The IKE implementation offers algorithms whose keys vary in length. The key length that you choose is determined by your site's security policy; in general, longer keys provide more security than shorter keys.
In this procedure, you generate keys in ASCII format.
These procedures use the system names enigma and partym. Substitute the names of your systems for the names enigma and partym.
Before You Begin
You must become an administrator who is assigned the Network IPsec Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
If you administer remotely, see Example 7–1 and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.2 for secure remote login instructions.
On each system, create the IKEv1 policy file /etc/inet/ike/config. You can use /etc/inet/ike/config.sample as a template.
The rules and global parameters in this file must permit the IPsec policy in the system's ipsecinit.conf file to succeed. The following IKEv1 configuration examples work with the ipsecinit.conf examples in How to Secure Network Traffic Between Two Servers With IPsec. Note that the global p1_xform defaults in these examples (auth_alg sha, encr_alg 3des) are legacy algorithms; the per-peer rules override them with sha256 and aes, and any rule you add should do the same rather than fall back to the defaults.
### ike/config file on enigma, 192.168.116.16
## Global parameters
#
## Defaults that individual rules can override.
p1_xform
  { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2
#
## The rule to communicate with partym
#  Label must be unique
{ label "enigma-partym"
  local_addr 192.168.116.16
  remote_addr 192.168.13.213
  p1_xform
    { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes }
  p2_pfs 5
}
### ike/config file on partym, 192.168.13.213
## Global Parameters
#
p1_xform
  { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2
## The rule to communicate with enigma
#  Label must be unique
{ label "partym-enigma"
  local_addr 192.168.13.213
  remote_addr 192.168.116.16
  p1_xform
    { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes }
  p2_pfs 5
}
Check the syntax of the file on each system:
# /usr/lib/inet/in.iked -c -f /etc/inet/ike/config
Put the preshared key in /etc/inet/secret/ike.preshared on each system. The file must be owned by root with permissions 600, and the key value must be identical on both peers.
## ike.preshared on enigma, 192.168.116.16
#…
{ localidtype IP
  localid 192.168.116.16
  remoteidtype IP
  remoteid 192.168.13.213
  # The preshared key can also be represented in hex
  # as in 0xf47cb0f432e14480951095f82b
  key "This is an ASCII Cqret phrAz, use str0ng p@ssword tekniques"
}
## ike.preshared on partym, 192.168.13.213
#…
{ localidtype IP
  localid 192.168.13.213
  remoteidtype IP
  remoteid 192.168.116.16
  # The preshared key can also be represented in hex
  # as in 0xf47cb0f432e14480951095f82b
  key "This is an ASCII Cqret phrAz, use str0ng p@ssword tekniques"
}
Enable the IKEv1 service on each system:
# svcadm enable ipsec/ike:default
When IKEv1 administrators want to refresh the preshared key, they edit the files on the peer systems and restart the in.iked daemon.
First, on every system in the two subnets that uses the preshared key, the administrator changes the preshared key entry.
# pfedit -s /etc/inet/secret/ike.preshared
…
{ localidtype IP
  localid 192.168.116.0/24
  remoteidtype IP
  remoteid 192.168.13.0/24
  # The two subnets' shared passphrase for keying material
  key "LOooong key Th@t m^st Be Ch*angEd \'reguLarLy)"
}
The -s option to pfedit marks the file as sensitive, so the changed contents are not recorded in the audit trail. For the other options, see the pfedit(1M) man page.
Then, the administrator restarts the IKEv1 service on every system so that in.iked reads the new key:
# svcadm restart ipsec/ike:default
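The key-length guidance at the top of this page and the two ike.preshared steps (the initial entries for enigma and partym, and the refresh just above) come down to the same practical requirements: a key with real entropy, byte-for-byte identical on both peers, in a root-only file. The following shell script is an added example, not code from the Oracle Solaris guide. It assumes a POSIX shell with od, sed, ls and /dev/urandom (all present on Solaris 11 and Linux), generates the key in the 0x hex form the file comments mention, writes entries into a scratch directory instead of /etc/inet/secret, and checks that the two files agree and are mode 600 before the service is restarted. The entry layout and the enigma/partym addresses are taken from the page; the function names and the 128-bit minimum are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris guide): generate an IKEv1
# preshared key, write matching ike.preshared entries for two peers into
# scratch files, and verify them before restarting ipsec/ike:default.

# Print a 0x-prefixed hex key of N random bytes (default 32 = 256 bits).
gen_psk_hex() {
    n=${1:-32}
    printf '0x%s\n' "$(od -A n -t x1 -N "$n" /dev/urandom | tr -d ' \n')"
}

# Key strength in bits for a hex key string; prints 0 if it is not hex.
psk_hex_bits() {
    hex=${1#0x}
    case $hex in
        ''|*[!0-9a-fA-F]*) echo 0 ;;
        *) echo $(( ${#hex} * 4 )) ;;
    esac
}

# Write one ike.preshared entry: file local_ip remote_ip key
# (key is either 0x... or an already double-quoted ASCII phrase).
# umask 077 makes the new file mode 600, which the daemon requires.
write_psk_entry() {
    file=$1; local_ip=$2; remote_ip=$3; key=$4
    (umask 077; cat > "$file" <<EOF
{ localidtype IP
  localid $local_ip
  remoteidtype IP
  remoteid $remote_ip
  key $key
}
EOF
    )
}

# Extract the key value (hex or quoted ASCII) from an entry file.
psk_key_of() {
    sed -n 's/^[[:space:]]*key[[:space:]]*//p' "$1"
}

# Return 0 only if both files hold the same key, a hex key is at least
# 128 bits (example's own floor), and each file is mode 600.
psk_files_consistent() {
    a=$1; b=$2
    ka=$(psk_key_of "$a"); kb=$(psk_key_of "$b")
    [ -n "$ka" ] && [ "$ka" = "$kb" ] || return 1
    case $ka in
        0x*) [ "$(psk_hex_bits "$ka")" -ge 128 ] || return 1 ;;
    esac
    for f in "$a" "$b"; do
        [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ] || return 1
    done
    return 0
}

# Demo: one key, written for enigma and partym with local/remote swapped.
demo() {
    dir=$(mktemp -d) || return 1
    key=$(gen_psk_hex 32)
    write_psk_entry "$dir/enigma.preshared" 192.168.116.16 192.168.13.213 "$key"
    write_psk_entry "$dir/partym.preshared" 192.168.13.213 192.168.116.16 "$key"
    if psk_files_consistent "$dir/enigma.preshared" "$dir/partym.preshared"; then
        echo "peers agree on a $(psk_hex_bits "$key")-bit key; restart ipsec/ike:default on both"
    else
        echo "preshared key files differ or are unprotected; fix before restarting" >&2
    fi
    rm -rf "$dir"
}

demo
```

Run it as sh and it reports whether the two scratch files agree. Against real files, feed psk_files_consistent a copy of the peer's /etc/inet/secret/ike.preshared fetched over ssh rather than pasting key material into a terminal. The 13-byte hex value shown in the file comments above (0xf47cb0f432e14480951095f82b) is 104 bits and would fail the 128-bit floor, which is exactly the kind of short key the check is meant to catch.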
Next Steps
If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.