1ipseckey(1M) System Administration Commands ipseckey(1M)
2
6 ipseckey - manually manipulate an IPsec Security Association Database
7 (SADB)
8
10 ipseckey [-nvp]
11 ipseckey [-nvp] -f filename
14 ipseckey -c filename
17 ipseckey [-nvp] [delete | delete-pair | get] SA_TYPE {EXTENSION value...}
20 ipseckey [-np] [monitor | passive_monitor | pmonitor]
23 ipseckey [-nvp] flush {SA_TYPE}
26 ipseckey [-nvp] dump {SA_TYPE}
29 ipseckey [-nvp] save SA_TYPE {filename}
32 ipseckey [-nvp] -s filename
35
38 The ipseckey command is used to manually manipulate the security asso‐
39 ciation databases of the network security services, ipsecah(7P) and
40 ipsecesp(7P). You can use the ipseckey command to set up security asso‐
41 ciations between communicating parties when automated key management is
42 not available.
43 While the ipseckey utility has only a limited number of general
46 options, it supports a rich command language. The user may specify
47 requests to be delivered by means of a programmatic interface specific
48 for manual keying. See pf_key(7P). When ipseckey is invoked with no
49 arguments, it will enter an interactive mode which prints a prompt to
50 the standard output and accepts commands from the standard input until
51 the end-of-file is reached. Some commands require an explicit security
52 association ("SA") type, while others permit the SA type to be unspeci‐
53 fied and act on all SA types.
54 ipseckey uses a PF_KEY socket and the message types SADB_ADD,
57 SADB_DELETE, SADB_GET, SADB_UPDATE, SADB_FLUSH, and SADB_X_PROMISC.
58 Thus, you must be a superuser to use this command.
59 ipseckey handles sensitive cryptographic keying information. Please
62 read the Security section for details on how to use this command
63 securely.
64
66 -c [filename]
67 Analogous to the -f option (see following), except that the input
69 is not executed but only checked for syntactical correctness.
70 Errors are reported to stderr. This option is provided to debug
71 configurations without making changes. See SECURITY and "Service
72 Management Facility" for more information.
73 -f [filename]
76 Read commands from an input file, filename. The lines of the input
78 file are identical to the command line language. The load command
79 provides similar functionality. The -s option or the save command
80 can generate files readable by the -f argument.
81 -n
84 Prevent attempts to print host and network names symbolically when
86 reporting actions. This is useful, for example, when all name
87 servers are down or are otherwise unreachable.
88 -p
91 Paranoid. Do not print any keying material, even if saving SAs.
93 Instead of an actual hexadecimal digit, print an X when this flag
94 is turned on.
95 -s [filename]
98 The opposite of the -f option. If '-' is given for a filename, then
100 the output goes to the standard output. A snapshot of all current
101 SA tables will be output in a form readable by the -f option. The
102 output will be a series of add commands, but with some names not
103 used. This occurs because a single name may often indicate multiple
104 addresses.
105 -v
108 Verbose. Print the messages being sent into the PF_KEY socket, and
110 print raw seconds values for lifetimes.
111
114 add
115 Add an SA. Because it involves the transfer of keying material, it
117 cannot be invoked from the shell, lest the keys be visible in ps(1)
118 output. It can be used either from the interactive ipseckey> prompt
119 or in a command file specified by the -f command. The add command
120 accepts all extension-value pairs described below.
121 update
124 Update SA lifetime, and in the cases of larval SAs (leftover from
126 aborted automated key management), keying material and other exten‐
127 sions. Like add, this command cannot be invoked from the shell
128 because keying material would be seen by the ps(1) command. It can
129 be used either from the interactive ipseckey> prompt or in a com‐
130 mand file specified by the -f command. The update command accepts
131 all extension-value pairs, but normally is only used for SA life‐
132 time updates.
133 update-pair
136 As update, but apply the update to the SA and its paired SA, if
138 there is one.
139 delete
142 Delete a specific SA from a specific SADB. This command requires
144 the spi extension, and the dest extension for IPsec SAs. Other
145 extension-value pairs are superfluous for a delete message. If the
146 SA to be deleted is paired with another SA, the SA is deleted and
147 the paired SA is updated to indicate that it is now unpaired.
148 delete-pair
151 Delete a specific SA from a specific SADB. If the SA is paired with
153 another SA, delete that SA too. This command requires the spi
154 extension and the dest extension for the IPsec SA, or its pair.
