1ipseckey(1M) System Administration Commands ipseckey(1M)
2
3
4
6 ipseckey - manually manipulate an IPsec Security Association Database
7 (SADB)
8
10 ipseckey [-nvp]
11
12
13 ipseckey [-nvp] -f filename
14
15
16 ipseckey -c filename
17
18
19 ipseckey [-nvp] [delete | delete-pair | get] SA_TYPE {EXTENSION value...}
20
21
22 ipseckey [-np] [monitor | passive_monitor | pmonitor]
23
24
25 ipseckey [-nvp] flush {SA_TYPE}
26
27
28 ipseckey [-nvp] dump {SA_TYPE}
29
30
31 ipseckey [-nvp] save SA_TYPE {filename}
32
33
34 ipseckey [-nvp] -s filename
35
36
38 The ipseckey command is used to manually manipulate the security asso‐
39 ciation databases of the network security services, ipsecah(7P) and
40 ipsecesp(7P). You can use the ipseckey command to set up security asso‐
41 ciations between communicating parties when automated key management is
42 not available.
43
44
45 While the ipseckey utility has only a limited number of general
46 options, it supports a rich command language. The user may specify
47 requests to be delivered by means of a programmatic interface specific
48 for manual keying. See pf_key(7P). When ipseckey is invoked with no
49 arguments, it will enter an interactive mode which prints a prompt to
50 the standard output and accepts commands from the standard input until
51 the end-of-file is reached. Some commands require an explicit security
52 association ("SA") type, while others permit the SA type to be unspeci‐
53 fied and act on all SA types.
54
55
56 ipseckey uses a PF_KEY socket and the message types SADB_ADD,
57 SADB_DELETE, SADB_GET, SADB_UPDATE, SADB_FLUSH, and SADB_X_PROMISC.
58 Thus, you must be a superuser to use this command.
59
60
61 ipseckey handles sensitive cryptographic keying information. Please
62 read the Security section for details on how to use this command
63 securely.
64
66 -c [filename]
67
68 Analogous to the -f option (see following), except that the input
69 is not executed but only checked for syntactical correctness.
70 Errors are reported to stderr. This option is provided to debug
71 configurations without making changes. See SECURITY and "Service
72 Management Facility" for more information.
73
74
75 -f [filename]
76
77 Read commands from an input file, filename. The lines of the input
78 file are identical to the command line language. The load command
79 provides similar functionality. The -s option or the save command
80 can generate files readable by the -f argument.
81
82
83 -n
84
85 Prevent attempts to print host and network names symbolically when
86 reporting actions. This is useful, for example, when all name
87 servers are down or are otherwise unreachable.
88
89
90 -p
91
92 Paranoid. Do not print any keying material, even if saving SAs.
93 Instead of an actual hexadecimal digit, print an X when this flag
94 is turned on.
95
96
97 -s [filename]
98
99 The opposite of the -f option. If '-' is given for a filename, then
100 the output goes to the standard output. A snapshot of all current
101 SA tables will be output in a form readable by the -f option. The
102 output will be a series of add commands, but with some names not
103 used. This occurs because a single name may often indicate multiple
104 addresses.
105
106
107 -v
108
109 Verbose. Print the messages being sent into the PF_KEY socket, and
110 print raw seconds values for lifetimes.
111
112
114 add
115
116 Add an SA. Because it involves the transfer of keying material, it
117 cannot be invoked from the shell, lest the keys be visible in ps(1)
118 output. It can be used either from the interactive ipseckey> prompt
119 or in a command file specified by the -f command. The add command
120 accepts all extension-value pairs described below.
121
122
123 update
124
125 Update SA lifetime, and in the cases of larval SAs (leftover from
126 aborted automated key management), keying material and other exten‐
127 sions. Like add, this command cannot be invoked from the shell
128 because keying material would be seen by the ps(1) command. It can
129 be used either from the interactive ipseckey> prompt or in a com‐
130 mand file specified by the -f command. The update command accepts
131 all extension-value pairs, but normally is only used for SA life‐
132 time updates.
133
134
135 update-pair
136
137 As update, but apply the update to the SA and its paired SA, if
138 there is one.
