This section covers the implementation of IKEv2. For IKEv1 information, see IKEv1 Protocol. For a comparison, see Comparison of IKEv2 and IKEv1. For information that applies to both protocols, see Introduction to IKE. Oracle Solaris supports both versions of the IKE protocol simultaneously.
The IKEv2 daemon, in.ikev2d, negotiates and authenticates keying material for IPsec SAs. See the in.ikev2d(1M) man page.
The /etc/inet/ike/ikev2.config configuration file contains the configuration for the in.ikev2d daemon. The configuration consists of a number of rules. Each entry contains parameters such as algorithms and authentication data that this system can use with a similarly configured IKEv2 peer.
The in.ikev2d daemon supports preshared keys (PSK) and public key certificates for identity.
The ikev2.config(4) man page provides sample rules. Each rule must have a unique label. The following is a list of the descriptive labels of sample rules from the man page:
IP identities and PSK auth
IP address prefixes and PSK auth
IPv6 address prefixes and PSK auth
Certificate auth with DN identities
Certificate auth with many peer ID types
Certificate auth with wildcard peer IDs
Mixed auth types
Wildcard with required signer
The kmf-policy.xml file contains the certificate validation policy for IKEv2. The kmfcfg dbfile=/etc/inet/ike/kmf-policy.xml policy=default command is used to modify certificate validation policy. Typical modifications include the use of OCSP and CRLs, and the duration of network timeouts during certificate verification. Additionally, the policy enables an administrator to modify various aspects of certificate validation, such as validity date enforcement and key usage requirements. Loosening the default requirements for certificate validation is not recommended.
On a FIPS 140-2 enabled system, you are responsible for choosing only FIPS 140-2 approved algorithms when creating certificates and configuring IKEv2. The procedures and examples in this guide use FIPS 140-2 approved algorithms except when the algorithm "any" is specified.
The following encryption algorithm mechanisms are available to use in the IKEv2 configuration and preshared keys files and approved for use in Oracle Solaris in FIPS 140-2 mode:
AES in CBC mode in 128-bit to 256-bit key lengths
The following authentication algorithm mechanisms are available to use in IKEv2 configuration and preshared keys files and approved for use in Oracle Solaris in FIPS 140-2 mode:
The following mechanisms are available to use in IKEv2 certificates and approved for use in Oracle Solaris in FIPS 140-2 mode:
RSA in 2048-bit to 3072-bit key lengths
ECDSA that uses ECC with three possible curves and their associated hashes –
The arguments to the ikev2cert gencert and ikev2cert gencsr commands are the following:
keytype=ec curve=secp256r1 hash=sha256
keytype=ec curve= secp384r1 hash=sha384
keytype=ec curve=secp521r1 hash=sha512
For more information, see the ikev2cert(1M) man page.
For the definitive list of FIPS 140-2 approved algorithms for Oracle Solaris, follow the links in FIPS 140-2 Level 1 Guidance Documents for Oracle Solaris Systems in Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3.