155 get
158 Lookup and display a security association from a specific SADB.
160 Like delete, this command only requires spi and dest for IPsec.
161 flush
164 Remove all SA for a given SA_TYPE, or all SA for all types.
166 monitor
169 Continuously report on any PF_KEY messages. This uses the
171 SADB_X_PROMISC message to enable messages that a normal PF_KEY
172 socket would not receive to be received. See pf_key(7P).
173 passive_monitor
176 Like monitor, except that it does not use the SADB_X_PROMISC mes‐
178 sage.
179 pmonitor
182 Synonym for passive_monitor.
184 dump
187 Will display all SAs for a given SA type, or will display all SAs.
189 Because of the large amount of data generated by this command,
190 there is no guarantee that all SA information will be successfully
191 delivered, or that this command will even complete.
192 save
195 Is the command analog of the -s option. It is included as a command
197 to provide a way to snapshot a particular SA type, for example, esp
198 or ah.
199 help
202 Prints a brief summary of commands.
204 SA_TYPE
207 all
208 Specifies all known SA types. This type is only used for the flush
210 and dump commands. This is equivalent to having no SA type for
211 these commands.
212 ah
215 Specifies the IPsec Authentication Header ("AH") SA.
217 esp
220 Specifies the IPsec Encapsulating Security Payload ("ESP") SA.
222
225 Commands like add, delete, get, and update require that certain exten‐
226 sions and associated values be specified. The extensions will be listed
227 here, followed by the commands that use them, and the commands that
228 require them. Requirements are currently documented based upon the
229 IPsec definitions of an SA. Required extensions may change in the
230 future. <number> can be in either hex (0xnnn), decimal (nnn) or octal
231 (0nnn).<string> is a text string. <hexstr> is a long hexadecimal number
232 with a bit-length. Extensions are usually paired with values; however,
233 some extensions require two values after them.
234 spi <number>
236 Specifies the security parameters index of the SA. This extension
238 is required for the add, delete, get and update commands.
239 pair-spi <number>
242 When pair-spi is used with the add or update commands, the SA being
244 added or updated will be paired with the SA defined by pair-spi. A
245 pair of SAs can be updated or deleted with a single command.
246 The two SAs that make up the pair need to be in opposite directions
248 from the same pair of IP addresses. The command will fail if either
249 of the SAs specified are already paired with another SA.
250 If the pair-spi token is used in a command and the SA defined by
252 pair-spi does not exist, the command will fail. If the command was
253 add and the pairing failed, the SA to be added will instead be
254 removed.
255 inbound | outbound
258 These optional flags specify the direction of the SA. When the
260 inbound or outbound flag is specified with the add command, the
261 kernel will insert the new SA into the specified hash table for
262 faster lookups. If the flag is omitted, the kernel will decide into
263 which hash table to insert the new SA based on its knowledge the IP
264 addresses specified with the src and dst extensions.
265 When these flags are used with the update, delete, update-pair or
267 get commands, the flags provide a hint as to the hash table in
268 which the kernel should find the SA.
269 replay <number>
272 Specifies the replay window size. If not specified, the replay win‐
274 dow size is assumed to be zero. It is not recommended that manually
275 added SAs have a replay window. This extension is used by the add
276 and update commands.
277 replay_value <number>
280 Specifies the replay value of the SA. This extension is used by the
282 add and update commands.
283 state <string>|<number>
286 Specifies the SA state, either by numeric value or by the strings
288 "larval", "mature", "dying" or "dead". If not specified, the value
289 defaults to mature. This extension is used by the add and update
290 commands.
291 auth_alg <string>|<number>
294 authalg <string>|<number>
295 Specifies the authentication algorithm for an SA, either by numeric
297 value, or by strings indicating an algorithm name. Current authen‐
298 tication algorithms include:
299 HMAC-MD5
301 md5, hmac-md5
303 HMAC-SH-1
306 sha, sha-1, hmac-sha1, hmac-sha
308 HMAC-SHA-256
311 sha256, sha-256, hmac-sha256, hmac-sha-256
313 HMAC-SHA-384
316 sha384, sha-384, hmac-sha384, hmac-sha-384
318 HMAC-SHA-512
321 sha512, sha-512, hmac-sha512, hmac-sha-512
323 Often, algorithm names will have several synonyms. This extension
325 is required by the add command for certain SA types. It is also
326 used by the update command.