139
140
141 delete
142
143 Delete a specific SA from a specific SADB. This command requires
144 the spi extension, and the dest extension for IPsec SAs. Other
145 extension-value pairs are superfluous for a delete message. If the
146 SA to be deleted is paired with another SA, the SA is deleted and
147 the paired SA is updated to indicate that it is now unpaired.
148
149
150 delete-pair
151
152 Delete a specific SA from a specific SADB. If the SA is paired with
153 another SA, delete that SA too. This command requires the spi
154 extension and the dest extension for the IPsec SA, or its pair.
155
156
157 get
158
159 Lookup and display a security association from a specific SADB.
160 Like delete, this command only requires spi and dest for IPsec.
161
162
163 flush
164
165 Remove all SA for a given SA_TYPE, or all SA for all types.
166
167
168 monitor
169
170 Continuously report on any PF_KEY messages. This uses the
171 SADB_X_PROMISC message to enable messages that a normal PF_KEY
172 socket would not receive to be received. See pf_key(7P).
173
174
175 passive_monitor
176
177 Like monitor, except that it does not use the SADB_X_PROMISC mes‐
178 sage.
179
180
181 pmonitor
182
183 Synonym for passive_monitor.
184
185
186 dump
187
188 Will display all SAs for a given SA type, or will display all SAs.
189 Because of the large amount of data generated by this command,
190 there is no guarantee that all SA information will be successfully
191 delivered, or that this command will even complete.
192
193
194 save
195
196 Is the command analog of the -s option. It is included as a command
197 to provide a way to snapshot a particular SA type, for example, esp
198 or ah.
199
200
201 help
202
203 Prints a brief summary of commands.
204
205
206 SA_TYPE
207 all
208
209 Specifies all known SA types. This type is only used for the flush
210 and dump commands. This is equivalent to having no SA type for
211 these commands.
212
213
214 ah
215
216 Specifies the IPsec Authentication Header ("AH") SA.
217
218
219 esp
220
221 Specifies the IPsec Encapsulating Security Payload ("ESP") SA.
222
223
225 Commands like add, delete, get, and update require that certain exten‐
226 sions and associated values be specified. The extensions will be listed
227 here, followed by the commands that use them, and the commands that
228 require them. Requirements are currently documented based upon the
229 IPsec definitions of an SA. Required extensions may change in the
230 future. <number> can be in either hex (0xnnn), decimal (nnn) or octal
231 (0nnn).<string> is a text string. <hexstr> is a long hexadecimal number
232 with a bit-length. Extensions are usually paired with values; however,
233 some extensions require two values after them.
234
235 spi <number>
236
237 Specifies the security parameters index of the SA. This extension
238 is required for the add, delete, get and update commands.
239
240
241 pair-spi <number>
242
243 When pair-spi is used with the add or update commands, the SA being
244 added or updated will be paired with the SA defined by pair-spi. A
245 pair of SAs can be updated or deleted with a single command.
246
247 The two SAs that make up the pair need to be in opposite directions
248 from the same pair of IP addresses. The command will fail if either
249 of the SAs specified are already paired with another SA.
250
251 If the pair-spi token is used in a command and the SA defined by
252 pair-spi does not exist, the command will fail. If the command was
253 add and the pairing failed, the SA to be added will instead be
254 removed.
255
256
257 inbound | outbound
258
259 These optional flags specify the direction of the SA. When the
260 inbound or outbound flag is specified with the add command, the
261 kernel will insert the new SA into the specified hash table for
262 faster lookups. If the flag is omitted, the kernel will decide into
263 which hash table to insert the new SA based on its knowledge the IP
264 addresses specified with the src and dst extensions.
265
266 When these flags are used with the update, delete, update-pair or
267 get commands, the flags provide a hint as to the hash table in
268 which the kernel should find the SA.
269
270
271 replay <number>
272
273 Specifies the replay window size. If not specified, the replay win‐
274 dow size is assumed to be zero. It is not recommended that manually
275 added SAs have a replay window. This extension is used by the add
276 and update commands.
