Go to main content

Securing the Network in Oracle® Solaris 11.4

Exit Print View

Updated: January 2019
 
 

How to Troubleshoot Systems Before IPsec and IKE Are Running

You can check the syntax of the IPsec configuration file, the IPsec keys file, and the validity of certificates in the keystore before running the services.

  1. Verify the syntax of the IPsec configuration file.
    # ipsecconf -c /etc/inet/ipsecinit.conf
    ipsecconf: Invalid pattern on line 5: ukp
    ipsecconf: form_ipsec_conf error
    ipsecconf: Malformed command (fatal):
    { ukp 58 type 133-137 dir out} pass {}
    
    ipsecconf: 1 policy rule(s) contained errors.
    ipsecconf: Fatal error - exiting.

    If the output shows an error, fix it and run the command until the verification succeeds.

  2. Verify the syntax of the ipseckeys file.
    # ipseckey -c /etc/inet/secret/ipseckeys
    Config file /etc/inet/secret/ipseckeys has insecure permissions, 
    will be rejected in permanent config.

    If the output shows an error, fix the error then refresh the service.

    # svcadm refresh ipsec/policy

    Note -  The IKE configuration files and IKE preshared key files are validated by a running IKE daemon.
  3. Verify the validity of the certificates.

Next Steps

If your configuration does not work when you enable IPsec and its keying services, you must troubleshoot while the services are running.