System Administration Guide: IP Services

ProcedureHow to Add an IKE Preshared Key for a New Policy Entry in ipsecinit.conf

If you add IPsec policy entries while IPsec and IKE are running, you must read the new policy and IKE rules into the kernel. Starting in the Solaris 10 4/09 release, you restart the policy service and refresh the ike service after you add the new keys.


Note –

To perform this procedure on a release prior to the Solaris 10 4/09 release, see Example 23–3.


Before You Begin

This procedure assumes the following:

  1. On the system console, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.


    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.


  2. On this system, generate random numbers and construct a key of 64 to 448 bits.

    For details, see How to Generate Random Numbers on a Solaris System. If you are generating a preshared key for a Solaris system that is communicating with an operating system that requires ASCII, see Example 23–1.

  3. By some means, send the key to the administrator of the remote system.

    You both need to add the same preshared key at the same time. Your key is only as safe as the safety of your transmission mechanism. An out-of-band mechanism, such as registered mail or a protected fax machine, is best. You can also use an ssh session to administer both systems.

  4. Create a rule for IKE to manage the keys for enigma and ada.

    1. On the enigma system, add the following rule to the /etc/inet/ike/config file:


      ### ike/config file on enigma, 192.168.116.16
       
      ## The rule to communicate with ada
      
      {label "enigma-to-ada"
       local_addr 192.168.116.16
       remote_addr 192.168.15.7
       p1_xform
       {auth_method preshared oakley_group 5 auth_alg sha1 encr_alg blowfish}
       p2_pfs 5
      	}
    2. On the ada system, add the following rule:


      ### ike/config file on ada, 192.168.15.7
       
      ## The rule to communicate with enigma
      
      {label "ada-to-enigma"
       local_addr 192.168.15.7
       remote_addr 192.168.116.16
       p1_xform
       {auth_method preshared oakley_group 5 auth_alg sha1 encr_alg blowfish}
       p2_pfs 5
      }
  5. Ensure that IKE preshared keys are available at reboot.

    1. On the enigma system, add the following information to the /etc/inet/secret/ike.preshared file:


      # ike.preshared on enigma for the ada interface
      # 
      { localidtype IP
        localid 192.168.116.16
        remoteidtype IP
        remoteid 192.168.15.7
        # enigma and ada's shared key in hex (32 - 448 bits required)
        key 8d1fb4ee500e2bea071deb2e781cb48374411af5a9671714672bb1749ad9364d
      }
    2. On the ada system, add the following information to the ike.preshared file:


      # ike.preshared on ada for the enigma interface
      # 
      { localidtype IP
        localid 192.168.15.7
        remoteidtype IP
        remoteid 192.168.116.16
        # ada and enigma's shared key in hex (32 - 448 bits required)
        key 8d1fb4ee500e2bea071deb2e781cb48374411af5a9671714672bb1749ad9364d
      }
  6. On each system, restart the IPsec policy service to secure the added interface.


    # svcadm restart policy
    
  7. On each system, refresh the ike service.


    # svcadm refresh ike
    
  8. Verify that the systems can communicate.

    See How to Verify That IKE Preshared Keys Are Identical.


Example 23–3 Adding an IKE Preshared Key for a New IPsec Policy Entry

In the following example, the administrator is adding preshared key to a Solaris system that is not running the current Solaris release. The administrator follows the preceding procedure to modify the ike/config and ike.preshared files, and to generate keys and contact the remote system. The administrator uses different commands to read the new IPsec policy and IKE rules into the kernel.