812
- RADIUS accounting—1813
- COPS-PR (used for communication between the SAE and CMTS device)—3918
Configuring IPSec Properties to Establish Key Exchange and SAs
Use the IPSec Details pane to configure properties to establish IKE, also referred to as a phase 1 IKE exchange, and to set up an SA between peers, also referred to as a phase 2 exchange. SDX Configuration Editor supplies default values for all fields. You can change values as needed.
IKE Authentication Method
- Authentication method used for IKE.
- Value—preshared key
- Guidelines—This is a required entry.
- Property name—ikeAuthMethod
IKE Encryption Algorithm
IKE Authentication Algorithm
IKE Oakley Group
- An Oakley group, the type of Diffie-Hellman key exchange algorithm that the Oakley key exchange protocol uses to distribute keying information during IKE negotiation. The Diffie-Hellman key exchange algorithm provides a way for two parties to exchange keying information and to agree on a shared key.
- Value
Group 1 provides the weakest security and group 5 the strongest security.
IKE Lifetime
- Length of time phase 1 SA can be active.
- Value—Length of time in seconds
- Default—28800
- Property name—ikeLifetime
Phase 2 Encryption Algorithm
- Encryption algorithm used by IKE during negotiation of the security association between hosts.
- Values
Phase 2 Authentication Algorithm
- Authentication algorithm for use by IKE during negotiation of the security association between hosts.
- Value
Phase 2 Oakley Group
- An Oakley group, the type of Diffie-Hellman key exchange algorithm that the Oakley key exchange protocol uses to distribute keying information during SA negotiation. The Diffie-Hellman key exchange algorithm provides a way for two parties to exchange keying information and to agree on a shared key.
- Value
Group 1 provides the weakest security and group 5 the strongest security.
Phase 2 Lifetime
- How long the SA between hosts can be active. At the end of the interval specified, the system refreshes the encryption key.
- Value—Length of time
- Default—28800 seconds
- Property name—phase2Lifetime
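As an added example (not part of the SRC-PE documentation and not code from SDX Configuration Editor itself), the following Python script checks a set of host and connection properties against the constraints stated in the Host Properties, Connection Properties and IPSec Details sections above, so that obvious mistakes (a nonce length outside 1-64, a phase 1 lifetime below the recommended 28800 seconds, a missing endpoint, a non-hexadecimal preshared key, a malformed Target Ports list) are caught before the configuration is exported to the Solaris host. The property names ikeLifeTime, ikeNonceLength, localEndPt, RemoteEndPt, ikeAuthMethod, ikeLifetime and phase2Lifetime are taken from this page; the dict layout, the sshAddress, presharedKey and targetPorts key names, the sample values and the 16-byte minimum key length standing in for a site policy are assumptions of this example.

```python
import ipaddress
import re

# Limits stated in the documentation above
MIN_IKE_LIFETIME = 28800    # recommended minimum phase 1 lifetime, seconds
NONCE_RANGE = range(1, 65)  # IKE nonce length, 1-64 bytes
PCMM_PORTS = {"RADIUS server": 1812, "RADIUS accounting": 1813, "COPS-PR": 3918}


def _is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def parse_target_ports(text):
    """Parse the comma-separated Target Ports field into a sorted list of ports.

    A blank field means 'protect all traffic between the hosts' and yields [].
    """
    if not text or not text.strip():
        return []
    ports = set()
    for item in text.split(","):
        item = item.strip()
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port number: {item!r}")
        ports.add(int(item))
    return sorted(ports)


def validate_host(host):
    """Check the Solaris host properties; returns a list of problems (empty = OK)."""
    problems = []
    addr = host.get("sshAddress") or ""
    # Accept 'host', 'host:port' or '192.0.2.2:22' (IPv4 / hostname form only)
    if not re.fullmatch(r"[^:\s]+(:\d{1,5})?", addr):
        problems.append("Host's SSH Address is required (host or host:port)")
    lifetime = host.get("ikeLifeTime")
    if not isinstance(lifetime, int) or lifetime <= 0:
        problems.append("ikeLifeTime must be a positive number of seconds")
    elif lifetime < MIN_IKE_LIFETIME:
        problems.append(f"ikeLifeTime {lifetime}s is below the recommended "
                        f"minimum of {MIN_IKE_LIFETIME}s")
    if host.get("ikeNonceLength") not in NONCE_RANGE:
        problems.append("ikeNonceLength must be 1-64 bytes")
    return problems


def validate_connection(conn, min_psk_bytes=16):
    """Check one Connection plus its IPSec Details; returns a list of problems.

    min_psk_bytes is an assumed stand-in for the site's key-length policy.
    """
    problems = []
    for key in ("localEndPt", "RemoteEndPt"):          # both are required entries
        value = conn.get(key)
        if not value:
            problems.append(f"{key} is required")
        elif not _is_ip(value):
            problems.append(f"{key} must be an IP address, got {value!r}")
    psk = (conn.get("presharedKey") or "").strip()
    hexdigits = psk[2:] if psk.lower().startswith("0x") else psk
    if not hexdigits or not re.fullmatch(r"[0-9a-fA-F]+", hexdigits):
        problems.append("presharedKey is required and must be hexadecimal")
    elif len(hexdigits) < 2 * min_psk_bytes:
        problems.append(f"presharedKey is shorter than the site minimum "
                        f"of {min_psk_bytes} bytes")
    if conn.get("ikeAuthMethod") != "preshared key":
        problems.append("ikeAuthMethod must be 'preshared key'")
    for key in ("ikeLifetime", "phase2Lifetime"):
        value = conn.get(key)
        if not isinstance(value, int) or value <= 0:
            problems.append(f"{key} must be a positive number of seconds")
    try:
        parse_target_ports(conn.get("targetPorts"))
    except ValueError as exc:
        problems.append(f"targetPorts: {exc}")
    return problems


def check_all(host, connections):
    """Run both validators; returns {section name: [problems]}."""
    report = {"host": validate_host(host)}
    for name, conn in connections.items():
        report[name] = validate_connection(conn)
    return report


# Constructed sample input (documentation-style addresses, made-up key)
SAMPLE_HOST = {"sshAddress": "192.0.2.2:22", "ikeLifeTime": 28800, "ikeNonceLength": 64}
SAMPLE_CONNECTION = {
    "localEndPt": "192.0.2.10",
    "RemoteEndPt": "192.0.2.20",
    "presharedKey": "0x" + "0123456789abcdef" * 2,   # 16-byte constructed key
    "ikeAuthMethod": "preshared key",
    "ikeLifetime": 28800,
    "phase2Lifetime": 28800,
    "targetPorts": "1812, 1813, 3918",              # the PCMM ports listed above
}

if __name__ == "__main__":
    for section, problems in check_all(SAMPLE_HOST, {"cmts-1": SAMPLE_CONNECTION}).items():
        print(section, "OK" if not problems else problems)
```

Run the script as-is to see the sample pass; feed it the property values you intend to enter in the editor to get a list of what would be rejected or weaker than the guidelines before you click Export IPSec to Host.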
Applying the IPSec Configuration
After you configure IPSec properties, you can export the configuration properties to the Solaris operating system. The properties are applied to IPSec configuration for the Solaris platform on which the SAE is running.
To apply IPSec configuration properties:
- In the navigation pane of SDX Configuration Editor, right-click the IPSec object, select SDX System Configuration, and then select Export IPSec to Host.
- Select the host to which to export the configuration, and provide a password if you are using SSH between hosts.
The Solaris platform activates the IPSec configuration.
Changing IPSec Configuration
To change IPSec attributes from SDX Configuration Editor:
- In the navigation pane of SDX Configuration Editor, double-click an IPSec object.
- In the IPSec Transport Connections pane, change field values.
- In the navigation pane, right-click the IPSec object, select SDX System Configuration, and then select Export IPSec to Host.
The Solaris platform activates the updated IPSec configuration.