in.iked performs automated key management for IPsec using the Internet Key Exchange (IKE) protocol.
IKE authentication with either pre-shared keys, DSS signatures, RSA signatures, or RSA encryption.
Diffie-Hellman key derivation using either 768, 1024, or 1536-bit public key moduli.
Authentication protection with cipher choices of DES, Blowfish, or 3DES, and hash choices of either HMAC-MD5 or HMAC-SHA-1. Encryption in in.iked is limited to the IKE authentication and key exchange. See ipsecesp(7P) for information regarding IPsec protection choices.
in.iked starts at boot time if the /etc/inet/ike/config file exists. \ ike.config(4) for the format of this file.
in.iked listens for incoming IKE requests from the network and for requests for outbound traffic using the PF_KEY socket. See pf_key(7P).
IKE only works for IPv4.
The SIGHUP signal causes the IKE daemon to read /etc/inet/ike/config and reload the certificate database. SIGHUP is equivalent to using ikeadm(1M) to read the /etc/inet/ike/config file as a rule, for example:
example# ikeadm read rule /etc/inet/ike/config
The following options are supported:
Check the syntax of a configuration file.
Use debug mode. The process stays attached to the controlling terminal and produces large amounts of debugging output.
Use filename instead of /etc/inet/ike/config. See ike.config(4) for the format of this file.
Specify privilege level (level). This option sets how much ikeadm(1M) invocations can change or observe about the running in.iked.
Valid levels are:
Access to preshared key info
Access to keying material
If -p is not specified, level defaults to 0.
This program has sensitive private keying information in its image. Care should be taken with any core dumps or system dumps of a running in.iked, as these files contain sensitive keying information. Use the coreadm(1M) command to limit any corefiles produced by in.iked.
Private keys. A private key must have a matching public-key certificate with the same filename in /etc/inet/ike/publickeys/.
Public-key certificates. The names are only important with regard to matching private key names.
Public key certificate revocation lists.
IKE pre-shared secrets for Phase I authentication.
See attributes(5) for descriptions of the following attributes:
Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE). Network Working Group. November 1998.
Maughan, Douglas, Schertler, M., Schneider, M., Turner, J. RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP). Network Working Group. November 1998.
Piper, Derrell, RFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP. Netwrok Working Group. November 1998.