*** in.iked.txt Wed Feb 21 17:16:26 2007 --- in.iked.txt.new Tue Feb 27 13:46:07 2007 *************** *** 49,59 **** ! in.iked starts at boot time if the /etc/inet/ike/config file ! exists. See ike.config(4) for the format of this file. in.iked listens for incoming IKE requests from the network and for requests for outbound traffic using the PF_KEY socket. See pf_key(7P). --- 49,66 ---- ! in.iked is managed by the following smf(5) service: + svc:/network/ipsec/ike + This service is delivered disabled because the configuration + file needs to be created before the service can be enabled. + See ike.config(4) for the format of this file. + See SMF for information on managing the smf(5) service. + + + in.iked listens for incoming IKE requests from the network and for requests for outbound traffic using the PF_KEY socket. See pf_key(7P). *************** *** 74,92 **** in.iked has two support programs that are used for IKE administration and diagnosis: ikeadm(1M) and ikecert(1M). ! The SIGHUP signal causes the IKE daemon to read ! /etc/inet/ike/config and reload the certificate database. ! SIGHUP is equivalent to using ikeadm(1M) to read the ! /etc/inet/ike/config file as a rule, for example: - example# ikeadm read rule /etc/inet/ike/config - - - OPTIONS The following options are supported: --- 81,102 ---- in.iked has two support programs that are used for IKE administration and diagnosis: ikeadm(1M) and ikecert(1M). + The ikeadm(1M) command can read the + /etc/inet/ike/config file as a rule, then pass the configuration + information to the running in.iked daemon using a doors interface. + example# ikeadm read rule /etc/inet/ike/config ! Refreshing the 'ike' smf(5) service provided to manage the in.iked daemon ! will send a SIGHUP signal to the in.iked daemon which will (re)read ! /etc/inet/ike/config and reload the certificate database. + example# svcadm refresh ike + These two commands have the same effect, that is to update the + running IKE daemon with the latest configuration. See SMF for + more details on managing the in.iked daemon. OPTIONS The following options are supported: *************** *** 99,105 **** -d Use debug mode. The process stays attached to the controlling terminal and produces large ! amounts of debugging output. --- 109,116 ---- -d Use debug mode. The process stays attached to the controlling terminal and produces large ! amounts of debugging output. This argument is ! depreciated. See SMF for more details. *************** *** 106,111 **** --- 117,123 ---- -f filename Use filename instead of /etc/inet/ike/config. See ike.config(4) for the format of this file. + This argument is depreciated. See SMF for more details. *************** *** 113,121 **** --- 125,135 ---- -p level Specify privilege level (level). This option sets how much ikeadm(1M) invocations can change or observe about the running in.iked. + This argument is depreciated. See SMF for more details. + Valid levels are: *************** *** 217,224 **** --- 231,344 ---- IKE pre-shared secrets for Phase I authentication. + SMF + The IKE daemon (in.iked) is managed by the service management + facility, smf(5). The following group of services manage + the components of IPsec: + svc:/network/ipsec/ipsecalgs (See ipsecalgs(1M)) + svc:/network/ipsec/policy (See ipsecconf(1M)) + svc:/network/ipsec/manual-key (See ipseckey(1M)) + svc:/network/ipsec/ike (see ike.config(4)) + The manual-key and ike services are delivered 'disabled' + because the system administrator needs to create configuration + files for each service as described in the respective man pages. + + Correct administrative proceedure is to create the + configuration file for each service then enable each + service using svcadm(1M). The 'ike' service has + a dependency on the 'ipsecalgs' and 'policy' services. + + These services should be enabled before the 'ike' + service, failure to do so will result in the 'ike' + service entering maintenance mode. + + If the configuration needs to be changed, edit the + configuration file then refresh the service. + + example# svcadm refresh ike + + The following properties are defined for the 'ike' service: + + config/admin_privilege + + This defines the level that ikeadm(1M) invocations can change + or observe the running in.iked. The acceptable values for this + property are the same as those for the -p flag - See OPTIONS. + + config/config_file + + This defines the configuration file to use, the default value is + /etc/inet/ike/config. See ike.config(4) for the format of this + file. This property has the same effect as the -f flag - See OPTIONS. + + config/debug_level + + This property defines the amount of debug output that is written + to the debug_logfile file described below. The default value for this is 'op' + or 'operator', this will record information on events such as + re-reading the configuration file. Acceptable value for debug_level + are listed in the ikadm(1M) man page. The value 'all' is equivelent + to the -d flag - See OPTIONS. + + config/debug_logfile + + This defines where debug output should be written. The messages written + here are from debug code within in.iked, startup error messages are + recorded by the smf(5) framework and recorded in a service + specific logfile. Use any of the following commands to + examine the 'logfile' property: + + example# svcs -l ike + example# svcprop ike + example# svccfg -s ike listprop + + The values for these log file properties may be different, in which case + both files should be inspected for errors. + + config/ignore_errors + + This is a boolean value which controls in.iked's behaviour should + the configuration file have syntax errors. The default value is + 'false' - this will cause in.iked to enter maintenance mode if + the configuration is invalid. + + Setting this value to 'true' will cause the 'ike' service to + stay online, but correct operation requires the administrator + to configure the running daemon with ikeadm(1M). This option + is provided for backwards compatability with previous releases. + + These properties can be modified using svccfg(1M) by users + who have been assigned the following authorization: + + solaris.smf.value.ipsec + + See auths(1), user_attr(4), rbac(5). + + The service needs to be refreshed using svcadm(1M) before + the new property is effective. General non-modifiable properties + can be viewed with the svcprop(1M) command. + + example# svccfg -s ipsec/ike setprop config/config_file = /new/config_file + example# svcadm refresh ike + + Administrative actions on this service, such as enabling, + disabling, refreshing or requesting restart, can be performed + using svcadm(1M). A user who has been assigned the following + authorization can perform these actions: + + solaris.smf.manage.ipsec + + The service's status can be queried using the svcs(1) command. + + The in.iked daemon is designed to run under smf(5) management. + It is possible to run the in.iked from the command line although + this is discouraged. Before attempting to run the in.iked daemon + from the command line, make sure the 'ike' smf(5) service is + disabled first, see svcadm(1M). + + ATTRIBUTES See attributes(5) for descriptions of the following attri- butes: *************** *** 234,240 **** SEE ALSO coreadm(1M), ikeadm(1M), ikecert(1M), ike.config(4), attri- ! butes(5), ipsecesp(7P) --- 354,360 ---- SEE ALSO coreadm(1M), ikeadm(1M), ikecert(1M), ike.config(4), attri- ! butes(5), ipsecesp(7P), smf(5), svccfg(1M), svcadm(1M) *************** *** 269,281 **** - NOTES - This daemon requires sys_net_config privilege to operate and - thus can run only in the global zone. in.iked can create - security associations that protect traffic for both the glo- - bal zone and non-global zones. - --- 389,395 ----