System Administration Guide: IP Services

Procedure: How to Refresh IKE Preshared Keys

This procedure assumes that you want to replace an existing preshared key at regular intervals.

  1. On the system console, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.

  2. Generate random numbers and construct a key of the appropriate length.

    For details, see How to Generate Random Numbers on a Solaris System. If you are generating a preshared key for a Solaris system that is communicating with an operating system that requires ASCII, see Example 23–1.

  3. Replace the current key with a new key.

    For example, on the hosts enigma and partym, you would replace the value of key in the /etc/inet/secret/ike.preshared file with a new number of the same length.

  4. Read the new key into the kernel.

    • Starting in the Solaris 10 4/09 release, refresh the ike service.

      # svcadm refresh ike
    • If you are running a release prior to the Solaris 10 4/09 release, kill and restart the in.iked daemon.

      1. Check the privilege level of the in.iked daemon.

        # /usr/sbin/ikeadm get priv
        Current privilege level is 0x0, base privileges enabled

        You can change the keying material if the command returns a privilege level of 0x1 or 0x2. Level 0x0 does not permit operations to modify or view keying material. By default, the in.iked daemon runs at the 0x0 level of privilege.

      2. If the privilege level is 0x0, kill and restart the daemon.

        When the daemon restarts, it reads the new version of the ike.preshared file.

        # pkill in.iked
        # /usr/lib/inet/in.iked
      3. If the privilege level is 0x1 or 0x2, read in the new version of the ike.preshared file.

        # ikeadm read preshared
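The steps above, scripted as an added example (not from the guide and not part of Solaris): a key-generation helper for step 2, a same-length key replacement for step 3, and a decision helper for step 4 that maps the output of `ikeadm get priv` to the action the procedure prescribes. Assumptions not on the page: random bytes are drawn from /dev/urandom with od(1) (the guide's own random-number procedure is referenced but not shown here), the file is laid out as a brace block with a `key <hex>` line, and `awk -v` is available (on Solaris 10 use nawk or /usr/xpg4/bin/awk). The sample ike.preshared content is constructed; the script edits a copy, never the live file, so it can be run offline.

```shell
#!/bin/sh
# Added example for refreshing an IKE preshared key; not code from the guide.
# Assumption: random bytes come from /dev/urandom via od(1); the file layout
# is a brace block containing a "key <hex>" line; sample data is constructed.
set -e

# gen_key N: print N hex digits (N even) drawn from /dev/urandom.
# od prints N/2 bytes as hex pairs; tr removes the spacing od adds.
gen_key() {
    nhex=$1
    nbytes=$((nhex / 2))
    od -An -v -tx1 -N "$nbytes" /dev/urandom | tr -d ' \n'
}

# replace_key FILE NEWKEY: replace the value on the "key" line(s) of FILE.
# Step 3 says the new number must be of the same length as the old one, so
# the function refuses a key whose length differs. Writes FILE.new first,
# then moves it into place so a failure never leaves a half-written file.
replace_key() {
    file=$1
    newkey=$2
    oldkey=$(awk '$1 == "key" { print $2; exit }' "$file")
    if [ -z "$oldkey" ]; then
        echo "replace_key: no key line in $file" >&2
        return 1
    fi
    if [ "${#oldkey}" -ne "${#newkey}" ]; then
        echo "replace_key: length mismatch (old ${#oldkey}, new ${#newkey})" >&2
        return 1
    fi
    awk -v k="$newkey" \
        '$1 == "key" { sub(/[0-9A-Fa-f]+[ \t]*$/, k) } { print }' \
        "$file" > "$file.new"
    mv "$file.new" "$file"
}

# priv_action LINE: given the line printed by "ikeadm get priv" on a release
# prior to Solaris 10 4/09, print the step-4 action:
#   restart -> level 0x0: pkill in.iked; /usr/lib/inet/in.iked
#   read    -> level 0x1 or 0x2: ikeadm read preshared
# (From Solaris 10 4/09 on, "svcadm refresh ike" is used instead.)
priv_action() {
    case $1 in
        *"privilege level is 0x0"*) echo restart ;;
        *"privilege level is 0x1"*|*"privilege level is 0x2"*) echo read ;;
        *) echo unknown; return 1 ;;
    esac
}

# demo: run the procedure against a constructed copy of ike.preshared.
demo() {
    tmp=$(mktemp -d)
    # Constructed sample, not taken from any real host.
    cat > "$tmp/ike.preshared" <<'EOF'
{
    localidtype IP
    localid 192.0.2.1
    remoteidtype IP
    remoteid 192.0.2.2
    key 1f2e3d4c5b6a79880123456789abcdef1f2e3d4c5b6a79880123456789abcdef
}
EOF
    newkey=$(gen_key 64)
    replace_key "$tmp/ike.preshared" "$newkey"
    echo "new key line:"
    awk '$1 == "key"' "$tmp/ike.preshared"
    echo "action for 0x0: $(priv_action 'Current privilege level is 0x0, base privileges enabled')"
    rm -rf "$tmp"
}

case "${1-}" in demo) demo ;; esac
```

Run it as `sh refresh_psk.sh demo` to see the rewritten key line; on a real host you would point `replace_key` at /etc/inet/secret/ike.preshared on both peers and then apply the step-4 action that `priv_action` (or the release check) selects.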