Securing the Network in Oracle® Solaris 11.2

Updated: September 2014

Configuring and Managing IPsec and Its Encryption Services

  • Configure and refresh IPsec, then view the policy:

    # pfedit /etc/inet/ipsecinit.conf
    # ipsecconf -c /etc/inet/ipsecinit.conf
    # svcadm refresh ipsec/policy
    # ipsecconf -Ln
  • Configure and enable manual keys for IPsec:

    # pfedit -s /etc/inet/secret/ipseckeys
    # svcadm enable ipsec/manual-key
  • Configure and enable IKEv2:

    # pfedit /etc/inet/ike/ikev2.config
    # /usr/lib/inet/in.ikev2d -c
    # svcadm enable ipsec/ike:ikev2
  • Configure and enable IKEv1:

    # pfedit /etc/inet/ike/config
    # /usr/lib/inet/in.iked -c
    # svcadm enable ipsec/ike:default
  • Verify that IPsec and IKE are configured on a system where the services are enabled:

    # ipsecconf -Ln
    # ikeadm -v2 dump rule
    # ikeadm set priv keymat
    # ikeadm -v1 dump rule
  • Modify key management:

    For IKEv2:

    # pfedit /etc/inet/ike/ikev2.config
    # /usr/lib/inet/in.ikev2d -c
    # svcadm restart ipsec/ike:ikev2

    For IKEv1:

    # pfedit /etc/inet/ike/config
    # /usr/lib/inet/in.iked -c
    # svcadm restart ipsec/ike:default

    For manual key management:

    # pfedit -s /etc/inet/secret/ipseckeys
    # ipseckey -c /etc/inet/secret/ipseckeys
    # svcadm refresh ipsec/manual-key
  • Modify configurable properties of IPsec and IKE:

    IPsec service:

    # svccfg -s ipsec/policy setprop config/property = value
    # svcadm refresh ipsec/policy; svcadm restart ipsec/policy

    IKEv2 service:

    # svccfg -s ike:ikev2 editprop
    # svcadm refresh ipsec/ike:ikev2; svcadm restart ipsec/ike:ikev2

    IKEv1 service:

    # svccfg -s ipsec/ike setprop config/property = value
    # svcadm refresh ipsec/ike:default; svcadm restart ipsec/ike:default

    Manual key service:

    # svccfg -s ipsec/manual-key setprop config/property = value
    # svcadm refresh ipsec/manual-key; svcadm restart ipsec/manual-key
  • Configure preshared keys for IKEv2:

    # pfedit -s /etc/inet/ike/ikev2.preshared
    # /usr/lib/inet/in.ikev2d -c
    # svcadm restart ikev2
  • Configure preshared keys for IKEv1:

    # pfedit -s /etc/inet/secret/ike.preshared
    # svcadm restart ike
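Every "modify" procedure above follows the same shape: edit the file, run the daemon's syntax check (in.ikev2d -c, in.iked -c, ipseckey -c), and only then refresh or restart the service. The script below, an added example rather than part of the Oracle documentation, makes that ordering explicit: a service is restarted only if its configuration check exits 0, so a typo in an edited file cannot leave the host with a stopped IKE daemon and no way to negotiate fresh SAs. The reload_after_check, reload_ikev2, reload_ikev1 and reload_manual_keys function names are this example's own; the commands inside them are the Solaris 11.2 commands listed on this page.

```shell
#!/bin/sh
# Added example (not Oracle's code): gate a key-management service restart
# on a successful configuration check.
#
# reload_after_check NAME CHECK_CMD RESTART_CMD
#   CHECK_CMD   validates the edited configuration (exit 0 means valid)
#   RESTART_CMD is run only when the check succeeds
# Exit status: 0 on success, 1 if the check failed (service left as it was),
# 2 if the check passed but the restart/refresh command failed.
reload_after_check() {
    name=$1
    check=$2
    restart=$3
    # Unquoted expansion on purpose: the command strings are split into words.
    if ! $check; then
        echo "$name: configuration check failed; service left untouched" >&2
        return 1
    fi
    if ! $restart; then
        echo "$name: restart failed" >&2
        return 2
    fi
    echo "$name: configuration valid, service restarted"
    return 0
}

# Wrappers built from the commands on this page. With no file argument the
# IKE daemons check their default configuration files (ikev2.config / config).
reload_ikev2() {
    reload_after_check ikev2 "/usr/lib/inet/in.ikev2d -c" \
        "svcadm restart ipsec/ike:ikev2"
}
reload_ikev1() {
    reload_after_check ikev1 "/usr/lib/inet/in.iked -c" \
        "svcadm restart ipsec/ike:default"
}
reload_manual_keys() {
    reload_after_check manual-key "ipseckey -c /etc/inet/secret/ipseckeys" \
        "svcadm refresh ipsec/manual-key"
}
```

Run, for example, reload_ikev2 after editing /etc/inet/ike/ikev2.config; a non-zero exit tells you whether the check or the restart failed, which is the distinction an operator needs before deciding whether the running daemon is still using the old, valid configuration.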