You can check the syntax of the IPsec configuration file, the IPsec keys file, and the validity of certificates in the keystore before running the services.
# ipsecconf -c /etc/inet/ipsecinit.conf
ipsecconf: Invalid pattern on line 5: ukp
ipsecconf: form_ipsec_conf error
ipsecconf: Malformed command (fatal):
 { ukp 58 type 133-137 dir out} pass {}
ipsecconf: 1 policy rule(s) contained errors.
ipsecconf: Fatal error - exiting.
If the output shows an error, fix it and run the command until the verification succeeds.
# ipseckey -c /etc/inet/secret/ipseckeys
Config file /etc/inet/secret/ipseckeys has insecure permissions,
will be rejected in permanent config.
If the output shows an error, fix the error, then refresh the service.
# svcadm refresh ipsec/policy
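The checks above are run by hand, one after another. The following script, added here as an example and not taken from the Oracle documentation or the Solaris tools themselves, wraps them into a single pre-flight step: it verifies the policy file syntax, checks that the keys file is not readable by group or other (the condition behind the "insecure permissions" message, assumed here to mean that only the owner may hold any permission bits), verifies the keys file syntax, and refreshes the service only when every check has passed. The function names, the default file paths (taken from the page) and the fail-closed handling of a missing tool are this example's own choices.

```shell
#!/bin/sh
# Added example: pre-flight wrapper around the IPsec syntax checks.
# Assumption: the keys file must have no group/other permission bits set.

# Return 0 if the file exists and grants no permission bits to group or other.
# Parses 'ls -ld' rather than 'stat' so it behaves the same on Solaris,
# Linux and BSD (stat's flags differ between them).
keys_file_mode_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c5-10)   # characters 5-10 are the group and other fields
    case $mode in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run a command only if it is installed; a missing tool is treated as a
# failed check (exit 127) so that the pre-flight never passes by accident
# on a host where the IPsec tools are absent.
run_check() {
    tool=$1; shift
    if command -v "$tool" >/dev/null 2>&1; then
        "$tool" "$@"
    else
        echo "error: $tool not found, check not performed" >&2
        return 127
    fi
}

# Full pre-flight: policy syntax, keys file permissions, keys syntax.
# The service is refreshed only when all three checks succeed.
ipsec_preflight() {
    policy=${1:-/etc/inet/ipsecinit.conf}
    keys=${2:-/etc/inet/secret/ipseckeys}

    run_check ipsecconf -c "$policy" \
        || { echo "$policy: syntax check failed" >&2; return 1; }

    keys_file_mode_ok "$keys" \
        || { echo "$keys: missing or has group/other permission bits set" >&2; return 1; }

    run_check ipseckey -c "$keys" \
        || { echo "$keys: syntax check failed" >&2; return 1; }

    run_check svcadm refresh ipsec/policy
}
```

Source the file and call ipsec_preflight with no arguments to use the paths shown on this page, or pass the policy file and keys file paths explicitly. The permissions check runs before ipseckey so that the more common cause of rejection is reported with a plain message, and a non-zero exit from any step stops the script before the refresh.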
To verify the validity of self-signed certificates in IKEv2, perform Step 4 in How to Configure IKEv2 With Self-Signed Public Key Certificates.
To verify that a public key certificate is not revoked in IKEv2, follow the procedure How to Set a Certificate Validation Policy in IKEv2.
To verify the validity of self-signed certificates in IKEv1, perform Step 4 in How to Configure IKEv1 With Self-Signed Public Key Certificates.
To verify that a public key certificate is not revoked in IKEv1, follow the procedure How to Handle Revoked Certificates in IKEv1.
Next Steps
If your configuration does not work when you enable IPsec and its keying services, you must troubleshoot while the services are running.