IPsec Policy Command

You use the ipsecconf(1M) command to configure the IPsec policy for a host. When you run the command to configure policy, the system creates a temporary file that is named ipsecpolicy.conf. This file holds the IPsec policy entries that were set in the kernel by the ipsecconf command. The system uses the in-kernel IPsec policy entries to check all outbound and inbound IP datagrams for policy. Forwarded datagrams are not subjected to policy checks that are added by using this command. See the ifconfig(1M) and tun(7M) man pages about how to protect forwarded packets.

You must become superuser or assume an equivalent role to invoke the ipsecconf command. The command accepts entries that protect traffic in both directions, and entries that protect traffic in only one direction.

Policy entries with a format of local address and remote address can protect traffic in both directions with a single policy entry. For example, entries that contain the patterns laddr host1 and raddr host2, protect traffic in both directions if no direction is specified for the named host. Thus, you need only one policy entry for each host. Policy entries with a format of source address to destination address protect traffic in only one direction. For example, a policy entry of the pattern saddr host1 daddr host2 protects inbound traffic or outbound traffic, not both directions. Thus, to protect traffic in both directions, you need to pass the ipsecconf command another entry, as in saddr host2 daddr host1.

You can see the policies that are configured in the system when you issue the ipsecconf command without any arguments. The command displays each entry with an index followed by a number. You can use the -d option with the index to delete a particular policy in the system. The command displays the entries in the order that the entries were added, which is not necessarily the order in which the traffic match occurs. To view the order in which the traffic match occurs, use the -l option.

The ipsecpolicy.conf file is deleted when the system shuts down. To ensure that IPsec policy is active when the machine boots, you can create an IPsec policy file, /etc/inet/ipsecinit.conf, that the inetinit script reads during startup.