/usr/lib/inet/in.iked [-d] [-f filename] [-p level]
/usr/lib/inet/in.iked -c [-f filename]
in.iked performs automated key management for IPsec using the Internet Key Exchange (IKE) protocol.
in.iked implements the following:
in.iked is managed by the following smf(5) service:
This service is delivered disabled because the configuration file needs to be created before the service can be enabled. See ike.config(4) for the format of this file.
See "Service Management Facility" for information on managing the smf(5) service.
in.iked listens for incoming IKE requests from the network and for requests for outbound traffic using the PF_KEY socket. See pf_key(7P).
The ikeadm(1M) command can read the /etc/inet/ike/config file as a rule, then pass the configuration information to the running in.iked daemon using a doors interface.
example# ikeadm read rule /etc/inet/ike/config
Refreshing the ike smf(5) service provided to manage the in.iked daemon sends a SIGHUP signal to the in.iked daemon, which will (re)read /etc/inet/ike/config and reload the certificate database.
The preceding two commands have the same effect, that is, to update the running IKE daemon with the latest configuration. See "Service Management Facility" for more details on managing the in.iked daemon.
The IKE daemon (in.iked) is managed by the service management facility, smf(5). The following group of services manage the components of IPsec:
svc:/network/ipsec/ipsecalgs (See ipsecalgs(1M)) svc:/network/ipsec/policy (See ipsecconf(1M)) svc:/network/ipsec/manual-key (See ipseckey(1M)) svc:/network/ipsec/ike (see ike.config(4))
The manual-key and ike services are delivered disabled because the system administrator must create configuration files for each service, as described in the respective man pages listed above.
The correct administrative procedure is to create the configuration file for each service, then enable each service using svcadm(1M).
The ike service has a dependency on the ipsecalgs and policy services. These services should be enabled before the ike service. Failure to do so results in the ike service entering maintenance mode.
If the configuration needs to be changed, edit the configuration file then refresh the service, as follows:
example# svcadm refresh ike
The following properties are defined for the ike service:
example# svcs -l ike example# svcprop ike example# svccfg -s ike listprop
The values for these log file properties might be different, in which case both files should be inspected for errors.
Setting this value to true causes the IKE service to stay online, but correct operation requires the administrator to configure the running daemon with ikeadm(1M). This option is provided for compatibility with previous releases.
These properties can be modified using svccfg(1M) by users who have been assigned the following authorization:
PKCS#11 token objects can be unlocked or locked by using ikeadm token login and ikeadm token logout, respectively. Availability of private keying material stored on these PKCS#11 token objects can be observed with: ikeadm dump certcache. The following authorizations allow users to log into and out of PKCS#11 token objects:
# svccfg -s ipsec/ike setprop config/config_file = \ /new/config_file # svcadm refresh ike
Administrative actions on this service, such as enabling, disabling, refreshing, and requesting restart can be performed using svcadm(1M). A user who has been assigned the authorization shown below can perform these actions:
The service's status can be queried using the svcs(1) command.
The in.iked daemon is designed to be run under smf(5) management. While the in.iked command can be run from the command line, this is discouraged. If the in.iked command is to be run from the command line, the ike smf(5) service should be disabled first. See svcadm(1M).
The following options are supported:
Valid levels are:
If -p is not specified, level defaults to 0.
This option is deprecated. See "Service Management Facility" for more details.
This program has sensitive private keying information in its image. Care should be taken with any core dumps or system dumps of a running in.iked daemon, as these files contain sensitive keying information. Use the coreadm(1M) command to limit any corefiles produced by in.iked.
Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE). Network Working Group. November 1998.
Maughan, Douglas, Schertler, M., Schneider, M., Turner, J. RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP). Network Working Group. November 1998.
Piper, Derrell, RFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP. Network Working Group. November 1998.
|January 27, 2009||OmniOS|