Securing the Network in Oracle® Solaris 11.2


Updated: August 2014

IKEv1 Daemon

The in.iked daemon automates the management of IPsec SAs, which include the cryptographic keys that protect the packets that use IPsec. The daemon securely negotiates ISAKMP SAs and IPsec SAs with a peer system that is running the IKEv1 protocol.

By default, the svc:/network/ipsec/ike:default service is not enabled. After you have configured the /etc/inet/ike/config file and enabled the ike:default service, SMF starts the in.iked daemon at system boot. In addition to the /etc/inet/ike/config file, further configuration is stored in other files and databases, or as SMF properties. For more information, see IKEv1 Utilities and Files, and the ike.preshared(4), ikecert(1M), and in.iked(1M) man pages.

After the ike:default service is enabled, the in.iked daemon reads the configuration files and listens for external requests from an IKE peer and internal requests from IPsec for SAs.

For external requests from an IKEv1 peer, the configuration of the ike:default service determines how the daemon responds. Internal requests are routed through the PF_KEY interface. This interface handles communication between the kernel part of IPsec, which stores the IPsec SAs and performs packet encryption and decryption, and the key management daemon, in.iked, which runs in userland. When the kernel needs an SA to protect a packet, it sends a message through the PF_KEY interface to the in.iked daemon. For more information, see the pf_key(7P) man page.

Two commands support the IKEv1 daemon. The ikeadm command provides a command line interface to the running daemon. The ikecert command manages the certificate databases, ike.privatekeys and publickeys, on your disk and on hardware.

For more information about these commands, see the in.iked(1M), ikeadm(1M), and ikecert(1M) man pages.
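The following shell script is an added example, not part of the Oracle documentation, that walks through the procedure above end to end: it renders a minimal /etc/inet/ike/config with one preshared-key rule and the matching /etc/inet/secret/ike.preshared entry, checks that secrets never land in the world-readable config file, asks in.iked itself to syntax-check the file (the -c and -f options of in.iked(1M)), enables svc:/network/ipsec/ike:default, and confirms the running daemon answers ikeadm. The addresses, label and key are constructed placeholders, and the Solaris-specific steps only run when invoked with the argument apply on a host that has svcadm; the rendering and checking functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): configure and
# enable the IKEv1 daemon for a preshared-key policy between two hosts.
# Addresses, label and key below are constructed placeholders.
set -eu

IKE_CONFIG=${IKE_CONFIG:-/etc/inet/ike/config}
IKE_PRESHARED=${IKE_PRESHARED:-/etc/inet/secret/ike.preshared}
IKE_SVC=svc:/network/ipsec/ike:default

# Minimal ike/config: a global Phase 1 transform, PFS for Phase 2, and one
# rule for traffic between the two placeholder addresses.
render_ike_config() {
    cat <<'EOF'
### Constructed example ike/config (placeholder addresses)
p1_xform { auth_method preshared oakley_group 14 auth_alg sha256 encr_alg aes }
p2_pfs 14

{
    label "example-hostA-hostB"
    local_addr 192.0.2.10
    remote_addr 192.0.2.20
    p1_xform { auth_method preshared oakley_group 14 auth_alg sha256 encr_alg aes }
}
EOF
}

# ike.preshared entry matching the rule above; the key is a placeholder and
# lives only in this mode-600 file, never in ike/config.
render_ike_preshared() {
    cat <<'EOF'
# Constructed example ike.preshared (placeholder key)
{
    localidtype IP
    localid 192.0.2.10
    remoteidtype IP
    remoteid 192.0.2.20
    key 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
}
EOF
}

# Portable pre-flight check on a rendered config file: every rule needs a
# label, both addresses and a Phase 1 transform, and no "key" line may appear
# (preshared keys belong in ike.preshared). Returns 0 when the file passes.
check_ike_config() {
    conf=$1
    for kw in label local_addr remote_addr p1_xform; do
        if ! grep -q "^[[:space:]]*$kw " "$conf"; then
            echo "ike/config check: missing $kw" >&2
            return 1
        fi
    done
    if grep -q '^[[:space:]]*key ' "$conf"; then
        echo "ike/config check: preshared key material found in config" >&2
        return 1
    fi
    return 0
}

# Solaris-only: install both files, let the daemon syntax-check the config,
# enable the SMF service and confirm the daemon is answering.
apply_ike_config() {
    render_ike_config > "$IKE_CONFIG"
    check_ike_config "$IKE_CONFIG"
    render_ike_preshared > "$IKE_PRESHARED"
    chmod 600 "$IKE_PRESHARED"                 # keys are secrets
    /usr/lib/inet/in.iked -c -f "$IKE_CONFIG"  # syntax check, daemon not started
    svcadm enable "$IKE_SVC"                   # SMF now starts in.iked at boot too
    svcs -l "$IKE_SVC"
    ikeadm get defaults                        # talks to the running daemon
}

if [ "${1:-}" = apply ] && command -v svcadm >/dev/null 2>&1; then
    apply_ike_config
fi
```

Run it as `sh ike-setup.sh apply` on the Solaris host as root; on any other system it only defines the functions, which is enough to lint a candidate config with `render_ike_config > /tmp/ike.config && check_ike_config /tmp/ike.config` before copying it into place.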