Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

IKEv2 Protocol

This section covers the implementation of IKEv2. For IKEv1 information, see IKEv1 Protocol. For a comparison, see Comparison of IKEv2 and IKEv1. For information that applies to both protocols, see Introduction to IKE. Oracle Solaris supports both versions of the IKE protocol simultaneously.

The IKEv2 daemon, in.ikev2d, negotiates and authenticates keying material for IPsec SAs. See the in.ikev2d(1M) man page.

IKEv2 Configuration Choices

The /etc/inet/ike/ikev2.config configuration file contains the configuration for the in.ikev2d daemon. The configuration consists of a number of rules. Each entry contains parameters such as algorithms and authentication data that this system can use with a similarly configured IKEv2 peer.

The in.ikev2d daemon supports preshared keys (PSK) and public key certificates for identity.

    The ikev2.config(4) man page provides sample rules. Each rule must have a unique label. The following is a list of the descriptive labels of sample rules from the man page:

  • IP identities and PSK auth

  • IP address prefixes and PSK auth

  • IPv6 address prefixes and PSK auth

  • Certificate auth with DN identities

  • Certificate auth with many peer ID types

  • Certificate auth with wildcard peer IDs

  • Override transforms

  • Mixed auth types

  • Wildcard with required signer


Note -  A preshared key can be used with any one of many peer ID types, including IP addresses, DNs, FQDNs, and email addresses.

IKEv2 Policy for Public Certificates

The kmf-policy.xml file contains the certificate validation policy for IKEv2. The kmfcfg dbfile=/etc/inet/ike/kmf-policy.xml policy=default command is used to modify certificate validation policy. Typical modifications include the use of OCSP and CRLs, and the duration of network timeouts during certificate verification. Additionally, the policy enables an administrator to modify various aspects of certificate validation, such as validity date enforcement and key usage requirements. Loosening the default requirements for certificate validation is not recommended.

IKEv2 and FIPS 140-2

On a FIPS 140-2 enabled system, you are responsible for choosing only FIPS 140-2 approved algorithms when creating certificates and configuring IKEv2. The procedures and examples in this guide use FIPS 140-2 approved algorithms except when the algorithm "any" is specified.

    The following encryption algorithm mechanisms are available to use in the IKEv2 configuration and preshared keys files and approved for use in Oracle Solaris in FIPS 140-2 mode:

  • AES in CBC mode in 128-bit to 256-bit key lengths

  • 3DES

    The following authentication algorithm mechanisms are available to use in IKEv2 configuration and preshared keys files and approved for use in Oracle Solaris in FIPS 140-2 mode:

  • SHA1

  • SHA256

  • SHA384

  • SHA512

    The following mechanisms are available to use in IKEv2 certificates and approved for use in Oracle Solaris in FIPS 140-2 mode:

  • RSA in 2048-bit to 3072-bit key lengths

  • ECDSA that uses ECC with three possible curves and their associated hashes –

      The arguments to the ikev2cert gencert and ikev2cert gencsr commands are the following:

    • keytype=ec curve=secp256r1 hash=sha256

    • keytype=ec curve= secp384r1 hash=sha384

    • keytype=ec curve=secp521r1 hash=sha512

    For more information, see the ikev2cert(1M) man page.

For the definitive list of FIPS 140-2 approved algorithms for Oracle Solaris, follow the links in FIPS 140-2 Level 1 Certificate References for Oracle Solaris Systems in Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3.