System Administration Guide: IP Services

IPsec Utilities and Files

Table 19–3 describes the files, commands, and service identifiers that are used to configure and manage IPsec. For completeness, the table includes key management files, socket interfaces, and commands.

Starting in the Solaris 10 4/09 release, IPsec is managed by SMF. For more information about service identifiers, see Chapter 18, Managing Services (Overview), in System Administration Guide: Basic Administration.

For instructions on implementing IPsec on your network, see Protecting Traffic With IPsec (Task Map).
For more details about IPsec utilities and files, see Chapter 21, IP Security Architecture (Reference).

Table 19–3 List of Selected IPsec Utilities and Files


IPsec Utility, File, or Service	Description	Man Page
`svc:/network/ipsec/ipsecalgs`	In the current release, the SMF service that manages IPsec algorithms.	smf(5), ipsecalgs(1M)
`svc:/network/ipsec/manual-key`	In the current release, the SMF service that manages manual security associations (SAs).	smf(5), ipseckey(1M)
`svc:/network/ipsec/policy`	In the current release, the SMF service that manages IPsec policy.	smf(5), ipsecconf(1M)
`svc:/network/ipsec/ike`	In the current release, the SMF service for the automatic management of IPsec SAs.	smf(5), in.iked(1M)
`/etc/inet/ipsecinit.conf` file	IPsec policy file. In releases prior to the Solaris 10 4/09 release, if this file exists, IPsec is activated at boot time. In the current release, the SMF `policy` service uses this file to configure IPsec policy at system boot.	ipsecconf(1M)
`ipsecconf` command	IPsec policy command. Useful for viewing and modifying the current IPsec policy, and for testing. In releases prior to the Solaris 10 4/09 release, the boot scripts use `ipsecconf` to read the `/etc/inet/ipsecinit.conf` file and activate IPsec. In the current release, `ipsecconf` is used by the SMF `policy` service to configure IPsec policy at system boot.	ipsecconf(1M)
`PF_KEY` socket interface	Interface for the security associations database (SADB). Handles manual key management and automatic key management.	pf_key(7P)
`ipseckey` command	IPsec SAs keying command. `ipseckey` is a command-line front end to the `PF_KEY` interface. `ipseckey` can create, destroy, or modify SAs.	ipseckey(1M)
`/etc/inet/secret/ipseckeys` file	Keys for IPsec SAs. In releases prior to the Solaris 10 4/09 release, if the `ipsecinit.conf` file exists, the `ipseckeys` file is automatically read at boot time. In the current release, `ipseckeys` is used by the SMF `manual-key` service to configure SAs manually at system boot.
`ipsecalgs` command	IPsec algorithms command. Useful for viewing and modifying the list of IPsec algorithms and their properties. In the current release, is used by the SMF `ipsecalgs` service to synchronize known IPsec algorithms with the kernel at system boot.	ipsecalgs(1M)
`/etc/inet/ipsecalgs` file	Contains the configured IPsec protocols and algorithm definitions. This file is managed by the `ipsecalgs` command and must never be edited manually.
`/etc/inet/ike/config` file	IKE configuration and policy file. By default, this file does not exist. In releases prior to the Solaris 10 4/09 release, if this file exists, the IKE daemon, `in.iked`, provides automatic key management. The management is based on rules and global parameters in the `/etc/inet/ike/config` file. See IKE Utilities and Files. In the current release, if this file exists, the `svc:/network/ipsec/ike` service starts the IKE daemon, `in.iked`, to provide automatic key management.	ike.config(4)