Security associations (SAs) require keying material for authentication and for encryption. Managing this keying material is called key management. Oracle Solaris provides two methods for managing the keys for IPsec SAs: IKE and manual key management.
The Internet Key Exchange (IKE) protocol handles key management automatically. Oracle Solaris 11.2 supports both IKE version 2 (IKEv2) and IKE version 1 (IKEv1).
The use of IKE to manage IPsec SAs is encouraged. These key management protocols offer the following advantages:
Provide strong peer authentication
Automatically generate SAs with a high quality random key source
Do not require administrative intervention to generate new SAs
For more information, see How IKE Works.
The use of manual keys is more complicated than IKE and is potentially risky. A system file, /etc/inet/secret/ipseckeys, contains the encryption keys. If these keys are compromised, they can be used to decrypt recorded network traffic. Because IKE frequently changes the keys, the window of exposure to such a compromise is much smaller. Using the ipseckeys file or its command interface, ipseckey, is appropriate only for systems that do not support IKE.
While the ipseckey command has only a limited number of general options, it supports a rich command language. You can also deliver requests through PF_KEY, the programmatic interface used for manual keying. For additional information, see the ipseckey(1M) and pf_key(7P) man pages.
Typically, manual SA generation is used when IKE is unavailable for some reason. However, as long as the SPI values do not collide, manually keyed SAs and IKE-negotiated SAs can be used at the same time.
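Because a manual keying file is only as safe as its contents, an administrator who must mix manual SAs with IKE (previous paragraph) or who keeps keys in /etc/inet/secret/ipseckeys at all (paragraph on manual keys above) benefits from auditing the file before loading it. The following script is an added example, not part of Oracle's documentation or tooling: it parses entries written in the ipseckey(1M) `add` syntax (a constructed sample with placeholder keys is embedded), flags SPI values reused for the same protocol and destination, and flags keys that are shorter than the assumed minimum for their algorithm.

```python
from collections import Counter

# Assumed minimum key sizes in bits: AES-128 floor, HMAC key equal to digest size.
MIN_KEY_BITS = {"aes": 128, "sha1": 160, "sha256": 256}

# Constructed sample in ipseckey(1M) 'add' syntax; the hex keys are placeholders.
SAMPLE = r"""
# not a real /etc/inet/secret/ipseckeys
add esp spi 0x2890 src 192.0.2.10 dst 192.0.2.20 encr_alg aes auth_alg sha256 \
    encrkey 00112233445566778899aabbccddeeff \
    authkey 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
add esp spi 0x2891 src 192.0.2.20 dst 192.0.2.10 encr_alg aes auth_alg sha256 \
    encrkey ffeeddccbbaa99887766554433221100 \
    authkey ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
add esp spi 0x2890 src 192.0.2.30 dst 192.0.2.20 encr_alg aes auth_alg sha256 \
    encrkey 0123456789abcdef \
    authkey 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""

def parse_ipseckeys(text):
    """Return one dict per 'add' entry; joins '\\' continuations, drops '#' comments."""
    joined = text.replace("\\\n", " ")
    entries = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("add"):
            continue  # blank lines, flush, dump etc. do not define an SA
        tokens = line.split()
        sa = {"proto": tokens[1]}  # e.g. esp or ah
        sa.update(zip(tokens[2::2], tokens[3::2]))  # keyword/value pairs
        entries.append(sa)
    return entries

def audit(entries):
    """Return problem strings: SPI reuse per (proto, dst) and undersized keys."""
    problems = []
    seen = Counter((e["proto"], e["dst"], int(e["spi"], 16)) for e in entries)
    for (proto, dst, spi), n in seen.items():
        if n > 1:
            problems.append(f"spi 0x{spi:x} reused {n} times for {proto} to {dst}")
    for e in entries:
        for alg_key, key_key in (("encr_alg", "encrkey"), ("auth_alg", "authkey")):
            alg = e.get(alg_key)
            if alg in MIN_KEY_BITS and len(e.get(key_key, "")) * 4 < MIN_KEY_BITS[alg]:
                problems.append(f"spi {e['spi']}: {key_key} too short for {alg}")
    return problems

def audit_file(text):
    return audit(parse_ipseckeys(text))
```

Running `audit_file(open("/etc/inet/secret/ipseckeys").read())` as root reports each collision and short key; on the constructed sample it reports the reused SPI 0x2890 and the 64-bit AES key in the third entry.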