327 Use the ipsecalgs(1M) command to obtain the complete list of
329 authentication algorithms.
330 encr_alg <string>|<number>
333 encralg <string>|<number>
334 Specifies the encryption algorithm for an SA, either by numeric
336 value, or by strings indicating an algorithm name. Current encryp‐
337 tion algorithms include DES ("des"), Triple-DES ("3des"), Blowfish
338 ("blowfish"), and AES ("aes"). This extension is required by the
339 add command for certain SA types. It is also used by the update
340 command.
341 Use the ipsecalgs(1M) command to obtain the complete list of
343 encryption algorithms.
344 The next six extensions are lifetime extensions. There are two vari‐
348 eties, "hard" and "soft". If a hard lifetime expires, the SA will be
349 deleted automatically by the system. If a soft lifetime expires, an
350 SADB_EXPIRE message will be transmitted by the system, and its state
351 will be downgraded to dying from mature. See pf_key(7P). The monitor
352 command to key allows you to view SADB_EXPIRE messages.
353 idle_addtime <number>
355 idle_usetime <number>
356 Specifies the number of seconds that this SA can exist if the SA is
358 not used before the SA is revalidated. If this extension is not
359 present, the default value is half of the hard_addtime (see below).
360 This extension is used by the add and update commands.
361 soft_bytes <number>
364 hard_bytes <number>
365 Specifies the number of bytes that this SA can protect. If this
367 extension is not present, the default value is zero, which means
368 that the SA will not expire based on the number of bytes protected.
369 This extension is used by the add and update commands.
370 soft_addtime <number>
373 hard_addtime <number>
374 Specifies the number of seconds that this SA can exist after being
376 added or updated from a larval SA. An update of a mature SA does
377 not reset the initial time that it was added. If this extension is
378 not present, the default value is zero, which means the SA will not
379 expire based on how long it has been since it was added. This
380 extension is used by the add and update commands.
381 soft_usetime <number>
384 hard_usetime <number>
385 Specifies the number of seconds this SA can exist after first being
387 used. If this extension is not present, the default value is zero,
388 which means the SA will not expire based on how long it has been
389 since it was added. This extension is used by the add and update
390 commands.
391 saddr address | name
394 srcaddr address | name
395 saddr6 IPv6 address
396 srcaddr6 IPv6 address
397 src address | name
398 src6 IPv6 address
399 srcaddr address and src address are synonyms that indicate the
401 source address of the SA. If unspecified, the source address will
402 either remain unset, or it will be set to a wildcard address if a
403 destination address was supplied. To not specify the source address
404 is valid for IPsec SAs. Future SA types may alter this assumption.
405 This extension is used by the add, update, get and delete commands.
406 daddr <address>|<name>
409 dstaddr <address>|<name>
410 daddr6 <IPv6 address>|<name>
411 dstaddr6 <IPv6 address>|<name>
412 dst <addr>|<name>
413 dst6 <IPv6 address>|<name>
414 dstaddr <addr> and dst <addr> are synonyms that indicate the desti‐
416 nation address of the SA. If unspecified, the destination address
417 will remain unset. Because IPsec SAs require a specified destina‐
418 tion address and spi for identification, this extension, with a
419 specific value, is required for the add, update, get and delete
420 commands.
421 If a name is given, ipseckey will attempt to invoke the command on
423 multiple SAs with all of the destination addresses that the name
424 can identify. This is similar to how ipsecconf handles addresses.
425 If dst6 or dstaddr6 is specified, only the IPv6 addresses identi‐
427 fied by a name are used.
428 sport <portnum>
431 sport specifies the source port number for an SA. It should be used
433 in combination with an upper-layer protocol (see below), but it
434 does not have to be.
435 dport <portnum>
438 sport specifies the destination port number for an SA. It should be
440 used in combination with an upper-layer protocol (see below), but
441 it does not have to be.
442 encap <protocol>
445 Identifies the protocol used to encapsulate NAT-traversal IPsec
447 packets. Other NAT-traversal parameters (nat_*) are below. The
448 only acceptable value for <protocol> currently is udp.
449 proto <protocol number>
452 ulp <protocol number>
453 proto, and its synonym ulp, specify the IP protocol number of the
455 SA.
456 nat_loc <address>|<name>
459 If the local address in the SA (source or destination) is behind a
461 NAT, this extension indicates the NAT node's globally-routable
462 address. This address can match the SA's local address if there is
463 a nat_lport (see below) specified.
