System Administration Guide: IP Services

Example—Replacing Security Associations in ipseckeys Files

The following example refreshes the keys on the systems partym and enigma, whose traffic was secured in How to Secure Traffic Between Two Systems. The assumption is that both systems use the SHA1 algorithm for AH and that both systems use IPv6 addresses. Each security association is installed on both systems, so the same SPI, destination and authkey values must appear in both ipseckeys files; the authkey values shown here are illustrative placeholders, not keys to deploy.

  1. Flush the current keys on both systems with the ipseckey flush command, so that the add commands in the new file do not collide with security associations that are still installed.

  2. Edit the /etc/inet/secret/ipseckeys file on both systems to replace the existing SPI and authkey values. Each SHA1 authkey is 160 bits, written as 40 hexadecimal digits; generate the values with a random number generator rather than choosing them by hand, and keep the file readable by root only. The outbound SA of one system is the inbound SA of the other, so the two files contain the same two add lines and differ only in their comments.

    1. Edit the ipseckeys file on partym:


      # for inbound packets
      add ah spi 0x55142 dst partym authalg sha1 \
      	    authkey 012345678921001234abcdeffedcba9876543210
      # for outbound packets
      add ah spi 0x235211 dst enigma authalg sha1 \
      	    authkey 21001234abcdef98765432100123456789fedcba
    2. Edit the ipseckeys file on enigma. The same two security associations appear here, with the inbound and outbound roles exchanged:


      # for inbound packets
      add ah spi 0x235211 dst enigma authalg sha1 \
      	    authkey 21001234abcdef98765432100123456789fedcba
      # for outbound packets
      add ah spi 0x55142 dst partym authalg sha1 \
      	    authkey 012345678921001234abcdeffedcba9876543210
  3. To make sure that latched sockets use the new keys, reboot both systems. The ipseckeys file is read automatically at boot time.


    # /usr/sbin/reboot 
    

    If you are testing, you can place the new keys into the security database on each system without rebooting:


    # ipseckey -f /etc/inet/secret/ipseckeys
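The procedure above as a script, added here as an example that is not part of the Solaris guide: it draws fresh SPIs and 160-bit SHA1 keys from the kernel random device, writes the ipseckeys file for each host so that every security association appears identically in both files, and checks the two files against each other before they are loaded. The host names partym and enigma come from the example above; /dev/urandom as the key source, the output paths, and the helper names rand_hex, rand_spi, emit_ipseckeys, sa_list, check_pair and rekey_pair are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): rekey an AH/SHA1 pair of
# security associations between two hosts and write both ipseckeys files.
# The helpers below and the use of /dev/urandom are this example's choices.

# N random bytes from the kernel RNG as lowercase hex (od -tx1 prints bytes).
rand_hex() {
    od -An -v -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# A random 32-bit SPI.  SPI values 0-255 are reserved, so redraw if the
# top 24 bits came out zero.
rand_spi() {
    while :; do
        s=$(rand_hex 4)
        case $s in 000000??) ;; *) echo "$s"; return 0 ;; esac
    done
}

# Write one host's ipseckeys file to stdout in the guide's layout.
# Arguments: host peer in_spi in_key out_spi out_key
emit_ipseckeys() {
    printf '# for inbound packets\n'
    printf 'add ah spi 0x%s dst %s authalg sha1 \\\n\tauthkey %s\n' "$3" "$1" "$4"
    printf '# for outbound packets\n'
    printf 'add ah spi 0x%s dst %s authalg sha1 \\\n\tauthkey %s\n' "$5" "$2" "$6"
}

# Reduce an ipseckeys file to sorted "spi dst authkey" lines: strip
# comments, join backslash continuations, keep the fields that identify an SA.
sa_list() {
    awk '
        { sub(/#.*/, "") }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf " " $0; next }
        { $0 = buf " " $0; buf = "" }
        $1 == "add" {
            spi = dst = key = "?"
            for (i = 2; i < NF; i++) {
                if ($i == "spi")     spi = tolower($(i + 1))
                if ($i == "dst")     dst = $(i + 1)
                if ($i == "authkey") key = tolower($(i + 1))
            }
            print spi, dst, key
        }' "$1" | sort
}

# The two files of a host pair must describe the same set of SAs: one
# host's outbound SA is the other host's inbound SA.
check_pair() {
    [ -s "$1" ] && [ "$(sa_list "$1")" = "$(sa_list "$2")" ]
}

# Draw fresh SPIs and keys for HOST_A/HOST_B and write FILE_A and FILE_B
# with mode 0600, since the files hold the keys in clear.  Each SA is
# written to both files with the same spi, dst and authkey.
rekey_pair() {
    host_a=$1 host_b=$2 file_a=$3 file_b=$4
    spi_to_a=$(rand_spi) key_to_a=$(rand_hex 20)   # SA protecting packets to host_a
    spi_to_b=$(rand_spi) key_to_b=$(rand_hex 20)   # SA protecting packets to host_b
    umask 077
    emit_ipseckeys "$host_a" "$host_b" "$spi_to_a" "$key_to_a" "$spi_to_b" "$key_to_b" > "$file_a"
    emit_ipseckeys "$host_b" "$host_a" "$spi_to_b" "$key_to_b" "$spi_to_a" "$key_to_a" > "$file_b"
    check_pair "$file_a" "$file_b"
}

# Usage: sh rekey.sh partym enigma /tmp/ipseckeys.partym /tmp/ipseckeys.enigma
if [ $# -eq 4 ]; then
    rekey_pair "$@"
fi
```

Run it with the two host names and two output paths, then copy each file to /etc/inet/secret/ipseckeys on its host and load it as in step 3. check_pair can also be run on two hand-edited files: a mistyped SPI or key on one side shows up as a mismatch before ipseckey -f installs it.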