What's New in IPsec?

Solaris 10 4/09: Starting in this release, the Service Management Facility (SMF) manages IPsec as a set of services.

By default, two IPsec services are enabled at system boot:

• svc:/network/ipsec/policy:default

• svc:/network/ipsec/ipsecalgs:default

By default, the key management services are disabled at system boot:

• svc:/network/ipsec/manual-key:default

• svc:/network/ipsec/ike:default

To activate IPsec policies under SMF, you perform the following steps:

1. Add IPsec policy entries to the ipsecinit.conf file.

2. Configure the Internet Key Exchange (IKE) or manually configure keys.

3. Refresh the IPsec policy service.

4. Enable the key management service.

For more information about SMF, see Chapter 18, Managing Services (Overview), in System Administration Guide: Basic Administration. Also see the smf(5) and svcadm(1M) man pages.

Starting in this release, the ipsecconf and ipseckey commands have a -c option for checking the syntax of their respective configuration files. Also, the Network IPsec Management rights profile is provided for administering IPsec and IKE.

Solaris 10 7/07: Starting in this release, IPsec fully implements tunnels in tunnel mode, and the utilities that support tunnels are modified.

• IPsec implements tunnels in tunnel mode for virtual private networks (VPNs). In tunnel mode, IPsec supports multiple clients behind a single NAT. In tunnel mode, IPsec is interoperable with implementations of IP-in-IP tunnels by other vendors. IPsec continues to support tunnels in transport mode, so it is compatible with earlier Solaris releases.

• The syntax to create a tunnel is simplified. To manage IPsec policy, the ipsecconf command has been expanded. The ifconfig command is deprecated for managing IPsec policy.

• Starting in this release, the /etc/ipnodes file is removed. Use the /etc/hosts file to configure network IPv6 addresses.

Solaris 10 1/06: Starting in this release, IKE is fully compliant with NAT-Traversal support as described in RFC 3947 and RFC 3948. IKE operations use the PKCS #11 library from the cryptographic framework, which improves performance.

The cryptographic framework provides a softtoken keystore for applications that use the metaslot. When IKE uses the metaslot, you have the option of storing the keys on disk, on an attached board, or in the softtoken keystore.

• To use the softtoken keystore, see the cryptoadm(1M) man page.

• For a complete listing of new Solaris features and a description of Solaris releases, see Oracle Solaris 10 9/10 What’s New.