Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

Viewing Information About IPsec and Its Keying Services


Note -  For most commands, you must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

Viewing IPsec and Manual Key Service Properties

You can view the name of the IPsec policy file and the file that holds manual keys.

  • To show the name of the IPsec configuration file:

    % svccfg -s policy listprop config/config_file
    config/config_file         astring     /etc/inet/ipsecinit.conf
  • To show the name of the file that holds manual keys for IPsec:

    % svccfg -s manual-key listprop config/config_file
    config/config_file         astring     /etc/inet/secret/ipseckeys

Viewing IKE Information

You can view the properties of the IKE service, aspects of the IKE state and IKE daemon object, and certificate validation policy. If you are running both IKE services, you can display information per service or for both services. These commands can be helpful during testing, troubleshooting, and monitoring.

  • Viewing the properties of the IKE service instances – The output displays the configurable properties of the IKEv2 service, including the names of the configuration files.


    Note -  Review the ipsecconf(1M). in.ikev2d(1M), and in.iked(1M) man pages to ensure that you can or should modify a property in the config group of the IPsec, IKEv2, or IKEv1 service. For example, IKEv2 configuration files are created with special permissions and owned by ikeuser. The permissions and file owner must not be changed.
    % svccfg -s ipsec/ike:ikev2 listprop config
    config                      application
    config/allow_keydump       boolean     false
    config/config_file         astring     /etc/inet/ike/ikev2.config
    config/ignore_errors       boolean     false
    config/kmf_policy          astring     /etc/inet/ike/kmf-policy.xml
    config/max_child_sas       integer     0
    config/max_threads         integer     0
    config/min_threads         integer     0
    config/preshared_file      astring     /etc/inet/ike/ikev2.preshared
    config/response_wait_time  integer     30
    config/value_authorization astring     solaris.smf.value.ipsec
    config/debug_logfile       astring
    config/debug_level         astring     op

    The output in the following example displays the configurable properties of the IKEv1 service. Do not specify the :default service instance.

    % svccfg -s ipsec/ike listprop config
    config                      application
    config/admin_privilege     astring     base
    config/config_file         astring     /etc/inet/ike/config
    config/debug_level         astring     op
    config/debug_logfile       astring     /var/log/in.iked.log
    config/ignore_errors       boolean     false
    config/value_authorization astring     solaris.smf.value.ipsec
  • Viewing the current state of the IKE daemon – The output in the following example displays the arguments to the ikeadm command. These arguments display the current state of the daemon.


    Note -  To use the ikeadm command, the IKE daemon must be running.
    % ikeadm help
    ...
            get   debug|priv|stats|p1|ikesa|rule|preshared|defaults [identifier]
            dump  p1|ikesa|rule|preshared|certcache|groups|encralgs|authalgs
            read  rule|preshared [filename]
            help  [get|set|add|del|dump|flush|read|write|token|help]
  • Showing the syntax of a specific argument to the ikeadm command – Use the help subcommands to show command argument syntax. For example:

    % ikeadm help read
    This command reads a new configuration file into
    in.iked, discarding the old configuration info.
    
    Sets of data that may be read include:
            rule            all phase 1/ikesa rules
            preshared       all preshared keys
    
    A filename may be provided to specify a source file
    other than the default.
  • Viewing preshared keys – You can view preshared keys for IKEv1 and IKEv2.


    Note -  If you are running only one IKE version, you can omit the –v option.

    For IKEv2:

    # ikeadm -v2 dump preshared

    For IKEv1:

    # ikeadm set priv keymat
    # ikeadm -v1 dump preshared
    
    PSKEY: Rule label: "Test PSK 197 to 56"
    PSKEY: Local pre-shared key (80 bytes): 74206272696c6c696720...3/584
    PSKEY: Remote pre-shared key (80 bytes): 74206272696c6c696720...3/584
    
    Completed dump of preshared keys
  • Viewing IKE SAs – The output includes information about the SA, the transform, the local and remote systems, and other details. If communication has not been requested, no SAs exist, so no information exists to display.

    # ikeadm -v2 dump ikesa
    IKESA: SPIs: Local 0xd3db95689459cca4  Remote 0xb5878717f5cfa877
    ...
    XFORM: Encryption alg: aes-cbc(256..256); Authentication alg: hmac-sha512
    ...
    LOCIP: AF_INET: port 500, 192.0.2.68 (example-3).
    ...
    REMIP: AF_INET: port 500, 192.0.2.67 (ex-2).
    ...
    LIFTM: SA expires in 11459 seconds (3.18 hours)
    ...
    STATS: 0 IKE SA rekeys since initial AUTH.
    LOCID: Initiator identity, type FQDN
    ...
    CHILD: ESP Inbound SPI: 0x94841ca3, Outbound SPI 0x074ae1e5
    ...
    Completed dump of IKE SA info
  • Viewing active IKE rules – A listed IKE rule might not be in use, but it is available for use.

    # ikeadm -v2 dump rule
    
    GLOBL: Label 'Test Rule1 for PSK', key manager cookie 1
    GLOBL: Local auth method=pre-shared key
    GLOBL: Remote auth method=pre-shared key
    
    GLOBL: childsa_pfs=false
    GLOBL: authentication_lifetime=86400 seconds (1.00 day)
    GLOBL: childsa_lifetime=120 seconds (2.00 minutes)
    GLOBL: childsa_softlife=108 seconds (1.80 minute)
    GLOBL: childsa_idletime=60 seconds
    GLOBL: childsa_lifetime_kb=122880 kilobytes (120.00 MB)
    GLOBL: childsa_softlife_kb=110592 kilobytes (108.00 MB)
    LOCIP: IP address range(s):
    LOCIP: 192.0.2.66
    REMIP: IP address range(s):
    REMIP: 192.0.2.77
    LOCID: Identity descriptors:
    LOCID: Includes:
    LOCID:       fqdn="gloria@ms.mag"
    REMID: Identity descriptors:
    REMID: Includes:
    REMID:       fqdn="gloria@ms.mag"
    XFRMS: Available Transforms:
    
    XF  0: Encryption alg: aes-cbc(128..256); Authentication alg: hmac-sha512
    XF  0: PRF: hmac-sha512 ; Diffie-Hellman Group: 2048-bit MODP (group 14)
    XF  0: IKE SA lifetime before rekey: 14400 seconds (4.00 hours)
    
    Completed dump of policy rules
  • Viewing certificate validation policy in IKEv2 – You must specify the dbfile value and the policy value.

    • Dynamically downloaded CRLs might require administrator intervention to adjust the responder timeout.

      In the output in the following example, the CRLs are downloaded from the URI that is embedded in the certificate, then the lists are cached. When the cache contains an expired CRL, a new CRL is downloaded to replace the old one.

      # kmfcfg list dbfile=/etc/inet/ike/kmf-policy.xml policy=default
      …
      Validation Policy Information:
          Maximum Certificate Revocation Responder Timeout: 10
          Ignore Certificate Revocation Responder Timeout: true
      …
          CRL:
              Base filename: [not set]
              Directory: /var/user/ikeuser/crls
              Download and cache CRL: true
              CRL specific proxy override: www-proxy.cagate.example.com:80
              Ignore CRL signature: false
              Ignore CRL validity date: false
      IPsec policy bypass on outgoing connections: true
      …
    • Statically downloaded CRLs require frequent administrator attention.

      When the administrator sets the CRL entries to the following values, the administrator is responsible for manually downloading the CRLs, populating the directory, and maintaining current CRLs:

      …
              Directory: /var/user/ikeuser/crls
              Download and cache CRL: false
              Proxy: [not set]
      …