System Administration Commands in.iked(1M) NAME in.iked - daemon for the Internet Key Exchange (IKE) SYNOPSIS /usr/lib/inet/in.iked [-d] [-f filename] [-p level] /usr/lib/inet/in.iked -c [-f filename] DESCRIPTION in.iked performs automated key management for IPsec using the Internet Key Exchange (IKE) protocol. in.iked implements the following: o IKE authentication with either pre-shared keys, DSS signatures, RSA signatures, or RSA encryption. o Diffie-Hellman key derivation using either 768, 1024, or 1536-bit public key moduli. o Authentication protection with cipher choices of AES, DES, Blowfish, or 3DES, and hash choices of either HMAC-MD5 or HMAC-SHA-1. Encryption in in.iked is limited to the IKE authentication and key exchange. See ipsecesp(7P) for information regarding IPsec protection choices. in.iked is managed by the following smf(5) service: svc:/network/ipsec/ike This service is delivered disabled because the configuration file needs to be created before the service can be enabled. See ike.config(4) for the format of this file. See SMF for information on managing the smf(5) service. in.iked listens for incoming IKE requests from the network and for requests for outbound traffic using the PF_KEY socket. See pf_key(7P). SunOS 5.11 Last change: 23 Jun 2006 1 System Administration Commands in.iked(1M) in.iked has two support programs that are used for IKE administration and diagnosis: ikeadm(1M) and ikecert(1M). The ikeadm(1M) command can read the /etc/inet/ike/config file as a rule, then pass the configuration information to the running in.iked daemon using a doors interface. example# ikeadm read rule /etc/inet/ike/config Refreshing the 'ike' smf(5) service provided to manage the in.iked daemon will send a SIGHUP signal to the in.iked daemon which will (re)read /etc/inet/ike/config and reload the certificate database. example# svcadm refresh ike These two commands have the same effect, that is to update the running IKE daemon with the latest configuration. See SMF for more details on managing the in.iked daemon. OPTIONS The following options are supported: -c Check the syntax of a configuration file. -d Use debug mode. The process stays attached to the controlling terminal and produces large amounts of debugging output. This argument is depreciated. See SMF for more details. -f filename Use filename instead of /etc/inet/ike/config. See ike.config(4) for the format of this file. This argument is depreciated. See SMF for more details. -p level Specify privilege level (level). This option sets how much ikeadm(1M) invocations can change or observe about the running in.iked. This argument is depreciated. See SMF for more details. Valid levels are: 0 Base level SunOS 5.11 Last change: 23 Jun 2006 2 System Administration Commands in.iked(1M) 1 Access to preshared key info 2 Access to keying material If -p is not specified, level defaults to 0. SECURITY This program has sensitive private keying information in its image. Care should be taken with any core dumps or system dumps of a running in.iked daemon, as these files contain sensitive keying information. Use the coreadm(1M) command to limit any corefiles produced by in.iked. FILES /etc/inet/ike/config /etc/inet/secret/ike.privatekeys/* Private keys. A private key must have a matching public-key certificate with the same filename in /etc/inet/ike/publickeys/. /etc/inet/ike/publickeys/* Public-key certificates. The names are only important with regard to matching private key names. SunOS 5.11 Last change: 23 Jun 2006 3 System Administration Commands in.iked(1M) /etc/inet/ike/crls/* Public key certificate revocation lists. /etc/inet/secret/ike.preshared IKE pre-shared secrets for Phase I authentication. SMF The IKE daemon (in.iked) is managed by the service management facility, smf(5). The following group of services manage the components of IPsec: svc:/network/ipsec/ipsecalgs (See ipsecalgs(1M)) svc:/network/ipsec/policy (See ipsecconf(1M)) svc:/network/ipsec/manual-key (See ipseckey(1M)) svc:/network/ipsec/ike (see ike.config(4)) The manual-key and ike services are delivered 'disabled' because the system administrator needs to create configuration files for each service as described in the respective man pages. Correct administrative proceedure is to create the configuration file for each service then enable each service using svcadm(1M). The 'ike' service has a dependency on the 'ipsecalgs' and 'policy' services. These services should be enabled before the 'ike' service, failure to do so will result in the 'ike' service entering maintenance mode. If the configuration needs to be changed, edit the configuration file then refresh the service. example# svcadm refresh ike The following properties are defined for the 'ike' service: config/admin_privilege This defines the level that ikeadm(1M) invocations can change or observe the running in.iked. The acceptable values for this property are the same as those for the -p flag - See OPTIONS. config/config_file This defines the configuration file to use, the default value is /etc/inet/ike/config. See ike.config(4) for the format of this file. This property has the same effect as the -f flag - See OPTIONS. config/debug_level This property defines the amount of debug output that is written to the debug_logfile file described below. The default value for this is 'op' or 'operator', this will record information on events such as re-reading the configuration file. Acceptable value for debug_level are listed in the ikadm(1M) man page. The value 'all' is equivelent to the -d flag - See OPTIONS. config/debug_logfile This defines where debug output should be written. The messages written here are from debug code within in.iked, startup error messages are recorded by the smf(5) framework and recorded in a service specific logfile. Use any of the following commands to examine the 'logfile' property: example# svcs -l ike example# svcprop ike example# svccfg -s ike listprop The values for these log file properties may be different, in which case both files should be inspected for errors. config/ignore_errors This is a boolean value which controls in.iked's behaviour should the configuration file have syntax errors. The default value is 'false' - this will cause in.iked to enter maintenance mode if the configuration is invalid. Setting this value to 'true' will cause the 'ike' service to stay online, but correct operation requires the administrator to configure the running daemon with ikeadm(1M). This option is provided for backwards compatability with previous releases. These properties can be modified using svccfg(1M) by users who have been assigned the following authorization: solaris.smf.value.ipsec See auths(1), user_attr(4), rbac(5). The service needs to be refreshed using svcadm(1M) before the new property is effective. General non-modifiable properties can be viewed with the svcprop(1M) command. example# svccfg -s ipsec/ike setprop config/config_file = /new/config_file example# svcadm refresh ike Administrative actions on this service, such as enabling, disabling, refreshing or requesting restart, can be performed using svcadm(1M). A user who has been assigned the following authorization can perform these actions: solaris.smf.manage.ipsec The service's status can be queried using the svcs(1) command. The in.iked daemon is designed to run under smf(5) management. It is possible to run the in.iked from the command line although this is discouraged. Before attempting to run the in.iked daemon from the command line, make sure the 'ike' smf(5) service is disabled first, see svcadm(1M). ATTRIBUTES See attributes(5) for descriptions of the following attri- butes: ____________________________________________________________ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | |_____________________________|_____________________________| | Availability | SUNWcsu | |_____________________________|_____________________________| SEE ALSO coreadm(1M), ikeadm(1M), ikecert(1M), ike.config(4), attri- butes(5), ipsecesp(7P), smf(5), svccfg(1M), svcadm(1M) Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE). Network Working Group. November 1998. Maughan, Douglas, Schertler, M., Schneider, M., Turner, J. RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP). Network Working Group. November 1998. Piper, Derrell, RFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP. Network Working Group. November 1998. SunOS 5.11 Last change: 23 Jun 2006 4 System Administration Commands in.iked(1M) SunOS 5.11 Last change: 23 Jun 2006 5