Securing the Network in Oracle® Solaris 11.2


Updated: August 2014
 
 

How to Configure IKEv2 With Preshared Keys

Substitute the names of your systems for the names enigma and partym in this procedure. You configure both IKE endpoints.

Before You Begin

You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

If you administer remotely, see Example 7–1 and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.2 for secure remote login instructions.

  1. On each system, edit the /etc/inet/ike/ikev2.config file.
    # pfedit /etc/inet/ike/ikev2.config
  2. In the file, create a rule that uses preshared keys.

    Note - You will create the keys in Step 4.

    The rules and global parameters in this file must manage the keys in the IPsec policy in the system's ipsecinit.conf file. The following IKEv2 configuration examples manage the keys of the ipsecinit.conf examples in How to Secure Network Traffic Between Two Servers With IPsec.

    1. For example, modify the ikev2.config file on the enigma system:

      Note - This example shows two transforms in the global parameters section. A peer can be configured with either of these transforms. To require a particular transform, include that transform in the rule.
      ### ikev2.config file on enigma, 192.168.116.16
      
      ## Global parameters
      # This default value will apply to all transforms that follow
      #
      ikesa_lifetime_secs 3600
      #
      # Global transform definitions.  The algorithm choices are
      # based on RFC 4921.
      #
      ## Two transforms are acceptable to this system, Group 20 and Group 19.
      ## A peer can be configured with 19 or 20.
      ## To ensure that a particular peer uses a specific transform,
      ## include the transform in the rule.
      ## 
      # Group 20 is 384-bit ECP - Elliptic Curve over Prime
      ikesa_xform { encr_alg aes(256..256) auth_alg sha384 dh_group 20 }
      # Group 19 is 256-bit ECP
      ikesa_xform { encr_alg aes(128..128) auth_alg sha256 dh_group 19 }
      #
      ## The rule to communicate with partym
      ##  Label must be unique
      { label "enigma-partym"
        auth_method preshared
        local_addr  192.168.116.16
        remote_addr 192.168.13.213
      }
    2. Modify the ikev2.config file on the partym system:
      ## ikev2.config file on partym, 192.168.13.213
      ## Global Parameters
      #
      ...
      ikesa_xform { encr_alg aes(256..256) auth_alg sha384 dh_group 20 }
      ikesa_xform { encr_alg aes(128..128) auth_alg sha256 dh_group 19 }
      ...
      ## The rule to communicate with enigma
      ##  Label must be unique
      { label "partym-enigma"
        auth_method preshared
        local_addr  192.168.13.213
        remote_addr 192.168.116.16
      }
  3. On each system, verify the syntax of the file.
    # /usr/lib/inet/in.ikev2d -c
  4. Put the preshared key in the /etc/inet/ike/ikev2.preshared file on each system.

    Caution - This file has special permissions and is owned by ikeuser. Never delete or replace this file. Instead, use the pfedit command to edit its contents so that the file retains its original properties.


    1. For example, on the enigma system, the ikev2.preshared file would appear similar to the following:
      # pfedit -s /etc/inet/ike/ikev2.preshared
      ## ikev2.preshared on enigma, 192.168.116.16
      #…
      ## label must match the rule that uses this key
      { label "enigma-partym"
      ## The preshared key can also be represented in hex
      ## as in 0xf47cb0f432e14480951095f82b
         key "This is an ASCII Cqret phrAz, use str0ng p@ssword tekniques"
      }

      For information about the options to the pfedit command, see the pfedit(1M) man page.

    2. On the partym system, the ikev2.preshared file is similar except for its unique label:
      ## ikev2.preshared on partym, 192.168.13.213
      #…
      ## label must match the label of the rule that uses this key
      { label "partym-enigma"
      ## The preshared key can also be represented in hex
      ## as in 0xf47cb0f432e14480951095f82b
         key "This is an ASCII Cqret phrAz, use str0ng p@ssword tekniques"
      }
  5. Enable the IKEv2 service instance.
    # svcadm enable ipsec/ike:ikev2

    When replacing the preshared key, edit the preshared key files on the peer systems and restart the ikev2 service.

    # svcadm restart ikev2
Example 9-1  Using Different Local and Remote IKEv2 Preshared Keys

In this example, the IKEv2 administrators create a preshared key per system, exchange them, and add each key to the preshared key file. The label of the preshared key entry matches the label in a rule in the ikev2.config file. Then, they restart the in.ikev2d daemons.

After receiving the other system's preshared key, the administrator edits the ikev2.preshared file. The file on partym is the following:

# pfedit -s /etc/inet/ike/ikev2.preshared
#…
{ label "partym-enigma"
## local and remote preshared keys 
local_key  "P-LongISH key Th@t m^st Be Ch*angEd \'reguLarLy)"
remote_key "E-CHaNge lEyeGhtB+lBs et KeeS b4 2LoOoOoOoOng"
}

Therefore, the ikev2.preshared keys file on enigma must be the following:

#…
{ label "enigma-partym"
## local and remote preshared keys 
local_key  "E-CHaNge lEyeGhtB+lBs et KeeS b4 2LoOoOoOoOng"
remote_key "P-LongISH key Th@t m^st Be Ch*angEd \'reguLarLy)"
}

The administrators restart the IKEv2 service instance on each system.

# svcadm restart ikev2
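
A mismatch between the label in an ikev2.config rule and the label in ikev2.preshared, mirrored addresses that do not line up, or local and remote keys that were not swapped correctly on the second system are the usual reasons an IKEv2 preshared-key setup fails to authenticate. The following script is an added example, not part of the Oracle manual or of the in.ikev2d tooling: it writes constructed copies of the files from Step 2, Step 4 and Example 9-1 to a temporary directory and checks them for exactly those three inconsistencies. It covers both preshared-key layouts on this page (a single key entry, and the local_key/remote_key pair of Example 9-1) and assumes labels contain no whitespace. The function names (field_value, labels, check_labels, check_addrs, check_keys) are this example's own.

```shell
#!/bin/sh
# Added consistency check (not part of the Oracle manual): confirm that each
# ikev2.config rule has an ikev2.preshared entry with the same label, that the
# peers' local_addr/remote_addr mirror each other, and that the keys agree
# (one shared "key", or local_key/remote_key swapped as in Example 9-1).
# Assumption: labels contain no whitespace. Sample files below are constructed
# copies of the procedure's examples, written to a temporary directory.
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT

cat > "$D/enigma.config" <<'EOF'
{ label "enigma-partym"
  auth_method preshared
  local_addr  192.168.116.16
  remote_addr 192.168.13.213
}
EOF
cat > "$D/partym.config" <<'EOF'
{ label "partym-enigma"
  auth_method preshared
  local_addr  192.168.13.213
  remote_addr 192.168.116.16
}
EOF
# Step 4 layout: one key shared by both peers.
cat > "$D/enigma.preshared" <<'EOF'
## label must match the rule that uses this key
{ label "enigma-partym"
   key "This is an ASCII Cqret phrAz, use str0ng p@ssword tekniques"
}
EOF
cat > "$D/partym.preshared" <<'EOF'
{ label "partym-enigma"
   key "This is an ASCII Cqret phrAz, use str0ng p@ssword tekniques"
}
EOF
# Example 9-1 layout: a different key per system, swapped on the peer.
cat > "$D/enigma.preshared.2" <<'EOF'
{ label "enigma-partym"
local_key  "E-CHaNge lEyeGhtB+lBs et KeeS b4 2LoOoOoOoOng"
remote_key "P-LongISH key Th@t m^st Be Ch*angEd \'reguLarLy)"
}
EOF
cat > "$D/partym.preshared.2" <<'EOF'
{ label "partym-enigma"
local_key  "P-LongISH key Th@t m^st Be Ch*angEd \'reguLarLy)"
remote_key "E-CHaNge lEyeGhtB+lBs et KeeS b4 2LoOoOoOoOng"
}
EOF

# field_value FILE LABEL FIELD: print FIELD's value (quotes stripped) from the
# entry whose label is LABEL. Comment lines starting with # are ignored.
field_value() {
  awk -v want="$2" -v field="$3" '
    /^[[:space:]]*#/ { next }
    /label[[:space:]]+"/ { split($0, p, "\""); cur = p[2] }
    cur == want && $1 == field {
      v = $0
      sub("^[[:space:]]*" field "[[:space:]]*", "", v)
      sub("^\"", "", v); sub("\"[[:space:]]*$", "", v)
      print v; exit
    }' "$1"
}

# labels FILE: print the label of every entry in the file, one per line.
labels() {
  awk '/^[[:space:]]*#/ { next } /label[[:space:]]+"/ { split($0, p, "\""); print p[2] }' "$1"
}

# check_labels CONFIG PRESHARED: every rule label needs a matching key entry.
check_labels() {
  rc=0
  for l in $(labels "$1"); do
    if ! labels "$2" | grep -qxF -- "$l"; then
      echo "no preshared entry for rule label \"$l\" in $2" >&2; rc=1
    fi
  done
  return $rc
}

# check_addrs CFG_A LABEL_A CFG_B LABEL_B: A's local_addr must be B's
# remote_addr and vice versa.
check_addrs() {
  [ "$(field_value "$1" "$2" local_addr)" = "$(field_value "$3" "$4" remote_addr)" ] &&
  [ "$(field_value "$1" "$2" remote_addr)" = "$(field_value "$3" "$4" local_addr)" ]
}

# check_keys PSK_A LABEL_A PSK_B LABEL_B: with a single "key", both sides must
# hold the same non-empty value; otherwise A's local_key must equal B's
# remote_key and A's remote_key must equal B's local_key. Mixing the two
# layouts is rejected.
check_keys() {
  ka=$(field_value "$1" "$2" key); kb=$(field_value "$3" "$4" key)
  if [ -n "$ka" ] || [ -n "$kb" ]; then
    [ -n "$ka" ] && [ "$ka" = "$kb" ]; return $?
  fi
  al=$(field_value "$1" "$2" local_key); ar=$(field_value "$1" "$2" remote_key)
  bl=$(field_value "$3" "$4" local_key); br=$(field_value "$3" "$4" remote_key)
  [ -n "$al" ] && [ -n "$ar" ] && [ "$al" = "$br" ] && [ "$ar" = "$bl" ]; return $?
}

# Stand-alone run over the constructed files; the checks are silent on success.
check_labels "$D/enigma.config" "$D/enigma.preshared" &&
check_addrs "$D/enigma.config" enigma-partym "$D/partym.config" partym-enigma &&
check_keys "$D/enigma.preshared" enigma-partym "$D/partym.preshared" partym-enigma &&
check_keys "$D/enigma.preshared.2" enigma-partym "$D/partym.preshared.2" partym-enigma &&
echo "ikev2.config and ikev2.preshared entries are consistent"
```

On real systems the preshared files are readable only by ikeuser, so run the checks from a profile shell that can read /etc/inet/ike/ikev2.preshared on each peer (or compare copies collected from both), and run them before `svcadm restart ikev2` rather than after an authentication failure.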

Next Steps

If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.

For more examples, see the ikev2.config (4) and ikev2.preshared (4) man pages.