System Administration Guide: IP Services

Procedure: How to View IKE Preshared Keys

By default, the ikeadm command prevents you from viewing the actual keys in a dump of a Phase 1 SA. Viewing the keys is useful during debugging.

To view the actual keys, you must increase the privilege level of the daemon. For a description of the privilege levels, see IKE Administration Command.


Note – To perform this procedure on a release prior to the Solaris 10 4/09 release, see Example 23–2.


Before You Begin

IKE is configured and the ike service is running.

  1. View the IKE preshared keys.


    # ikeadm
    ikeadm> dump preshared
    
  2. If you get an error, increase the privilege level of the in.iked daemon.

    1. Increase the privilege level of the in.iked daemon in the SMF repository.


      # svcprop -p config/admin_privilege ike
      base
      # svccfg -s ike setprop config/admin_privilege=keymat
      
    2. Increase the privilege level of the running in.iked daemon.


      # svcadm refresh ike ; svcadm restart ike
      
    3. (Optional) Confirm that the privilege level is keymat.


      # svcprop -p config/admin_privilege ike
      keymat
      
    4. View the keys by running Step 1 again.

  3. Return the IKE daemon to the base privilege level.

    1. After you view the keys, return the privilege level to the default.


      # svccfg -s ike setprop config/admin_privilege=base
      
    2. Refresh and then restart IKE.


      # svcadm refresh ike ; svcadm restart ike
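
The whole procedure as one script, added here as an example and not part of the original guide: it raises in.iked to keymat, dumps the preshared keys, and returns the daemon to base even if the dump fails or the session is interrupted. The function names, the DUMP_TRIES variable and the retry after the restart are assumptions of this example; the commands are the ones used in the steps above, with ikeadm given its subcommand on the command line.

```shell
#!/usr/xpg4/bin/sh
# Added example, not from the Solaris guide. Solaris 10 /bin/sh is the legacy
# Bourne shell, so this targets the POSIX shell (ksh or bash also work).
SVC=ike
PROP=config/admin_privilege

# Steps 2.1-2.2 and 3.1-3.2: change the SMF property, then refresh and restart.
set_privilege() {
    svccfg -s "$SVC" setprop "$PROP=$1" &&
        svcadm refresh "$SVC" &&
        svcadm restart "$SVC"
}

current_privilege() {
    svcprop -p "$PROP" "$SVC"
}

# Dump the preshared keys at keymat, then always go back to base.
# Returns 0 = ok, 1 = dump failed, 2 = could not raise, 3 = NOT back at base.
dump_preshared_then_restore() {
    rc=0
    # Restore on Ctrl-C or hangup too, so an aborted session is not left at keymat.
    trap 'set_privilege base; exit 130' INT TERM HUP
    if set_privilege keymat; then
        # Assumption: in.iked may need a moment after the restart, so retry briefly.
        n=1
        until ikeadm dump preshared; do
            [ "$n" -ge "${DUMP_TRIES:-5}" ] && { rc=1; break; }
            n=$((n + 1))
            sleep 1
        done
    else
        rc=2
    fi
    set_privilege base || :
    trap - INT TERM HUP
    if [ "$(current_privilege)" != base ]; then
        echo "WARNING: $SVC $PROP is not base; restore it by hand" >&2
        rc=3
    fi
    return "$rc"
}

# Run only when asked, so the functions can also be sourced and reviewed first.
if [ "${1:-}" = run ]; then
    dump_preshared_then_restore
fi
```

The dump writes key material to standard output, so run it on a terminal rather than redirecting it into a file or log.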
      

Example 23–2 Verifying IKE Preshared Keys in a Release Prior to the Solaris 10 4/09 Release

In the following example, the administrator is viewing keys on a Solaris system that is not running the current Solaris release. The administrator wants to verify that the keys on this system are identical to the keys on the communicating system. After verifying that the keys on the two systems are identical, the administrator restores the privilege level to 0.