
man pages section 4: File Formats


Updated: July 2017

ikev2.preshared(4)

Name

ikev2.preshared - pre-shared keys file for IKEv2

Synopsis

/etc/inet/ike/ikev2.preshared

Description

The /etc/inet/ike/ikev2.preshared file contains secret keying material that two IKE instances can use to authenticate each other. Because of the sensitive nature of this data, it should be readable only by the user ikeuser.

The ikev2.preshared file is composed of a list of pre-shared key entries. Each entry must contain key information, as well as one or more label attributes. When the pre-shared key file is loaded, the key information from each entry is added to all existing IKEv2 rules that match a label in the entry. If a label does not match any existing IKEv2 rule, it is ignored. For information about IKEv2 rules, see the ikev2.config(4) man page.

A pre-shared key entry may have either a single key attribute, or local_key and/or remote_key attributes. Keys set via the local_key and remote_key attributes are used only to compute local AUTH values or to validate remote AUTH values, respectively.

Pre-shared keys are delimited by open-curly-brace ({) and close-curly-brace (}) characters. There are four attribute-value pairs allowed inside a pre-shared key:

Name          Value          Example
label         ASCII-string   "My IKEv2 rule"
key           hex-string     1234567890abcdef
local_key     hex-string     0x1234567890abcdef
remote_key    ASCII-string   "This is my preshared key"

Comment lines with # appearing in the first column are also legal.

An ASCII-string can consist of any valid ASCII character except for NEWLINE. A backslash (\) is considered an escape character when it precedes a double quote or itself. Otherwise, a backslash is taken literally.

Files in this format can also be used by the ikeadm(1M) command to load additional pre-shared keys into a running in.ikev2d(1M) process.
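The entry grammar above (brace-delimited entries, one or more labels, either a single key or local_key/remote_key, quoted ASCII-strings with the backslash escape rule, hex-strings with an optional 0x prefix) is small enough to check mechanically before a file is handed to in.ikev2d. The following parser is an added example, not part of the man page or of the Solaris IKE implementation; it assumes that comment lines may be indented, as they are in the sample file below, and that a hex-string has an even number of digits. The SAMPLE text is constructed here and mirrors the sample file from the Examples section.

```python
"""Added example: parse and sanity-check ikev2.preshared(4) entries.
Assumptions not stated on the man page: comments may be indented (the sample
file does this) and hex-strings contain an even number of hex digits."""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Union

HEX_RE = re.compile(r"^(?:0x)?([0-9a-fA-F]+)$")
KEY_ATTRS = ("key", "local_key", "remote_key")

Token = Union[str, tuple]  # a brace or bare word, or ("str", decoded ASCII-string)


@dataclass
class Entry:
    labels: List[str] = field(default_factory=list)
    key: Optional[bytes] = None
    local_key: Optional[bytes] = None
    remote_key: Optional[bytes] = None


def _tokens(text: str) -> Iterator[Token]:
    """Tokenize the file: braces, bare words, and quoted ASCII-strings."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # comment line (see assumption above)
            continue
        i, n = 0, len(line)
        while i < n:
            c = line[i]
            if c.isspace():
                i += 1
            elif c in "{}":
                yield c
                i += 1
            elif c == '"':  # ASCII-string: \" and \\ are escapes, other backslashes are literal
                out, i = [], i + 1
                while i < n and line[i] != '"':
                    if line[i] == "\\" and i + 1 < n and line[i + 1] in '"\\':
                        out.append(line[i + 1])
                        i += 2
                    else:
                        out.append(line[i])
                        i += 1
                if i >= n:
                    raise ValueError(f"line {lineno}: unterminated ASCII-string")
                value = "".join(out)
                if any(ord(ch) > 127 for ch in value):
                    raise ValueError(f"line {lineno}: non-ASCII character in ASCII-string")
                yield ("str", value)
                i += 1
            else:  # bare word: an attribute name or a hex-string
                j = i
                while j < n and not line[j].isspace() and line[j] not in '{}"':
                    j += 1
                yield line[i:j]
                i = j


def _key_material(tok: Token) -> bytes:
    """A key value is either a quoted ASCII-string or a hex-string (optional 0x prefix)."""
    if isinstance(tok, tuple):
        return tok[1].encode("ascii")
    m = HEX_RE.match(tok)
    if not m or len(m.group(1)) % 2:
        raise ValueError(f"bad hex-string {tok!r}")
    return bytes.fromhex(m.group(1))


def _check(e: Entry) -> None:
    """Each entry needs a label and exactly one form of key information."""
    if not e.labels:
        raise ValueError("entry has no label")
    has_single = e.key is not None
    has_split = e.local_key is not None or e.remote_key is not None
    if has_single == has_split:  # both forms present, or neither
        raise ValueError("entry needs either 'key' or local_key/remote_key, not both or neither")


def parse_preshared(text: str) -> List[Entry]:
    """Parse the whole file into Entry objects, raising ValueError on any grammar violation."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    toks = _tokens(text)
    for tok in toks:
        if tok == "{":
            if cur is not None:
                raise ValueError("nested '{'")
            cur = Entry()
        elif tok == "}":
            if cur is None:
                raise ValueError("'}' without matching '{'")
            _check(cur)
            entries.append(cur)
            cur = None
        elif cur is None:
            raise ValueError(f"{tok!r} outside of an entry")
        elif tok == "label":
            val = next(toks, None)
            if not isinstance(val, tuple):
                raise ValueError("label needs a quoted ASCII-string")
            cur.labels.append(val[1])
        elif tok in KEY_ATTRS:
            val = next(toks, None)
            if val is None or val in ("{", "}"):
                raise ValueError(f"{tok} needs a value")
            if getattr(cur, tok) is not None:
                raise ValueError(f"duplicate {tok} in entry")
            setattr(cur, tok, _key_material(val))
        else:
            raise ValueError(f"unknown attribute {tok!r}")
    if cur is not None:
        raise ValueError("missing closing '}'")
    return entries


def is_valid(text: str) -> bool:
    """True when the text parses as a well-formed ikev2.preshared file."""
    try:
        parse_preshared(text)
        return True
    except ValueError:
        return False


# Constructed sample: the man page's example file plus one entry with escapes.
SAMPLE = r'''#### constructed sample, mirrors the man page example
{
    label "IP identities and PSK auth"
    # Not secure
    key 0001020304050607
}
{
    label "IP address prefixes and PSK auth"
    label "IPv6 address prefixes and PSK auth"
    local_key "This my password"
    remote_key "This their password"
}
{
    label "Mixed auth types"
    local_key aa567d1fc6a5530e1a2628d4f2f06e73
}
{
    label "Quoted \"name\" with \\ and a literal \x"
    key 0x1234567890abcdef
}
'''

if __name__ == "__main__":
    for e in parse_preshared(SAMPLE):
        print(e.labels, "key" if e.key else "local/remote")
```

Running the module on the real file (`parse_preshared(open("/etc/inet/ike/ikev2.preshared").read())`) rejects the two mistakes the Description rules out, an entry with no label and an entry that mixes key with local_key/remote_key, before in.ikev2d ever sees them.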

Examples

Example 1 A Sample ikev2.preshared File

The following is an example of an ikev2.preshared file:

#### BEGINNING OF FILE
{
     label "IP identities and PSK auth"
     # Not secure
     key 0001020304050607
}
{
     # Use these pre-shared keys with both rules listed
     label "IP address prefixes and PSK auth"
     label "IPv6 address prefixes and PSK auth"
     # Also not secure
     local_key "This my password"
     remote_key "This their password"
}
{
     # This rule uses pre-shared keys for local auth only
     label "Mixed auth types"
     # Might have been secure if it wasn't published here
     local_key aa567d1fc6a5530e1a2628d4f2f06e73
}

Refer to the first example provided in the ikev2.config(4) man page for a compatible ikev2.config file.

Security

If this file is compromised, the attacker can use the pre-shared key values to impersonate this system, and any other systems using the same keys, during the IKEv2 authentication exchange. The full impact of a compromise depends on the IKEv2 configuration and the extent to which keys have been reused.

The IKEv2 protocol does not protect the pre-shared keys from brute-force or dictionary attacks, so strong keys must be chosen. The IKEv2 protocol specification recommends that pre-shared keys contain as much randomness as the strongest keys to be negotiated using the protocol, and that plain-text passwords never be used.

The default and recommended file permissions for ikev2.preshared are 0600. The pfedit(1M) command should not be used to modify this file as it has the potential to put sensitive keying material into the audit log.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            network/ike
Interface Stability     Committed

See Also

ikeadm(1M), in.ikev2d(1M), ikev2.config(4), ipseckey(1M), attributes(5), random(7D)