464 nat_rem <address>|<name>
467 If the remote address in the SA (source or destination) is behind a
469 NAT, this extension indicates that node's internal (that is,
470 behind-the-NAT) address. This address can match the SA's local
471 address if there is a nat_rport (see below) specified.
472 nat_lport <portnum>
475 Identifies the local UDP port on which encapsulation of ESP occurs.
477 nat_rport <portnum>
480 Identifies the remote UDP port on which encapsulation of ESP
482 occurs.
483 isrc <address> | <name>[/<prefix>]
486 innersrc <address> | <name>[/<prefix>]
487 isrc6 <address> | <name>[/<prefix>]
488 innersrc6 <address> | <name>[/<prefix>]
489 proxyaddr <address> | <name>[/<prefix>]
490 proxy <address> | <name>[/<prefix>]
491 isrc <address>[/<prefix>] and innersrc <address>[/<prefix>] are
493 synonyms. They indicate the inner source address for a tunnel-mode
494 SA.
495 An inner-source can be a prefix instead of an address. As with
497 other address extensions, there are IPv6-specific forms. In such
498 cases, use only IPv6-specific addresses or prefixes.
499 Previous versions referred to this value as the proxy address. The
501 usage, while deprecated, remains.
502 idst <address> | <name>[/<prefix>]
505 innerdst <address> | <name>[/<prefix>]
506 idst6 <address> | <name>[/<prefix>]
507 innerdst6 <address> | <name>[/<prefix>]
508 idst <address>[/<prefix>] and innerdst <address>[/<prefix>] are
510 synonyms. They indicate the inner destination address for a tunnel-
511 mode SA.
512 An inner-destination can be a prefix instead of an address. As with
514 other address extensions, there are IPv6-specific forms. In such
515 cases, use only IPv6-specific addresses or prefixes.
516 innersport <portnum>
519 isport <portnum>
520 innersport specifies the source port number of the inner header for
522 a tunnel-mode SA. It should be used in combination with an upper-
523 layer protocol (see below), but it does not have to be.
524 innerdport <portnum>
527 idport <portnum>
528 innerdport specifies the destination port number of the inner
530 header for a tunnel-mode SA. It should be used in combination with
531 an upper-layer protocol (see below), but it does not have to be.
532 iproto <protocol number>iulp <protocol number>
535 iproto, and its synonym iulp, specify the IP protocol number of the
537 inner header of a tunnel-mode SA.
538 authkey <hexstring>
541 Specifies the authentication key for this SA. The key is expressed
543 as a string of hexadecimal digits, with an optional / at the end,
544 for example, 123/12. Bits are counted from the most-significant
545 bits down. For example, to express three '1' bits, the proper syn‐
546 tax is the string "e/3". For multi-key algorithms, the string is
547 the concatenation of the multiple keys. This extension is used by
548 the add and update commands.
549 encrkey <hexstring>
552 Specifies the encryption key for this SA. The syntax of the key is
554 the same as authkey. A concrete example of a multi-key encryption
555 algorithm is 3des, which would express itself as a 192-bit key,
556 which is three 64-bit parity-included DES keys. This extension is
557 used by the add and update commands.
558 Certificate identities are very useful in the context of automated key
562 management, as they tie the SA to the public key certificates used in
563 most automated key management protocols. They are less useful for manu‐
564 ally added SAs. Unlike other extensions, srcidtype takes two values, a
565 type, and an actual value. The type can be one of the following:
566 prefix
568 An address prefix.
570 fqdn
573 A fully-qualified domain name.
575 domain
578 Domain name, synonym for fqdn.
580 user_fqdn
583 User identity of the form user@fqdn.
585 mailbox
588 Synonym for user_fqdn.
590 The value is an arbitrary text string that should identify the certifi‐
594 cate.
595 srcidtype <type, value>
597 Specifies a source certificate identity for this SA. This extension
599 is used by the add and update commands.
600 dstidtype <type, value>
603 Specifies a destination certificate identity for this SA. This
605 extension is used by the add and update commands
606 Tunnel Mode versus Transport Mode SAs
609 An IPsec SA is a Tunnel Mode SA if the "proto" value is either 4 (ipip)
610 or 41 (ipv6) and there is an inner-address or inner-port value speci‐
611 fied. Otherwise, the SA is a Transport Mode SA.
