配置和刷新 IPsec,然后查看策略:
# pfedit /etc/inet/ipsecinit.conf # ipsecconf -c /etc/inet/ipsecinit.conf # svcadm refresh ipsec/policy # ipsecconf -Ln
# pfedit -s /etc/inet/secret/ipseckeys # svcadm enable ipsec/manual-key
配置和启用 IKEv2:
# pfedit /etc/inet/ike/ikev2.config # /usr/lib/inet/in.ikev2d -c # svcadm enable ipsec/ike:ikev2
配置和启用 IKEv1:
# pfedit /etc/inet/ike/config # /usr/lib/inet/in.iked -c # svcadm enable ipsec/ike:default
检验是否在已启用服务的系统上配置了 IPsec 和 IKE:
# ipsecconf -Ln # ikeadm -v2 dump rule # ikeadm set priv keymat # ikeadm -v1 dump rule
修改密钥管理:
对于 IKEv2:
# pfedit /etc/inet/ike/ikev2.config # /usr/lib/inet/in.ikev2d -c # svcadm restart ipsec/ike:ikev2
对于 IKEv1:
# pfedit /etc/inet/ike/config # /usr/lib/inet/in.iked -c # svcadm restart ipsec/ike:default
对于手动密钥管理:
# pfedit -s /etc/inet/secret/ipseckeys # ipseckey -c /etc/inet/secret/ipseckeys # svcadm refresh ipsec/manual-key
修改 IPsec 和 IKE 可配置属性:
IPsec 服务:
# svccfg -s ipsec/policy setprop config/property = value # svcadm refresh ipsec/policy; svcadm restart ipsec/policy
IKEv2 服务:
# svccfg -s ike:ikev2 editprop # svcadm refresh ipsec/ike:ikev2; svcadm restart ipsec/ike:ikev2
IKEv1 服务:
# svccfg -s ipsec/ike setprop config/property = value # svcadm refresh ipsec/ike:ikev2; svcadm restart ipsec/ike:ikev2
手动密钥服务:
# svccfg -s ipsec/manual-key setprop config/property = value # svcadm refresh ipsec/manual-key; svcadm restart ipsec/manual-key
为 IKEv2 配置预先共享的密钥:
# pfedit -s /etc/inet/ike/ikev2.preshared # /usr/lib/inet/in.ikev2d -c # svcadm restart ikev2
# pfedit -s /etc/inet/secret/ike.preshared # svcadm restart ike