
Securing the Network in Oracle® Solaris 11.3


Updated: April 2019

How to Add a New Peer When Using Preshared Keys in IKEv2

If you add IPsec policy entries to a working configuration between the same peers, you need to refresh the IPsec policy service. You do not need to reconfigure or restart IKE.

If you add a new peer to the IPsec policy, the IPsec changes alone are not enough: you must also add an IKEv2 rule for the new peer and a preshared key under a matching label, then refresh the IKEv2 service, as described in this procedure.

Before You Begin

You have updated the ipsecinit.conf file and refreshed IPsec policy for the peer systems.

You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

If you administer remotely, see Example 31, Configuring IPsec Policy Remotely by Using an ssh Connection and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.3 for secure remote login instructions.

  1. Create a rule for IKEv2 to manage the keys for the new system that is using IPsec.
    1. For example, on the host1 system, add the following rule to the /etc/inet/ike/ikev2.config file:
      # pfedit /etc/inet/ike/ikev2.config
      ## ikev2.config file on host1, 192.0.2.16
      ...
      ## The rule to communicate with host3
      ##  Label must be unique
      {label "host1-host3"
       auth_method preshared
       local_addr  192.0.2.16
       remote_addr 192.0.2.7
      }

      For information about the options to the pfedit command, see the pfedit(1M) man page.

    2. On the host3 system, add the following rule:
      ## ikev2.config file on host3, 192.0.2.7
      ...
      ## The rule to communicate with host1
      {label "host3-host1"
       auth_method preshared
       local_addr  192.0.2.7
       remote_addr 192.0.2.16
      }
  2. (Optional) On each system, verify the syntax of the file.
    # /usr/lib/inet/in.ikev2d -c -f /etc/inet/ike/ikev2.config
  3. Create an IKEv2 preshared key for the peer systems.
    1. Generate the key on host1. With keystore=file, pktool writes the key to the file named by outkey (ikemykey, in the current directory), and print=y also displays its value so that you can paste it into ikev2.preshared.
      $ pktool genkey keystore=file outkey=ikemykey keytype=aes keylen=256 print=y
      Key Value ="2b823670b5aa1a..."
    2. On the host1 system, add the following information to the /etc/inet/ike/ikev2.preshared file:
      # pfedit -s /etc/inet/ike/ikev2.preshared
      ## ikev2.preshared on host1 for the host3 interface
      ...
      ## The rule to communicate with host3 
      ##  Label must match the label of the rule
      { label "host1-host3"
        # host1 and host3's shared key
          key "2b823670b5aa1a..."
      }

      For information about the options to the pfedit command, see the pfedit(1M) man page.

    3. Remove the ikemykey key file from host1, then copy the ikev2.preshared file to host3 over a secure channel such as ssh. The preshared key is the only thing that authenticates the two peers to each other, so never send it in clear text, and keep the ikev2.preshared file on both systems readable by root only.
    4. On the host3 system, add the same key to the ikev2.preshared file under the label of host3's rule, host3-host1. The label in ikev2.preshared must match the label of the rule in that system's ikev2.config, so if you copied host1's file, change the label:
      ## ikev2.preshared on host3 for the host1 interface
      ...
      { label "host3-host1"
        # host3 and host1's shared key
          key "2b823670b5aa1a..."
      }
  4. On each system, read the changes into the kernel.
    • If the service is enabled, refresh it.
      # svcadm refresh ikev2
    • If the service is not enabled, enable it.
      # svcadm enable ikev2
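
The procedure depends on two things being right on each peer before the refresh: every preshared rule in ikev2.config has a key entry with exactly the same label in ikev2.preshared, and the key value is a plausible hex key. The following script, an added example that is not part of the Oracle Solaris documentation, checks both. The two sample files and the 64-digit key value are constructed for the demo and written to a temporary directory; on a real system pass /etc/inet/ike/ikev2.config and /etc/inet/ike/ikev2.preshared to the functions instead.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: cross-check
# ikev2.config against ikev2.preshared on a peer before svcadm refresh ikev2.
# File contents and the key value below are constructed for the demo.

# Print the labels of rule blocks in an IKEv2 file, one per line.
#   ike_labels FILE preshared  -> labels of ikev2.config rules with auth_method preshared
#   ike_labels FILE key        -> labels of ikev2.preshared blocks that carry a key
ike_labels() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }                       # comment lines never open a block
        /[{]/ { inblk = 1; label = ""; method = ""; haskey = 0 }
        inblk && /label[[:space:]]*"/ {
            s = $0; sub(/.*label[[:space:]]*"/, "", s); sub(/".*/, "", s); label = s
        }
        inblk && /^[[:space:]]*auth_method[[:space:]]/ { method = $2 }
        inblk && /^[[:space:]]*key[[:space:]]*"/       { haskey = 1 }
        /[}]/ {
            if (inblk && label != "" &&
                ((want == "preshared" && method == "preshared") ||
                 (want == "key" && haskey)))
                print label
            inblk = 0
        }
    ' "$1"
}

# Every preshared rule in CFG needs a key under the same label in PSK, and
# every key in PSK needs a rule in CFG. Prints each mismatch; returns 0 only
# when the two files agree.
ike_check_labels() {
    cfg=$1; psk=$2
    problems=$(
        ike_labels "$cfg" preshared | while read -r l; do
            ike_labels "$psk" key | grep -qx -e "$l" ||
                echo "rule \"$l\" uses preshared auth but has no key in $psk"
        done
        ike_labels "$psk" key | while read -r l; do
            ike_labels "$cfg" preshared | grep -qx -e "$l" ||
                echo "key \"$l\" in $psk matches no preshared rule in $cfg"
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# A key value must be hex, of even length, and at least 32 hex digits
# (128 bits); pktool genkey keytype=aes keylen=256 produces 64 hex digits.
ike_key_ok() {
    case $1 in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ] && [ "${#1}" -ge 32 ]
}

# --- constructed sample files, host1's view (192.0.2.0/24 is documentation space)
DEMO_DIR=$(mktemp -d)
cat >"$DEMO_DIR/ikev2.config" <<'EOF'
## ikev2.config on host1, 192.0.2.16
{label "host1-host3"
 auth_method preshared
 local_addr  192.0.2.16
 remote_addr 192.0.2.7
}
EOF
# Correct: the label matches host1's rule. The key is a constructed placeholder.
cat >"$DEMO_DIR/ikev2.preshared" <<'EOF'
## ikev2.preshared on host1
{ label "host1-host3"
  # host1 and host3's shared key
    key "2b823670b5aa1a2b823670b5aa1a2b823670b5aa1a2b823670b5aa1a2b823670"
}
EOF
# Wrong: the file still carries the peer's label after being copied across.
cat >"$DEMO_DIR/ikev2.preshared.bad" <<'EOF'
{ label "host3-host1"
    key "2b823670b5aa1a2b823670b5aa1a2b823670b5aa1a2b823670b5aa1a2b823670"
}
EOF

ike_check_labels "$DEMO_DIR/ikev2.config" "$DEMO_DIR/ikev2.preshared" && echo "labels agree"
ike_check_labels "$DEMO_DIR/ikev2.config" "$DEMO_DIR/ikev2.preshared.bad" ||
    echo "fix the label before refreshing ikev2"
```

Run it on each peer after editing both files. It complements, and does not replace, the in.ikev2d -c syntax check above: a label that parses correctly but does not match the rule on that host is exactly the mistake this catches, and it is the usual result of copying ikev2.preshared from the other peer without changing the label.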

Next Steps

If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.