Securing the Network in Oracle® Solaris 11.2

Updated: August 2014

Comparison of IKEv2 and IKEv1

The following table compares the implementation of the IKEv2 and IKEv1 versions on an Oracle Solaris system.

Table 8-1  IKEv2 and IKEv1 Implementation in Oracle Solaris

| Feature | IKEv2 | IKEv1 |
|---|---|---|
| Certificate chain of trust | Implicit based on objects in keystore | cert_trust parameter in ike/config file |
| Certificate creation | ikev2cert command | ikecert certlocal command |
| Certificate import | ikev2cert import command can import certificates and keys into PKCS #11 keystore | ikecert certdb command can import standalone certificates into IKE keystore |
| Certificate owner | ikeuser | root |
| Certificate policy file | kmf-policy.xml | Some policy in ike/config file |
| Certificate storage | PKCS #11 softtoken library | Local IKEv1 databases |
| Configuration file directory | /etc/inet/ike/ | /etc/inet/ike/ and /etc/inet/secret/ |
| Configuration owner | ikeuser account | root account |
| Daemon | in.ikev2d | in.iked |
| FIPS 140 algorithms for traffic between daemons | IKE SAs use the Cryptographic Framework | Not all exchanges use the Cryptographic Framework |
| FIPS 140 algorithms for IPsec traffic | Use the Cryptographic Framework | Use the Cryptographic Framework |
| IKE policy file | ike/ikev2.config | ike/config |
| IKE preshared keys | ike/ikev2.preshared | secret/ike.preshared |
| NAT port | UDP port 4500 | UDP port 4500 |
| Port | UDP port 500 | UDP port 500 |
| Rights profile | Network IPsec Management | Network IPsec Management |
| Service name (FMRI) | svc:/ipsec/ike:ikev2 | svc:/ipsec/ike:default |

The Cryptographic Framework feature of Oracle Solaris 11.1 SRU 5.5 and SRU 3 is validated for FIPS 140-2, Level 1. If FIPS 140 mode is enabled and the Cryptographic Framework is being used, then FIPS 140-validated algorithms are used. By default, FIPS 140 mode is not enabled.