277
278
279 replay_value <number>
280
281 Specifies the replay value of the SA. This extension is used by the
282 add and update commands.
283
284
285 state <string>|<number>
286
287 Specifies the SA state, either by numeric value or by the strings
288 "larval", "mature", "dying" or "dead". If not specified, the value
289 defaults to mature. This extension is used by the add and update
290 commands.
291
292
293 auth_alg <string>|<number>
294 authalg <string>|<number>
295
296 Specifies the authentication algorithm for an SA, either by numeric
297 value, or by strings indicating an algorithm name. Current authen‐
298 tication algorithms include:
299
300 HMAC-MD5
301
302 md5, hmac-md5
303
304
305 HMAC-SH-1
306
307 sha, sha-1, hmac-sha1, hmac-sha
308
309
310 HMAC-SHA-256
311
312 sha256, sha-256, hmac-sha256, hmac-sha-256
313
314
315 HMAC-SHA-384
316
317 sha384, sha-384, hmac-sha384, hmac-sha-384
318
319
320 HMAC-SHA-512
321
322 sha512, sha-512, hmac-sha512, hmac-sha-512
323
324 Often, algorithm names will have several synonyms. This extension
325 is required by the add command for certain SA types. It is also
326 used by the update command.
327
328 Use the ipsecalgs(1M) command to obtain the complete list of
329 authentication algorithms.
330
331
332 encr_alg <string>|<number>
333 encralg <string>|<number>
334
335 Specifies the encryption algorithm for an SA, either by numeric
336 value, or by strings indicating an algorithm name. Current encryp‐
337 tion algorithms include DES ("des"), Triple-DES ("3des"), Blowfish
338 ("blowfish"), and AES ("aes"). This extension is required by the
339 add command for certain SA types. It is also used by the update
340 command.
341
342 Use the ipsecalgs(1M) command to obtain the complete list of
343 encryption algorithms.
344
345
346
347 The next six extensions are lifetime extensions. There are two vari‐
348 eties, "hard" and "soft". If a hard lifetime expires, the SA will be
349 deleted automatically by the system. If a soft lifetime expires, an
350 SADB_EXPIRE message will be transmitted by the system, and its state
351 will be downgraded to dying from mature. See pf_key(7P). The monitor
352 command to key allows you to view SADB_EXPIRE messages.
353
354 idle_addtime <number>
355 idle_usetime <number>
356
357 Specifies the number of seconds that this SA can exist if the SA is
358 not used before the SA is revalidated. If this extension is not
359 present, the default value is half of the hard_addtime (see below).
360 This extension is used by the add and update commands.
361
362
363 soft_bytes <number>
364 hard_bytes <number>
365
366 Specifies the number of bytes that this SA can protect. If this
367 extension is not present, the default value is zero, which means
368 that the SA will not expire based on the number of bytes protected.
369 This extension is used by the add and update commands.
370
371
372 soft_addtime <number>
373 hard_addtime <number>
374
375 Specifies the number of seconds that this SA can exist after being
376 added or updated from a larval SA. An update of a mature SA does
377 not reset the initial time that it was added. If this extension is
378 not present, the default value is zero, which means the SA will not
379 expire based on how long it has been since it was added. This
380 extension is used by the add and update commands.
381
382
383 soft_usetime <number>
384 hard_usetime <number>
385
386 Specifies the number of seconds this SA can exist after first being
387 used. If this extension is not present, the default value is zero,
388 which means the SA will not expire based on how long it has been
389 since it was added. This extension is used by the add and update
390 commands.
391
392
393 saddr address | name
394 srcaddr address | name
395 saddr6 IPv6 address
396 srcaddr6 IPv6 address
397 src address | name
398 src6 IPv6 address
399
400 srcaddr address and src address are synonyms that indicate the
401 source address of the SA. If unspecified, the source address will
402 either remain unset, or it will be set to a wildcard address if a
403 destination address was supplied. To not specify the source address
404 is valid for IPsec SAs. Future SA types may alter this assumption.
