IPsec and IKE Administration Guide

How to Configure IKE With Pre-Shared Keys

  1. On the system console, become superuser or assume an equivalent role.


    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.


  2. On each system, copy the file /etc/inet/ike/config.sample to /etc/inet/ike/config.

  3. Enter rules and global parameters in the ike/config file on each system.

    The rules and global parameters in this file should permit the IPsec policy in the system's ipsecinit.conf file to succeed. The following ike/config examples work with the ipsecinit.conf examples in How to Secure Traffic Between Two Systems.

    1. For example, modify the /etc/inet/ike/config file on the enigma system:


      ### ike/config file on enigma, 192.168.116.16
      
      ## Global parameters
      #
      ## Phase 1 transform defaults
      p1_lifetime_secs 14400
      p1_nonce_len 40
      #
      ## Defaults that individual rules can override.
      p1_xform
        { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
      p2_pfs 2
      #
      ## The rule to communicate with partym
      
      { label "Enigma-Partym"
        local_addr 192.168.116.16
        remote_addr 192.168.13.213
        p1_xform
         { auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
        p2_pfs 5
      }

      Note –

      All arguments to auth_method must be on the same line.


    2. Modify the file on the partym system:


      ### ike/config file on partym, 192.168.13.213
      ## Global Parameters
      #
      p1_lifetime_secs 14400
      p1_nonce_len 40
      #
      p1_xform
        { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
      p2_pfs 2
      
      ## The rule to communicate with enigma
      
      { label "Partym-Enigma"
        local_addr 192.168.13.213
        remote_addr 192.168.116.16
        p1_xform
         { auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
        p2_pfs 5
      }

    Note –

    These system names are examples only. Use the names and addresses of your systems when securing traffic between your systems.


  4. On each system, check the validity of the file:


    # /usr/lib/inet/in.iked -c -f /etc/inet/ike/config
    
  5. Generate random keys.

    On a Solaris system, you can use the od command. For example, the following command prints two lines of hexadecimal numbers.


    # od -X -A n /dev/random | head -2
             f47cb0f4 32e14480 951095f8 2b735ba8
             0a9467d0 8f92c880 68b6a40e 0efe067d

    For an explanation of the command, see How to Generate Random Numbers and the od(1) man page.

  6. Create the file /etc/inet/secret/ike.preshared on each system. Put the pre-shared key in each file.

    The authentication algorithm in this example is MD5, as shown in Step 3. The size of the hash, that is, the size of the authentication algorithm's output, determines the minimum recommended size of a pre-shared key. The output of the MD5 algorithm is 128 bits, or 32 hexadecimal characters. Because a longer key is preferable, the example key is 56 characters long.

    1. For example, on the enigma system, ike.preshared would look like the following:


      # ike.preshared on enigma, 192.168.116.16
      #…
      { localidtype IP
        localid 192.168.116.16
        remoteidtype IP
        remoteid 192.168.13.213
        # enigma and partym's shared key in hex (192 bits)
        key f47cb0f432e14480951095f82b735ba80a9467d08f92c88068b6a40e
      }

    2. On the partym system, ike.preshared would look like the following:


      # ike.preshared on partym, 192.168.13.213
      #…
      { localidtype IP
        localid 192.168.13.213
        remoteidtype IP
        remoteid 192.168.116.16
        # partym and enigma's shared key in hex (192 bits)
        key f47cb0f432e14480951095f82b735ba80a9467d08f92c88068b6a40e
      }

    Note –

    The pre-shared keys must be identical.


    IKE is now configured for use with IPsec.

Example—Check That the Pre-Shared Keys are Identical

If the pre-shared keys on the communicating systems are not identical, you get the following error message:


# rup system2
system2: RPC: Rpcbind failure

To view the pre-shared key, the in.iked daemon must be running at privilege level 0x2. On each system, use the ikeadm command to dump the pre-shared key information:


# /usr/sbin/ikeadm get priv
Current privilege level is 0x2, access to keying material enabled
# ikeadm dump preshared
PSKEY: Pre-shared key (24 bytes): f47cb…/192
LOCIP: AF_INET: port 0, 192.168.116.16 (enigma).
REMIP: AF_INET: port 0, 192.168.13.213 (partym).

Compare the two dumps. If the pre-shared keys are not identical, replace one key with the other key in the /etc/inet/secret/ike.preshared file.
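
The following shell helpers are an added example, not part of the original guide. They cover Steps 5 and 6 and the identity check above: joining od output into a single hex key, checking the key in an ike.preshared entry against the minimum length for the hash in use, and confirming that two entries carry the same key. The function names, the RANDOM_DEV variable, and the use of od's -t and -N options are assumptions made for this example.

```shell
#!/bin/sh
# Added example (helper names are hypothetical, not from the guide).

# gen_psk NBYTES: print NBYTES random bytes as one unbroken hex string.
# Assumes an od that accepts the POSIX -t and -N options.
gen_psk() {
    od -A n -t x1 -N "$1" "${RANDOM_DEV:-/dev/random}" | tr -d ' \t\n'
    echo
}

# psk_of FILE: print the first "key" value, lowercased. Comment lines
# start with "#", so their first field never equals "key".
psk_of() {
    awk '$1 == "key" { print tolower($2); exit }' "$1"
}

# check_psk FILE MINHEX: succeed only if the key is whole hex bytes and at
# least MINHEX characters (32 for MD5's 128-bit output, per Step 6).
check_psk() {
    k=$(psk_of "$1")
    case "$k" in
        ''|*[!0-9a-f]*) echo "$1: key missing or not hex" >&2; return 1 ;;
    esac
    if [ $(( ${#k} % 2 )) -ne 0 ] || [ "${#k}" -lt "$2" ]; then
        echo "$1: key is ${#k} hex characters; need an even count >= $2" >&2
        return 1
    fi
}

# same_psk FILE1 FILE2: succeed only if both files hold the same key.
same_psk() {
    a=$(psk_of "$1"); b=$(psk_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample: two entries in the guide's format, using its example key.
d=$(mktemp -d)
key=f47cb0f432e14480951095f82b735ba80a9467d08f92c88068b6a40e
printf '{ localidtype IP\n\tlocalid 192.168.116.16\n\tkey %s\n\t}\n' "$key" > "$d/enigma"
printf '{ localidtype IP\n\tlocalid 192.168.13.213\n\tkey %s\n\t}\n' "$key" > "$d/partym"
check_psk "$d/enigma" 32 && same_psk "$d/enigma" "$d/partym" && echo "keys valid and identical"
rm -rf "$d"
```

For example, gen_psk 28 prints a 56-character key like the one used in Step 6.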