Securing the Network in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

IKEv1 Key Negotiation

The IKEv1 daemon, in.iked, negotiates keys and authenticates IPsec SAs in a secure manner. IKEv1 provides perfect forward secrecy (PFS). In PFS, the keys that protect data transmission are not used to derive additional keys. Also, seeds used to create data transmission keys are not reused. See the in.iked(1M) man page.

IKEv1 Phase 1 Exchange

The IKEv1 protocol has two phases. Oracle Solaris supports the Main Mode Phase 1 exchange. The Main Mode exchange negotiates acceptable parameters to create an ISAKMP security association (SA) between the two peers. This ISAKMP SA uses asymmetrical encryption to exchange its keying material and authenticates its peer using a preshared key or a public key certificate. Unlike IPsec SAs, the ISAKMP SAs are bidirectional, so only one security association is needed.

    How IKEv1 negotiates ISAKAMP SAs in the Phase 1 exchange is configurable. IKEv1 reads the configuration information from the /etc/inet/ike/config file. Configuration information includes the following:

  • Global parameters, such as the names of public key certificates

  • Whether perfect forward secrecy (PFS) is required

  • This system's IKE peers

  • The algorithms that protect Phase 1 exchanges

  • The authentication method

    The two authentication methods are preshared keys and public key certificates. The public key certificates can be self-signed or issued by a certificate authority (CA).

For more information, see the ike.config(4) man page.

IKEv1 Phase 2 Exchange

The Phase 2 exchange is known as Quick Mode. The Quick Mode exchange negotiates the IPsec algorithms and keying material that is needed to create IPsec SAs. This exchange is protected (encrypted) by the ISAKMP SA that is negotiated in Phase 1.

The algorithms and security protocols in the Quick Mode exchange come from the IPsec policy file, /etc/inet/ipsecinit.conf.

The IPsec SAs are rekeyed when they expire. The lifetime of the SA is set by the in.iked daemon when it creates the IPsec SA. This value is configurable.

For more information, see the ipsecconf(1M) and in.iked(1M) man pages.