in.iked(1M)             System Administration Commands             in.iked(1M)

NAME
     in.iked - daemon for the Internet Key Exchange (IKE)

SYNOPSIS
     /usr/lib/inet/in.iked [-d] [-f filename] [-p level]

     /usr/lib/inet/in.iked -c [-f filename]

DESCRIPTION
     in.iked performs automated key management for IPsec using the Internet
     Key Exchange (IKE) protocol.

     in.iked implements the following:

       o  IKE authentication with either pre-shared keys, DSS signatures,
          RSA signatures, or RSA encryption.

       o  Diffie-Hellman key derivation using either 768, 1024, or 1536-bit
          public key moduli.

       o  Authentication protection with cipher choices of AES, DES,
          Blowfish, or 3DES, and hash choices of either HMAC-MD5 or
          HMAC-SHA-1. Encryption in in.iked is limited to the IKE
          authentication and key exchange. See ipsecesp(7P) for information
          regarding IPsec protection choices.

     in.iked is managed by the following smf(5) service:

       svc:/network/ipsec/ike

     This service is delivered disabled because the configuration file needs
     to be created before the service can be enabled. See ike.config(4) for
     the format of this file.

     See "Service Management Facility" for information on managing the
     smf(5) service.

     in.iked listens for incoming IKE requests from the network and for
     requests for outbound traffic using the PF_KEY socket. See pf_key(7P).

     in.iked has two support programs that are used for IKE administration
     and diagnosis: ikeadm(1M) and ikecert(1M).

     The ikeadm(1M) command can read the /etc/inet/ike/config file as a
     rule, then pass the configuration information to the running in.iked
     daemon using a doors interface.

       example# ikeadm read rule /etc/inet/ike/config

     Refreshing the ike smf(5) service provided to manage the in.iked daemon
     sends a SIGHUP signal to the in.iked daemon, which will (re)read
     /etc/inet/ike/config and reload the certificate database.

       example# svcadm refresh ike

     The preceding two commands have the same effect, that is, to update the
     running IKE daemon with the latest configuration. See "Service
     Management Facility" for more details on managing the in.iked daemon.

  Service Management Facility
     The IKE daemon (in.iked) is managed by the service management facility,
     smf(5). The following group of services manage the components of IPsec:

       svc:/network/ipsec/ipsecalgs     (See ipsecalgs(1M))
       svc:/network/ipsec/policy        (See ipsecconf(1M))
       svc:/network/ipsec/manual-key    (See ipseckey(1M))
       svc:/network/ipsec/ike           (See ike.config(4))

     The manual-key and ike services are delivered disabled because the
     system administrator must create configuration files for each service,
     as described in the respective man pages listed above.

     The correct administrative procedure is to create the configuration
     file for each service, then enable each service using svcadm(1M).

     The ike service has a dependency on the ipsecalgs and policy services.
     These services should be enabled before the ike service. Failure to do
     so results in the ike service entering maintenance mode.

     If the configuration needs to be changed, edit the configuration file,
     then refresh the service, as follows:

       example# svcadm refresh ike

     The following properties are defined for the ike service:

     config/admin_privilege

         Defines the level at which ikeadm(1M) invocations can change or
         observe the running in.iked. The acceptable values for this
         property are the same as those for the -p option. See the
         description of -p in OPTIONS.

     config/config_file

         Defines the configuration file to use. The default value is
         /etc/inet/ike/config. See ike.config(4) for the format of this
         file. This property has the same effect as the -f flag. See the
         description of -f in OPTIONS.

     config/debug_level

         Defines the amount of debug output that is written to the
         debug_logfile file, described below. The default value for this is
         op or operator. This property controls the recording of information
         on events such as re-reading the configuration file. Acceptable
         values for debug_level are listed in the ikeadm(1M) man page. The
         value all is equivalent to the -d flag. See the description of -d
         in OPTIONS.

     config/debug_logfile

         Defines where debug output should be written. The messages written
         here are from debug code within in.iked. Startup error messages are
         recorded by the smf(5) framework in a service-specific log file.
         Use any of the following commands to examine the logfile property:

           example# svcs -l ike
           example# svcprop ike
           example# svccfg -s ike listprop

         The values for these log file properties might be different, in
         which case both files should be inspected for errors.

     config/ignore_errors

         A boolean value that controls in.iked's behavior should the
         configuration file have syntax errors. The default value is false,
         which causes in.iked to enter maintenance mode if the configuration
         is invalid.

         Setting this value to true causes the IKE service to stay online,
         but correct operation requires the administrator to configure the
         running daemon with ikeadm(1M). This option is provided for
         compatibility with previous releases.

     These properties can be modified using svccfg(1M) by users who have
     been assigned the following authorization:

       solaris.smf.value.ipsec

     PKCS#11 token objects can be unlocked or locked by using ikeadm token
     login and ikeadm token logout, respectively. Availability of private
     keying material stored on these PKCS#11 token objects can be observed
     with: ikeadm dump certcache. The following authorizations allow users
     to log into and out of PKCS#11 token objects:

       solaris.network.ipsec.ike.token.login
       solaris.network.ipsec.ike.token.logout

     See auths(1), ikeadm(1M), user_attr(4), rbac(5).

     The service needs to be refreshed using svcadm(1M) before a new
     property value is effective. General, non-modifiable properties can be
     viewed with the svcprop(1) command.

       # svccfg -s ipsec/ike setprop config/config_file = \
           /new/config_file
       # svcadm refresh ike
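
     The two procedures above (enable ipsecalgs and policy before ike, and
     switch config/config_file then refresh) as one script. This is an added
     example, not part of the man page: it runs the page's own syntax check
     (in.iked -c -f) before touching the service, so a bad file cannot drop
     ike into maintenance mode. The tool names are variables so the functions
     can be exercised without a Solaris host (an assumption for testing); the
     svcs -H -o state call is standard svcs(1) usage not shown on this page.

```shell
#!/bin/sh
# Added example, not from the man page. Wraps the administrative steps the
# page describes: validate a candidate config with "in.iked -c" before
# pointing config/config_file at it, and enable the ike dependencies in order.
# Tool locations are overridable (assumption for testing); defaults are the
# paths and names documented on this page.
IN_IKED=${IN_IKED:-/usr/lib/inet/in.iked}
SVCCFG=${SVCCFG:-svccfg}
SVCADM=${SVCADM:-svcadm}
SVCS=${SVCS:-svcs}

# ike_check_config FILE: run the daemon's own syntax check (-c -f FILE).
# Returns 2 if FILE is unreadable, otherwise in.iked's exit status.
ike_check_config() {
    [ -r "$1" ] || { echo "ike_check_config: cannot read $1" >&2; return 2; }
    "$IN_IKED" -c -f "$1"
}

# ike_switch_config FILE: activate FILE as the service's configuration.
# The service is not touched unless the syntax check passes, so a typo
# cannot send svc:/network/ipsec/ike into maintenance (ignore_errors=false).
# Returns 0 on success, 1 if the check failed, 2 if a service command failed
# or the service is not online afterwards.
ike_switch_config() {
    ike_check_config "$1" || return 1
    "$SVCCFG" -s ipsec/ike setprop config/config_file = "$1" || return 2
    "$SVCADM" refresh ike || return 2        # SIGHUP: daemon re-reads config
    state=$("$SVCS" -H -o state ike)
    [ "$state" = online ] || { echo "ike service state: $state" >&2; return 2; }
}

# ike_enable: enable ipsecalgs and policy before ike, the order the page
# requires; enabling ike first leaves it in maintenance mode.
ike_enable() {
    for svc in ipsecalgs policy ike; do
        "$SVCADM" enable "$svc" || return 1
    done
}
```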

     Administrative actions on this service, such as enabling, disabling,
     refreshing, and requesting restart can be performed using svcadm(1M). A
     user who has been assigned the authorization shown below can perform
     these actions:

       solaris.smf.manage.ipsec

     The service's status can be queried using the svcs(1) command.

     The in.iked daemon is designed to be run under smf(5) management. While
     the in.iked command can be run from the command line, this is
     discouraged. If the in.iked command is to be run from the command line,
     the ike smf(5) service should be disabled first. See svcadm(1M).

OPTIONS
     The following options are supported:

     -c            Check the syntax of a configuration file.

     -d            Use debug mode. The process stays attached to the
                   controlling terminal and produces large amounts of
                   debugging output. This option is deprecated. See "Service
                   Management Facility" for more details.

     -f filename   Use filename instead of /etc/inet/ike/config. See
                   ike.config(4) for the format of this file. This option
                   is deprecated. See "Service Management Facility" for
                   more details.

     -p level      Specify privilege level (level). This option sets how
                   much ikeadm(1M) invocations can change or observe about
                   the running in.iked.

                   Valid levels are:

                   0    Base level

                   1    Access to preshared key info

                   2    Access to keying material

                   If -p is not specified, level defaults to 0.

                   This option is deprecated. See "Service Management
                   Facility" for more details.

SECURITY
     This program has sensitive private keying information in its image.
     Care should be taken with any core dumps or system dumps of a running
     in.iked daemon, as these files contain sensitive keying information.
     Use the coreadm(1M) command to limit any corefiles produced by in.iked.

FILES
     /etc/inet/ike/config

         Default configuration file.

     /etc/inet/secret/ike.privatekeys/*

         Private keys. A private key must have a matching public-key
         certificate with the same filename in /etc/inet/ike/publickeys/.

     /etc/inet/ike/publickeys/*

         Public-key certificates. The names are only important with regard
         to matching private key names.

     /etc/inet/ike/crls/*

         Public key certificate revocation lists.

     /etc/inet/secret/ike.preshared

         IKE pre-shared secrets for Phase I authentication.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWcsu                      │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     svcs(1), coreadm(1M), ikeadm(1M), ikecert(1M), svccfg(1M), svcadm(1M),
     ike.config(4), attributes(5), smf(5), ipsecesp(7P), pf_key(7P)

     Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE).
     Network Working Group. November 1998.

     Maughan, Douglas, Schertler, M., Schneider, M., Turner, J. RFC 2408,
     Internet Security Association and Key Management Protocol (ISAKMP).
     Network Working Group. November 1998.

     Piper, Derrell. RFC 2407, The Internet IP Security Domain of
     Interpretation for ISAKMP. Network Working Group. November 1998.

SunOS 5.11                       27 Jan 2009                       in.iked(1M)