System Administration Guide: IP Services

How to Add New Pre-Shared Keys

On a system running the in.iked daemon, you can add pre-shared keys for interfaces that you have added to the ipsecinit.conf file after the daemon was invoked. This procedure assumes that you have already added the new interfaces to the /etc/hosts file and the /etc/inet/ipsecinit.conf file on both systems, and that you have not yet read the ipsecinit.conf file into each system.

  1. Become superuser on the system console.


    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.


  2. Check that the in.iked daemon permits you to change keying material.


    # /usr/sbin/ikeadm get priv
    Current privilege level is 0x2, access to keying material enabled

    You can change keying material if the command returns a privilege level of 0x1 or 0x2. Level 0x0 does not permit keying material operations. By default, the in.iked daemon runs at the 0x0 level of privilege.

  3. If the in.iked daemon does not permit you to change keying material, kill the daemon and then start it with the correct privilege level.

    For example,


    # pkill in.iked
    # /usr/lib/inet/in.iked -p 2
    Setting privilege level to 2!

  4. Generate random keys and choose one.

    On a Solaris system, you can use the od command.


    # od -x </dev/random | head -2
    0000000 2d86 b6f6 eb7a e8a9 3d83 58b2 cd17 4164
    0000020 8be4 fea4 b456 933a 46dd 149a 0a10 b2e4

  5. Type the ikeadm command on each system to add the new keying material.

    For example, if you are on host enigma (192.168.66.1) and are adding the key for host nemesis (192.163.55.8):


    # ikeadm
    ikeadm> add preshared { localidtype ip localid 192.168.66.1
    remoteidtype ip remoteid 192.163.55.8 ike_mode main
    key 2d86b6f6eb7ae8a93d8358b2cd174164 }
    ikeadm: Successfully created new preshared key.

    On host nemesis, the administrator would add the identical key, as in:


    # ikeadm
    ikeadm> add preshared { localidtype ip localid 192.163.55.8
    remoteidtype ip remoteid 192.168.66.1 ike_mode main
    key 2d86b6f6eb7ae8a93d8358b2cd174164 }
    ikeadm: Successfully created new preshared key.


    Note –

    A message of the form Error: invalid preshared key definition indicates that you have mistyped or omitted a parameter to the add preshared command. Retype the command correctly to add the key.


  6. Exit the ikeadm command mode.


    ikeadm> exit
    #

  7. On each system, lower the privilege level of the in.iked daemon.


    # ikeadm set priv base

  8. On each system, activate the ipsecinit.conf file to secure the added interfaces.


    # ipsecconf -a /etc/inet/ipsecinit.conf


    Note –

    Read the warning when you execute the command. A socket that is already in use (latched) provides an unsecured back door into the system.
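The steps above, as an added POSIX shell helper that is not part of this guide or of the Solaris ikeadm tooling: it turns od-style output into the 32-hex-digit key, refuses anything that is not 128 bits of hex, builds the mirrored add preshared commands for both peers, and decides from the ikeadm get priv text whether the daemon will accept keying changes. The od sample is constructed (not live /dev/random output), and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added helper (not from the Solaris guide). Assumes the od and ikeadm
# output formats shown in the procedure above.

# Constructed sample of "od -x </dev/random | head -2" output, not live entropy.
SAMPLE_OD='0000000 2d86 b6f6 eb7a e8a9 3d83 58b2 cd17 4164
0000020 8be4 fea4 b456 933a 46dd 149a 0a10 b2e4'

# Take the first od line, drop the offset column, and join the eight
# 16-bit words into one 32-hex-digit (128-bit) key.
key_from_od() {
    printf '%s\n' "$1" | awk 'NR == 1 { for (i = 2; i <= NF; i++) printf "%s", $i; print "" }'
}

# A usable key is exactly 32 lowercase hex digits; anything else is rejected.
key_is_valid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# Build the ikeadm command for one side; the peer gets local and remote swapped.
preshared_cmd() {
    printf 'add preshared { localidtype ip localid %s remoteidtype ip remoteid %s ike_mode main key %s }\n' "$1" "$2" "$3"
}

# Inspect "ikeadm get priv" output: only levels 0x1 and 0x2 allow keying
# material to be changed; 0x0 (the default) does not.
priv_allows_keying() {
    case "$1" in
        *'privilege level is 0x1'*|*'privilege level is 0x2'*) return 0 ;;
        *) return 1 ;;
    esac
}

key=$(key_from_od "$SAMPLE_OD")
key_is_valid "$key" || { echo "rejected key: $key" >&2; exit 1; }
preshared_cmd 192.168.66.1 192.163.55.8 "$key"   # entered on enigma
preshared_cmd 192.163.55.8 192.168.66.1 "$key"   # entered on nemesis
```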