612
614 Keying material is very sensitive and should be generated as randomly
615 as possible. Some algorithms have known weak keys. IPsec algorithms
616 have built-in weak key checks, so that if a weak key is in a newly
617 added SA, the add command will fail with an invalid value.
618 The ipseckey command allows a privileged user to enter cryptographic
621 keying information. If an adversary gains access to such information,
622 the security of IPsec traffic is compromised. The following issues
623 should be taken into account when using the ipseckey command.
624 1. Is the TTY going over a network (interactive mode)?
626 o If it is, then the security of the keying material is
628 the security of the network path for this TTY's traffic.
629 Using ipseckey over a clear-text telnet or rlogin ses‐
630 sion is risky.
631 o Even local windows might be vulnerable to attacks where
633 a concealed program that reads window events is present.
634 2. Is the file accessed over the network or readable to the
636 world (-f option)?
637 o A network-mounted file can be sniffed by an adversary as
639 it is being read.
640 o A world-readable file with keying material in it is also
642 risky.
643 3. The ipseckey command is designed to be managed by the man‐
645 ual-key smf(5) service. Because the smf(5) log files are
646 world-readable, the ipseckey does not record any syntax
647 errors in the log files, as these errors might include
648 secret information.
649 If a syntax error is found when the manual-key smf(5) ser‐
651 vice is enabled, the service enters maintenance mode. The
652 log file will indicate that there was a syntax error, but
653 will not specify what the error was.
654 The administrator should use ipeckey -c filename from the
656 command line to discover the cause of the errors. See
657 OPTIONS.
658 If your source address is a host that can be looked up over the network
661 and your naming system itself is compromised, then any names used will
662 not be trustworthy.
663 Security weaknesses often lie in misapplication of tools, not in the
666 tools themselves. Administrators are urged to be cautious when using
667 ipseckey. The safest mode of operation is probably on a console or
668 other hard-connected TTY.
669 For further thoughts on this subject, see the afterward by Matt Blaze
672 in Bruce Schneier's Applied Cryptography: Protocols, Algorithms, and
673 Source Code in C.
674 Service Management Facility
676 IPsec manual keys are managed by the service management facility,
677 smf(5). The services listed below manage the components of IPsec. These
678 services are delivered as follows:
679 svc:/network/ipsec/policy:default (enabled)
681 svc:/network/ipsec/ipsecalgs:default (enabled)
682 svc:/network/ipsec/manual-key:default (disabled)
683 svc:/network/ipsec/ike:default (disabled)
684 The manual-key service is delivered disabled. The system administrator
689 must create manual IPsec Security Associations (SAs), as described in
690 this man page, before enabling that service.
691 The policy service is delivered enabled, but without a configuration
694 file, so that, as a starting condition, packets are not protected by
695 IPsec. After you create the configuration file /etc/inet/ipsecinit.conf
696 and refresh the service (svcadm refresh, see below), the policy con‐
697 tained in the configuration file is applied. If there is an error in
698 this file, the service enters maintenance mode. See ipsecconf(1M).
699 Services that are delivered disabled are delivered that way because the
702 system administrator must create configuration files for those services
703 before enabling them. See ike.config(4) for the ike service.
704 See ipsecalgs(1M) for the ipsecalgs service.
707 The correct administrative procedure is to create the configuration
710 file for each service, then enable each service using svcadm(1M).
711 If the configuration needs to be changed, edit the configuration file
714 then refresh the service, as follows:
715 example# svcadm refresh manual-key
717 Warning: To prevent ipseckey complaining about duplicate Associations,
722 the ipseckey command flushes the Security Association Data Base (SADB)
723 when the ipseckey command is run from smf(5), before adding any new
724 Security Associations defined in the configuration file. This differs
725 from the command line behavior where the SADB is not flushed before
726 adding new Security Associations.
727 The smf(5) framework will record any errors in the service-specific log
730 file. Use any of the following commands to examine the logfile prop‐
731 erty:
732 example# svcs -l manual-key
734 example# svcprop manual-key
735 example# svccfg -s manual-key listprop
736 The following property is defined for the manual-key service:
741 config/config_file
743 This property can be modified using svccfg(1M) by users who have been
748 assigned the following authorization:
749 solaris.smf.value.ipsec
751 See auths(1), user_attr(4), rbac(5).
756 The service needs to be refreshed using svcadm(1M) before the new prop‐
759 erty is effective. General non-modifiable properties can be viewed with
760 the svcprop(1) command.