405 This extension is used by the add, update, get and delete commands.
406
407
408 daddr <address>|<name>
409 dstaddr <address>|<name>
410 daddr6 <IPv6 address>|<name>
411 dstaddr6 <IPv6 address>|<name>
412 dst <addr>|<name>
413 dst6 <IPv6 address>|<name>
414
415 dstaddr <addr> and dst <addr> are synonyms that indicate the desti‐
416 nation address of the SA. If unspecified, the destination address
417 will remain unset. Because IPsec SAs require a specified destina‐
418 tion address and spi for identification, this extension, with a
419 specific value, is required for the add, update, get and delete
420 commands.
421
422 If a name is given, ipseckey will attempt to invoke the command on
423 multiple SAs with all of the destination addresses that the name
424 can identify. This is similar to how ipsecconf handles addresses.
425
426 If dst6 or dstaddr6 is specified, only the IPv6 addresses identi‐
427 fied by a name are used.
428
429
430 sport <portnum>
431
432 sport specifies the source port number for an SA. It should be used
433 in combination with an upper-layer protocol (see below), but it
434 does not have to be.
435
436
437 dport <portnum>
438
439 sport specifies the destination port number for an SA. It should be
440 used in combination with an upper-layer protocol (see below), but
441 it does not have to be.
442
443
444 encap <protocol>
445
446 Identifies the protocol used to encapsulate NAT-traversal IPsec
447 packets. Other NAT-traversal parameters (nat_*) are below. The
448 only acceptable value for <protocol> currently is udp.
449
450
451 proto <protocol number>
452 ulp <protocol number>
453
454 proto, and its synonym ulp, specify the IP protocol number of the
455 SA.
456
457
458 nat_loc <address>|<name>
459
460 If the local address in the SA (source or destination) is behind a
461 NAT, this extension indicates the NAT node's globally-routable
462 address. This address can match the SA's local address if there is
463 a nat_lport (see below) specified.
464
465
466 nat_rem <address>|<name>
467
468 If the remote address in the SA (source or destination) is behind a
469 NAT, this extension indicates that node's internal (that is,
470 behind-the-NAT) address. This address can match the SA's local
471 address if there is a nat_rport (see below) specified.
472
473
474 nat_lport <portnum>
475
476 Identifies the local UDP port on which encapsulation of ESP occurs.
477
478
479 nat_rport <portnum>
480
481 Identifies the remote UDP port on which encapsulation of ESP
482 occurs.
483
484
485 isrc <address> | <name>[/<prefix>]
486 innersrc <address> | <name>[/<prefix>]
487 isrc6 <address> | <name>[/<prefix>]
488 innersrc6 <address> | <name>[/<prefix>]
489 proxyaddr <address> | <name>[/<prefix>]
490 proxy <address> | <name>[/<prefix>]
491
492 isrc <address>[/<prefix>] and innersrc <address>[/<prefix>] are
493 synonyms. They indicate the inner source address for a tunnel-mode
494 SA.
495
496 An inner-source can be a prefix instead of an address. As with
497 other address extensions, there are IPv6-specific forms. In such
498 cases, use only IPv6-specific addresses or prefixes.
499
500 Previous versions referred to this value as the proxy address. The
501 usage, while deprecated, remains.
502
503
504 idst <address> | <name>[/<prefix>]
505 innerdst <address> | <name>[/<prefix>]
506 idst6 <address> | <name>[/<prefix>]
507 innerdst6 <address> | <name>[/<prefix>]
508
509 idst <address>[/<prefix>] and innerdst <address>[/<prefix>] are
510 synonyms. They indicate the inner destination address for a tunnel-
511 mode SA.
512
513 An inner-destination can be a prefix instead of an address. As with
514 other address extensions, there are IPv6-specific forms. In such
515 cases, use only IPv6-specific addresses or prefixes.
516
517
518 innersport <portnum>
519 isport <portnum>
520
521 innersport specifies the source port number of the inner header for
522 a tunnel-mode SA. It should be used in combination with an upper-
523 layer protocol (see below), but it does not have to be.
524
525
526 innerdport <portnum>
527 idport <portnum>
528
529 innerdport specifies the destination port number of the inner
530 header for a tunnel-mode SA. It should be used in combination with
531 an upper-layer protocol (see below), but it does not have to be.
