The IKEv1 daemon, in.iked, negotiates keys and authenticates IPsec SAs in a secure manner. IKEv1 provides perfect forward secrecy (PFS). In PFS, the keys that protect data transmission are not used to derive additional keys. Also, seeds used to create data transmission keys are not reused. See the in.iked(1M) man page.
The IKEv1 protocol has two phases. Oracle Solaris supports the Main Mode Phase 1 exchange. The Main Mode exchange negotiates acceptable parameters to create an ISAKMP security association (SA) between the two peers. This ISAKMP SA uses asymmetrical encryption to exchange its keying material and authenticates its peer using a preshared key or a public key certificate. Unlike IPsec SAs, the ISAKMP SAs are bidirectional, so only one security association is needed.
How IKEv1 negotiates ISAKAMP SAs in the Phase 1 exchange is configurable. IKEv1 reads the configuration information from the /etc/inet/ike/config file. Configuration information includes the following:
Global parameters, such as the names of public key certificates
Whether perfect forward secrecy (PFS) is required
This system's IKE peers
The algorithms that protect Phase 1 exchanges
The authentication method
The two authentication methods are preshared keys and public key certificates. The public key certificates can be self-signed or issued by a certificate authority (CA).
For more information, see the ike.config(4) man page.
The Phase 2 exchange is known as Quick Mode. The Quick Mode exchange negotiates the IPsec algorithms and keying material that is needed to create IPsec SAs. This exchange is protected (encrypted) by the ISAKMP SA that is negotiated in Phase 1.
The algorithms and security protocols in the Quick Mode exchange come from the IPsec policy file, /etc/inet/ipsecinit.conf.
The IPsec SAs are rekeyed when they expire. The lifetime of the SA is set by the in.iked daemon when it creates the IPsec SA. This value is configurable.