--- ipsecalgs.txt Tue Feb 20 12:17:12 2007 +++ ipsecalgs.txt.new Wed Feb 21 17:06:12 2007 @@ -145,11 +145,11 @@ update the contents of the /etc/inet/ipsecalgs configuration file. In order for the new definitions to be used for IPsec processing, the changes must be communicated to the kernel - using the -s option. This synchronization is also done - automatically when the host is started. + using the -s option. See NOTES for a description of how + the ipsecalgs configuration is synchronized with the kernel + at system restart. - When invoked without arguments, ipsecalgs displays the list of mappings that are currently defined in /etc/inet/ipsecalgs. You can obtain the corresponding kernel @@ -383,7 +383,9 @@ -s Synchronizes the kernel with the contents of /etc/inet/ipsecalgs. The contents of /etc/inet/ipsecalgs are always updated, but new information is not passed on - to the kernel unless the -s is used. + to the kernel unless the -s is used. See NOTES for a description + of how the ipsecalgs configuration is synchronized with + the kernel at system restart. @@ -400,7 +402,6 @@ System Administration Commands ipsecalgs(1M) - EXAMPLES Example 1 Adding a Protocol for IPsec Encryption @@ -434,7 +435,7 @@ - example# ipsecalgs -s + example# svcadm refresh ipsecalgs @@ -479,7 +480,7 @@ SEE ALSO cryptoadm(1M), getipsecalgbyname(3NSL), getipsecprotobyname(3NSL), attributes(5), ipsecah(7P), - ipsecesp(7P) + ipsecesp(7P), ipsecconf(1M), ipseckey(1M), svcadm(1M), smf(5). 
@@ -496,25 +497,64 @@ tocol is removed, then IPsec cannot encrypt and decrypt packets. + Synchronization of the ipsecalgs configuration with the kernel + at system startup is provided by the following smf(5) + service: + svc:/network/ipsec/ipsecalgs:default - This command requires sys_net_config privilege to operate - and thus can run only in the global zone. All zones share - the same available set of algorithms; however, you can use - ipsecconf(1M) to set up system policy that uses differing - algorithms for various zones. + This service is delivered disabled because the following + dependent services are also delivered disabled: + svc:/network/ipsec/policy (See ipsecconf(1M)) + svc:/network/ipsec/manual-key (See ipseckey(1M)) + svc:/network/ipsec/ike (see ike.config(4)) + These services are delivered disabled because the + system administrator needs to create configuration files + for each service as described in the respective man pages. + Correct administrative proceedure is to create the + configuration file for each service then enable each + service using svcadm(1M). + example# svcadm enable ipsecalgs + The service's status can be queried using the svcs(1) command. + If the ipsecalgs configuration is modified, then this new + configuration should be re-synchronized thus: + example# svcadm refresh ipsecalgs + Administrative actions on this service, such as enabling, + disabling, refreshing or requesting restart, can be performed + using svcadm(1M). A user who has been assigned the following + authorization can perform these actions: + solaris.smf.manage.ipsec + See auths(1), user_attr(4), rbac(5). + The ipsecalgs smf(5) service does not have any user configurable properties. + The smf(5) framework will record any errors in the service + specific logfile. 
Use any of the following commands to + examine the 'logfile' property: + + + example# svcs -l ipsecalgs + example# svcprop ipsecalgs + example# svccfg -s ipsecalgs listprop + + + This command requires sys_net_config privilege to operate + and thus can run only in the global zone. All zones share + the same available set of algorithms; however, you can use + ipsecconf(1M) to set up system policy that uses differing + algorithms for various zones. + +
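Review bot: The cross-reference added in the first hunk (@@ -145) says the configuration is synchronized "at system restart", while the NOTES text added later in this same patch describes synchronization "at system startup"; pick one term and use it in both places so readers searching NOTES find the phrase the DESCRIPTION points them to. The same wording fix applies to the duplicate sentence added in the -s option hunk.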
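Review bot: In the -s option hunk (@@ -383) the retained sentence "to the kernel unless the -s is used" should read "unless -s is used"; since the line is already being touched to append the NOTES reference, this is the place to fix the stray article rather than leave it for a later cleanup.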
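Review bot: The hunk at @@ -400 removes only the blank line between the "System Administration Commands ipsecalgs(1M)" running header and the EXAMPLES heading; every other section heading on the page is preceded by a blank line, so this looks like an accidental whitespace change and should be dropped from the patch.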
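Review bot: The example hunk (@@ -434) swaps "example# ipsecalgs -s" for "example# svcadm refresh ipsecalgs" while the -s option remains documented in OPTIONS, leaving the reader with two synchronization mechanisms and no statement of how they relate. Add one sentence next to the example (or in NOTES) saying that refreshing the service is the supported way to run the -s synchronization and that the two have the same effect on the kernel, or keep both commands in the example so the relationship is explicit. Also use the same service name form here as in NOTES, which gives the full FMRI svc:/network/ipsec/ipsecalgs:default.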
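Review bot: The SEE ALSO hunk (@@ -479) appends ipsecconf(1M), ipseckey(1M), svcadm(1M), smf(5) after ipsecesp(7P), which breaks the section-then-alphabetical ordering used by the existing entries (cryptoadm(1M), getipsecalgbyname(3NSL), ..., ipsecesp(7P)); re-sort the list, for example placing ipsecconf(1M), ipseckey(1M) and svcadm(1M) alongside cryptoadm(1M) and smf(5) after attributes(5). The new NOTES text also cites svcs(1), auths(1), svcprop(1), svccfg(1M), ike.config(4), user_attr(4) and rbac(5), none of which are added here; either list them in SEE ALSO as well or drop the trailing period so the list can be extended consistently later.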
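Review bot: In the NOTES hunk (@@ -496), "Correct administrative proceedure" should be "procedure", and the parenthetical cross-references are inconsistently capitalized ("(See ipsecconf(1M))" and "(See ipseckey(1M))" versus "(see ike.config(4))"). The line "The ipsecalgs smf(5) service does not have any user configurable properties." is wider than the rest of the page and needs re-wrapping, "user configurable" should be hyphenated, and the triple blank lines around the svcs/svcprop/svccfg examples should be collapsed to the single blank line used elsewhere. It would also help the administrator to state plainly, right after "delivered disabled", that enabling policy, manual-key or ike does not by itself enable ipsecalgs, since the following paragraph otherwise reads as if enabling the dependent services is sufficient.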