Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: April 2019

IKEv1 Protocol

The following sections provide an overview of IKEv1. IKEv1 is superseded by IKEv2, which offers faster, secured key management. For information about IKEv2, see IKEv2 Protocol. For a comparison, see Comparison of IKEv2 and IKEv1. For information that is common to both protocols, see Introduction to IKE. IKEv1 and IKEv2 can run simultaneously and negotiate with their peer protocol on other systems.

IKEv1 Key Negotiation

The IKEv1 daemon, in.iked, negotiates keys and authenticates IPsec SAs in a secure manner. IKEv1 provides perfect forward secrecy (PFS). In PFS, the keys that protect data transmission are not used to derive additional keys. Also, seeds used to create data transmission keys are not reused. See the in.iked(1M) man page.

IKEv1 Phase 1 Exchange

The IKEv1 protocol has two phases. Oracle Solaris supports the Main Mode Phase 1 exchange. The Main Mode exchange negotiates acceptable parameters to create an ISAKMP security association (SA) between the two peers. This ISAKMP SA uses asymmetrical encryption to exchange its keying material and authenticates its peer using a preshared key or a public key certificate. Unlike IPsec SAs, the ISAKMP SAs are bidirectional, so only one security association is needed.

    How IKEv1 negotiates ISAKAMP SAs in the Phase 1 exchange is configurable. IKEv1 reads the configuration information from the /etc/inet/ike/config file. Configuration information includes the following:

  • Global parameters, such as the names of public key certificates

  • Whether perfect forward secrecy (PFS) is required

  • This system's IKE peers

  • The algorithms that protect Phase 1 exchanges

  • The authentication method

    The two authentication methods are preshared keys and public key certificates. The public key certificates can be self-signed or issued by a certificate authority (CA).

For more information, see the ike.config(4) man page.

IKEv1 Phase 2 Exchange

The Phase 2 exchange is known as Quick Mode. The Quick Mode exchange negotiates the IPsec algorithms and keying material that is needed to create IPsec SAs. This exchange is protected (encrypted) by the ISAKMP SA that is negotiated in Phase 1.

The algorithms and security protocols in the Quick Mode exchange come from the IPsec policy file, /etc/inet/ipsecinit.conf.

The IPsec SAs are rekeyed when they expire. The lifetime of the SA is set by the in.iked daemon when it creates the IPsec SA. This value is configurable.

For more information, see the ipsecconf(1M) and in.iked(1M) man pages.

IKEv1 Configuration Choices

The /etc/inet/ike/config configuration file contains the configuration for the in.iked daemon. The configuration consists of a number of rules. Each entry contains parameters such as algorithms and authentication data that this system can use with a similarly configured IKEv1 peer. The in.iked daemon supports preshared keys and public key certificates for identity.

The entry auth_method preshared indicates that preshared keys are used. Values for auth_method other than preshared indicate that public key certificates are to be used.

In IKEv1, preshared keys are tied to a particular IP address or range of addresses. The keys are placed in the /etc/inet/secret/ike.preshared file on each system.

For more information, see How IKE Works and the ike.config(4) and ike.preshared(4) man pages.