Substitute the names of your systems for the names enigma and partym in this procedure. You configure both IKE endpoints.
Before You Begin
You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
If you administer remotely, see Example 7–1 and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.2 for secure remote login instructions.
On each system, edit the IKEv2 configuration file:
# pfedit /etc/inet/ike/ikev2.config
The rules and global parameters in this file must manage the keys for the IPsec policy in the system's ipsecinit.conf file. The following IKEv2 configuration examples manage the keys for the ipsecinit.conf examples in How to Secure Network Traffic Between Two Servers With IPsec.
### ikev2.config file on enigma, 192.168.116.16
## Global parameters
# This default value will apply to all transforms that follow
#
ikesa_lifetime_secs 3600
#
# Global transform definitions.  The algorithm choices are
# based on RFC 4921.
#
## Two transforms are acceptable to this system, Group 20 and Group 19.
## A peer can be configured with 19 or 20.
## To ensure that a particular peer uses a specific transform,
## include the transform in the rule.
## 
# Group 20 is 384-bit ECP - Elliptic Curve over Prime
ikesa_xform { encr_alg aes(256..256) auth_alg sha384 dh_group 20 }
# Group 19 is 256-bit ECP
ikesa_xform { encr_alg aes(128..128) auth_alg sha256 dh_group 19 }
#
## The rule to communicate with partym
##  Label must be unique
{ label "enigma-partym"
  auth_method preshared
  local_addr  192.168.116.16
  remote_addr 192.168.13.213
}
## ikev2.config file on partym, 192.168.13.213
## Global Parameters
#
...
ikesa_xform { encr_alg aes(256..256) auth_alg sha384 dh_group 20 }
ikesa_xform { encr_alg aes(128..128) auth_alg sha256 dh_group 19 }
...
## The rule to communicate with enigma
##  Label must be unique
{ label "partym-enigma"
  auth_method preshared
  local_addr  192.168.13.213
  remote_addr 192.168.116.16
}
Check the syntax of the file before you enable the service:
# /usr/lib/inet/in.ikev2d -c
Caution - This file has special permissions and is owned by ikeuser. Never delete or replace this file. Instead, use the pfedit command to edit its contents so that the file retains its original properties.
Add the preshared key to the IKEv2 preshared key file on each system:
# pfedit -s /etc/inet/ike/ikev2.preshared
## ikev2.preshared on enigma, 192.168.116.16
#…
## label must match the rule that uses this key
{ label "enigma-partym"
## The preshared key can also be represented in hex
## as in 0xf47cb0f432e14480951095f82b
   key "This is an ASCII Cqret phrAz, use str0ng p@ssword tekniques"
}
For information about the options to the pfedit command, see the pfedit(1M) man page.
## ikev2.preshared on partym, 192.168.13.213
#…
## label must match the label of the rule that uses this key
{ label "partym-enigma"
## The preshared key can also be represented in hex
## as in 0xf47cb0f432e14480951095f82b
   key "This is an ASCII Cqret phrAz, use str0ng p@ssword tekniques"
}
Enable the IKEv2 service instance on each system:
# svcadm enable ipsec/ike:ikev2
When replacing a preshared key, edit the preshared key file on both peer systems so that the values still correspond, then restart the ikev2 service on each system. A key that is changed on only one peer causes the IKEv2 negotiation between them to fail.
# svcadm restart ikev2
In this example, the IKEv2 administrators create a preshared key per system, exchange them, and add each key to the preshared key file. The label of the preshared key entry matches the label in a rule in the ikev2.config file. Then, they restart the in.ikev2d daemons.
After receiving the other system's preshared key, the administrator edits the ikev2.preshared file. The file on partym is the following:
# pfedit -s /etc/inet/ike/ikev2.preshared
#…
{ label "partym-enigma"
## local and remote preshared keys 
local_key  "P-LongISH key Th@t m^st Be Ch*angEd \'reguLarLy)"
remote_key "E-CHaNge lEyeGhtB+lBs et KeeS b4 2LoOoOoOoOng"
}
Therefore, the ikev2.preshared keys file on enigma must be the following:
#…
{ label "enigma-partym"
## local and remote preshared keys 
local_key  "E-CHaNge lEyeGhtB+lBs et KeeS b4 2LoOoOoOoOng"
remote_key "P-LongISH key Th@t m^st Be Ch*angEd \'reguLarLy)"
}
The administrators restart the IKEv2 service instance on each system.
# svcadm restart ikev2
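The two requirements stated above, that the label of a preshared key entry must match a rule label in ikev2.config and that the local_key on one peer must equal the remote_key on the other, are easy to get wrong when keys are exchanged by hand. The following script is an added example, not code from the Oracle Solaris documentation; it checks both conditions on copies of the files and also prints a random key in the 0x hex form that ikev2.preshared accepts, which is a stronger choice than a typed phrase. It assumes the file syntax shown on this page (entries open with `{ label "..."`, keys are `key`, `local_key` or `remote_key` followed by a double-quoted value, labels contain no whitespace); the sample files it writes are constructed copies of the enigma and partym entries above, and the file names are hypothetical. On a live system the real files live in /etc/inet/ike and are edited only with pfedit.

```shell
#!/bin/sh
# Added example, not code from the Oracle Solaris documentation. It assumes the
# ikev2.config / ikev2.preshared syntax shown on this page: entries open with
# `{ label "..."`, keys are `key`, `local_key` or `remote_key` followed by a
# double-quoted value, and labels contain no whitespace. File names below are
# hypothetical; on a live system the files are /etc/inet/ike/ikev2.config and
# /etc/inet/ike/ikev2.preshared and are edited only with pfedit.

# gen_psk [NBYTES]: a random preshared key in the 0x... hex form that
# ikev2.preshared accepts (default 32 bytes = 256 bits), so that the key is
# not a guessable phrase. od and /dev/urandom exist on Solaris 11 and Linux.
gen_psk() {
    printf '0x%s\n' "$(od -An -v -tx1 -N "${1:-32}" /dev/urandom | tr -d ' \n')"
}

# labels FILE: the label of every rule or key entry in FILE, one per line.
labels() {
    sed -n 's/^[^#]*label[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# key_value FILE KEYWORD: the quoted value of KEYWORD (key, local_key or
# remote_key). Anchored at line start so that "key" does not match "local_key".
key_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*"\(.*\)".*$/\1/p' "$1"
}

# check_labels CONFIG PRESHARED: every label in PRESHARED must name a rule in
# CONFIG; a key whose label matches no rule is never used. Returns 1 on mismatch.
check_labels() {
    rc=0
    for l in $(labels "$2"); do
        if ! labels "$1" | grep -qx -- "$l"; then
            echo "check_labels: key \"$l\" in $2 matches no rule in $1" >&2
            rc=1
        fi
    done
    return $rc
}

# check_psk_same A B: single-key form, both peers hold the same value under key.
check_psk_same() {
    [ -n "$(key_value "$1" key)" ] &&
    [ "$(key_value "$1" key)" = "$(key_value "$2" key)" ]
}

# check_psk_pair A B: local/remote form, A's local_key must be B's remote_key
# and A's remote_key must be B's local_key.
check_psk_pair() {
    [ -n "$(key_value "$1" local_key)" ] &&
    [ "$(key_value "$1" local_key)"  = "$(key_value "$2" remote_key)" ] &&
    [ "$(key_value "$1" remote_key)" = "$(key_value "$2" local_key)" ]
}

# write_samples DIR: constructed copies of the enigma and partym entries from
# the example above, used by demo and by the checks.
write_samples() {
    cat >"$1/enigma.config" <<'EOF'
{ label "enigma-partym"
  auth_method preshared
  local_addr  192.168.116.16
  remote_addr 192.168.13.213
}
EOF
    cat >"$1/enigma.preshared" <<'EOF'
{ label "enigma-partym"
## local and remote preshared keys
local_key  "E-CHaNge lEyeGhtB+lBs et KeeS b4 2LoOoOoOoOng"
remote_key "P-LongISH key Th@t m^st Be Ch*angEd \'reguLarLy)"
}
EOF
    cat >"$1/partym.preshared" <<'EOF'
{ label "partym-enigma"
local_key  "P-LongISH key Th@t m^st Be Ch*angEd \'reguLarLy)"
remote_key "E-CHaNge lEyeGhtB+lBs et KeeS b4 2LoOoOoOoOng"
}
EOF
}

# demo: run both checks against the samples and print a fresh hex key.
demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    check_labels "$d/enigma.config" "$d/enigma.preshared" && echo "labels: ok"
    check_psk_pair "$d/enigma.preshared" "$d/partym.preshared" && echo "key pair: ok"
    echo "a 256-bit replacement key: $(gen_psk)"
    rm -rf "$d"
}

demo
```

To use the checks on real systems, copy each peer's ikev2.preshared to an administrative host over Secure Shell, run check_psk_pair on the two copies, and run check_labels against that peer's ikev2.config; the copies hold secrets and should be removed afterwards. A hex key from gen_psk is pasted into the key, local_key or remote_key value in place of the phrase, and the value then carries as much entropy as its length suggests.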
Next Steps
If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.
For more examples, see the ikev2.config(4) and ikev2.preshared(4) man pages.