IPsec policy is enabled by default, but it lacks configuration information.
Key management is not enabled by default. You can configure IKE or manual key management, or both. Each IKE rule indicates which key management service is used. The ikeadm command can modify the running IKE daemon.
Configuring and refreshing IPsec, then viewing policy:
# pfedit /etc/inet/ipsecinit.conf
# ipsecconf -c /etc/inet/ipsecinit.conf
# svcadm refresh ipsec/policy
# ipsecconf -Ln
Configuring and enabling manual keys for IPsec:
# pfedit -s /etc/inet/secret/ipseckeys
# svcadm enable ipsec/manual-key
Configuring and enabling IKEv2:
# pfedit /etc/inet/ike/ikev2.config
# /usr/lib/inet/in.ikev2d -c
# svcadm enable ipsec/ike:ikev2
Configuring and enabling IKEv1:
# pfedit /etc/inet/ike/config
# /usr/lib/inet/in.iked -c
# svcadm enable ipsec/ike:default
Verifying that IPsec and IKE are configured on a system where the services are enabled:
# ipsecconf -Ln
# ikeadm -v2 dump rule
# ikeadm set priv keymat
# ikeadm -v1 dump rule
Modifying key management:
For IKEv2:
# pfedit /etc/inet/ike/ikev2.config
# /usr/lib/inet/in.ikev2d -c
# svcadm restart ipsec/ike:ikev2
For IKEv1:
# pfedit /etc/inet/ike/config
# /usr/lib/inet/in.iked -c
# svcadm restart ipsec/ike:default
For manual key management:
# pfedit -s /etc/inet/secret/ipseckeys
# ipseckey -c /etc/inet/secret/ipseckeys
# svcadm refresh ipsec/manual-key
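Every procedure above follows the same pattern: edit the file, run the tool's own syntax check (ipsecconf -c, ipseckey -c, in.iked -c, in.ikev2d -c), then refresh or restart the SMF service. The script below is an added example, not part of the Oracle documentation, that turns the check into a gate so that a file with a syntax error never reaches the refresh or restart step, where it could leave the policy partly loaded or the IKE daemon down. The tool paths are shell variables so the logic can be exercised on a host without the Solaris commands; the variables, the function names and the check-before-apply wrapper are this example's own assumptions, while the commands and arguments themselves are the ones the page shows.

```sh
#!/bin/sh
# ipsec_reload.sh: validate an IPsec or IKE configuration file before
# reloading the SMF service that consumes it.
# Added example for the procedures on this page; not Oracle's code.
# Assumption: the tools accept exactly the arguments shown on the page.
# Overridable so the control flow can be tested where the tools are absent.
: "${IPSECCONF:=ipsecconf}"
: "${IPSECKEY:=ipseckey}"
: "${IN_IKED:=/usr/lib/inet/in.iked}"
: "${IN_IKEV2D:=/usr/lib/inet/in.ikev2d}"
: "${SVCADM:=svcadm}"

# reload_policy [FILE]: syntax-check the policy file, then refresh
# ipsec/policy. Returns 1 without touching the service if the check fails.
reload_policy() {
    cfg=${1:-/etc/inet/ipsecinit.conf}
    "$IPSECCONF" -c "$cfg" || {
        echo "policy check failed, ipsec/policy not refreshed: $cfg" >&2
        return 1
    }
    "$SVCADM" refresh ipsec/policy
}

# reload_manual_keys [FILE]: check the manual SA file, then refresh
# ipsec/manual-key. The file holds keying material, so it is never echoed.
reload_manual_keys() {
    cfg=${1:-/etc/inet/secret/ipseckeys}
    "$IPSECKEY" -c "$cfg" || {
        echo "ipseckeys check failed, ipsec/manual-key not refreshed" >&2
        return 1
    }
    "$SVCADM" refresh ipsec/manual-key
}

# reload_ike VERSION: each IKE daemon parses its own config with -c;
# the matching SMF instance is restarted only when that parse succeeds.
reload_ike() {
    case $1 in
        1) daemon=$IN_IKED;   fmri=ipsec/ike:default ;;
        2) daemon=$IN_IKEV2D; fmri=ipsec/ike:ikev2 ;;
        *) echo "usage: reload_ike 1|2" >&2; return 2 ;;
    esac
    "$daemon" -c || {
        echo "IKEv$1 config check failed, $fmri left running as is" >&2
        return 1
    }
    "$SVCADM" restart "$fmri"
}

# Command-line entry point. With no arguments the script only defines the
# functions, so it can also be sourced from another script.
case ${1:-} in
    policy) reload_policy "$2" ;;
    manual) reload_manual_keys "$2" ;;
    ikev1)  reload_ike 1 ;;
    ikev2)  reload_ike 2 ;;
    "")     ;;
    *)      echo "usage: $0 policy|manual|ikev1|ikev2 [FILE]" >&2; exit 2 ;;
esac
```

After editing /etc/inet/ike/ikev2.config, run ipsec_reload.sh ikev2; after editing the policy file, ipsec_reload.sh policy. A non-zero exit from the check leaves the running service untouched, which is the behaviour you want on a host whose traffic is already being protected by the old policy.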
Modifying IPsec and IKE configurable properties:
IPsec service:
# svccfg -s ipsec/policy setprop config/property = value
# svcadm refresh ipsec/policy; svcadm restart ipsec/policy
IKEv2 service for sensitive keying material:
# svccfg -s ike:ikev2 editprop
# svcadm refresh ipsec/ike:ikev2; svcadm restart ipsec/ike:ikev2
IKEv2 service for other properties:
# svccfg -s ike:ikev2 setprop config/property = value
# svcadm refresh ipsec/ike:ikev2; svcadm restart ipsec/ike:ikev2
For an example of why you would change a property value, see Example 44, Preventing the Loss of IKEv2 Messages From Intermediate Devices.
IKEv1 service:
# svccfg -s ipsec/ike setprop config/property = value
# svcadm refresh ipsec/ike:default; svcadm restart ipsec/ike:default
Manual keys service:
# svccfg -s ipsec/manual-key setprop config/property = value
# svcadm refresh ipsec/manual-key; svcadm restart ipsec/manual-key
Configuring preshared keys for IKEv2:
# pfedit -s /etc/inet/ike/ikev2.preshared
# /usr/lib/inet/in.ikev2d -c
# svcadm restart ikev2
Configuring preshared keys for IKEv1:
# pfedit -s /etc/inet/secret/ike.preshared
# svcadm restart ike