IPsec and IKE Administration Guide

IKE Utilities and Files

This section describes the configuration files for IKE policy, and the various commands that implement IKE. For instructions about how to implement IKE for your network, see Configuring IKE (Task Map).

Table 3–1 IKE Configuration Files and Commands


File or Command	Description
`in.iked` daemon	Internet Key Exchange (IKE) daemon. Activates automated key management.
`ikeadm` command	IKE administration command for viewing and modifying the IKE policy.
`ikecert` command	Certificate database management command for manipulating local publickey certificate databases. The databases can also be stored on an attached Sun Crypto Accelerator 4000 board.
`/etc/inet/ike/config` file	Configuration file for the IKE policy. Contains the site's rules for matching inbound IKE requests and preparing outbound IKE requests. If this file exists, the `in.iked` daemon starts automatically at boot time.
`/etc/inet/secret/ike.preshared` file	Preshared keys file. Contains secret keying material for authentication in the Phase 1 exchange. Used when configuring IKE with preshared keys.
`/etc/inet/secret/ike.privatekeys` file	Private keys directory. Contains the private keys that are part of a public-private key pair.
`/etc/inet/ike/publickeys` directory	Directory that holds public keys and certificate files. Contains the public key part of a public-private key pair.
`/etc/inet/ike/crls` directory	Directory that holds revocation lists for public keys and certificate files.
Sun Crypto Accelerator 1000 board	Hardware that accelerates public key operations by off-loading the operations from the operating system.
Sun Crypto Accelerator 4000 board	Hardware that accelerates public key operations by off-loading the operations from the operating system. The board also stores public keys, private keys, and public key certificates.

IKE Daemon

The in.iked daemon automates the management of cryptographic keys for IPsec on a Solaris system. The daemon negotiates with a remote system that is running the same protocol to provide authenticated keying materials for security associations in a protected manner. The daemon must be running on all systems that plan to communicate securely.

The IKE daemon is automatically loaded at boot time if the configuration file for the IKE policy, /etc/inet/ike/config, exists. The daemon checks the syntax of the configuration file.

When the IKE daemon runs, the system authenticates itself to its peer IKE entity in the Phase 1 exchange. The peer is defined in the IKE policy file, as are the authentication methods. The daemon then establishes the keys for the Phase 2 exchange. At an interval specified in the policy file, the IKE keys are refreshed automatically. The in.iked daemon listens for incoming IKE requests from the network and for requests for outbound traffic through the PF_KEY socket. See the pf_key(7P) man page for more information.

Two commands support the IKE daemon. The ikeadm command enables you to view and modify the IKE policy. The ikecert command enables you to view and manage the publickey databases. This command manages the local databases, ike.privatekeys and publickeys. This command also manages public key operations and the storage of public keys on hardware.

IKE Policy File

The configuration file for the IKE policy, /etc/inet/ike/config, provides the keying rules and global parameters for the IKE daemon itself, and for the IPsec SAs that the file manages. The IKE daemon itself requires keying material in the Phase 1 exchange. Rules in the ike/config file establish the keying material. A valid rule in the policy file contains a label. The rule identifies the systems or networks that the keying material secures, and specifies the authentication method. See Configuring IKE With Preshared Keys (Task Map) for examples of valid policy files. For examples and descriptions of its entries, see the ike.config(4) man page.

The IPsec SAs are used on the IP datagrams that are protected according to policies that are set up in the configuration file for the IPsec policy, /etc/inet/ipsecinit.conf. The IKE policy file determines if PFS is used when creating the IPsec SAs.

The ike/config file can include the path to a library that is implemented according to the following standard: RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki). IKE uses this PKCS #11 library to access hardware for key acceleration and key storage.

The security considerations for the ike/config file are similar to the considerations for the ipsecinit.conf file. See Security Considerations for ipsecinit.conf and ipsecconf for details.