761 # svccfg -s ipsec/manual-key setprop config/config_file = \
763 /new/config_file
764 # svcadm refresh manual-key
765 Administrative actions on this service, such as enabling, disabling,
770 refreshing, and requesting restart can be performed using svcadm(1M). A
771 user who has been assigned the authorization shown below can perform
772 these actions:
773 solaris.smf.manage.ipsec
775 The service's status can be queried using the svcs(1) command.
780 The ipseckey command is designed to be run under smf(5) management.
783 While the ipsecconf command can be run from the command line, this is
784 discouraged. If the ipseckey command is to be run from the command
785 line, the manual-key smf(5) service should be disabled first. See
786 svcadm(1M).
787
789 Example 1 Emptying Out All SAs
790 To empty out all SA:
793 example# ipseckey flush
796 Example 2 Flushing Out IPsec AH SAs Only
800 To flush out only IPsec AH SAs:
803 example# ipseckey flush ah
806 Example 3 Saving All SAs To Standard Output
810 To save all SAs to the standard output:
813 example# ipseckey save all
816 Example 4 Saving ESP SAs To The File /tmp/snapshot
820 To save ESP SAs to the file /tmp/snapshot:
823 example# ipseckey save esp /tmp/snapshot
826 Example 5 Deleting an IPsec SA
830 To delete an IPsec SA, only the SPI and the destination address are
833 needed:
834 example# ipseckey delete esp spi 0x2112 dst 224.0.0.1
837 An alternative would be to delete the SA and the SAs pair if it has
842 one:
843 example# ipseckey delete-pair esp spi 0x2112 dst 224.0.0.1
846 Example 6 Getting Information on an IPsec SA
850 Likewise, getting information on a SA only requires the destination
853 address and SPI:
854 example# ipseckey get ah spi 0x5150 dst mypeer
857 Example 7 Adding or Updating IPsec SAs
861 Adding or updating SAs requires entering interactive mode:
864 example# ipseckey
867 ipseckey> add ah spi 0x90125 src me.domain.com dst you.domain.com \
868 authalg md5 authkey 1234567890abcdef1234567890abcdef
869 ipseckey> update ah spi 0x90125 dst you.domain.com hard_bytes \
870 16000000
871 ipseckey> exit
872 Adding two SAs that are linked together as a pair:
877 example# ipseckey
880 ipseckey> add esp spi 0x2345 src me.domain.com dst you.domain.com \
881 authalg md5 authkey bde359723576fdea08e56cbe876e24ad \
882 encralg des encrkey be02938e7def2839
883 ipseckey> add esp spi 0x5432 src me.domain.com dst you.domain.com \
884 authalg md5 authkey bde359723576fdea08e56cbe876e24ad \
885 encralg des encrkey be02938e7def2839 pair-spi 0x2345
886 ipseckey> exit
887 Example 8 Adding an SA in the Opposite Direction
891 In the case of IPsec, SAs are unidirectional. To communicate securely,
894 a second SA needs to be added in the opposite direction. The peer
895 machine also needs to add both SAs.
896 example# ipseckey
899 ipseckey> add ah spi 0x2112 src you.domain.com dst me.domain.com \
900 authalg md5 authkey bde359723576fdea08e56cbe876e24ad \
901 hard_bytes 16000000
902 ipseckey> exit
903 Example 9 Monitoring PF_KEY Messages
907 Monitoring for PF_KEY messages is straightforward:
910 example# ipseckey monitor
913 Example 10 Using Commands in a File
917 Commands can be placed in a file that can be parsed with the -f option.
920 This file may contain comment lines that begin with the "#" symbol. For
921 example:
922 # This is a sample file for flushing out the ESP table and
925 # adding a pair of SAs.
926 flush esp
928 ### Watch out! I have keying material in this file. See the
930 ### SECURITY section in this manual page for why this can be
931 ### dangerous .
