System Administration Guide: IP Services

IPsec Policy Command

You use the ipsecconf(1M) command to configure the IPsec policy for a host. When you run the command to configure policy, the system creates a temporary file named ipsecpolicy.conf to hold the IPsec policy entries. The system immediately uses the file to check all outbound and inbound IP datagrams for policy. Forwarded datagrams are not subjected to policy checks that are added by using this command. See ifconfig(1M) and tun(7M) for information on how to protect forwarded packets.

You must become superuser to invoke the ipsecconf command. The command accepts entries that protect traffic in both directions, and entries that protect traffic in only one direction.

Policy entries that do not specify a direction and contain the patterns laddr host1 (local address) and raddr host2 (remote address) protect traffic in both directions for the named host. Thus, you need only one entry for each host. A policy entry of the pattern saddr host1 daddr host2 (source address to destination address) protects traffic in only one direction, that is, either outbound or inbound. Thus, to protect traffic in both directions, you need to pass the ipsecconf command another entry, as in saddr host2 daddr host1.
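The practical consequence of the two address patterns is that every `saddr`/`daddr` entry needs a mirror entry before traffic is protected in both directions, while a single `laddr`/`raddr` entry already covers both. The following POSIX shell script is an added example, not part of the guide or of Solaris: it audits a list of entries written in the page's own notation and reports the one-direction entries that lack their reverse. It assumes a constructed sample policy and works only on the address-pattern part of each entry; the braces and action clause of a real ipsecconf entry are left out here.

```shell
#!/bin/sh
# Added example (not from the guide): audit ipsecconf-style address patterns
# and report saddr/daddr entries that have no mirror entry. Only the address
# pattern of each entry is handled; the braces and action clause of a real
# ipsecconf entry are omitted (simplification assumed for this example).

# Constructed sample: four entries in the page's notation, one per line.
# The laddr/raddr entry needs no mirror; host1<->host3 is mirrored;
# host1->host4 is not, so only that entry should be reported.
SAMPLE_POLICY='laddr host1 raddr host2
saddr host1 daddr host3
saddr host3 daddr host1
saddr host1 daddr host4'

# mirror_entry: print the reverse of a one-direction entry
# ("saddr A daddr B" -> "saddr B daddr A"). A laddr/raddr entry is printed
# unchanged because it already protects traffic in both directions.
mirror_entry() {
    set -- $1
    case "$1" in
        saddr) printf 'saddr %s daddr %s\n' "$4" "$2" ;;
        *)     printf '%s\n' "$*" ;;
    esac
}

# unmirrored_entries: read entries from stdin and print each saddr/daddr
# entry whose reverse entry is not also present. laddr/raddr entries never
# appear in the output.
unmirrored_entries() {
    policy=$(cat)
    printf '%s\n' "$policy" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case "$entry" in
            saddr\ *)
                rev=$(mirror_entry "$entry")
                if ! printf '%s\n' "$policy" | grep -qxF -- "$rev"; then
                    printf '%s\n' "$entry"
                fi
                ;;
        esac
    done
}

# Stand-alone usage: list the entries that still need a mirror entry.
printf '%s\n' "$SAMPLE_POLICY" | unmirrored_entries
```

Run against the sample, the script prints `saddr host1 daddr host4`, the one entry for which the guide's rule says a second entry (`saddr host4 daddr host1`) must still be passed to ipsecconf.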

You can see the policies that are configured in the system when you issue the ipsecconf command without any arguments. The command displays each entry preceded by an index number. You can use the -d option with that index number to delete a particular policy from the system. The command displays the entries in the order in which they were added, which is not necessarily the order in which traffic is matched against them. To view the order in which the traffic match occurs, use the -l option.

The ipsecpolicy.conf file is deleted when the system shuts down. To ensure that IPsec policy is active when the machine boots, you can create an IPsec policy file, /etc/inet/ipsecinit.conf, that the inetinit script reads during startup.