IKE Administration Command

You can use the ikeadm command to do the following:

View aspects of the IKE daemon process
Change the parameters that are passed to the IKE daemon
Display statistics on SA creation during the Phase 1 exchange
Debug IKE processes

See the ikeadm(1M) man page for examples and a full description of this command's options. The privilege level of the running IKE daemon determines which aspects of the IKE daemon can be viewed and modified. You can choose from three levels of privilege.

0x0, or base level: At the base level of privilege, you cannot view or modify keying material. The base level is the default level at which the in.iked daemon runs.
0x1, or modkeys level: At the modkeys level of privilege, you can remove, change, and add preshared keys.
0x2, or keymat level: At the keymat level of privilege, you can view the actual keying material with the ikeadm command.

The security considerations for the ikeadm command are similar to the considerations for the ipseckey command. See Security Considerations for ipseckey for details.

Preshared Keys Files

The /etc/inet/secret directory contains the preshared keys for ISAKMP SAs and IPsec SAs. When you create preshared keys manually, the ike.preshared file contains the preshared keys for ISAKMP SAs, and the ipseckeys file contains the preshared keys for IPsec SAs. The secret directory is protected at 0700. The files in the secret directory are protected at 0600.

You create an ike.preshared file when you configure the ike/config file to require preshared keys. You enter keying material for ISAKMP SAs, that is, for IKE authentication, in the ike.preshared file. Because the preshared keys are used to authenticate the Phase 1 exchange, the file must be valid before the in.iked daemon starts.
The ipseckeys file contains keying material for IPsec SAs. See How to Manually Create IPsec Security Associations for examples of manually managing the file. The IKE daemon does not use this file. The keying material that IKE generates for IPsec SAs is stored in the kernel.

Note –

Preshared keys cannot take advantage of hardware storage. Preshared keys are generated and stored on the system.

IKE Public Key Databases and Commands

The ikecert command manipulates the local system's publickey databases. You use this command when the ike/config file requires public key certificates. Because IKE uses these databases to authenticate the Phase 1 exchange, the databases must be populated before activating the in.iked daemon. Three subcommands handle each of the three databases: certlocal, certdb, and certrldb.

The ikecert command also handles key storage on the Sun Crypto Accelerator 4000 board. The tokens argument to the ikecert command lists the token IDs that are available on the board. The command finds the board through the PKCS #11 library that is specified in the /etc/inet/ike/config file. The PKCS #11 entry must be present. Otherwise, the -T option to the ikecert commands cannot work. The entry appears similar to the following:

pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"

For more information, see the ikecert(1M) man page.

`ikecert tokens` Command

The tokens argument lists the token IDs that are available on the Sun Crypto Accelerator 4000 board. Token IDs enable the ikecert certlocal and ikecert certdb commands to generate public key certificates and certificate requests on the board.

`ikecert certlocal` Command

The certlocal subcommand manages the private-key database. Options to this subcommand enable you to add, view, and remove private keys. This subcommand also creates either a self-signed certificate or a certificate request. The -ks option creates a self-signed certificate. The -kc option creates a certificate request. Keys are stored on the system in the /etc/inet/secret/ike.privatekeys directory, or on attached hardware with the -T option..

When you create a private key, the ikecert command relies on entries in the ike/config file. The correspondences between ikecert options and ike/config entries are shown in the following table.

