IPsec and IKE Administration Guide

How to Refresh Existing Preshared Keys

This procedure assumes that you want to replace an existing preshared key at regular intervals without rebooting. If you use a strong encryption algorithm, such as 3DES or Blowfish, you might want to schedule key replacement for when you reboot both machines.

  1. On the system console, become superuser or assume an equivalent role.

    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.

  2. Generate random numbers and construct a key of the appropriate length.

    For details, see How to Generate Random Numbers.

  3. Edit the /etc/inet/secret/ike.preshared file on each system, and replace the current key with a new key.

    For example, on the hosts enigma and partym, you would replace the value of key with a new number of the same length.

  4. Check that the in.iked daemon permits you to change keying material.


    # /usr/sbin/ikeadm get priv
    Current privilege level is 0x2, access to keying material enabled

    You can change keying material if the command returns a privilege level of 0x1 or 0x2. Level 0x0 does not permit keying material operations. By default, the in.iked daemon runs at the 0x0 level of privilege.

  5. If the in.iked daemon permits you to change keying material, read in the new version of the ike.preshared file.


    # ikeadm read preshared

  6. If the in.iked daemon does not permit you to change keying material, kill the daemon and then restart the daemon.


    # pkill in.iked
    # /usr/lib/inet/in.iked


    When the daemon restarts, the daemon reads the new version of the ike.preshared file.
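The six steps above, gathered into one script as an added example; this is not part of the guide or of the Solaris IKE software. The paths and commands are the ones the guide uses (/etc/inet/secret/ike.preshared, /usr/sbin/ikeadm get priv, ikeadm read preshared, pkill in.iked, /usr/lib/inet/in.iked). The helper functions, the parsing of the ikeadm get priv output line, the sample ike.preshared entry (its addresses and key are made up) and the key-length check are assumptions made here so the decision logic can be tried on constructed input without touching a real system.

```shell
#!/bin/sh
# Added example, not part of the guide: refresh a preshared key without rebooting.
# Helper names, the sample entry and the length check are assumptions made here.

IKE_PRESHARED=${IKE_PRESHARED:-/etc/inet/secret/ike.preshared}

# Constructed sample entry in ike.preshared syntax (addresses and key are made up),
# written to $1 so the helpers can be tried without touching the real file.
write_sample_preshared() {
    cat > "$1" <<'EOF'
{
    localidtype IP
    localid 192.168.13.213
    remoteidtype IP
    remoteid 192.168.13.214
    key 8d1fb4ee500e57a2f3a9c0d17e2b64c5
}
EOF
}

# Length in hex characters of the first "key" value in an ike.preshared file,
# so the replacement key (step 3) has the same length as the current one.
current_key_len() {
    awk '$1 == "key" { print length($2); exit }' "$1"
}

# Step 2: a hex key of $1 characters ($1/2 random bytes) from /dev/random.
gen_hex_key() {
    od -An -tx1 -N "$(( $1 / 2 ))" /dev/random | tr -d ' \n'
}

# Step 3: replace the "key" value in file $1 with $2, refusing a key of a
# different length so a truncated or mistyped key is never written. The new
# file is created with mode 0600 and swapped in with a single rename.
replace_key() {
    file=$1 newkey=$2
    tmp="$file.new.$$"
    ( umask 077
      awk -v newkey="$newkey" '
        BEGIN { bad = 0; found = 0 }
        $1 == "key" {
            found = 1
            if (length($2) != length(newkey)) { bad = 1; exit 1 }
            sub(/[ \t]+$/, "")          # drop trailing blanks
            sub(/[^ \t]+$/, newkey)     # swap the last field, keep the indent
        }
        { print }
        END { exit (bad || !found) }
      ' "$file" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Step 4: pull the 0xN privilege level out of the "ikeadm get priv" output line.
priv_level() {
    printf '%s\n' "$1" | sed -n 's/.*privilege level is \(0x[0-9a-fA-F]*\).*/\1/p'
}

# Steps 5 and 6: level 0x1 or 0x2 lets ikeadm reload the file ("read");
# level 0x0 means the daemon must be restarted to pick up the new key.
refresh_action() {
    case "$(priv_level "$1")" in
        0x1|0x2) echo read ;;
        *)       echo restart ;;
    esac
}

# Whole procedure on the local host. Generate the key once, e.g.
#   newkey=$(gen_hex_key "$(current_key_len /etc/inet/secret/ike.preshared)")
# then run refresh_preshared_key "$newkey" as superuser on both hosts
# (enigma and partym in the guide), so both sides hold the same key.
refresh_preshared_key() {
    newkey=$1
    replace_key "$IKE_PRESHARED" "$newkey" || return 1
    case "$(refresh_action "$(/usr/sbin/ikeadm get priv)")" in
        read)    /usr/sbin/ikeadm read preshared ;;
        restart) pkill in.iked; /usr/lib/inet/in.iked ;;
    esac
}
```

The length check in replace_key enforces the guide's "new number of the same length": if the generated key does not match the existing one, the file is left untouched and the function returns non-zero, so the daemon is never pointed at a half-edited file.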