Configuring IPSec with SDX Configuration Editor

You can use SDX Configuration Editor to configure IPSec properties required to protect traffic between the SAE and another system. For information about using SDX Configuration Editor, see SRC-PE Getting Started Guide, Chapter 39, Using SDX Configuration Editor.

To configure IPSec attributes from SDX Configuration Editor:

  1. In the navigation pane of SDX Configuration Editor, right-click an object, select SDX System Configuration, and then select New Configuration File.
  2. In the Create a New Configuration File dialog box, enter a filename in the File Name field, select ipSec_conf in the Template field, and click OK.
  3. In the navigation pane, double-click the name of the new file.

The IPSec Transport Connections pane appears.

  4. Click Solaris Hosts to expand it, select Host in the drop-down list box, click Create a New Instance of, and enter the Instance Name in the Create a New Instance dialog box.

The new instance appears.

  5. Configure host properties. Use the field descriptions in Configuring Host Properties to configure the properties.
  6. Expand IPSec Connections; then for each connection, select Connection in the drop-down list box, click Create a New Instance of, and enter the Instance Name in the Create a New Instance dialog box.

The new connection instance appears.

  7. Expand the Connection section for a specified connection, and enter field values. Use the field descriptions in Configuring Connection Properties to configure the properties.
  8. Expand the IPSec Details section for a specified connection, and enter field values. Use the field descriptions in Configuring IPSec Properties to Establish Key Exchange and SAs to configure the properties.

Configuring Host Properties

Use the host properties area to define IPSec configuration properties for the Solaris platform.

Host's SSH Address

IP address with port 22 for SSH—192.0.2.2:22

Hostname—sae.company.com

IKE Lifetime (Phase 1)

IKE Nonce Length (Phase 1)

Configuring Connection Properties

Use the Connection properties area to define the source and destination for IPSec-protected communications, and the type of key to use in IKE negotiation.

Local Endpoint

Remote Endpoint

Preshared Key

The different IKE algorithms support keys of various lengths. In general, longer keys provide more security than shorter keys provide. The length of the key should comply with the security policies at your site.

Protect the value of this key. Unauthorized access to the key value can compromise data that is protected by this key.

Target Ports

Blank—All port numbers

We recommend that the field remain blank to have IPSec protect all traffic between the local and remote systems.

If you specify port numbers, you can enter more than one port number, with commas separating the port numbers. The following list shows well-known port numbers for components in a PCMM environment:

Configuring IPSec Properties to Establish Key Exchange and SAs

Use the IPSec Details pane to configure properties to establish IKE, also referred to as a phase 1 IKE exchange, and to set up an SA between peers, also referred to as a phase 2 exchange. SDX Configuration Editor supplies default values for all fields. You can change values as needed.

IKE Authentication Method

IKE Encryption Algorithm

IKE Authentication Algorithm

IKE Oakley Group

Group 1 provides the weakest security and group 5 the strongest security.

IKE Lifetime

Phase 2 Encryption Algorithm

Phase 2 Authentication Algorithm

Phase 2 Oakley Group

Group 1 provides the weakest security and group 5 the strongest security.

Phase 2 Lifetime
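
The field rules described above (a blank Target Ports field covers all ports, a preshared key length that follows site policy, Oakley group 1 weakest and group 5 strongest) can be checked before export. The following is an added example, not part of the SRC documentation or of SDX Configuration Editor; the policy thresholds, the dictionary layout, and the function names are assumptions for illustration.

```python
# Added example: lint connection values entered in SDX Configuration Editor.
# Policy thresholds are assumptions for illustration, not values from the guide.
POLICY = {"min_psk_chars": 20, "min_oakley_group": 5}

def parse_target_ports(field):
    """Blank -> None (all ports); otherwise a comma-separated port list."""
    if not field.strip():
        return None
    ports = set()
    for item in field.split(","):
        item = item.strip()
        if not item.isdecimal() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port number: {item!r}")
        ports.add(int(item))
    return sorted(ports)

def check_connection(conn, policy=POLICY):
    """Return findings for one connection; never echoes the key itself."""
    findings = []
    try:
        ports = parse_target_ports(conn.get("Target Ports", ""))
        if ports is not None:
            findings.append(f"Target Ports: only {ports} protected; "
                            "leave blank to protect all traffic")
    except ValueError as exc:
        findings.append(f"Target Ports: {exc}")
    # Key length is measured in characters here (an assumption).
    if len(conn.get("Preshared Key", "")) < policy["min_psk_chars"]:
        findings.append("Preshared Key: shorter than site policy minimum")
    for field in ("IKE Oakley Group", "Phase 2 Oakley Group"):
        group = int(conn[field])
        if group < policy["min_oakley_group"]:
            findings.append(f"{field}: group {group} is weaker than "
                            f"required group {policy['min_oakley_group']}")
    return findings

# Constructed sample values, not taken from a real deployment.
SAMPLE = {
    "Target Ports": "8080, 8443",
    "Preshared Key": "example-only",
    "IKE Oakley Group": "5",
    "Phase 2 Oakley Group": "2",
}

if __name__ == "__main__":
    for finding in check_connection(SAMPLE):
        print(finding)
```
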

Applying the IPSec Configuration

After you configure IPSec properties, you can export the configuration properties to the Solaris operating system. The properties are applied to IPSec configuration for the Solaris platform on which the SAE is running.

To apply IPSec configuration properties:

  1. In the navigation pane of SDX Configuration Editor, right-click the IPSec object, select SDX System Configuration, and then select Export IPSec to Host.
  2. Select the host to which to export the configuration, and provide a password if you are using SSH between hosts.

The Solaris platform activates the IPSec configuration.

Changing IPSec Configuration

To configure IPSec attributes from SDX Configuration Editor:

  1. In the navigation pane of SDX Configuration Editor, double-click an IPSec object.
  2. In the IPSec Transport Connections pane, change field values.
  3. In the navigation pane, right-click the IPSec object, select SDX System Configuration, and then select Export IPSec to Host.

The Solaris platform activates the updated IPSec configuration.

  4. Make corresponding configuration changes on the system with which the SAE has IPSec-protected communication.
  5. Test the updated configuration.
