| Skip Navigation Links | |
| Exit Print View | |
|
System Administration Guide: IP Services Oracle Solaris 11 Express 11/10 |
| Skip Navigation Links | |
| Exit Print View | |
|
|
System Administration Guide: IP Services Oracle Solaris 11 Express 11/10 |
1. Planning an IPv4 Addressing Scheme (Tasks)
2. Planning an IPv6 Addressing Scheme (Overview)
3. Planning an IPv6 Network (Tasks)
4. Configuring TCP/IP Network Services and IPv4 Addressing (Tasks)
5. Enabling IPv6 on a Network (Tasks)
6. Administering a TCP/IP Network (Tasks)
8. Troubleshooting Network Problems (Tasks)
9. TCP/IP and IPv4 in Depth (Reference)
12. Planning for DHCP Service (Tasks)
13. Configuring the DHCP Service (Tasks)
14. Administering DHCP (Tasks)
15. Configuring and Administering the DHCP Client
16. Troubleshooting DHCP (Reference)
17. DHCP Commands and Files (Reference)
18. IP Security Architecture (Overview)
20. IP Security Architecture (Reference)
21. Internet Key Exchange (Overview)
How to Display Available Groups and Algorithms for Phase 1 IKE Exchanges
Configuring IKE With Preshared Keys (Task Map)
Configuring IKE With Preshared Keys
How to Configure IKE With Preshared Keys
How to Refresh IKE Preshared Keys
How to View IKE Preshared Keys
How to Add an IKE Preshared Key for a New Policy Entry in ipsecinit.conf
How to Verify That IKE Preshared Keys Are Identical
Configuring IKE With Public Key Certificates (Task Map)
Configuring IKE With Public Key Certificates
How to Configure IKE With Self-Signed Public Key Certificates
How to Configure IKE With Certificates Signed by a CA
How to Generate and Store Public Key Certificates on Hardware
How to Handle a Certificate Revocation List
Configuring IKE for Mobile Systems (Task Map)
Configuring IKE for Mobile Systems
How to Configure IKE for Off-Site Systems
Configuring IKE to Find Attached Hardware (Task Map)
Configuring IKE to Find Attached Hardware
How to Configure IKE to Find the Sun Crypto Accelerator 1000 Board
How to Configure IKE to Find the Sun Crypto Accelerator 4000 Board
Changing IKE Transmission Parameters (Task Map)
23. Internet Key Exchange (Reference)
24. IP Filter in Oracle Solaris (Overview)
Part IV Networking Performance
26. Integrated Load Balancer Overview
27. Configuration of Integrated Load Balancer Tasks
28. Virtual Router Redundancy Protocol (Overview)
29. VRRP Configuration (Tasks)
30. Implementing Congestion Control
Part V IP Quality of Service (IPQoS)
31. Introducing IPQoS (Overview)
32. Planning for an IPQoS-Enabled Network (Tasks)
33. Creating the IPQoS Configuration File (Tasks)
34. Starting and Maintaining IPQoS (Tasks)
35. Using Flow Accounting and Statistics Gathering (Tasks)
When IKE negotiates keys, the speed of transmission can affect the success of the negotiation. Normally, you would not need to change the default values for IKE transmission parameters. However, when optimizing key negotiation over very dirty lines, or when reproducing a problem, you might want to change the transmission values.
Longer duration times enable IKE to negotiate keys over unreliable transmission lines. You can lengthen certain parameters so that initial attempts succeed. If the initial attempt does not succeed, you can space subsequent attempts to offer more time for success.
Shorter duration times enable you to take advantage of reliable transmission lines. You can more quickly retry a failed negotiation to speed up the negotiation. When diagnosing a problem, you might also want to speed up the negotiation for a quick failure. Shorter durations also enable the Phase 1 SAs to be used for their lifetime.
On each system, modify Phase 1 duration parameters the /etc/inet/ike/config file.
### ike/config file on system ## Global parameters # ## Phase 1 transform defaults # #expire_timer 300 #retry_limit 5 #retry_timer_init 0.5 (integer or float) #retry_timer_max 30 (integer or float)
The number of seconds to let a not-yet-complete IKE Phase I negotiation linger before deleting the negotiation attempt. By default, the attempt lingers for 30 seconds.
The number of retransmits before any IKE negotiation is aborted. By default, IKE tries five times.
The initial interval between retransmits. This interval is doubled until the retry_timer_max value is reached. The initial interval is 0.5 seconds.
The maximum interval in seconds between retransmits. The retransmit interval stops growing at this limit. By default, the limit is 30 seconds.
# svcadm refresh svc:/network/ipsec/ike
Example 22-14 Lengthening IKE Phase 1 Negotiation Times
In the following example, a system is connected to its IKE peers by a high-traffic transmission line. The original settings are in comments in the file. The new settings lengthen the negotiation time.
### ike/config file on partym ## Global Parameters # ## Phase 1 transform defaults #expire_timer 300 #retry_limit 5 #retry_timer_init 0.5 (integer or float) #retry_timer_max 30 (integer or float) # expire_timer 600 retry_limit 10 retry_timer_init 2.5 retry_timer_max 180
Example 22-15 Shortening IKE Phase 1 Negotiation Times
In the following example, a system is connected to its IKE peers by a high-speed line with little traffic. The original settings are in comments in the file. The new settings shorten the negotiation time.
### ike/config file on partym ## Global Parameters # ## Phase 1 transform defaults #expire_timer 300 #retry_limit 5 #retry_timer_init 0.5 (integer or float) #retry_timer_max 30 (integer or float) # expire_timer 120 retry_timer_init 0.20
|