Securing the Network in Oracle® Solaris 11.3

Updated: March 2018

IKEv1 Reference

The following sections provide reference information about IKEv1. IKEv1 is superseded by IKEv2, which offers faster automated key management. For more information about IKEv2, see IKEv2 Reference. For a comparison, see Comparison of IKEv2 and IKEv1.

IKEv1 Utilities and Files

The following table summarizes the configuration files for IKEv1 policy, the storage locations for IKEv1 keys, and the various commands and services that implement IKEv1. For more about services, see Chapter 1, Introduction to the Service Management Facility in Managing System Services in Oracle Solaris 11.3.

Table 18  IKEv1 Service Name, Commands, Configuration and Key Storage Locations, and Hardware Devices

| Service, Command, File, or Device | Description | Man Page |
|---|---|---|
| svc:/network/ipsec/ike:default | The SMF service that manages IKEv1. | |
| /usr/lib/inet/in.iked | Internet Key Exchange (IKEv1) daemon. Activates automated key management when the ike service is enabled. | |
| /usr/sbin/ikeadm [-v1] | IKE administration command for viewing and temporarily modifying the IKE policy. Enables you to view IKE administrative objects such as Phase 1 algorithms and available Diffie-Hellman groups. | |
| /usr/sbin/ikecert | Certificate database management command for manipulating local databases that hold public key certificates. The databases can also be stored on attached hardware. | |
| /etc/inet/ike/config | Default configuration file for the IKEv1 policy. Contains the site's rules for matching inbound IKEv1 requests and preparing outbound IKEv1 requests. If this file exists, the in.iked daemon starts when the ike service is enabled. You can change the location of this file by using the svccfg command. | |
| ike.preshared | Preshared keys file in the /etc/inet/secret directory. Contains secret keys for authentication in the Phase 1 exchange. Used when configuring IKEv1 with preshared keys. | |
| ike.privatekeys | Private keys directory in the /etc/inet/secret directory. Contains the private keys that are part of a public-private key pair. | |
| publickeys directory | Directory in the /etc/inet/ike directory that holds public keys and certificate files. Contains the public key part of a public-private key pair. | |
| crls directory | Directory in the /etc/inet/ike directory that holds revocation lists for public keys and certificate files. | |
| Sun Crypto Accelerator 6000 board | Hardware that accelerates public key operations by offloading the operations from the operating system. The board also stores public keys, private keys, and public key certificates. The Sun Crypto Accelerator 6000 board is a FIPS 140-2 certified device at Level 3. | |

IKEv1 Service

The Service Management Facility (SMF) provides the svc:/network/ipsec/ike:default service to manage IKEv1. By default, this service is disabled. Before enabling this service, you must create an IKEv1 configuration file, /etc/inet/ike/config.

The following ike service properties are configurable:

  • config_file property – Sets the location of the IKEv1 configuration file. The initial value is /etc/inet/ike/config.

  • debug_level property – Sets the debugging level of the in.iked daemon. The initial value is op, or operational. For possible values, see the table on debug levels under Object Types in the ikeadm(1M) man page.

  • admin_privilege property – Sets the level of privilege of the in.iked daemon. The initial value is base. Other values are modkeys and keymat. For details, see IKEv1 ikeadm Command.

For information about SMF, see Chapter 1, Introduction to the Service Management Facility in Managing System Services in Oracle Solaris 11.3. Also see the smf(5), svcadm(1M), and svccfg(1M) man pages.

IKEv1 Daemon

The in.iked daemon automates the management of IPsec SAs, which include the cryptographic keys that protect the packets that use IPsec. The daemon securely negotiates ISAKMP SAs and IPsec SAs with a peer system that is running the IKEv1 protocol.

By default, the svc:/network/ipsec/ike:default service is not enabled. After you have configured the /etc/inet/ike/config file and enabled the ike:default service, SMF starts the in.iked daemon at system boot. In addition to the /etc/inet/ike/config file, further configuration is stored in other files and databases, or as SMF properties. For more information, see IKEv1 Utilities and Files, and the ike.preshared(4), ikecert(1M), and in.iked(1M) man pages.

After the ike:default service is enabled, the in.iked daemon reads the configuration files and listens for external requests from an IKE peer and internal requests from IPsec for SAs.

For external requests from an IKEv1 peer, the configuration of the ike:default service determines how the daemon responds. Internal requests are routed through the PF_KEY interface. This interface handles communication between the kernel part of IPsec, which stores the IPsec SAs and performs packet encryption and decryption, and the key management daemon, in.iked, which runs in userland. When the kernel needs an SA to protect a packet, it sends a message through the PF_KEY interface to the in.iked daemon. For more information, see the pf_key(7P) man page.

Two commands support the IKEv1 daemon. The ikeadm command provides a command line interface to the running daemon. The ikecert command manages the certificate databases, ike.privatekeys and publickeys, on your disk and on hardware.

For more information about these commands, see the in.iked(1M), ikeadm(1M), and ikecert(1M) man pages.

IKEv1 Configuration File

The IKEv1 configuration file, /etc/inet/ike/config, manages the SAs for network packets that need IPsec protection according to the policies in the IPsec configuration file, /etc/inet/ipsecinit.conf.

Key management with IKE includes rules and global parameters. An IKEv1 rule identifies systems that are running another IKEv1 daemon. The rule also specifies the authentication method. Global parameters include such items as the path to an attached hardware accelerator. For examples of IKEv1 policy files, see Configuring IKEv2 With Preshared Keys. For examples and descriptions of IKEv1 policy entries, see the ike.config(4) man page.

The /etc/inet/ike/config file can include the path to a library that is implemented according to the following standard: RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki). IKEv1 uses this PKCS #11 library to access hardware for key acceleration and key storage.

The security considerations for the ike/config file are similar to the considerations for the ipsecinit.conf file. For details, see Security Considerations for ipsecinit.conf and ipsecconf.

IKEv1 ikeadm Command

You can use the ikeadm command to do the following:

  • View aspects of the IKE state

  • Change the properties of the IKE daemon

  • Display statistics on SA creation during the Phase 1 exchange

  • Debug IKE protocol exchanges

  • Display IKE daemon objects, such as all Phase 1 SAs, policy rules, preshared keys, available Diffie-Hellman groups, Phase 1 encryption and authentication algorithms, and the certificate cache

For examples and a full description of this command's options, see the ikeadm(1M) man page.

The privilege level of the running IKE daemon determines which aspects of the IKE daemon can be viewed and modified. Three levels of privilege are possible:

base level

You cannot view or modify keys. The base level is the default level of privilege.

keymat level

You can view the actual keys with the ikeadm command.

modkeys level

You can remove, change, and add preshared keys.

For a temporary privilege change, you can use the ikeadm command. For a permanent change, change the admin_privilege property of the ike service. For the temporary privilege change, see Managing the Running IKE Daemons.

The security considerations for the ikeadm command are similar to the considerations for the ipseckey command. See Security Considerations for ipseckey. For details that are specific to the ikeadm command, see the ikeadm(1M) man page.

IKEv1 Preshared Keys Files

When you create preshared keys manually, the keys are stored in files in the /etc/inet/secret directory. The ike.preshared file contains the preshared keys for the Phase 1 exchange when you configure a rule in the ike/config to use preshared keys. The ipseckeys file contains the preshared keys that are used to protect IP packets. The files are protected at 0600. The secret directory is protected at 0700.

Because the preshared keys are used to authenticate the Phase 1 exchange, the file must be valid before the in.iked daemon starts.

For examples of manually managing IPsec keys, see How to Manually Create IPsec Keys.

IKEv1 Public Key Databases and Commands

The ikecert command manages the local system's public/private keys, public certificates, and static CRLs databases. You use this command when the IKEv1 configuration file requires public key certificates. Because IKEv1 uses these databases to authenticate the Phase 1 exchange, the databases must be populated before activating the in.iked daemon. Three subcommands handle each of the three databases: certlocal, certdb, and certrldb.

If the system has an attached Sun Crypto Accelerator 6000 board, the ikecert command uses a PKCS #11 library to access the hardware key and certificate storage.

For more information, see the ikecert(1M) man page. For information about metaslot and the softtoken keystore, see the cryptoadm(1M) man page.

IKEv1 ikecert tokens Command

The tokens argument lists the token IDs that are available. Token IDs enable the ikecert certlocal and ikecert certdb commands to generate public key certificates and CSRs. The keys and certificates can also be stored on an attached Sun Crypto Accelerator 6000 board. The ikecert command uses the PKCS #11 library to access the hardware keystore.

IKEv1 ikecert certlocal Command

The certlocal subcommand manages the private key database. Options to this subcommand enable you to add, view, and remove private keys. This subcommand also creates either a self-signed certificate or a CSR. The -ks option creates a self-signed certificate. The -kc option creates a CSR. Keys are stored on the system in the /etc/inet/secret/ike.privatekeys directory, or on attached hardware with the -T option.

When you create a private key, the options to the ikecert certlocal command must have related entries in the ike/config file. The correspondences between ikecert options and ike/config entries are shown in the following table.

Table 19  Correspondences Between ikecert Options and ike/config Entries in IKEv1

| ikecert Option | ike/config Entry | Description |
|---|---|---|
| -A subject-alternate-name | cert_trust subject-alternate-name | A nickname that uniquely identifies the certificate. Possible values are an IP address, an email address, or a domain name. |
| -D X.509-distinguished-name | X.509-distinguished-name | The full name of the certificate authority that includes the country (C), organization name (ON), organizational unit (OU), and common name (CN). |
| -t dsa-sha1 \| dsa-sha256 | auth_method dsa_sig | An authentication method that is slightly slower than RSA. |
| -t rsa-md5 and -t rsa-sha1 \| rsa-sha256 \| rsa-sha384 \| rsa-sha512 | auth_method rsa_sig | An authentication method that is slightly faster than DSA. The RSA public key must be large enough to encrypt the biggest payload. Typically, an identity payload, such as the X.509 distinguished name, is the biggest payload. |
| -t rsa-md5 and -t rsa-sha1 \| rsa-sha256 \| rsa-sha384 \| rsa-sha512 | auth_method rsa_encrypt | RSA encryption hides identities in IKE from eavesdroppers but requires that the IKE peers know each other's public keys. |

If you issue a CSR with the ikecert certlocal -kc command, you send the output of the command to a certificate authority (CA). If your company runs its own public key infrastructure (PKI), you send the output to your PKI administrator. The CA or your PKI administrator then creates certificates. The certificates that are returned to you are input to the certdb subcommand. The certificate revocation list (CRL) that the CA returns to you is input for the certrldb subcommand.

IKEv1 ikecert certdb Command

The certdb subcommand manages the public key database. Options to this subcommand enable you to add, view, and remove certificates and public keys. The command accepts as input certificates that were generated by the ikecert certlocal -ks command on a remote system. For the procedure, see How to Configure IKEv1 With Self-Signed Public Key Certificates. This command also accepts the certificate that you receive from a CA as input. For the procedure, see How to Configure IKEv1 With Certificates Signed by a CA.

The certificates and public keys are stored on the system in the /etc/inet/ike/publickeys directory. The -T option stores the certificates, private keys, and public keys on attached hardware.

IKEv1 ikecert certrldb Command

The certrldb subcommand manages the certificate revocation list (CRL) database, /etc/inet/ike/crls. The CRL database maintains the revocation lists for public keys. Certificates that are no longer valid are on this list. When CAs provide you with a CRL, you can install the CRL in the CRL database with the ikecert certrldb command. For the procedure, see How to Handle Revoked Certificates in IKEv1.

IKEv1 /etc/inet/ike/publickeys Directory

The /etc/inet/ike/publickeys directory contains the public part of a public-private key pair and its certificate in files, or slots. The directory is protected at 0755. The ikecert certdb command populates the directory. The -T option stores the keys on the Sun Crypto Accelerator 6000 board rather than in the publickeys directory.

The slots contain, in encoded form, the X.509 distinguished name of a certificate that was generated on another system. If you are using self-signed certificates, you use the certificate that you receive from the administrator of the remote system as input to the command. If you are using certificates from a CA, you install two signed certificates from the CA into this database. You install a certificate that is based on the CSR that you sent to the CA. You also install a certificate of the CA.

IKEv1 /etc/inet/secret/ike.privatekeys Directory

The /etc/inet/secret/ike.privatekeys directory holds private key files that are part of a public-private key pair. The directory is protected at 0700. The ikecert certlocal command populates the ike.privatekeys directory. Private keys are not effective until their public key counterparts, self-signed certificates or CAs, are installed. The public key counterparts are stored in the /etc/inet/ike/publickeys directory or on supported hardware.
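
The modes stated on this page for the preshared keys files (0600), the secret and ike.privatekeys directories (0700), and the publickeys directory (0755) can be verified with a short audit. The following is an added example, not Oracle's code; the audit_ike_modes function name and its root-prefix argument are hypothetical, and the prefix exists only so the check can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: audit the IKEv1 key-storage modes stated on this page.
# Each entry is "<expected ls-style mode> <path>".
IKE_EXPECTED='drwx------ /etc/inet/secret
-rw------- /etc/inet/secret/ike.preshared
-rw------- /etc/inet/secret/ipseckeys
drwx------ /etc/inet/secret/ike.privatekeys
drwxr-xr-x /etc/inet/ike/publickeys'

# audit_ike_modes ROOT
#   ROOT is a hypothetical path prefix ("" on a live system).
#   Returns 0 when every path that exists has the expected mode, 1 otherwise.
audit_ike_modes() {
    root=$1
    rc=0
    while read -r want path; do
        target="$root$path"
        if [ ! -e "$target" ]; then
            # A site that uses only certificates may have no ike.preshared.
            echo "SKIP  $path (not present)"
            continue
        fi
        # First 10 characters of ls -ld are the file type plus the rwx bits;
        # cutting there drops any trailing ACL or attribute marker.
        have=$(ls -ld "$target" | cut -c1-10)
        if [ "$have" = "$want" ]; then
            echo "OK    $path $have"
        else
            echo "FAIL  $path is $have, expected $want"
            rc=1
        fi
    done <<EOF
$IKE_EXPECTED
EOF
    return $rc
}

# Live system: audit_ike_modes ""   (exit status 1 on any mismatch)
```

A FAIL line for ike.preshared or ike.privatekeys means the Phase 1 authentication secrets are readable or writable beyond the modes this page specifies.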

IKEv1 /etc/inet/ike/crls Directory

The /etc/inet/ike/crls directory contains certificate revocation list (CRL) files. Each file corresponds to a public certificate file in the /etc/inet/ike/publickeys directory. CAs provide the CRLs for their certificates. You can use the ikecert certrldb command to populate the database.