Securing the Network in Oracle® Solaris 11.3

Updated: March 2018

Managing IPsec and Its Keying Services

IPsec policy is enabled by default, but it lacks configuration information.

Key management is not enabled by default. You can configure IKE or manual key management, or both. Each IKE rule indicates which key management service is used. The ikeadm command can modify the running IKE daemon.

Configuring and Managing IPsec and Its Keying Services

  • Configuring and refreshing IPsec, then viewing policy:

    # pfedit /etc/inet/ipsecinit.conf
    # ipsecconf -c /etc/inet/ipsecinit.conf
    # svcadm refresh ipsec/policy
    # ipsecconf -Ln
  • Configuring and enabling manual keys for IPsec:

    # pfedit -s /etc/inet/secret/ipseckeys
    # svcadm enable ipsec/manual-key
  • Configuring and enabling IKEv2:

    # pfedit /etc/inet/ike/ikev2.config
    # /usr/lib/inet/in.ikev2d -c
    # svcadm enable ipsec/ike:ikev2
  • Configuring and enabling IKEv1:

    # pfedit /etc/inet/ike/config
    # /usr/lib/inet/in.iked -c
    # svcadm enable ipsec/ike:default
  • Verifying that IPsec and IKE are configured on a system where the services are enabled:

    # ipsecconf -Ln
    # ikeadm -v2 dump rule
    # ikeadm set priv keymat
    # ikeadm -v1 dump rule
  • Modifying key management:

    For IKEv2:

    # pfedit /etc/inet/ike/ikev2.config
    # /usr/lib/inet/in.ikev2d -c
    # svcadm restart ipsec/ike:ikev2

    For IKEv1:

    # pfedit /etc/inet/ike/config
    # /usr/lib/inet/in.iked -c
    # svcadm restart ipsec/ike:default

    For manual key management:

    # pfedit -s /etc/inet/secret/ipseckeys
    # ipseckey -c /etc/inet/secret/ipseckeys
    # svcadm refresh ipsec/manual-key
  • Modifying IPsec and IKE configurable properties:

    IPsec service:

    # svccfg -s ipsec/policy setprop config/property = value
    # svcadm refresh ipsec/policy; svcadm restart ipsec/policy

    IKEv2 service for sensitive keying material:

    # svccfg -s ike:ikev2 editprop
    # svcadm refresh ipsec/ike:ikev2; svcadm restart ipsec/ike:ikev2

    IKEv2 service for other properties:

    # svccfg -s ike:ikev2 setprop config/property = value
    # svcadm refresh ipsec/ike:ikev2; svcadm restart ipsec/ike:ikev2

    IKEv1 service:

    # svccfg -s ipsec/ike setprop config/property = value
    # svcadm refresh ipsec/ike:default; svcadm restart ipsec/ike:default

    Manual keys service:

    # svccfg -s ipsec/manual-key setprop config/property = value
    # svcadm refresh ipsec/manual-key; svcadm restart ipsec/manual-key
  • Configuring preshared keys for IKEv2:

    # pfedit -s /etc/inet/ike/ikev2.preshared
    # /usr/lib/inet/in.ikev2d -c
    # svcadm restart ikev2
  • Configuring preshared keys for IKEv1:

    # pfedit -s /etc/inet/secret/ike.preshared
    # svcadm restart ike