IKEv2 supersedes IKEv1. For a comparison, see Comparison of IKEv2 and IKEv1.
The following table summarizes the configuration files for IKEv2 policy, the storage locations for IKEv2 keys, and the various commands and services that implement IKEv2. For more about services, see Chapter 1, Introduction to the Service Management Facility in Managing System Services in Oracle Solaris 11.4.
The Service Management Facility (SMF) provides the svc:/network/ipsec/ike:ikev2 service instance to manage IKEv2. By default, this service is disabled. Before enabling this service, you must create a valid IKEv2 configuration in the /etc/inet/ike/ikev2.config file.
The following ike:ikev2 service properties are configurable:
config_file property – Specifies the location of the IKEv2 configuration file. The initial value is /etc/inet/ike/ikev2.config. This file has special permissions and must be owned by ikeuser. Do not use a different file.
debug_level property – Sets the debugging level of the in.ikev2d daemon. The initial value is op, or operational. For possible values, see the table on debug levels under Object Types in the ikeadm(8) man page.
debug_logfile property – Specifies the location of the log file for debugging IKEv2. The initial value is /var/log/ikev2/in.ikev2d.log.
fragmentation_enable property – Prevents fragmentation of IKEv2 messages at the IP layer. IKEv2 fragmentation must also be enabled on the peer. The default value is true.
fragmentation_mtu property – Specifies the maximum size of an IP packet carrying an IKEv2 message, in bytes, when fragmentation_enable is true. 1350 is the default. The range is from 576 to 9216.
kmf_policy property – Sets the location of the log file for certificate policy. The default value is /etc/inet/ike/kmf-policy.xml. This file has special permissions and must be owned by ikeuser. Do not use a different file.
pkcs11_token/pin property – Sets the PIN to use to log in to the keystore when the IKEv2 daemon starts. This value must match the value that you set for the token with the ikev2cert setpin command.
pkcs11_token/uri property – Sets the PKCS #11 URI to the keystore.
For information about SMF, see Chapter 1, Introduction to the Service Management Facility in Managing System Services in Oracle Solaris 11.4. Also see the smf(7), svcadm(8), and svccfg(8) man pages.
The in.ikev2d daemon automates the management of cryptographic keys for IPsec on an Oracle Solaris system. The daemon negotiates with a remote system that is running the same protocol to provide authenticated keying materials for security associations (SAs) in a protected manner. The daemon must be running on all systems that plan to use IPsec to protect communications by using the IKEv2 protocol.
By default, the svc:/network/ipsec/ike:ikev2 service is not enabled. After you have configured the /etc/inet/ike/ikev2.config file and enabled the ike:ikev2 service instance, SMF starts the in.ikev2d daemon at system boot.
When the IKEv2 daemon runs, the system authenticates itself to its peer IKEv2 entity and establishes the session keys. At an interval specified in the configuration file, the IKE keys are replaced automatically. The in.ikev2d daemon listens for incoming IKE requests from the network and for requests for outbound traffic through the PF_KEY socket. For more information, see the pf_key(4P) man page.
Two commands support the IKEv2 daemon. The ikeadm command can be used to view the IKE policy. For more information, see ikeadm Command for IKEv2. The ikev2cert command enables you to view and manage public and private key certificates. For more information, see IKEv2 ikev2cert Command.
The IKEv2 configuration file, /etc/inet/ike/ikev2.config, manages the rules that are used to negotiate the keys for the specified network endpoints that are being protected in the IPsec policy file, /etc/inet/ipsecinit.conf.
Key management with IKE includes rules and global parameters. An IKE rule identifies the systems or networks that the keying material secures. The rule also specifies the authentication method. Global parameters include such items as the default amount of time before an IKEv2 SA is rekeyed, ikesa_lifetime_secs. For examples of IKEv2 configuration files, see Configuring IKEv2 With Preshared Keys. For examples and descriptions of IKEv2 policy entries, see the ikev2.config(5) man page.
The IPsec SAs that IKEv2 supports protect the IP packets according to the policies in the IPsec configuration file, /etc/inet/ipsecinit.conf.
The security considerations for the ike/ikev2.config file are similar to the considerations for the ipsecinit.conf file. For details, see Security Considerations for ipsecinit.conf and ipsecconf.
When the in.ikev2d daemon is running, you can use the ikeadm [-v2] command to do the following:
View aspects of the IKEv2 state.
Display IKEv2 daemon objects, such as policy rules, preshared keys, available Diffie-Hellman groups, encryption and authentication algorithms, and existing active IKEv2 SAs.
For examples and a full description of this command's options, see the ikeadm(8) man page.
The security considerations for the ikeadm command are similar to the considerations for the ipseckey command. For details, see Security Considerations for ipseckey.
The /etc/inet/ike/ikev2.preshared file contains the preshared keys that are used by the IKEv2 service. The file is owned by ikeuser and protected at 0600.
You must customize the default ikev2.preshared file when you configure a rule in the ike/ikev2.config file that requires preshared keys. Because IKEv2 uses these preshared keys to authenticate IKEv2 peers, this file must be valid before the in.ikev2d daemon reads any rules that require preshared keys.
The ikev2cert command is used to generate, store, and manage public and private keys and certificates. You use this command when the ike/ikev2.config file requires public key certificates. Because IKEv2 uses these certificates to authenticate IKEv2 peers, the certificates must be in place before the in.ikev2d daemon reads rules that require the certificates.
The ikev2cert command calls the pktool command as ikeuser.
The following ikev2cert commands manage certificates for IKEv2. The commands must be run by the ikeuser account. The results are stored in the PKCS #11 softtoken keystore.
ikev2cert setpin – Generates a PIN for the ikeuser user. This PIN is required when you use certificates.
ikev2cert gencert – Generates a self-signed certificate.
ikev2cert gencsr – Generates a certificate signing request (CSR).
ikev2cert list – Lists certificates in the keystore.
ikev2cert export – Exports certificates to a file for export.
ikev2cert import – Imports a certificate or CRL.
For information about the syntax of the ikev2cert subcommands, see the pktool(1) man page. For examples, see the ikev2cert(8) man page. For information about the softtoken keystore, see the cryptoadm(8) man page.