You can view the properties of the IKE service, aspects of the IKE state and IKE daemon object, and certificate validation policy. If you are running both IKE services, you can display information per service or for both services. These commands can be helpful during testing, troubleshooting, and monitoring.
Viewing the properties of the IKE service instances – The output displays the configurable properties of the IKEv2 service, including the names of the configuration files.
% svccfg -s ipsec/ike:ikev2 listprop config config application config/allow_keydump boolean false config/config_file astring /etc/inet/ike/ikev2.config config/ignore_errors boolean false config/kmf_policy astring /etc/inet/ike/kmf-policy.xml config/max_child_sas integer 0 config/max_threads integer 0 config/min_threads integer 0 config/preshared_file astring /etc/inet/ike/ikev2.preshared config/response_wait_time integer 30 config/value_authorization astring solaris.smf.value.ipsec config/debug_logfile astring config/debug_level astring op
The output in the following example displays the configurable properties of the IKEv1 service. Do not specify the :default service instance.
% svccfg -s ipsec/ike listprop config config application config/admin_privilege astring base config/config_file astring /etc/inet/ike/config config/debug_level astring op config/debug_logfile astring /var/log/in.iked.log config/ignore_errors boolean false config/value_authorization astring solaris.smf.value.ipsec
Viewing the current state of the IKE daemon – The output in the following example displays the arguments to the ikeadm command. These arguments display the current state of the daemon.
% ikeadm help
...
get debug|priv|stats|p1|ikesa|rule|preshared|defaults [identifier]
dump p1|ikesa|rule|preshared|certcache|groups|encralgs|authalgs
read rule|preshared [filename]
help [get|set|add|del|dump|flush|read|write|token|help]
Showing the syntax of a specific argument to the ikeadm command – Use the help subcommands to show command argument syntax. For example:
% ikeadm help read
This command reads a new configuration file into
in.iked, discarding the old configuration info.
Sets of data that may be read include:
rule all phase 1/ikesa rules
preshared all preshared keys
A filename may be provided to specify a source file
other than the default.
Viewing preshared keys – You can view preshared keys for IKEv1 and IKEv2.
For IKEv2:
# ikeadm -v2 dump preshared
For IKEv1:
# ikeadm set priv keymat # ikeadm -v1 dump preshared PSKEY: Rule label: "Test PSK 197 to 56" PSKEY: Local pre-shared key (80 bytes): 74206272696c6c696720...3/584 PSKEY: Remote pre-shared key (80 bytes): 74206272696c6c696720...3/584 Completed dump of preshared keys
Viewing IKE SAs – The output includes information about the SA, the transform, the local and remote systems, and other details. If communication has not been requested, no SAs exist, so no information exists to display.
# ikeadm -v2 dump ikesa IKESA: SPIs: Local 0xd3db95689459cca4 Remote 0xb5878717f5cfa877 ... XFORM: Encryption alg: aes-cbc(256..256); Authentication alg: hmac-sha512 ... LOCIP: AF_INET: port 500, 10.1.2.3 (example-3). ... REMIP: AF_INET: port 500, 10.1.4.5 (ex-2). ... LIFTM: SA expires in 11459 seconds (3.18 hours) ... STATS: 0 IKE SA rekeys since initial AUTH. LOCID: Initiator identity, type FQDN ... CHILD: ESP Inbound SPI: 0x94841ca3, Outbound SPI 0x074ae1e5 ... Completed dump of IKE SA info
Viewing active IKE rules – A listed IKE rule might not be in use, but it is available for use.
# ikeadm -v2 dump rule GLOBL: Label 'Test Rule1 for PSK', key manager cookie 1 GLOBL: Local auth method=pre-shared key GLOBL: Remote auth method=pre-shared key GLOBL: childsa_pfs=false GLOBL: authentication_lifetime=86400 seconds (1.00 day) GLOBL: childsa_lifetime=120 seconds (2.00 minutes) GLOBL: childsa_softlife=108 seconds (1.80 minute) GLOBL: childsa_idletime=60 seconds GLOBL: childsa_lifetime_kb=122880 kilobytes (120.00 MB) GLOBL: childsa_softlife_kb=110592 kilobytes (108.00 MB) LOCIP: IP address range(s): LOCIP: 10.142.245.197 REMIP: IP address range(s): REMIP: 10.134.64.56 LOCID: Identity descriptors: LOCID: Includes: LOCID: fqdn="gloria@ms.mag" REMID: Identity descriptors: REMID: Includes: REMID: fqdn="gloria@ms.mag" XFRMS: Available Transforms: XF 0: Encryption alg: aes-cbc(128..256); Authentication alg: hmac-sha512 XF 0: PRF: hmac-sha512 ; Diffie-Hellman Group: 2048-bit MODP (group 14) XF 0: IKE SA lifetime before rekey: 14400 seconds (4.00 hours) Completed dump of policy rules
Viewing certificate validation policy in IKEv2 – You must specify the dbfile value and the policy value.
Dynamically downloaded CRLs might require administrator intervention to adjust the responder timeout.
In the output in the following example, the CRLs are downloaded from the URI that is embedded in the certificate, then the lists are cached. When the cache contains an expired CRL, a new CRL is downloaded to replace the old one.
# kmfcfg list dbfile=/etc/inet/ike/kmf-policy.xml policy=default
…
Validation Policy Information:
Maximum Certificate Revocation Responder Timeout: 10
Ignore Certificate Revocation Responder Timeout: true
…
CRL:
Base filename: [not set]
Directory: /var/user/ikeuser/crls
Download and cache CRL: true
CRL specific proxy override: www-proxy.cagate.example.com:80
Ignore CRL signature: false
Ignore CRL validity date: false
IPsec policy bypass on outgoing connections: true
…
Statically downloaded CRLs require frequent administrator attention.
When the administrator sets the CRL entries to the following values, the administrator is responsible for manually downloading the CRLs, populating the directory, and maintaining current CRLs:
…
Directory: /var/user/ikeuser/crls
Download and cache CRL: false
Proxy: [not set]
…