in.iked(1M)             System Administration Commands             in.iked(1M)

NAME

       in.iked - daemon for the Internet Key Exchange (IKE)

SYNOPSIS

       /usr/lib/inet/in.iked [-d] [-f filename] [-p level]

       /usr/lib/inet/in.iked -c [-f filename]

DESCRIPTION

       in.iked performs automated key management for IPsec using the Internet
       Key Exchange (IKE) protocol.

       in.iked implements the following:

           o      IKE authentication with either pre-shared keys, DSS
                  signatures, RSA signatures, or RSA encryption.

           o      Diffie-Hellman key derivation using either 768, 1024, or
                  1536-bit public key moduli.

           o      Authentication protection with cipher choices of AES, DES,
                  Blowfish, or 3DES, and hash choices of either HMAC-MD5 or
                  HMAC-SHA-1. Encryption in in.iked is limited to the IKE
                  authentication and key exchange. See ipsecesp(7P) for
                  information regarding IPsec protection choices.

       in.iked is managed by the following smf(5) service:

         svc:/network/ipsec/ike

       This service is delivered disabled because the configuration file needs
       to be created before the service can be enabled. See ike.config(4) for
       the format of this file.

       See "Service Management Facility" for information on managing the
       smf(5) service.

       in.iked listens for incoming IKE requests from the network and for
       requests for outbound traffic using the PF_KEY socket. See pf_key(7P).

       in.iked has two support programs that are used for IKE administration
       and diagnosis: ikeadm(1M) and ikecert(1M).

       The ikeadm(1M) command can read the /etc/inet/ike/config file as a
       rule, then pass the configuration information to the running in.iked
       daemon using a doors interface.

         example# ikeadm read rule /etc/inet/ike/config

       Refreshing the ike smf(5) service, which is provided to manage the
       in.iked daemon, sends a SIGHUP signal to in.iked, which then (re)reads
       /etc/inet/ike/config and reloads the certificate database.

       The preceding two commands have the same effect, that is, to update the
       running IKE daemon with the latest configuration. See "Service
       Management Facility" for more details on managing the in.iked daemon.

   Service Management Facility
       The IKE daemon (in.iked) is managed by the service management facility,
       smf(5). The following group of services manage the components of IPsec:

         svc:/network/ipsec/ipsecalgs   (See ipsecalgs(1M))
         svc:/network/ipsec/policy      (See ipsecconf(1M))
         svc:/network/ipsec/manual-key  (See ipseckey(1M))
         svc:/network/ipsec/ike         (See ike.config(4))

       The manual-key and ike services are delivered disabled because the
       system administrator must create configuration files for each service,
       as described in the respective man pages listed above.

       The correct administrative procedure is to create the configuration
       file for each service, then enable each service using svcadm(1M).

       The ike service has a dependency on the ipsecalgs and policy services.
       These services should be enabled before the ike service. Failure to do
       so results in the ike service entering maintenance mode.

       If the configuration needs to be changed, edit the configuration file
       then refresh the service, as follows:

         example# svcadm refresh ike
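
       The following is an added example and not part of this man page: a
       POSIX shell script that follows the procedure above, syntax-checking the
       configuration with in.iked -c before enabling ipsecalgs, policy and ike
       in that order and confirming each comes online. It assumes the command
       names can be overridden through the environment (an assumption of the
       example) so the ordering logic can be exercised without a Solaris host.

```sh
#!/bin/sh
# Added example (not part of in.iked(1M)): bring up the IPsec SMF services in
# the order the page requires. The IKE config is syntax-checked with in.iked -c
# first; ipsecalgs and policy are enabled before ike, because enabling ike ahead
# of them puts it into maintenance mode. The command names below are assumed
# overridable via the environment so the logic can run without a Solaris host.
IN_IKED=${IN_IKED:-/usr/lib/inet/in.iked}
SVCADM=${SVCADM:-svcadm}
SVCS=${SVCS:-svcs}

# Return 0 when in.iked -c accepts the file, non-zero otherwise.
check_ike_config() {
    "$IN_IKED" -c -f "$1"
}

# Enable one service synchronously and confirm svcs reports it online.
enable_and_wait() {
    "$SVCADM" enable -s "$1" || return 1
    state=$("$SVCS" -H -o state "$1") || return 1
    [ "$state" = "online" ]
}

# Enable the services in dependency order, stopping at the first failure so
# ike is never enabled while ipsecalgs or policy is still down.
enable_ipsec_services() {
    cfg=${1:-/etc/inet/ike/config}
    check_ike_config "$cfg" || { echo "syntax error in $cfg" >&2; return 1; }
    for svc in svc:/network/ipsec/ipsecalgs \
               svc:/network/ipsec/policy \
               svc:/network/ipsec/ike; do
        enable_and_wait "$svc" || { echo "$svc did not come online" >&2; return 1; }
    done
}
```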

       The following properties are defined for the ike service:

       config/admin_privilege

           Defines the level to which ikeadm(1M) invocations can change or
           observe the running in.iked. The acceptable values for this
           property are the same as those for the -p option. See the
           description of -p in OPTIONS.

       config/config_file

           Defines the configuration file to use. The default value is
           /etc/inet/ike/config. See ike.config(4) for the format of this
           file. This property has the same effect as the -f flag. See the
           description of -f in OPTIONS.

       config/debug_level

           Defines the amount of debug output that is written to the
           debug_logfile file, described below. The default value for this is
           op or operator. This property controls the recording of information
           on events such as re-reading the configuration file. Acceptable
           values for debug_level are listed in the ikeadm(1M) man page. The
           value all is equivalent to the -d flag. See the description of -d
           in OPTIONS.

       config/debug_logfile

           Defines where debug output should be written. The messages written
           here are from debug code within in.iked. Startup error messages are
           recorded by the smf(5) framework in a service-specific log file.
           Use any of the following commands to examine the logfile property:

             example# svcs -l ike
             example# svcprop ike
             example# svccfg -s ike listprop

           The values for these log file properties might be different, in
           which case both files should be inspected for errors.

       config/ignore_errors

           A boolean value that controls in.iked's behavior should the
           configuration file have syntax errors. The default value is false,
           which causes in.iked to enter maintenance mode if the configuration
           is invalid.

           Setting this value to true causes the IKE service to stay online,
           but correct operation requires the administrator to configure the
           running daemon with ikeadm(1M). This option is provided for
           compatibility with previous releases.
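
       As an added example, not part of this man page, the following POSIX
       shell function reads svcprop(1) output for the ike service and flags
       the property values described above that widen what ikeadm(1M) callers
       can see or that mask configuration errors. It assumes the "name type
       value" line format that svcprop prints.

```sh
#!/bin/sh
# Added example (not from the in.iked(1M) page): audit the ike service's
# configurable properties. Feed it the output of 'svcprop ike' on stdin,
# which prints one property per line as "name type value". It prints one
# line per risky setting and returns the number of findings (0 = clean).
# Usage after sourcing this file:  svcprop ike | audit_ike_props
audit_ike_props() {
    findings=0
    while read -r name ptype value; do
        case $name in
        config/admin_privilege)
            # Same scale as -p: 1 lets ikeadm callers read pre-shared key
            # info, 2 lets them read keying material.
            case $value in
            1) echo "admin_privilege=1: ikeadm callers can read pre-shared key info"
               findings=$((findings + 1)) ;;
            2) echo "admin_privilege=2: ikeadm callers can read keying material"
               findings=$((findings + 1)) ;;
            esac ;;
        config/ignore_errors)
            # true keeps the service online on a broken config instead of
            # dropping it into maintenance mode, so errors go unnoticed.
            if [ "$value" = "true" ]; then
                echo "ignore_errors=true: config syntax errors will not take the service down"
                findings=$((findings + 1))
            fi ;;
        config/debug_level)
            # all is the same as the deprecated -d flag: large amounts of
            # debug output written to debug_logfile.
            if [ "$value" = "all" ]; then
                echo "debug_level=all: full debug output is being written to debug_logfile"
                findings=$((findings + 1))
            fi ;;
        esac
    done
    return $findings
}
```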

       These properties can be modified using svccfg(1M) by users who have
       been assigned the following authorization:

         solaris.smf.value.ipsec

       PKCS#11 token objects can be unlocked or locked by using ikeadm token
       login and ikeadm token logout, respectively. Availability of private
       keying material stored on these PKCS#11 token objects can be observed
       with: ikeadm dump certcache. The following authorizations allow users
       to log into and out of PKCS#11 token objects:

         solaris.network.ipsec.ike.token.login
         solaris.network.ipsec.ike.token.logout

       See auths(1), ikeadm(1M), user_attr(4), rbac(5).

       The service needs to be refreshed using svcadm(1M) before a new
       property value is effective. General, non-modifiable properties can be
       viewed with the svcprop(1) command.

         # svccfg -s ipsec/ike setprop config/config_file = \
         /new/config_file
         # svcadm refresh ike

       Administrative actions on this service, such as enabling, disabling,
       refreshing, and requesting restart can be performed using svcadm(1M). A
       user who has been assigned the authorization shown below can perform
       these actions:

         solaris.smf.manage.ipsec

       The service's status can be queried using the svcs(1) command.

       The in.iked daemon is designed to be run under smf(5) management. While
       the in.iked command can be run from the command line, this is
       discouraged. If the in.iked command is to be run from the command line,
       the ike smf(5) service should be disabled first. See svcadm(1M).


OPTIONS

       The following options are supported:

       -c             Check the syntax of a configuration file.

       -d             Use debug mode. The process stays attached to the
                      controlling terminal and produces large amounts of
                      debugging output. This option is deprecated. See
                      "Service Management Facility" for more details.

       -f filename    Use filename instead of /etc/inet/ike/config. See
                      ike.config(4) for the format of this file. This option
                      is deprecated. See "Service Management Facility" for
                      more details.

       -p level       Specify privilege level (level). This option sets how
                      much ikeadm(1M) invocations can change or observe about
                      the running in.iked.

                      Valid levels are:

                      0    Base level

                      1    Access to preshared key info

                      2    Access to keying material

                      If -p is not specified, level defaults to 0.

                      This option is deprecated. See "Service Management
                      Facility" for more details.


SECURITY

       This program has sensitive private keying information in its image.
       Care should be taken with any core dumps or system dumps of a running
       in.iked daemon, as these files contain sensitive keying information.
       Use the coreadm(1M) command to limit any corefiles produced by in.iked.


FILES

       /etc/inet/ike/config

           Default configuration file.

       /etc/inet/secret/ike.privatekeys/*

           Private keys. A private key must have a matching public-key
           certificate with the same filename in /etc/inet/ike/publickeys/.

       /etc/inet/ike/publickeys/*

           Public-key certificates. The names are only important with regard
           to matching private key names.

       /etc/inet/ike/crls/*

           Public key certificate revocation lists.

       /etc/inet/secret/ike.preshared

           IKE pre-shared secrets for Phase I authentication.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       svcs(1), coreadm(1M), ikeadm(1M), ikecert(1M), svccfg(1M), svcadm(1M),
       ike.config(4), attributes(5), smf(5), ipsecesp(7P), pf_key(7P)

       Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE).
       Network Working Group. November 1998.

       Maughan, Douglas, Schertler, M., Schneider, M., Turner, J. RFC 2408,
       Internet Security Association and Key Management Protocol (ISAKMP).
       Network Working Group. November 1998.

       Piper, Derrell. RFC 2407, The Internet IP Security Domain of
       Interpretation for ISAKMP. Network Working Group. November 1998.

SunOS 5.11                        27 Jan 2009                      in.iked(1M)