How to Update IKEv1 for a New Peer System

If you add IPsec policy entries to a working configuration between the same peers, you need to refresh the IPsec policy service. You do not need to reconfigure or restart IKEv1.

If you add a new peer to the IPsec policy, in addition to the IPsec changes, you must modify the IKEv1 configuration.

Before You Begin

You have updated the ipsecinit.conf file and refreshed IPsec policy for the peer systems.

You must become an administrator who is assigned the Network IPsec Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

If you administer remotely, see Example 7–1 and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.2 for secure remote login instructions.

1. Create a rule for IKEv1 to manage the keys for the new system that is using IPsec.
   1. For example, on the enigma system, add the following rule to the /etc/inet/ike/config file:

      ### ike/config file on enigma, 192.168.116.16
       
      ## The rule to communicate with ada
      
      {label "enigma-to-ada"
       local_addr 192.168.116.16
       remote_addr 192.168.15.7
       p1_xform
       {auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes}
       p2_pfs 5
      	}

   2. On the ada system, add the following rule:

      ### ike/config file on ada, 192.168.15.7
       
      ## The rule to communicate with enigma
      
      {label "ada-to-enigma"
       local_addr 192.168.15.7
       remote_addr 192.168.116.16
       p1_xform
       {auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes}
       p2_pfs 5
      }

2. Create an IKEv1 preshared key for the peer systems.
   1. On the enigma system, add the following information to the /etc/inet/secret/ike.preshared file:

      ## ike.preshared on enigma for the ada interface
      ##
      { localidtype IP
        localid 192.168.116.16
        remoteidtype IP
        remoteid 192.168.15.7
        # enigma and ada's shared key
        key "Twas brillig and the slivey toves did *s0mEtHiNg* be CareFULL hEEEr"
      }

   2. On the ada system, add the following information to the ike.preshared file:

      ## ike.preshared on ada for the enigma interface
      ##
      { localidtype IP
        localid 192.168.15.7
        remoteidtype IP
        remoteid 192.168.116.16
        # ada and enigma's shared key
        key "Twas brillig and the slivey toves did *s0mEtHiNg* be CareFULL hEEEr"
      }

3. On each system, refresh the ike service.

   # svcadm refresh ike:default

Next Steps

If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.