IPsec and IKE Administration Guide

Configuring IKE With Preshared Keys (Task Map)

Task	Description	For Instructions
Configure IKE with preshared keys	Involves creating a valid IKE policy file and `ike.preshared` file. IPsec files are also set up before booting the system to use the IKE-generated keys.	How to Configure IKE With Preshared Keys
Refresh preshared keys on a running IKE system	Involves checking the IKE privilege level and adding fresh keying material to the `ipseckeys` file on communicating systems.	How to Refresh Existing Preshared Keys
Add preshared keys to a running IKE system	Involves checking the IKE privilege level and running the `ikeadm` command with fresh keying material on communicating systems.	How to Add a New Preshared Key
Check that preshared keys are identical	Involves dumping the preshared keys on both systems.	How to Verify That the Preshared Keys Are Identical

How to Configure IKE With Preshared Keys

The IKE implementation offers algorithms whose keys vary in length. The key length that you choose is determined by site security. In general, longer keys provide more security than shorter keys.

These procedures use the system names enigma and partym. Substitute the names of your systems for the names enigma and partym.

On the system console, become superuser or assume an equivalent role.

Note –
Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.

On each system, copy the file /etc/inet/ike/config.sample to the file /etc/inet/ike/config.

Enter rules and global parameters in the ike/config file on each system.

The rules and global parameters in this file should permit the IPsec policy in the system's ipsecinit.conf file to succeed. The following ike/config examples work with the ipsecinit.conf examples in How to Secure Traffic Between Two Systems.

For example, modify the /etc/inet/ike/config file on the enigma system:

### ike/config file on enigma, 192.168.116.16

## Global parameters
#
## Phase 1 transform defaults
p1_lifetime_secs 14400
p1_nonce_len 40
#
## Defaults that individual rules can override.
p1_xform
  { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
p2_pfs 2
#
## The rule to communicate with partym

{ label "enigma-partym"  Label must be unique
  local_addr 192.168.116.16
  remote_addr 192.168.13.213
  p1_xform
   { auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
  p2_pfs 5
}

Note –

All arguments to the auth_method parameter must be on the same line.

Modify the /etc/inet/ike/config file on the partym system:

### ike/config file on partym, 192.168.13.213
## Global Parameters
#
p1_lifetime_secs 14400
p1_nonce_len 40
#
p1_xform
  { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
p2_pfs 2

## The rule to communicate with enigma

{ label "partym-enigma" Label must be unique
  local_addr 192.168.13.213
  remote_addr 192.168.116.16
  p1_xform
   { auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
  p2_pfs 5
}

On each system, check the validity of the file.

# /usr/lib/inet/in.iked -c -f /etc/inet/ike/config

Generate random numbers for use as keying material.

If your site has a random number generator, use that generator. On a Solaris system, you can use the od command. For example, the following command prints two lines of hexadecimal numbers:
% od -X -A n /dev/random | head -2 f47cb0f4 32e14480 951095f8 2b735ba8 0a9467d0 8f92c880 68b6a40e 0efe067d
For an explanation of the od command, see How to Generate Random Numbers and the od(1) man page.

From the output of Step 5, construct one key.
f47cb0f432e14480951095f82b735ba80a9467d08f92c88068b6a40e
The authentication algorithm in this procedure is MD5, as shown in Step 3. The size of the hash, that is, the size of the authentication algorithm's output, determines the minimum recommended size of a preshared key. The output of the MD5 algorithm is 128 bits, or 32 characters. The example key is 56 characters long, which is longer than the recommended minimum.

Create the file /etc/inet/secret/ike.preshared on each system. Put the preshared key in each file.

For example, on the enigma system, the ike.preshared file would appear similar to the following:

# ike.preshared on enigma, 192.168.116.16
#…
{ localidtype IP
	localid 192.168.116.16
	remoteidtype IP
	remoteid 192.168.13.213
	# enigma and partym's shared key in hex (192 bits)
	key f47cb0f432e14480951095f82b735ba80a9467d08f92c88068b6a40e
	}

On the partym system, the ike.preshared file would appear similar to the following:

# ike.preshared on partym, 192.168.13.213
#…
{ localidtype IP
	localid 192.168.13.213
	remoteidtype IP
	remoteid 192.168.116.16
	# partym and enigma's shared key in hex (192 bits)
	key f47cb0f432e14480951095f82b735ba80a9467d08f92c88068b6a40e
	}

Note –

The preshared keys on each system must be identical.