532
533
534 iproto <protocol number>iulp <protocol number>
535
536 iproto, and its synonym iulp, specify the IP protocol number of the
537 inner header of a tunnel-mode SA.
538
539
540 authkey <hexstring>
541
542 Specifies the authentication key for this SA. The key is expressed
543 as a string of hexadecimal digits, with an optional / at the end,
544 for example, 123/12. Bits are counted from the most-significant
545 bits down. For example, to express three '1' bits, the proper syn‐
546 tax is the string "e/3". For multi-key algorithms, the string is
547 the concatenation of the multiple keys. This extension is used by
548 the add and update commands.
549
550
551 encrkey <hexstring>
552
553 Specifies the encryption key for this SA. The syntax of the key is
554 the same as authkey. A concrete example of a multi-key encryption
555 algorithm is 3des, which would express itself as a 192-bit key,
556 which is three 64-bit parity-included DES keys. This extension is
557 used by the add and update commands.
558
559
560
561 Certificate identities are very useful in the context of automated key
562 management, as they tie the SA to the public key certificates used in
563 most automated key management protocols. They are less useful for manu‐
564 ally added SAs. Unlike other extensions, srcidtype takes two values, a
565 type, and an actual value. The type can be one of the following:
566
567 prefix
568
569 An address prefix.
570
571
572 fqdn
573
574 A fully-qualified domain name.
575
576
577 domain
578
579 Domain name, synonym for fqdn.
580
581
582 user_fqdn
583
584 User identity of the form user@fqdn.
585
586
587 mailbox
588
589 Synonym for user_fqdn.
590
591
592
593 The value is an arbitrary text string that should identify the certifi‐
594 cate.
595
596 srcidtype <type, value>
597
598 Specifies a source certificate identity for this SA. This extension
599 is used by the add and update commands.
600
601
602 dstidtype <type, value>
603
604 Specifies a destination certificate identity for this SA. This
605 extension is used by the add and update commands
606
607
608 Tunnel Mode versus Transport Mode SAs
609 An IPsec SA is a Tunnel Mode SA if the "proto" value is either 4 (ipip)
610 or 41 (ipv6) and there is an inner-address or inner-port value speci‐
611 fied. Otherwise, the SA is a Transport Mode SA.
612
614 Keying material is very sensitive and should be generated as randomly
615 as possible. Some algorithms have known weak keys. IPsec algorithms
616 have built-in weak key checks, so that if a weak key is in a newly
617 added SA, the add command will fail with an invalid value.
618
619
620 The ipseckey command allows a privileged user to enter cryptographic
621 keying information. If an adversary gains access to such information,
622 the security of IPsec traffic is compromised. The following issues
623 should be taken into account when using the ipseckey command.
624
625 1. Is the TTY going over a network (interactive mode)?
626
627 o If it is, then the security of the keying material is
628 the security of the network path for this TTY's traffic.
629 Using ipseckey over a clear-text telnet or rlogin ses‐
630 sion is risky.
631
632 o Even local windows might be vulnerable to attacks where
633 a concealed program that reads window events is present.
634
635 2. Is the file accessed over the network or readable to the
636 world (-f option)?
637
638 o A network-mounted file can be sniffed by an adversary as
639 it is being read.
640
641 o A world-readable file with keying material in it is also
642 risky.
643
644 3. The ipseckey command is designed to be managed by the man‐
645 ual-key smf(5) service. Because the smf(5) log files are
646 world-readable, the ipseckey does not record any syntax
647 errors in the log files, as these errors might include
648 secret information.
649
650 If a syntax error is found when the manual-key smf(5) ser‐
651 vice is enabled, the service enters maintenance mode. The
652 log file will indicate that there was a syntax error, but
653 will not specify what the error was.
654
655 The administrator should use ipeckey -c filename from the
656 command line to discover the cause of the errors. See
657 OPTIONS.
658
659
660 If your source address is a host that can be looked up over the network
661 and your naming system itself is compromised, then any names used will
662 not be trustworthy.
663
664
665 Security weaknesses often lie in misapplication of tools, not in the
666 tools themselves. Administrators are urged to be cautious when using
667 ipseckey. The safest mode of operation is probably on a console or
668 other hard-connected TTY.
