If you are using pre-shared keys, you must have one pre-shared key for every policy entry in the ipsecinit.conf file. If you add new policy entries while IPsec and IKE are running, the in.iked daemon can read in new keys. This procedure assumes the following:
The in.iked daemon is running
The interface that you want to protect with IPsec is an entry in the /etc/hosts file on both systems, for example:
    192.168.15.7 ada
You have added a new policy entry to the /etc/inet/ipsecinit.conf file on both systems. For example, the entry on enigma looks something like the following:
    {laddr enigma raddr ada} ipsec {auth_algs any encr_algs any sa shared}
For example, the entry on ada looks something like the following:
    {laddr ada raddr enigma} ipsec {auth_algs any encr_algs any sa shared}
You have created a rule for the interface on ada in the /etc/inet/ike/config file on both systems. For example, the rule on enigma looks something like the following:
    ### ike/config file on enigma, 192.168.116.16
    …
    ## The rule to communicate with partym-15
    {
        label "Enigma-ada"
        local_addr 192.168.116.16
        remote_addr 192.168.15.7
        p1_xform
        { auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish }
        p2_pfs 5
    }
For example, the rule on ada looks something like the following:
    ### ike/config file on ada, 192.168.15.7
    …
    ## The rule to communicate with enigma
    {
        label "ada-to-Enigma"
        local_addr 192.168.15.7
        remote_addr 192.168.116.16
        p1_xform
        { auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish }
        p2_pfs 5
    }
All arguments to auth_method must be on the same line.
On the system console, become superuser or assume an equivalent role.
Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.
Check that the in.iked daemon permits you to change keying material.
    # /usr/sbin/ikeadm get priv
    Current privilege level is 0x2, access to keying material enabled
You can change keying material if the command returns a privilege level of 0x1 or 0x2. Level 0x0 does not permit keying material operations. By default, the in.iked daemon runs at the 0x0 level of privilege.
If the in.iked daemon does not permit you to change keying material, kill the daemon. After killing the daemon, restart the daemon with the correct privilege level.
For example:
    # pkill in.iked
    # /usr/lib/inet/in.iked -p 2
    Setting privilege level to 2!
Generate random keys and combine the output to create a key of 64 to 448 bits.
On a Solaris system, you can use the od command.
    # od -X -A n /dev/random | head -4
    0fb834c5 8d1fb4ee 500e2bea 071deb2e
    781cb483 74411af5 a9671714 672bb174
    9ad9364d 53574f27 4aacea56 c34861bb
    b4509514 145c1845 f857ff2b 6e5e3766
For an explanation of the command, see How to Generate Random Numbers and the od(1) man page.
By some means, send the key to the administrator of the communicating system.
You are both going to add the same pre-shared key at the same time.
Add the new keying material with the add preshared subcommand in the ikeadm command mode.
    ikeadm> add preshared { localidtype id-type localid id remoteidtype id-type remoteid id ike_mode mode key key }

id-type
    The type of the id.
id
    IP address when id-type is IP.
mode
    The IKE mode. main is the only accepted value.
key
    The pre-shared key in hexadecimal format.
For example, on host enigma, you add the key for the new interface, ada, 192.168.15.7:
    # ikeadm
    ikeadm> add preshared { localidtype ip localid 192.168.116.16 remoteidtype ip remoteid 192.168.15.7 ike_mode main key 8d1fb4ee500e2bea071deb2e781cb48374411af5a9671714672bb1749ad9364d }
    ikeadm: Successfully created new preshared key.
On host ada, the administrator would add the identical key, as in:
    # ikeadm
    ikeadm> add preshared { localidtype ip localid 192.168.15.7 remoteidtype ip remoteid 192.168.116.16 ike_mode main key 8d1fb4ee500e2bea071deb2e781cb48374411af5a9671714672bb1749ad9364d }
    ikeadm: Successfully created new preshared key.
A message of the form Error: invalid preshared key definition indicates that you gave incorrect arguments to the add preshared command. You might have mistyped a parameter. You might have omitted a parameter. Retype the command correctly to add the key.
Exit the ikeadm command mode.
    ikeadm> exit
    #
On each system, lower the privilege level of the in.iked daemon.
    # ikeadm set priv base
On each system, activate the ipsecinit.conf file to secure the added interface.
    # ipsecconf -a /etc/inet/ipsecinit.conf
Read the warning when you execute the command. A socket that is already latched, that is, the socket is in use, provides an unsecured back door into the system.
On each system, read in the new rules by using the ikeadm command.
Samples of the new rules for ada and enigma are at the start of the procedure. Because the rules are in the /etc/inet/ike/config file, the name of the file does not have to be specified.
    # ikeadm read rules
To ensure that IKE pre-shared keys are available at reboot, edit the /etc/inet/secret/ike.preshared file.
Enter the arguments to the add preshared command into the file on each system, as shown in the following substeps.
For example, on the enigma system, you would add the following keying information to the ike.preshared file:
    # ike.preshared on enigma for the ada interface
    #…
    { localidtype IP
      localid 192.168.116.16
      remoteidtype IP
      remoteid 192.168.15.7
      # enigma and ada's shared key in hex (32 - 448 bits required)
      key 04413a3e68854b732742024d19995f7972136a2f33e5d302bdd7b2624e4c6429
    }
On the ada system, you would add the following keying information to the ike.preshared file:
    # ike.preshared for the ada interface, 192.168.15.7
    #…
    { localidtype IP
      localid 192.168.15.7
      remoteidtype IP
      remoteid 192.168.116.16
      # ada and enigma's shared key in hex (32 - 448 bits required)
      key 04413a3e68854b732742024d19995f7972136a2f33e5d302bdd7b2624e4c6429
    }
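The key generation step and the two mirrored ike.preshared entries above can be scripted and checked before either administrator installs them. The following is an added example, not part of the original procedure or of Solaris: the helper names gen_psk, psk_entry, field and check_pair are hypothetical, and gen_psk uses od -t x1 -N as a variant of the od -X invocation shown earlier.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not Solaris commands.

# gen_psk BITS [DEVICE]: print BITS random bits as one hex string.
gen_psk() {
    bits=$1 dev=${2:-/dev/random}
    # 64 to 448 bits, as in the key generation step; whole bytes only
    if [ "$bits" -lt 64 ] || [ "$bits" -gt 448 ] || [ $((bits % 8)) -ne 0 ]; then
        echo "gen_psk: need 64-448 bits, multiple of 8" >&2
        return 1
    fi
    od -A n -t x1 -N $((bits / 8)) "$dev" | tr -d ' \n'
}

# psk_entry LOCAL_IP REMOTE_IP KEY: print one ike.preshared entry.
psk_entry() {
    printf '{ localidtype IP\n  localid %s\n  remoteidtype IP\n' "$1"
    printf '  remoteid %s\n  key %s\n}\n' "$2" "$3"
}

# field FILE KEYWORD: value that follows KEYWORD, ignoring comment lines.
field() {
    awk -v kw="$2" '$1 ~ /^#/ { next }
        { for (i = 1; i < NF; i++) if ($i == kw) { print $(i + 1); exit } }' "$1"
}

# check_pair FILE_A FILE_B: succeed only if both entries carry the same
# well-formed hex key and each side's localid is the other's remoteid.
check_pair() {
    ka=$(field "$1" key); kb=$(field "$2" key)
    case $ka in
        ''|*[!0-9a-fA-F]*) echo "key in $1 is missing or not hex" >&2; return 1 ;;
    esac
    [ $((${#ka} % 2)) -eq 0 ] || { echo "odd number of hex digits" >&2; return 1; }
    [ "$ka" = "$kb" ] || { echo "keys differ between peers" >&2; return 1; }
    [ "$(field "$1" localid)" = "$(field "$2" remoteid)" ] &&
    [ "$(field "$1" remoteid)" = "$(field "$2" localid)" ] ||
        { echo "localid/remoteid are not mirrored" >&2; return 1; }
}

# Usage (scratch files, kept private with umask 077):
#   umask 077; k=$(gen_psk 256)
#   psk_entry 192.168.116.16 192.168.15.7 "$k" > enigma.entry
#   psk_entry 192.168.15.7 192.168.116.16 "$k" > ada.entry
#   check_pair enigma.entry ada.entry && echo "entries match"
```

check_pair reports on standard error which condition failed: a malformed key, keys that differ between the peers, or ids that are not mirrored.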