How to Refresh Existing Preshared Keys

This procedure assumes that you want to replace an existing preshared key at regular intervals without rebooting. If you use a strong encryption algorithm, such 3DES or Blowfish, you might want to schedule key replacement for when you reboot both machines.

On the system console, become superuser or assume an equivalent role.

Note –
Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.

Generate random numbers and construct a key of the appropriate length.

For details, see How to Generate Random Numbers.

Edit the /etc/inet/secret/ike.preshared file on each system, and replace the current key with a new key.

For example, on the hosts enigma and partym, you would replace the value of key with a new number of the same length.

Check that the in.iked daemon permits you to change keying material.
# /usr/sbin/ikeadm get priv Current privilege level is 0x2, access to keying material enabled
You can change keying material if the command returns a privilege level of 0x1 or 0x2. Level 0x0 does not permit keying material operations. By default, the in.iked daemon runs at the 0x0 level of privilege.

If the in.iked daemon permits you to change keying material, read in the new version of the ike.preshared file.
# ikeadm read preshared

If the in.iked daemon does not permit you to change keying material, kill the daemon and then restart the daemon.
# pkill in.iked # /usr/lib/inet/in.iked
When the daemon restarts, the daemon reads the new version of the ike.preshared file.

How to Add a New Preshared Key

You must have one preshared key for every policy entry in the ipsecinit.conf file. If you add a new policy entry while IPsec and IKE are running, the in.iked daemon can read in new keys. This procedure assumes the following:

The systems are named enigma and ada. Substitute your system names for these names.
The in.iked daemon is running on both systems.
The interface that you want to protect with IPsec is included as an entry in the /etc/hosts file on both systems. The following entry is an example.
192.168.15.7 ada
This procedure also works with an IPv6 address in the /etc/inet/ipnodes file.
You have added a new policy entry to the /etc/inet/ipsecinit.conf file on both systems. For example, the new entry on the enigma system appears similar to the following:
{laddr enigma raddr ada} ipsec {auth_algs any encr_algs any sa shared}
The entry on the ada system appears similar to the following:
{laddr ada raddr enigma} ipsec {auth_algs any encr_algs any sa shared}

You have created a rule for the enigma and ada systems to communicate securely in the /etc/inet/ike/config file on both systems. For example, the rule on the enigma system appears similar to the following:

### ike/config file on enigma, 192.168.116.16
…
## The rule to communicate with ada

{ label "enigma-to-ada"
  local_addr 192.168.116.16
  remote_addr 192.168.15.7
  p1_xform
  { auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish }
  p2_pfs 5
	}

The rule on the ada system appears similar to the following:

### ike/config file on ada, 192.168.15.7
…
## The rule to communicate with enigma

{ label "ada-to-enigma"
  local_addr 192.168.15.7
  remote_addr 192.168.116.16
  p1_xform
  { auth_method preshared oakley_group 5 auth_alg md5 encr_alg blowfish }
  p2_pfs 5
}

On the system console, become superuser or assume an equivalent role.

Note –
Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.

Check that the in.iked daemon permits you to change keying material.
# /usr/sbin/ikeadm get priv Current privilege level is 0x0, base privileges enabled
You can change keying material if the command returns a privilege level of 0x1 or 0x2. Level 0x0 does not permit keying material operations. By default, the in.iked daemon runs at the 0x0 level of privilege.

If the in.iked daemon does not permit you to change keying material, kill the daemon. Then, restart the daemon with the correct privilege level.
# pkill in.iked # /usr/lib/inet/in.iked -p 2 Setting privilege level to 2!

Generate random numbers and construct a key of 64 to 448 bits.

For details, see How to Generate Random Numbers.

By some means, send the key to the administrator of the remote system.

You both need to add the same preshared key at the same time.

