Go to main content

man pages section 5: File Formats

Exit Print View

Updated: Thursday, June 13, 2019
 
 

ikev2.preshared(5)

Name

ikev2.preshared - pre-shared keys file for IKEv2

Synopsis

/etc/inet/ike/ikev2.preshared

Description

The /etc/inet/ike/ikev2.preshared file contains secret keying material that two IKE instances can use to authenticate each other. Because of the sensitive nature of this data, it should be readable only by the user ikeuser.

The ikev2.preshared file is composed of a list of pre-shared key entries. Each entry must contain key information, as well as one or more label attributes. When the pre-shared key file is loaded, the key information from each entry will be added to all existing IKEv2 rules that match a label in the entry. If a label does not match any existing IKEv2 rule, it is ignored. For information about IKEv2 rules, see ikev2.config (5) man page.

A pre-shared key entry may have either a single key attribute, or local_key and/or remote_keyattributes. Keys set via local_key and remote_key attributes will only be used to compute local AUTH values or validate remote AUTH values respectively.

Pre-shared keys are delimited by open-curly-brace ({) and close-curly-brace (}) characters. There are four attribute-value pairs allowed inside a pre-shared key:

Name
Value
Example
label
ASCII-string
"My IKEv2 rule"
key
hex-string
1234567890abcdef
local_key
hex-string
0x1234567890abcdef
remote_key
ASCII-string
"This is my preshared key"

Comment lines with # appearing in the first column are also legal.

An ASCII-string can consist of any valid ASCII character except for NEWLINE. A backslash (\) is considered an escape character when it precedes a double quote or itself. Otherwise, a backslash is taken literally.

Files in this format can also be used by the ikeadm(8) command to load additional pre-shared keys into running an in.ikev2d(8) process.

Examples

Example 1 A Sample ikev2.preshared File

The following is an example of an ikev2.preshared file:



#### BEGINNING OF FILE
{
	label "IP identities and PSK auth"
     # Not secure
     key 0001020304050607
}
{
     # Use these pre-shared keys with both rules listed
		label "IP address prefixes and PSK auth"
     label "IPv6 address prefixes and PSK auth"
     # Also not secure
     local_key "This my password"
     remote_key "This their password"
}
{
     # This rule uses pre-shared keys for local auth only
     label "Mixed auth types"
     # Might have been secure if it wasn't published here
     local_key aa567d1fc6a5530e1a2628d4f2f06e73
}

Refer to the first example provided in the ikev2.config (5) man page for a compatible ikev2.config file.

Security

If this file is compromised, the attacker can use the pre-shared key values to impersonate this system, and any other systems using the same keys, during the IKEv2 authentication exchange. The full impact of a compromise depends on the IKEv2 configuration and the extent to which keys have been reused.

The IKEv2 protocol does not protect the pre-shared keys from brute force or dictionary attacks. So, strong keys must be chosen. The IKEv2 protocol specification recommends that pre-shared keys contain as much randomness as the strongest keys to be negotiated using the protocol, and that plain-text passwords never be used.

The default and recommended file permissions for ikev2.preshared are 0600. The pfedit(8) command should not be used to modify this file as it has the potential to put sensitive keying material into the audit log.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
system/network/ike
Interface Stability
Committed

See Also

random(4D), ikev2.config(5), attributes(7), ikeadm(8), ipseckey(8)