System Administration Guide: IP Services

How to Refresh Existing Pre-Shared Keys

This procedure assumes that you want to replace an existing pre-shared key. If you use a strong encryption algorithm, such 3DES, AES, or Blowfish, you may be able to schedule key replacement for when you reboot both machines. This procedure is for machines using an algorithm like DES to secure traffic.

  1. Become superuser on the system console.

    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.

  2. Generate random keys and choose one.

    On a Solaris system, you can use the od command.

    # od -x </dev/random | head -2
    0000000 305e c563 69ca 62c2 ae80 4690 c571 3e18
    0000020 be43 9533 d50f ec49 c7fe cf3c 8f13 91c0
  3. Edit the /etc/inet/secret/ike.preshared file on each system, and replace the current key with a new key.

    For example, on the hosts enigma and partym, you would replace the value of key with a new number, like be439533d50fec49c7fecf3c8f1391c0.

  4. Check that the in.iked daemon permits you to change keying material.

    # /usr/sbin/ikeadm get priv
    Current privilege level is 0x2, access to keying material enabled

    You can change keying material if the command returns a privilege level of 0x1 or 0x2. Level 0x0 does not permit keying material operations. By default, the in.iked daemon runs at the 0x0 level of privilege.

  5. If the in.iked daemon permits you to change keying material, read in the new version of the ike.preshared file.

    For example,

    # ikeadm read preshared
  6. If the in.iked daemon does not permit you to change keying material, kill the daemon and then restart it.

    When the daemon starts, it reads the new version of the ike.preshared file.

    For example,

    # pkill in.iked
    # /usr/lib/inet/in.iked