932 add esp spi 0x2112 src me.domain.com dst you.domain.com \
934 authalg md5 authkey bde359723576fdea08e56cbe876e24ad \
935 encralg des encrkey be02938e7def2839 hard_usetime 28800
936 add esp spi 0x5150 src you.domain.com dst me.domain.com \
937 authalg md5 authkey 930987dbe09743ade09d92b4097d9e93 \
938 encralg des encrkey 8bd4a52e10127deb hard_usetime 28800
939 ## End of file - This is a gratuitous comment
941 Example 11 Adding SAs for IPv6 Addresses
944 The following commands from the interactive-mode create an SA to pro‐
947 tect IPv6 traffic between the site-local addresses
948 example # ipseckey
951 ipseckey> add esp spi 0x6789 src6 fec0:bbbb::4483 dst6 fec0:bbbb::7843\
952 authalg md5 authkey bde359723576fdea08e56cbe876e24ad \
953 encralg des encrkey be02938e7def2839 hard_usetime 28800
954 ipseckey>exit
955 Example 12 Linking Two SAs as a Pair
959 The following command links two SAs together, as a pair:
962 example# ipseckey update esp spi 0x123456 dst 192.168.99.2 \
965 pair-spi 0x654321
966
970 /etc/inet/secret/ipseckeys
971 Default configuration file used at boot time. See "Service Manage‐
973 ment Facility" and SECURITY for more information.
974
977 See attributes(5) for descriptions of the following attributes:
978 ┌─────────────────────────────┬─────────────────────────────┐
983 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
984 ├─────────────────────────────┼─────────────────────────────┤
985 │Availability │SUNWcsu │
986 │Interface Stability │Committed │
987 └─────────────────────────────┴─────────────────────────────┘
988
990 ps(1), svcprop(1), svcs(1), ipsecconf(1M), ipsecalgs(1M), route(1M),
991 svcadm(1M), svccfg(1M), ike.config(4), attributes(5), smf(5),
992 ipsec(7P), ipsecah(7P), ipsecesp(7P), pf_key(7P)
993 Schneier, B., Applied Cryptography: Protocols, Algorithms, and Source
996 Code in C. Second ed. New York, New York: John Wiley & Sons, 1996.
997
999 The ipseckey command parses the configuration file and reports any
1000 errors. In the case of multiple errors, ipseckey reports as many of
1001 these as possible.
1002 The ipseckey command does not attempt to use a COMMAND that has a syn‐
1005 tax error. A COMMAND might be syntactically correct but can neverthe‐
1006 less generate an error because the kernel rejected the request made to
1007 pf_key(7P). This might occur because a key had an invalid length or
1008 because an unsupported algorithm was specified.
1009 If there are any errors in the configuration file, ipseckey reports the
1012 number of valid COMMANDS and the total number of COMMANDS parsed.
1013 Parse error on line N.
1015 If an interactive use of ipseckey would print usage information,
1017 this would print instead. Usually proceeded by another diagnostic.
1018 Because COMMANDS can cover more than a single line in the configu‐
1019 ration file by using the backslash character to delimit lines, its
1020 not always possible to pinpoint in the configuration file the exact
1021 line that caused the error.
1022 Unexpected end of command line.
1025 An additional argument was expected on the command line.
1027 Unknown
1030 A value for a specific extension was unknown.
1032 Address type N not supported.
1035 A name-to-address lookup returned an unsupported address family.
1037 N is not a bit specifier
1040 bit length N is too big for
1041 string is not a hex string
1042 Keying material was not entered appropriately.
1044 Can only specify single
1047 A duplicate extension was entered.
1049 Don't use extension for <string> for <command>.
1052 An extension not used by a command was used.
1054 One of the entered values is incorrect: Diagnostic code NN:<msg>
1057 This is a general invalid parameter error. The diagnostic code and
1059 message provides more detail about what precise value was incorrect
1060 and why.
1061
1064 In spite of its IPsec-specific name, ipseckey is analogous to
1065 route(1M), in that it is a command-line interface to a socket-based
1066 administration engine, in this case, PF_KEY. PF_KEY was originally
1067 developed at the United States Naval Research Laboratory.
1068 To have machines communicate securely with manual keying, SAs need to
1071 be added by all communicating parties. If two nodes wish to communicate
1072 securely, both nodes need the appropriate SAs added.
1073 In the future ipseckey may be invoked under additional names as other
1076 security protocols become available to PF_KEY.
1077 This command requires sys_ip_config privilege to operate and thus can
1080 run in the global zone and in exclusive-IP zones. The global zone can
1081 set up security associations with ipseckey to protect traffic for
1082 shared-IP zones on the system.
1083SunOS 5.11 25 Sep 2008 ipseckey(1M)