Table 3–2 Correspondences Between ikecert Options and ike/config Entries


`ikecert` Options	`ike/config` Entry	Notes
`-A` `subject-alternate-name`	`cert_trust` `subject-alternate-name`	A nickname that uniquely identifies the certificate. Possible values are an IP address, an email address, or a domain name.
`-D` `X.509-distinguished-name`	`X.509-distinguished-name`	The full name of the certificate authority that includes the Country, Organization name, Organizational Unit, and Common Name.
`-t dsa-sha1`	`auth_method dss_sig`	An authentication method that is slightly slower than RSA. Is not patented.
`-t rsa-md5`, and `-t rsa-sha1`	`auth_method rsa_sig`	An authentication method that is slightly faster than DSA. Patent expired in September 2000. The RSA public key must be large enough to encrypt the biggest payload. Typically, an identity payload, such as the X.509 distinguished name, is the biggest payload.
`-t rsa-md5`, and `-t rsa-sha1`	`auth_method rsa_encrypt`	RSA encryption hides identities in IKE from eavesdroppers, but requires that the IKE peers know each other's public keys.
`-T`	`pkcs11_path`	The PKCS #11 library handles key acceleration on the Sun Crypto Accelerator 1000 board and the Sun Crypto Accelerator 4000 board. The library also provides the tokens that handle key storage on the Sun Crypto Accelerator 4000 board.

If you issue a certificate request with the ikecert certlocal –kc command, you send the output of the command to a PKI organization or a certificate authority (CA). If your company runs its own PKI, you send the output to your PKI administrator. The PKI organization, the CA, or your PKI administrator then creates certificates. The certificates that the PKI or CA returns to you are input to the certdb subcommand. The CRL that the PKI returns to you is input for the certrldb subcommand.

`ikecert certdb` Command

The certdb subcommand manages the publickey database. Options to the subcommand enable you to add, view, and remove certificates and public keys. The command accepts, as input, certificates that were generated by the ikecert certlocal –ks command on a remote system. See How to Configure IKE With Self-Signed Public Key Certificates for the procedure. This command also accepts the certificate that you receive from a PKI or CA as input. See How to Configure IKE With Certificates Signed by a CA for the procedure.

On the system, the certificates and public keys are stored in the /etc/inet/ike/publickeys directory. The -T option stores the certificates, private keys, and public keys on attached hardware.

`ikecert certrldb` Command

The certrldb subcommand manages the certificate revocation list (CRL) database, /etc/inet/ike/crls. The crls database maintains the revocation lists for public keys. Certificates that are no longer valid are on this list. When PKIs provide you with CRLs, you install the CRLs in the CRL database with the ikecert certrldb command. See How to Handle a Certificate Revocation List for the procedure.

`/etc/inet/ike/publickeys` Directory

The /etc/inet/ike/publickeys directory contains the public part of a public-private key pair and its certificate in files, or slots. The /etc/inet/ike directory is protected at 0755. The ikecert certdb command populates the directory. The -T option stores the keys on the Sun Crypto Accelerator 4000 board rather than in the publickeys directory.

The slots contain, in encoded form, the X.509 distinguished name of a certificate that was generated on another system. If you are using self-signed certificates, you use the certificate that you receive from the administrator of the remote system as input to the command. If you are using certificates from a PKI, you install two pieces of keying material from the PKI into this database. You install a certificate that is based on material that you sent to the PKI. You also install a CA from the PKI.

`/etc/inet/secret/ike.privatekeys` Directory

The /etc/inet/secret/ike.privatekeys directory holds private key files that are part of a public-private key pair, which is keying material for ISAKMP SAs. The directory is protected at 0700. The ikecert certlocal command populates the ike.privatekeys directory. Private keys are not effective until their public key counterparts, self-signed certificates or CAs, are installed. The public key counterparts are stored in the /etc/inet/ike/publickeys directory or on a Sun Crypto Accelerator 4000 board.

`/etc/inet/ike/crls` Directory

The /etc/inet/ike/crls directory contains certificate revocation list (CRL) files. Each file corresponds to a public certificate file in the /etc/inet/ike/publickeys directory. PKI organizations provide the CRLs for their certificates. You use the ikecert certrldb command to populate the database.

IKE Utilities and Files

IKE Daemon

IKE Policy File

IKE Administration Command

Preshared Keys Files

IKE Public Key Databases and Commands

ikecert tokens Command

ikecert certlocal Command

ikecert certdb Command

ikecert certrldb Command

/etc/inet/ike/publickeys Directory

/etc/inet/secret/ike.privatekeys Directory