669
670
671 For further thoughts on this subject, see the afterward by Matt Blaze
672 in Bruce Schneier's Applied Cryptography: Protocols, Algorithms, and
673 Source Code in C.
674
675 Service Management Facility
676 IPsec manual keys are managed by the service management facility,
677 smf(5). The services listed below manage the components of IPsec. These
678 services are delivered as follows:
679
680 svc:/network/ipsec/policy:default (enabled)
681 svc:/network/ipsec/ipsecalgs:default (enabled)
682 svc:/network/ipsec/manual-key:default (disabled)
683 svc:/network/ipsec/ike:default (disabled)
684
685
686
687
688 The manual-key service is delivered disabled. The system administrator
689 must create manual IPsec Security Associations (SAs), as described in
690 this man page, before enabling that service.
691
692
693 The policy service is delivered enabled, but without a configuration
694 file, so that, as a starting condition, packets are not protected by
695 IPsec. After you create the configuration file /etc/inet/ipsecinit.conf
696 and refresh the service (svcadm refresh, see below), the policy con‐
697 tained in the configuration file is applied. If there is an error in
698 this file, the service enters maintenance mode. See ipsecconf(1M).
699
700
701 Services that are delivered disabled are delivered that way because the
702 system administrator must create configuration files for those services
703 before enabling them. See ike.config(4) for the ike service.
704
705
706 See ipsecalgs(1M) for the ipsecalgs service.
707
708
709 The correct administrative procedure is to create the configuration
710 file for each service, then enable each service using svcadm(1M).
711
712
713 If the configuration needs to be changed, edit the configuration file
714 then refresh the service, as follows:
715
716 example# svcadm refresh manual-key
717
718
719
720
721 Warning: To prevent ipseckey complaining about duplicate Associations,
722 the ipseckey command flushes the Security Association Data Base (SADB)
723 when the ipseckey command is run from smf(5), before adding any new
724 Security Associations defined in the configuration file. This differs
725 from the command line behavior where the SADB is not flushed before
726 adding new Security Associations.
727
728
729 The smf(5) framework will record any errors in the service-specific log
730 file. Use any of the following commands to examine the logfile prop‐
731 erty:
732
733 example# svcs -l manual-key
734 example# svcprop manual-key
735 example# svccfg -s manual-key listprop
736
737
738
739
740 The following property is defined for the manual-key service:
741
742 config/config_file
743
744
745
746
747 This property can be modified using svccfg(1M) by users who have been
748 assigned the following authorization:
749
750 solaris.smf.value.ipsec
751
752
753
754
755 See auths(1), user_attr(4), rbac(5).
756
757
758 The service needs to be refreshed using svcadm(1M) before the new prop‐
759 erty is effective. General non-modifiable properties can be viewed with
760 the svcprop(1) command.
761
762 # svccfg -s ipsec/manual-key setprop config/config_file = \
763 /new/config_file
764 # svcadm refresh manual-key
765
766
767
768
769 Administrative actions on this service, such as enabling, disabling,
770 refreshing, and requesting restart can be performed using svcadm(1M). A
771 user who has been assigned the authorization shown below can perform
772 these actions:
773
774 solaris.smf.manage.ipsec
775
776
777
778
779 The service's status can be queried using the svcs(1) command.
780
781
782 The ipseckey command is designed to be run under smf(5) management.
783 While the ipsecconf command can be run from the command line, this is
784 discouraged. If the ipseckey command is to be run from the command
785 line, the manual-key smf(5) service should be disabled first. See
786 svcadm(1M).
