IPsec and IKE Administration Guide

IKE Policy File

The IKE policy file, /etc/inet/ike/config, holds the global parameters for the IKE daemon (in.iked) and the keying rules that the daemon uses, both for its own Phase 1 (IKE) SAs and for the IPsec SAs that it manages. The daemon needs keying material for the Phase 1 exchange, and the rules in ike/config establish that keying material. A valid rule carries a label, identifies the systems or networks that the keying material protects, and specifies the authentication method. See Configuring IKE With Preshared Keys (Task Map) for examples of valid policy files. For descriptions and examples of the entries, see the ike.config(4) man page.

The IPsec SAs protect IP datagrams according to the policies set up in the IPsec policy file, /etc/inet/ipsecinit.conf. Whether perfect forward secrecy (PFS) is used when the IPsec SAs are created is decided in the IKE policy file (the p2_pfs parameter), not in ipsecinit.conf.

The ike/config file can also name the path (the pkcs11_path parameter) to a library that implements the RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) standard. IKE uses this PKCS #11 library to reach hardware for key acceleration and key storage.
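As an added example, not taken from this guide, the following ike/config ties the pieces above together: global Phase 1 defaults, a PFS setting, an optional PKCS #11 library path, and one labelled rule that authenticates a peer with a preshared key. The label, the addresses and the library path are assumptions chosen for illustration; the keyword syntax follows ike.config(4).

```text
### /etc/inet/ike/config (added example; label, addresses and the
### library path are assumed values, not taken from this guide)

## Global parameters for in.iked
## Phase 1 (IKE) SA lifetime in seconds, and nonce length in bytes
p1_lifetime_secs 14400
p1_nonce_len 40

## Phase 1 transform that every rule inherits unless it overrides it
p1_xform
  { auth_method preshared oakley_group 5 auth_alg sha1 encr_alg 3des }

## Perfect forward secrecy for the IPsec (Phase 2) SAs.
## A nonzero value names the Oakley (Diffie-Hellman) group used for
## the fresh Phase 2 exchange; 0 turns PFS off for rules that do not
## set their own p2_pfs.
p2_pfs 5

## Optional: PKCS #11 (Cryptoki) library for hardware key acceleration
## and key storage. The path is an assumption; leave the line out if
## no token or accelerator is installed.
pkcs11_path "/usr/lib/libpkcs11.so"

## Rule: keying material for traffic between this host and one peer.
## The preshared key itself is never written here; it lives in
## /etc/inet/secret/ike.preshared, indexed by the same address pair.
{
  label "enigma-to-partym"
  local_addr 192.168.116.16
  remote_addr 192.168.13.213
  p1_xform
    { auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
  p2_pfs 2
}
```

Before installing the file, check its syntax without starting the daemon: in.iked -c -f /path/to/candidate-config reports parse errors and exits. The rule's local_addr and remote_addr pair must match the entry in ike.preshared for the same peer, or Phase 1 authentication fails even though the policy file parses cleanly.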

The security considerations for the ike/config file are similar to the considerations for the ipsecinit.conf file. See Security Considerations for ipsecinit.conf and ipsecconf for details.