Securing the Network in Oracle® Solaris 11.2


Updated: August 2014

How to Manually Create IPsec Keys

The following procedure provides IPsec keys for situations in which you are not relying solely on IKE for key management.

IPsec SAs that are added by using the ipseckey command are not persistent over system reboot. For persistent IPsec SAs, add entries to the /etc/inet/secret/ipseckeys file.


Caution - If you must use manual keying, take great care to ensure that the keys that you generate are secure. These are the actual keys used to secure the data.


Before You Begin

You must be in the global zone to manually manage keying material in a shared-IP zone. For an exclusive-IP zone, you configure the keying material in that exclusive-IP zone.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. Generate the keys for the IPsec SAs.

    The keys must support a specific policy in the ipsecinit.conf file. For example, you might use the policy from How to Secure Network Traffic Between Two Servers With IPsec:

    {laddr enigma raddr partym} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}

    This policy uses the AES and SHA-2 algorithms.

    1. Determine the keys that you require.

        You need to generate keys for aes and sha512, and security parameter index (SPI) values for the SA:

      • Two hexadecimal random numbers as the value for the SPI. One number is for outbound traffic. One number is for inbound traffic. Each number can be up to eight characters long.

      • Two hexadecimal random numbers for the SHA-2 authentication algorithm. Each number must be 512 characters long. One number is for dst enigma. One number is for dst partym.

      • Two hexadecimal random numbers for the AES encryption algorithm. Each number must be 128 characters long. One number is for dst enigma. One number is for dst partym.


      Note - The ipsecalgs -l command displays the key sizes of the algorithms. When you use manual keys, follow this procedure, that is, use the SHA512 and AES algorithms. Do not use weak algorithms, the combined mode algorithms, or the GMAC algorithms for manual keys.

    2. Generate the required keys.
  2. Add the keys to the manual keys file for IPsec.
    1. Edit the /etc/inet/secret/ipseckeys file on the enigma system to appear similar to the following:
      ## ipseckeys - This file takes the file format documented in 
      ##  ipseckey(1m).
      #   Note that naming services might not be available when this file
      #   loads, just like ipsecinit.conf.
      #
      #   Backslashes indicate command continuation.
      #
      # for outbound packets on enigma
      add esp spi 0x8bcd1407 \
         src 192.168.116.16 dst 192.168.13.213  \
         encr_alg aes \
         auth_alg sha512  \
         encrkey  d41fb74470271826a8e7a80d343cc5aa... \
         authkey  e896f8df7f78d6cab36c94ccf293f031...
      #
      # for inbound packets
      add esp spi 0x122a43e4 \
         src 192.168.13.213 dst 192.168.116.16 \
         encr_alg aes \
         auth_alg sha512  \
         encrkey dd325c5c137fb4739a55c9b3a1747baa... \
         authkey ad9ced7ad5f255c9a8605fba5eb4d2fd...
    2. Protect the file with read-only permissions.
      # chmod 400 /etc/inet/secret/ipseckeys

      If you used the pfedit -s command to create the ipseckeys file, then the permissions are correctly set. For more information, see the pfedit(1M) man page.

    3. Verify the syntax of the file.
      # ipseckey -c /etc/inet/secret/ipseckeys

    Note - The keys on the two systems must be identical.
  3. Activate the keys for IPsec.
    • If the manual-key service is not enabled, enable it.
      % svcs manual-key
      STATE          STIME    FMRI
      disabled       Apr_10   svc:/network/ipsec/manual-key:default
      # svcadm enable ipsec/manual-key
    • If the manual-key service is enabled, refresh it.
      # svcadm refresh ipsec/manual-key
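
The key-generation part of step 1 and the ipseckeys entries of step 2, as an added shell example that is not code from the Oracle Solaris documentation. It assumes key lengths in bits as ipsecalgs -l reports them (512 for hmac-sha512, 128 for aes), the enigma and partym addresses from the sample file above, and a system with /dev/urandom and od(1).

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): generate the random
# hexadecimal SPIs and keys for one pair of ESP SAs and print them as the
# "add esp" entries used in /etc/inet/secret/ipseckeys.
# Assumption: key lengths are in bits, as ipsecalgs -l reports them.

# Read N bytes from /dev/urandom and print them as 2N lowercase hex digits.
rand_hex() {
    od -An -vtx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# Key of the given length in bits, as a hex string without a 0x prefix.
# Refuses lengths that are not whole bytes.
gen_key_bits() {
    bits=$1
    if [ "$((bits % 8))" -ne 0 ]; then
        echo "key length $bits bits is not a multiple of 8" >&2
        return 1
    fi
    rand_hex "$((bits / 8))"
}

# 32-bit SPI as 0x plus eight hex digits. SPI values 0-255 are reserved
# (RFC 4303), so redraw if the random value falls in that range.
gen_spi() {
    while :; do
        spi=$(rand_hex 4)
        if [ "$((0x$spi))" -gt 255 ]; then
            echo "0x$spi"
            return 0
        fi
    done
}

# One ipseckeys "add esp" entry; arguments: spi src dst encrkey authkey.
emit_sa() {
    printf 'add esp spi %s \\\n   src %s dst %s \\\n   encr_alg aes \\\n   auth_alg sha512 \\\n   encrkey %s \\\n   authkey %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Demonstration with the enigma/partym addresses from this page. Redirect the
# output into a file readable only by root, check it with ipseckey -c, and
# install the identical file on both systems.
ENIGMA=192.168.116.16
PARTYM=192.168.13.213
echo "# for outbound packets on enigma"
emit_sa "$(gen_spi)" "$ENIGMA" "$PARTYM" "$(gen_key_bits 128)" "$(gen_key_bits 512)"
echo "# for inbound packets"
emit_sa "$(gen_spi)" "$PARTYM" "$ENIGMA" "$(gen_key_bits 128)" "$(gen_key_bits 512)"
```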

Next Steps

If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.