787
789 Example 1 Emptying Out All SAs
790
791
792 To empty out all SA:
793
794
795 example# ipseckey flush
796
797
798
799 Example 2 Flushing Out IPsec AH SAs Only
800
801
802 To flush out only IPsec AH SAs:
803
804
805 example# ipseckey flush ah
806
807
808
809 Example 3 Saving All SAs To Standard Output
810
811
812 To save all SAs to the standard output:
813
814
815 example# ipseckey save all
816
817
818
819 Example 4 Saving ESP SAs To The File /tmp/snapshot
820
821
822 To save ESP SAs to the file /tmp/snapshot:
823
824
825 example# ipseckey save esp /tmp/snapshot
826
827
828
829 Example 5 Deleting an IPsec SA
830
831
832 To delete an IPsec SA, only the SPI and the destination address are
833 needed:
834
835
836 example# ipseckey delete esp spi 0x2112 dst 224.0.0.1
837
838
839
840
841 An alternative would be to delete the SA and the SAs pair if it has
842 one:
843
844
845 example# ipseckey delete-pair esp spi 0x2112 dst 224.0.0.1
846
847
848
849 Example 6 Getting Information on an IPsec SA
850
851
852 Likewise, getting information on a SA only requires the destination
853 address and SPI:
854
855
856 example# ipseckey get ah spi 0x5150 dst mypeer
857
858
859
860 Example 7 Adding or Updating IPsec SAs
861
862
863 Adding or updating SAs requires entering interactive mode:
864
865
866 example# ipseckey
867 ipseckey> add ah spi 0x90125 src me.domain.com dst you.domain.com \
868 authalg md5 authkey 1234567890abcdef1234567890abcdef
869 ipseckey> update ah spi 0x90125 dst you.domain.com hard_bytes \
870 16000000
871 ipseckey> exit
872
873
874
875
876 Adding two SAs that are linked together as a pair:
877
878
879 example# ipseckey
880 ipseckey> add esp spi 0x2345 src me.domain.com dst you.domain.com \
881 authalg md5 authkey bde359723576fdea08e56cbe876e24ad \
882 encralg des encrkey be02938e7def2839
883 ipseckey> add esp spi 0x5432 src me.domain.com dst you.domain.com \
884 authalg md5 authkey bde359723576fdea08e56cbe876e24ad \
885 encralg des encrkey be02938e7def2839 pair-spi 0x2345
886 ipseckey> exit
887
888
889
890 Example 8 Adding an SA in the Opposite Direction
891
892
893 In the case of IPsec, SAs are unidirectional. To communicate securely,
894 a second SA needs to be added in the opposite direction. The peer
895 machine also needs to add both SAs.
896
897
898 example# ipseckey
899 ipseckey> add ah spi 0x2112 src you.domain.com dst me.domain.com \
900 authalg md5 authkey bde359723576fdea08e56cbe876e24ad \
901 hard_bytes 16000000
902 ipseckey> exit
903
904
905
906 Example 9 Monitoring PF_KEY Messages
907
908
909 Monitoring for PF_KEY messages is straightforward:
910
911
912 example# ipseckey monitor
913
914
915
916 Example 10 Using Commands in a File
917
918
919 Commands can be placed in a file that can be parsed with the -f option.
920 This file may contain comment lines that begin with the "#" symbol. For
921 example:
922
923
924 # This is a sample file for flushing out the ESP table and
925 # adding a pair of SAs.
926
927 flush esp
928
929 ### Watch out! I have keying material in this file. See the
930 ### SECURITY section in this manual page for why this can be
931 ### dangerous .
932
933 add esp spi 0x2112 src me.domain.com dst you.domain.com \
934 authalg md5 authkey bde359723576fdea08e56cbe876e24ad \
935 encralg des encrkey be02938e7def2839 hard_usetime 28800
936 add esp spi 0x5150 src you.domain.com dst me.domain.com \
937 authalg md5 authkey 930987dbe09743ade09d92b4097d9e93 \
938 encralg des encrkey 8bd4a52e10127deb hard_usetime 28800
939
940 ## End of file - This is a gratuitous comment
941
942
943 Example 11 Adding SAs for IPv6 Addresses
944
945
946 The following commands from the interactive-mode create an SA to pro‐
947 tect IPv6 traffic between the site-local addresses
948
949
950 example # ipseckey
951 ipseckey> add esp spi 0x6789 src6 fec0:bbbb::4483 dst6 fec0:bbbb::7843\
952 authalg md5 authkey bde359723576fdea08e56cbe876e24ad \
953 encralg des encrkey be02938e7def2839 hard_usetime 28800
954 ipseckey>exit
955
956
957
958 Example 12 Linking Two SAs as a Pair
959
960
961 The following command links two SAs together, as a pair:
962
963
964 example# ipseckey update esp spi 0x123456 dst 192.168.99.2 \
965 pair-spi 0x654321
966
967
968
970 /etc/inet/secret/ipseckeys
971
972 Default configuration file used at boot time. See "Service Manage‐
973 ment Facility" and SECURITY for more information.
