Table 19–3 describes the files, commands, and service identifiers that are used to configure and manage IPsec. For completeness, the table includes key management files, socket interfaces, and commands.
Starting in the Solaris 10 4/09 release, IPsec is managed by SMF. For more information about service identifiers, see Chapter 18, Managing Services (Overview), in System Administration Guide: Basic Administration.
For instructions on implementing IPsec on your network, see Protecting Traffic With IPsec (Task Map).
For more details about IPsec utilities and files, see Chapter 21, IP Security Architecture (Reference).
IPsec Utility, File, or Service | Description | Man Page |
---|---|---|
svc:/network/ipsec/ipsecalgs | In the current release, the SMF service that manages IPsec algorithms. | |
svc:/network/ipsec/manual-key | In the current release, the SMF service that manages manual security associations (SAs). | |
svc:/network/ipsec/policy | In the current release, the SMF service that manages IPsec policy. | |
svc:/network/ipsec/ike | In the current release, the SMF service for the automatic management of IPsec SAs. | |
/etc/inet/ipsecinit.conf file | IPsec policy file. In releases prior to the Solaris 10 4/09 release, if this file exists, IPsec is activated at boot time. In the current release, the SMF policy service uses this file to configure IPsec policy at system boot. | |
ipsecconf command | IPsec policy command. Useful for viewing and modifying the current IPsec policy, and for testing. In releases prior to the Solaris 10 4/09 release, the boot scripts use ipsecconf to read the /etc/inet/ipsecinit.conf file and activate IPsec. In the current release, ipsecconf is used by the SMF policy service to configure IPsec policy at system boot. | |
PF_KEY socket interface | Interface for the security associations database (SADB). Handles manual key management and automatic key management. | |
ipseckey command | IPsec SAs keying command. ipseckey is a command-line front end to the PF_KEY interface. ipseckey can create, destroy, or modify SAs. | |
/etc/inet/secret/ipseckeys file | Keys for IPsec SAs. In releases prior to the Solaris 10 4/09 release, if the ipsecinit.conf file exists, the ipseckeys file is automatically read at boot time. In the current release, ipseckeys is used by the SMF manual-key service to configure SAs manually at system boot. | |
ipsecalgs command | IPsec algorithms command. Useful for viewing and modifying the list of IPsec algorithms and their properties. In the current release, ipsecalgs is used by the SMF ipsecalgs service to synchronize known IPsec algorithms with the kernel at system boot. | |
/etc/inet/ipsecalgs file | Contains the configured IPsec protocols and algorithm definitions. This file is managed by the ipsecalgs command and must never be edited manually. | |
/etc/inet/ike/config file | IKE configuration and policy file. By default, this file does not exist. In releases prior to the Solaris 10 4/09 release, if this file exists, the IKE daemon, in.iked, provides automatic key management. The management is based on rules and global parameters in the /etc/inet/ike/config file. See IKE Utilities and Files. In the current release, if this file exists, the svc:/network/ipsec/ike service starts the IKE daemon, in.iked, to provide automatic key management. | |