Tribblix: manual page: in.iked.8

IN.IKED(8) Maintenance Commands and Procedures IN.IKED(8)

NAME

in.iked - daemon for the Internet Key Exchange (IKE)

SYNOPSIS

/usr/lib/inet/in.iked [-d] [-f filename] [-p level]

/usr/lib/inet/in.iked -c [-f filename]

DESCRIPTION

in.iked performs automated key management for IPsec using the
Internet Key Exchange (IKE) protocol.

in.iked implements the following:

o IKE authentication with either pre-shared keys, DSS
signatures, RSA signatures, or RSA encryption.

o Diffie-Hellman key derivation using either 768, 1024, or
1536-bit public key moduli.

o Authentication protection with cipher choices of AES, DES,
Blowfish, or 3DES, and hash choices of either HMAC-MD5 or
HMAC-SHA-1. Encryption in in.iked is limited to the IKE
authentication and key exchange. See ipsecesp(4P) for
information regarding IPsec protection choices.

in.iked is managed by the following smf(7) service:

svc:/network/ipsec/ike

This service is delivered disabled because the configuration file
needs to be created before the service can be enabled. See
ike.config(5) for the format of this file.

See "Service Management Facility" for information on managing the
smf(7) service.

in.iked listens for incoming IKE requests from the network and for
requests for outbound traffic using the PF_KEY socket. See
pf_key(4P).

in.iked has two support programs that are used for IKE administration
and diagnosis: ikeadm(8) and ikecert(8).

The ikeadm(8) command can read the /etc/inet/ike/config file as a
rule, then pass the configuration information to the running in.iked
daemon using a doors interface.

example# ikeadm read rule /etc/inet/ike/config

Refreshing the ike smf(7) service provided to manage the in.iked
daemon sends a SIGHUP signal to the in.iked daemon, which will
(re)read /etc/inet/ike/config and reload the certificate database.

The preceding two commands have the same effect, that is, to update
the running IKE daemon with the latest configuration. See "Service
Management Facility" for more details on managing the in.iked daemon.

Service Management Facility

The IKE daemon (in.iked) is managed by the service management
facility, smf(7). The following group of services manage the
components of IPsec:

svc:/network/ipsec/ipsecalgs (See ipsecalgs(8))
svc:/network/ipsec/policy (See ipsecconf(8))
svc:/network/ipsec/manual-key (See ipseckey(8))
svc:/network/ipsec/ike (see ike.config(5))

The manual-key and ike services are delivered disabled because the
system administrator must create configuration files for each
service, as described in the respective man pages listed above.

The correct administrative procedure is to create the configuration
file for each service, then enable each service using svcadm(8).

The ike service has a dependency on the ipsecalgs and policy
services. These services should be enabled before the ike service.
Failure to do so results in the ike service entering maintenance
mode.

If the configuration needs to be changed, edit the configuration file
then refresh the service, as follows:

example# svcadm refresh ike

The following properties are defined for the ike service:

config/admin_privilege

Defines the level that ikeadm(8) invocations can change or
observe the running in.iked. The acceptable values for this
property are the same as those for the -p option. See the
description of -p in OPTIONS.

config/config_file

Defines the configuration file to use. The default value is
/etc/inet/ike/config. See ike.config(5) for the format of this
file. This property has the same effect as the -f flag. See the
description of -f in OPTIONS.

config/debug_level

Defines the amount of debug output that is written to the
debug_logfile file, described below. The default value for this
is op or operator. This property controls the recording of
information on events such as re-reading the configuration file.
Acceptable value for debug_level are listed in the ikeadm(8) man
page. The value all is equivalent to the -d flag. See the
description of -d in OPTIONS.

config/debug_logfile

Defines where debug output should be written. The messages
written here are from debug code within in.iked. Startup error
messages are recorded by the smf(7) framework and recorded in a
service-specific log file. Use any of the following commands to
examine the logfile property:

example# svcs -l ike
example# svcprop ike
example# svccfg -s ike listprop

The values for these log file properties might be different, in
which case both files should be inspected for errors.

config/ignore_errors

A boolean value that controls in.iked's behavior should the
configuration file have syntax errors. The default value is
false, which causes in.iked to enter maintenance mode if the
configuration is invalid.

Setting this value to true causes the IKE service to stay online,
but correct operation requires the administrator to configure the
running daemon with ikeadm(8). This option is provided for
compatibility with previous releases.

These properties can be modified using svccfg(8) by users who have
been assigned the following authorization:

solaris.smf.value.ipsec

PKCS#11 token objects can be unlocked or locked by using ikeadm token
login and ikeadm token logout, respectively. Availability of private
keying material stored on these PKCS#11 token objects can be observed
with: ikeadm dump certcache. The following authorizations allow users
to log into and out of PKCS#11 token objects:

solaris.network.ipsec.ike.token.login
solaris.network.ipsec.ike.token.logout

See auths(1), ikeadm(8), user_attr(5), rbac(7).

The service needs to be refreshed using svcadm(8) before a new
property value is effective. General, non-modifiable properties can
be viewed with the svcprop(1) command.

# svccfg -s ipsec/ike setprop config/config_file = \
/new/config_file
# svcadm refresh ike

Administrative actions on this service, such as enabling, disabling,
refreshing, and requesting restart can be performed using svcadm(8).
A user who has been assigned the authorization shown below can
perform these actions:

solaris.smf.manage.ipsec

The service's status can be queried using the svcs(1) command.

The in.iked daemon is designed to be run under smf(7) management.
While the in.iked command can be run from the command line, this is
discouraged. If the in.iked command is to be run from the command
line, the ike smf(7) service should be disabled first. See svcadm(8).

OPTIONS

The following options are supported:

-c
Check the syntax of a configuration file.

-d
Use debug mode. The process stays attached to the
controlling terminal and produces large amounts of
debugging output. This option is deprecated. See
"Service Management Facility" for more details.

-f filename
Use filename instead of /etc/inet/ike/config. See
ike.config(5) for the format of this file. This option
is deprecated. See "Service Management Facility" for
more details.

-p level
Specify privilege level (level). This option sets how
much ikeadm(8) invocations can change or observe about
the running in.iked.

Valid levels are:

0
Base level

1
Access to preshared key info

2
Access to keying material

If -p is not specified, level defaults to 0.

This option is deprecated. See "Service Management
Facility" for more details.

SECURITY

This program has sensitive private keying information in its image.
Care should be taken with any core dumps or system dumps of a running
in.iked daemon, as these files contain sensitive keying information.
Use the coreadm(8) command to limit any corefiles produced by
in.iked.

FILES

/etc/inet/ike/config

Default configuration file.

/etc/inet/secret/ike.privatekeys/*

Private keys. A private key must have a matching public-key
certificate with the same filename in /etc/inet/ike/publickeys/.

/etc/inet/ike/publickeys/*

Public-key certificates. The names are only important with regard
to matching private key names.

/etc/inet/ike/crls/*

Public key certificate revocation lists.

/etc/inet/secret/ike.preshared

IKE pre-shared secrets for Phase I authentication.