974
975
977 See attributes(5) for descriptions of the following attributes:
978
979
980
981
982 ┌─────────────────────────────┬─────────────────────────────┐
983 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
984 ├─────────────────────────────┼─────────────────────────────┤
985 │Availability │SUNWcsu │
986 │Interface Stability │Committed │
987 └─────────────────────────────┴─────────────────────────────┘
988
990 ps(1), svcprop(1), svcs(1), ipsecconf(1M), ipsecalgs(1M), route(1M),
991 svcadm(1M), svccfg(1M), ike.config(4), attributes(5), smf(5),
992 ipsec(7P), ipsecah(7P), ipsecesp(7P), pf_key(7P)
993
994
995 Schneier, B., Applied Cryptography: Protocols, Algorithms, and Source
996 Code in C. Second ed. New York, New York: John Wiley & Sons, 1996.
997
999 The ipseckey command parses the configuration file and reports any
1000 errors. In the case of multiple errors, ipseckey reports as many of
1001 these as possible.
1002
1003
1004 The ipseckey command does not attempt to use a COMMAND that has a syn‐
1005 tax error. A COMMAND might be syntactically correct but can neverthe‐
1006 less generate an error because the kernel rejected the request made to
1007 pf_key(7P). This might occur because a key had an invalid length or
1008 because an unsupported algorithm was specified.
1009
1010
1011 If there are any errors in the configuration file, ipseckey reports the
1012 number of valid COMMANDS and the total number of COMMANDS parsed.
1013
1014 Parse error on line N.
1015
1016 If an interactive use of ipseckey would print usage information,
1017 this would print instead. Usually proceeded by another diagnostic.
1018 Because COMMANDS can cover more than a single line in the configu‐
1019 ration file by using the backslash character to delimit lines, its
1020 not always possible to pinpoint in the configuration file the exact
1021 line that caused the error.
1022
1023
1024 Unexpected end of command line.
1025
1026 An additional argument was expected on the command line.
1027
1028
1029 Unknown
1030
1031 A value for a specific extension was unknown.
1032
1033
1034 Address type N not supported.
1035
1036 A name-to-address lookup returned an unsupported address family.
1037
1038
1039 N is not a bit specifier
1040 bit length N is too big for
1041 string is not a hex string
1042
1043 Keying material was not entered appropriately.
1044
1045
1046 Can only specify single
1047
1048 A duplicate extension was entered.
1049
1050
1051 Don't use extension for <string> for <command>.
1052
1053 An extension not used by a command was used.
1054
1055
1056 One of the entered values is incorrect: Diagnostic code NN:<msg>
1057
1058 This is a general invalid parameter error. The diagnostic code and
1059 message provides more detail about what precise value was incorrect
1060 and why.
1061
1062
1064 In spite of its IPsec-specific name, ipseckey is analogous to
1065 route(1M), in that it is a command-line interface to a socket-based
1066 administration engine, in this case, PF_KEY. PF_KEY was originally
1067 developed at the United States Naval Research Laboratory.
1068
1069
1070 To have machines communicate securely with manual keying, SAs need to
1071 be added by all communicating parties. If two nodes wish to communicate
1072 securely, both nodes need the appropriate SAs added.
1073
1074
1075 In the future ipseckey may be invoked under additional names as other
1076 security protocols become available to PF_KEY.
1077
1078
1079 This command requires sys_ip_config privilege to operate and thus can
1080 run in the global zone and in exclusive-IP zones. The global zone can
1081 set up security associations with ipseckey to protect traffic for
1082 shared-IP zones on the system.
1083
1084
1085
1086SunOS 5.11 25 Sep 2008 ipseckey(1M)