Add the new keying material with the add preshared subcommand in ikeadm command mode.

ikeadm> add preshared { localidtype id-type localid id
remoteidtype id-type remoteid id ike_mode mode key key }

id-type: Specifies the type of the id.
id: Specifies the IP address when id-type is IP.
mode: Specifies the IKE mode. The only accepted value is main.
key: Specifies the preshared key in hexadecimal format.

For example, on host enigma, you would add the key for the new interface, ada.

# ikeadm
ikeadm> add preshared { localidtype ip localid 192.168.116.16
remoteidtype ip remoteid 192.168.15.7 ike_mode main
key 8d1fb4ee500e2bea071deb2e781cb48374411af5a9671714672bb1749ad9364d }
ikeadm: Successfully created new preshared key.

On host ada, you would add the identical key.

# ikeadm
ikeadm> add preshared { localidtype ip localid 192.168.15.7
remoteidtype ip remoteid 192.168.116.16 ike_mode main
key 8d1fb4ee500e2bea071deb2e781cb48374411af5a9671714672bb1749ad9364d }
ikeadm: Successfully created new preshared key.

Exit the ikeadm command mode.
ikeadm> exit #

On each system, lower the privilege level of the in.iked daemon.
# ikeadm set priv base

On each system, activate the ipsecinit.conf file to secure the added interface.
# ipsecconf -a /etc/inet/ipsecinit.conf
Caution –
Read the warning when you execute the ipsecconf command. The same warning applies to restarting the in.iked daemon. A socket that is already latched, that is, the socket is in use, provides an unsecured back door into the system. For more extensive discussion, see Security Considerations for ipsecinit.conf and ipsecconf.

On each system, read in the new rules by using the ikeadm command.
# ikeadm read rules
A sample of the new rules for the ada and enigma systems is available at the start of the procedure. Because the rules are in the /etc/inet/ike/config file, the name of the file does not have to be specified to the ikeadm command.

To ensure that IKE preshared keys are available at reboot, add the keys to the /etc/inet/secret/ike.preshared file.

For example, on the enigma system, you would add the following keying information to the ike.preshared file:

# ike.preshared on enigma for the ada interface
#…
{ localidtype IP
  localid 192.168.116.16
  remoteidtype IP
  remoteid 192.168.15.7
  # enigma and ada's shared key in hex (32 - 448 bits required)
  key 8d1fb4ee500e2bea071deb2e781cb48374411af5a9671714672bb1749ad9364d
}

On the ada system, you would add the following keying information to the ike.preshared file:

# ike.preshared on ada for the enigma interface
#…
{ localidtype IP
  localid 192.168.15.7
  remoteidtype IP
  remoteid 192.168.116.16
  # ada and enigma's shared key in hex (32 - 448 bits required)
  key 8d1fb4ee500e2bea071deb2e781cb48374411af5a9671714672bb1749ad9364d
}

Verify that the systems can communicate. See How to Verify That the Preshared Keys Are Identical.

How to Verify That the Preshared Keys Are Identical

If the preshared keys on the communicating systems are not identical, you see the following error message:

# rup system2
system2: RPC: Rpcbind failure

On the system console, become superuser or assume an equivalent role.

Note –
Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.

Check that the in.iked daemon permits you to change keying material.
# /usr/sbin/ikeadm get priv Current privilege level is 0x0, base privileges enabled
You can view keying material if the command returns a privilege level of 0x2. Level 0x0 does not permit keying material operations. By default, the in.iked daemon runs at the 0x0 level of privilege.

If the in.iked daemon does not permit you to view keying material, kill the daemon. Then, restart the daemon with the correct privilege level.
# pkill in.iked # /usr/lib/inet/in.iked -p 2 Setting privilege level to 2!

On each system, view the preshared key information.

# ikeadm dump preshared
PSKEY: Preshared key (24 bytes): f47cb…/192
LOCIP: AF_INET: port 0, 192.168.116.16 (enigma).
REMIP: AF_INET: port 0, 192.168.13.213 (partym).

Compare the two dumps.

If the preshared keys are not identical, replace one key with the other key in the /etc/inet/secret/ike.preshared file.

When the verification is complete, lower the privilege level of the in.iked daemon.
# ikeadm set priv base