Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: March 2018
 
 

IKEv2 Reference

IKEv2 supersedes IKEv1. For a comparison, see Comparison of IKEv2 and IKEv1.

IKEv2 Utilities and Files

The following table summarizes the configuration files for IKEv2 policy, the storage locations for IKEv2 keys, and the various commands and services that implement IKEv2. For more about services, see Chapter 1, Introduction to the Service Management Facility in Managing System Services in Oracle Solaris 11.3.

Table 17  IKEv2 Service Name, Commands, Configuration and Key Storage Locations, and Hardware Devices
File, Location, Command, or Service
Description
Man Page
svc:/network/ipsec/ike:ikev2
The SMF service that manages IKEv2.
/usr/lib/inet/in.ikev2d
Internet Key Exchange (IKE) daemon. Activates automated key management when the ike:ikev2 service is enabled.
/usr/sbin/ikeadm [-v 2]
IKE administration command for viewing and temporarily modifying the IKEv2 policy. Enables you to view IKEv2 administrative objects, such as available Diffie-Hellman groups.
/usr/sbin/ikev2cert
Certificate database management command for creating and storing public key certificates as the configuration owner, ikeuser. Calls the pktool command.
/etc/inet/ike/ikev2.config
Default configuration file for the IKEv2 policy. Contains the site's rules for matching inbound IKEv2 requests and preparing outbound IKEv2 requests.
If this file exists, the in.ikev2d daemon starts when the ike:ikev2 service is enabled. You can change the location of this file by using the svccfg command.
/etc/inet/ike/ikev2.preshared
Contains secret keys that two IKEv2 instances that are not using certificate-based authentication can use to authenticate each other.
softtoken keystore
Contains the private keys and public key certificates for IKEv2, owned by ikeuser.

IKEv2 Service

The Service Management Facility (SMF) provides the svc:/network/ipsec/ike:ikev2 service instance to manage IKEv2. By default, this service is disabled. Before enabling this service, you must create a valid IKEv2 configuration in the /etc/inet/ike/ikev2.config file.

    The following ike:ikev2 service properties are configurable:

  • config_file property – Specifies the location of the IKEv2 configuration file. The initial value is /etc/inet/ike/ikev2.config. This file has special permissions and must be owned by ikeuser. Do not use a different file.

  • debug_level property – Sets the debugging level of the in.ikev2d daemon. The initial value is op, or operational. For possible values, see the table on debug levels under Object Types in the ikeadm(1M) man page.

  • debug_logfile property – Specifies the location of the log file for debugging IKEv2. The initial value is /var/log/ikev2/in.ikev2d.log.

  • kmf_policy property – Sets the location of the log file for certificate policy. The default value is /etc/inet/ike/kmf-policy.xml. This file has special permissions and must be owned by ikeuser. Do not use a different file.

  • pkcs11_token/pin property – Sets the PIN to use to log in to the keystore when the IKEv2 daemon starts. This value must match the value that you set for the token with the ikev2cert setpin command.

  • pkcs11_token/uri property – Sets the PKCS #11 URI to the keystore. To use the hardware storage on a crypto accelerator card, you must provide this value.

For information about SMF, see Chapter 1, Introduction to the Service Management Facility in Managing System Services in Oracle Solaris 11.3. Also see the smf(5), svcadm(1M), and svccfg(1M) man pages.

IKEv2 Daemon

The in.ikev2d daemon automates the management of cryptographic keys for IPsec on an Oracle Solaris system. The daemon negotiates with a remote system that is running the same protocol to provide authenticated keying materials for security associations (SAs) in a protected manner. The daemon must be running on all systems that plan to use IPsec to protect communications by using the IKEv2 protocol.

By default, the svc:/network/ipsec/ike:ikev2 service is not enabled. After you have configured the /etc/inet/ike/ikev2.config file and enabled the ike:ikev2 service instance, SMF starts the in.ikev2d daemon at system boot.

When the IKEv2 daemon runs, the system authenticates itself to its peer IKEv2 entity and establishes the session keys. At an interval specified in the configuration file, the IKE keys are replaced automatically. The in.ikev2d daemon listens for incoming IKE requests from the network and for requests for outbound traffic through the PF_KEY socket. For more information, see the pf_key(7P) man page.

Two commands support the IKEv2 daemon. The ikeadm command can be used to view the IKE policy. For more information, see ikeadm Command for IKEv2. The ikev2cert command enables you to view and manage public and private key certificates. For more information, see IKEv2 ikev2cert Command.

IKEv2 Configuration File

The IKEv2 configuration file, /etc/inet/ike/ikev2.config, manages the rules that are used to negotiate the keys for the specified network endpoints that are being protected in the IPsec policy file, /etc/inet/ipsecinit.conf.

Key management with IKE includes rules and global parameters. An IKE rule identifies the systems or networks that the keying material secures. The rule also specifies the authentication method. Global parameters include such items as the default amount of time before an IKEv2 SA is rekeyed, ikesa_lifetime_secs. For examples of IKEv2 configuration files, see Configuring IKEv2 With Preshared Keys. For examples and descriptions of IKEv2 policy entries, see the ikev2.config(4) man page.

The IPsec SAs that IKEv2 supports protect the IP packets according to the policies in the IPsec configuration file, /etc/inet/ipsecinit.conf.

The security considerations for the ike/ikev2.config file are similar to the considerations for the ipsecinit.conf file. For details, see Security Considerations for ipsecinit.conf and ipsecconf.

ikeadm Command for IKEv2

    When the in.ikev2d daemon is running, you can use the ikeadm [-v2] command to do the following:

  • View aspects of the IKEv2 state.

  • Display IKEv2 daemon objects, such as policy rules, preshared keys, available Diffie-Hellman groups, encryption and authentication algorithms, and existing active IKEv2 SAs.

For examples and a full description of this command's options, see the ikeadm(1M) man page.

The security considerations for the ikeadm command are similar to the considerations for the ipseckey command. For details, see Security Considerations for ipseckey.

IKEv2 Preshared Keys File

The /etc/inet/ike/ikev2.preshared file contains the preshared keys that are used by the IKEv2 service. The file is owned by ikeuser and protected at 0600.

You must customize the default ikev2.preshared file when you configure a rule in the ike/ikev2.config file that requires preshared keys. Because IKEv2 uses these preshared keys to authenticate IKEv2 peers, this file must be valid before the in.ikev2d daemon reads any rules that require preshared keys.

IKEv2 ikev2cert Command

The ikev2cert command is used to generate, store, and manage public and private keys and certificates. You use this command when the ike/ikev2.config file requires public key certificates. Because IKEv2 uses these certificates to authenticate IKEv2 peers, the certificates must be in place before the in.ikev2d daemon reads rules that require the certificates.

The ikev2cert command calls the pktool command as ikeuser.

    The following ikev2cert commands manage certificates for IKEv2. The commands must be run by the ikeuser account. The results are stored in the PKCS #11 softtoken keystore.

  • ikev2cert setpin – Generates a PIN for the ikeuser user. This PIN is required when you use certificates.

  • ikev2cert gencert – Generates a self-signed certificate.

  • ikev2cert gencsr – Generates a certificate signing request (CSR).

  • ikev2cert list – Lists certificates in the keystore.

  • ikev2cert export – Exports certificates to a file for export.

  • ikev2cert import – Imports a certificate or CRL.

For information about the syntax of the ikev2cert subcommands, see the pktool(1) man page. For examples, see the ikev2cert(1M) man page. For information about the softtoken keystore, see the cryptoadm(1M) man page.