ikeadm(8) man page - 윈디하나의 솔라나라


System Administration Commands                                       ikeadm(8)



NAME
       ikeadm - manipulate Internet Key Exchange (IKE) parameters and state

SYNOPSIS
       ikeadm [-np] [-v {1|2}]


       ikeadm [-np] [-v {1|2}] get [debug | priv | stats | defaults]


       ikeadm [-np] [-v {1|2}] set [debug | priv] [level] [file]


       ikeadm [-np] [-v {1|2}] [get | del] [p1 | ikesa | rule | preshared] [id]


       ikeadm [-np] [-v {1|2}] add [rule | preshared] { description }


       ikeadm [-np] [-v {1|2}] token [login | logout] PKCS#11_Token_Object


       ikeadm [-np] [-v {1|2}] [read | write] [rule | preshared | certcache]
            file


       ikeadm [-np] [-v {1|2}] dump [p1 | ikesa | rule | preshared | certcache
            | groups | encralgs | authalgs]


       ikeadm [-v {1|2}] [-np] flush [p1 | ikesa | certcache]


       ikeadm help
            [get | set | add | del | read | write | dump | flush | token]

DESCRIPTION
       The  ikeadm utility retrieves information from and manipulates the con‐
       figuration  of  the  Internet  Key  Exchange  (IKE)  protocol   daemon,
       in.iked(8).


       The  ikeadm utility communicates with the running Internet Key Exchange
       (IKE) daemon(s). This utility can retrieve information from  or  change
       the  configuration  of  the running daemon without restarting it. There
       are two IKE protocol daemons, in.iked(8) and  in.ikev2d(8),  supporting
       version one and two of the Internet Key Exchange Protocol respectively.


       The ikeadm utility provides an alternate configuration mechanism to the
       configuration files described  in  ike.config(5)  and  ikev2.config(5).
       Additionally  it  provides  a unique interface for gathering statistics
       and other information only available from the running daemon(s).


       ikeadm supports a set of operations, which may be performed on  one  or
       more  of  the  supported  object types. When invoked without arguments,
       ikeadm enters interactive mode which prints a prompt  to  the  standard
       output  and  accepts commands from the standard input until the end-of-
       file is reached.


       Because ikeadm manipulates sensitive keying information,  you  must  be
       superuser  or be granted the Network IPsec Management rights profile to
       use this command. Additionally, some of the commands available  require
       that  the  daemon be running in a privileged mode, which is established
       when the daemon is started.


       For details on how to use this command securely see SECURITY.

OPTIONS
       The following options are supported:

       -n

           Prevent attempts to print host and network names symbolically  when
           reporting  actions.  This  is  useful,  for  example, when all name
           servers are down or are otherwise unreachable.


       -p

           Paranoid. Do not print any keying material, even if saving Security
           Associations.  Instead  of  an actual hexadecimal digit, print an X
           when this flag is turned on.


       -v {1|2}

           IKE version number. If only one of the in.iked(8)  or  in.ikev2d(8)
           daemons  are  running,  this flag is optional. Otherwise, this flag
           designates which version of the IKE daemon is the  target  of  this
           operation.


USAGE
   Commands
       The following commands are supported:

       add

           Add the specified object. This option can be used to add a new pol‐
           icy rule or a new preshared key to the current (running)  IKE  con‐
           figuration. New preshared key values can only be entered by running
           ikeadm interactively. See SECURITY. The rule or key being added  is
           specified  using  appropriate id-value pairs as described in the ID
           FORMATS section.


       del

           Delete a specific object or objects from the IKE  daemon's  current
           configuration.  This  operation is available for IKE (Phase 1) SAs,
           IKEv2 IKE SAs, policy rules, and preshared keys. The object  to  be
           deleted is specified as described in the Id Formats section.


       dump

           Display  all objects of the specified type known to the IKE daemon.
           This option can be used to display all Phase 1 SAs, IKEv2 IKE  SAs,
           policy  rules,  preshared  keys, implemented Diffie-Hellman groups,
           encryption, and authentication algorithms available for Phase 1  or
           IKE  SAs,  or the certificate cache. A large amount of output might
           be generated by this command.


       flush

           Remove all IKE (Phase 1) SAs, IKEv2 IKE SAs, or cached certificates
           from the IKE daemon.

           Note  that  flushing  the  certcache  will  also (as a side-effect)
           update IKEv1 with any new certificates added or removed. Note  that
           IKEv2 does not have an exposed certificate cache.


       get

           Lookup  and  display  the specified object. May be used to view the
           current debug or privilege level,  global  statistics  and  default
           values  for  the  daemon, or a specific IKE (Phase 1) SA, IKEv2 IKE
           SA, policy rule, or preshared key. The latter  three  object  types
           require  that identifying information be passed in; the appropriate
           specification for each object type is described below.


       help

           Print a brief summary of commands, or, when followed by a  command,
           prints information about that command.


       read

           Update the current IKE configuration by reading the policy rules or
           preshared keys from either the default location or  from  the  file
           specified.


       set

           Adjust  the current debug or privilege level. If the debug level is
           being modified, an output file may  optionally  be  specified;  the
           output file must be specified if the daemon is running in the back‐
           ground and is not currently printing to a file. When  changing  the
           privilege  level,  adjustments may only be made to lower the access
           level; it cannot be increased using ikeadm. Note that the privilege
           level applies to IKEv1 only.


       write

           Write the current IKE/IKEv2 policy rule set or preshared key set to
           the specified file. A destination file must be specified. This com‐
           mand  should  not  be  used to overwrite the existing configuration
           files.


       token

           Log into a PKCS#11 token object and grant access to keying material
           or log out and invalidate access to keying material.

           token can be run as a normal user with the Network IPsec Management
           rights profile.


   Object Types
       debug

           Specifies the daemon's debug level. This determines the amount  and
           type  of  output  provided  by the daemon about its operations. The
           debug level is actually a bitmask, with  individual  bits  enabling
           different types of information.


             IKEv1 and IKEv2

             Certificate management   0x00000001               cert
             Key management           0x00000002               key
             Operational              0x00000004               op
             Phase 1 SA creation      0x00000008               phase1
             Phase 2 SA creation      0x00000010               phase2
             PF_KEY interface         0x00000020               pfkey
             Policy management        0x00000040               policy
             Proposal construction    0x00000080               prop
             Door interface           0x00000100               door
             Config file processing   0x00000200               config
             Label processing         0x00000400               label

             IKEv2 only

             Packet processing        0x00000800               packet
             Audit interaction        0x00002000               audit
             Additional Notes         0x00004000               note
             Threading issues         0x00008000               thread
             Extra PF_KEY dumps       0x00010000               pfkeymsg
             Verbose                  0x00006204               verbose
             All debug flags          0x0001ffff               all

           When  specifying the debug level, either a number (decimal or hexa‐
           decimal) or a string of nicknames may be given.  For  example,  88,
           0x58, and phase1+phase2+policy are all equivalent, and will turn on
           debug for phase 1  sa creation, phase 2  sa  creation,  and  policy
           management.  A  string of nicknames may also be used to remove cer‐
           tain types of information; all-op has the effect of turning on  all
           debug except for operational messages; it is equivalent to the num‐
           bers 1019 or 0x3fb.
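
           The following Python program is an added example that is not part
           of the ikeadm(8) man page or of Solaris; it shows how the three
           spellings of a debug level described above (decimal, hexadecimal,
           and a '+'/'-' string of nicknames) reduce to one bitmask, using the
           bit values from the table. The function names (parse_debug_level,
           describe, flag_table) are my own. One assumption: the page gives no
           numeric "all" for IKEv1, so it is taken as 0x3ff here, which is the
           value that makes "all-op" equal the 0x3fb (1019) the text states.

```python
"""Parse an in.iked/in.ikev2d debug-level specification into its bitmask.

Added example for the ikeadm(8) debug table; not code from the man page
or from Solaris. It accepts the three spellings the page describes: a
decimal number, a hexadecimal number, or a '+'/'-' string of nicknames.
"""

# Bit values and nicknames copied from the man page (IKEv1 and IKEv2).
COMMON_FLAGS = {
    "cert": 0x00000001, "key": 0x00000002, "op": 0x00000004,
    "phase1": 0x00000008, "phase2": 0x00000010, "pfkey": 0x00000020,
    "policy": 0x00000040, "prop": 0x00000080, "door": 0x00000100,
    "config": 0x00000200, "label": 0x00000400,
}

# IKEv2-only bits plus the two composite nicknames the page lists for IKEv2.
IKEV2_FLAGS = {
    "packet": 0x00000800, "audit": 0x00002000, "note": 0x00004000,
    "thread": 0x00008000, "pfkeymsg": 0x00010000,
    "verbose": 0x00006204, "all": 0x0001ffff,
}

# Assumption: the page gives no numeric "all" for IKEv1, but it says that
# all-op equals 0x3fb (1019), which is what 0x3ff minus the op bit yields.
IKEV1_ALL = 0x000003ff


def flag_table(version=1):
    """Return the nickname -> bit-value table for IKE version 1 or 2."""
    if version == 1:
        return {**COMMON_FLAGS, "all": IKEV1_ALL}
    if version == 2:
        return {**COMMON_FLAGS, **IKEV2_FLAGS}
    raise ValueError("IKE version must be 1 or 2")


def parse_debug_level(spec, version=1):
    """Convert '88', '0x58', 'phase1+phase2+policy' or 'all-op' to an int.

    A leading nickname or '+name' ORs its bits in; '-name' clears them,
    evaluated left to right exactly as written.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty debug specification")
    try:
        # int(..., 0) understands both decimal and 0x-prefixed hexadecimal.
        return int(spec, 0)
    except ValueError:
        pass
    table = flag_table(version)
    mask, sign, token = 0, 1, ""
    for ch in spec + "+":            # trailing '+' flushes the final token
        if ch not in "+-":
            token += ch
            continue
        if token not in table:
            raise ValueError(f"unknown debug nickname: {token!r}")
        mask = mask | table[token] if sign > 0 else mask & ~table[token]
        token, sign = "", (1 if ch == "+" else -1)
    return mask


def describe(mask, version=1):
    """List the single-bit nicknames set in mask, in table order."""
    return [name for name, bit in flag_table(version).items()
            if bit & (bit - 1) == 0 and mask & bit]


if __name__ == "__main__":
    for spec in ("88", "0x58", "phase1+phase2+policy", "all-op"):
        level = parse_debug_level(spec)
        print(f"{spec:22s} -> {level:5d} (0x{level:x}) "
              f"{'+'.join(describe(level))}")
```

           Running it prints the same 88 / 0x58 for the three equivalent
           spellings in the text, and 1019 / 0x3fb for all-op. Passing
           version=2 switches to the IKEv2 table, so "verbose-op" resolves
           against the page's 0x00006204 composite value.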


       priv

           IKEv1 only

           Specifies the daemon's access privilege level. The possible  values
           are:


             Description                  Level   Nickname

             Base level                   0       base
             Access to preshared key info 1       modkeys
             Access to keying material    2       keymat

           By  default,  in.iked  is started at the base level. A command-line
           option can be used to start the daemon at a  higher  level.  ikeadm
           can  be used to lower the level, but it cannot be used to raise the
           level.

           Either the numerical level or the nickname may be used  to  specify
           the target privilege level.

           See  in.iked(8) for a description of the config/admin_privilege SMF
           property. This property allows you to establish a  baseline  privi‐
           lege level that can be subsequently modified by ikeadm.

           In  order to get, add, delete, dump, read, or write preshared keys,
           the privilege level must at least  give  access  to  preshared  key
           information. However, when viewing preshared keys (either using the
           get or dump command), the key itself will only be available if  the
           privilege  level  gives access to keying material. This is also the
           case when viewing Phase 1 SAs.


       stats

           Global statistics from the daemon.

           IKEv1 stats cover both successful and failed Phase 1 SA creation.

           Reported statistics include:


               o      Count of current P1 SAs which the local entity initiated


               o      Count of current P1 SAs where the local entity  was  the
                      responder


               o      Count  of  all  P1  SAs which the local entity initiated
                      since boot


               o      Count of all P1 SAs  where  the  local  entity  was  the
                      responder since boot


               o      Count  of  all  attempted  P1  SAs since boot, where the
                      local entity was the initiator; includes failed attempts


               o      Count of all attempted P1  SAs  since  boot,  where  the
                      local entity was the responder; includes failed attempts


               o      Count of all failed attempts to initiate a P1  SA, where
                      the failure occurred because the peer did not respond


               o      Count of all failed attempts to initiate a P1 SA,  where
                      the peer responded


               o      Count  of all failed P1  SAs where the peer was the ini‐
                      tiator


               o      Whether a PKCS#11 library is in use, and if  applicable,
                      the PKCS#11 library that is loaded. See ike.config(5).

           IKEv2 stats cover both successful and failed IKE SA creation.

               o      Count of all successful IKEv2 SA creations


               o      Count of all failed IKEv2 SA creations


               o      Count of all successful IKEv2 rekeys


               o      Count of all failed IKEv2 rekeys


               o      Count of all memory allocation failures



       defaults

           IKEv1 only

           Display  default values used by the in.iked daemon. Some values can
           be overridden in the daemon configuration file (see ike.config(5));
           for  these  values, the token name is displayed in the get defaults
           output. The output will reflect where  a  configuration  token  has
           changed the default.

           Default  values might be ignored in the event a peer system makes a
           valid alternative proposal or they can be  overridden  by  per-rule
           values established in ike.config. In such instances, a get defaults
           command continues to display the default  values,  not  the  values
           used to override the defaults.


       ikesa

           An  IKEv2  IKE  SA.  An ikesa object is identified by an IP address
           pair or a local SPI; identification formats are described below.


       p1

           An IKE Phase 1 SA. A p1 object is identified by an IP address  pair
           or a cookie pair; identification formats are described below.


       rule

           An  IKE  policy rule, defining the acceptable security characteris‐
           tics for Phase 1 or IKEv2  IKE  SAs  between  specified  local  and
           remote  identities.  A rule is identified by its label; identifica‐
           tion formats are described below.


       preshared

           A preshared key, including the applicable identifier(s). In  IKEv1,
           a  preshared key is identified by an IP address pair or an identity
           pair. In IKEv2, a preshared key is identified by  its  rule  label.
           Identification formats are described below.


   Id Formats
       Commands  like add, del, and get require that additional information be
       specified on the command line. In the case of the delete and  get  com‐
       mands,  all  that  is required is to minimally identify a given object;
       for the add command, the full object must be specified.


       Minimal identification is accomplished in most cases by a pair of  val‐
       ues.  For  IP  addresses,  the  local addr and then the remote addr are
       specified, either in dot-notation for IPv4  addresses,  colon-separated
       hexadecimal  format  for  IPv6 addresses, or a host name present in the
       host name database. If a host name is given that expands to  more  than
       one  address, the requested operation will be performed multiple times,
       once for each possible combination of addresses.


       Identity pairs are made up of a local type-value pair, followed by  the
       remote type-value pair. Valid types are:

       prefix

           An address prefix.


       fqdn

           A fully-qualified domain name.


       domain

           Domain name, synonym for fqdn.


       user_fqdn

           User identity of the form user@fqdn. (IKEv1 only)


       mailbox

           Synonym for user_fqdn.



       A cookie pair is made up of the two cookies assigned to a Phase 1 Secu‐
       rity Association (SA) when it is created;  first  is  the  initiator's,
       followed by the responder's. A cookie is a 64-bit number.


       Finally, a label (which is used to identify a policy rule) is a charac‐
       ter string assigned to the rule when it is created.


       Formatting a rule or preshared key for the add command follows the for‐
       mat  rules  for  the in.iked or in.ikev2d configuration files. Both are
       made up of a series of id-value pairs, contained in curly braces ({ and
       }).  For  IKEv1,  see ike.config(5) and ike.preshared(5) for details on
       the formatting of rules and preshared keys. For IKEv2,  see  ikev2.con‐
       fig(5) and ikev2.preshared(5) for its formatting rules.

SECURITY
       The  ikeadm  command  allows  an authorized user with the Network IPsec
       Management rights profile to enter cryptographic keying information. If
       an  adversary  gains  access to such information, the security of IPsec
       traffic is compromised. The  following  issues  should  be  taken  into
       account when using the ikeadm command.

           o      Is the TTY going over a network (interactive mode)?

                  If  it  is,  then the security of the keying material is the
                  security of the network path for this TTY's  traffic.  Using
                  ikeadm  over a clear-text telnet or rlogin session is risky.
                  Even local windows may be vulnerable to attacks where a con‐
                  cealed program that reads window events is present.


           o      Is  the  file  accessed  over the network or readable to the
                  world (read/write commands)?

                  A network-mounted file can be sniffed by an adversary as  it
                  is being read. A world-readable file with keying material in
                  it is also risky.



       If your source address is a host that can be looked up  over  the  net‐
       work, and your naming system itself is compromised, then any names used
       will no longer be trustworthy.


       Commands that manage keying material do not generally allow the  keying
       material to be specified on the command line. This is because this key‐
       ing material may end up in a  shell  history  file  or  be  visible  to
       another user running ps(1) and could therefore be compromised.


       Security weaknesses often lie in misapplication of tools, not the tools
       themselves. It is recommended that  administrators  are  cautious  when
       using the ikeadm command. The safest mode of operation is probably on a
       console, or other hard-connected TTY.


       For additional information regarding this subject, see the  afterword
       by  Matt  Blaze  in  Bruce  Schneier's Applied Cryptography: Protocols,
       Algorithms, and Source Code in C.

EXAMPLES
       Example 1 Emptying out all Phase 1 or IKEv2 IKE Security Associations



       IKEv1:



       The following command empties out all Phase 1 Security Associations:


         example# ikeadm flush p1




       IKEv2:



       The following command empties out all IKEv2 IKE Security Associations:


         example# ikeadm flush ikesa


       Example 2 Displaying all Phase 1 or IKEv2 IKE Security Associations



       IKEv1:



       The following command displays all Phase 1 Security Associations:


         example# ikeadm dump p1




       IKEv2:



       The following command displays all IKEv2 IKE Security Associations:


         example# ikeadm dump ikesa


       Example 3 Deleting a Specific Phase 1 Security Association



       The following command deletes the specified Phase 1 or IKEv2 IKE  Secu‐
       rity Associations:



       IKEv1:


         example# ikeadm del p1 local_ip remote_ip




       IKEv2:


         example# ikeadm del ikesa local_ip remote_ip




       ...or:


         example# ikeadm del ikesa 0x49bf01d5c7585ea8




       Note  that  the value 0x49bf01d5c7585ea8, in the preceding example com‐
       mand, is the local SPI of the IKE  SA,  as  displayed  by  ikeadm  dump
       ikesa.

       Example 4 Adding a Rule From a File



       The following command adds a rule from a file:


         example# ikeadm add rule rule_file


       Example 5 Adding a Preshared Key



       The following command adds a preshared key:



       IKEv1:


         example# ikeadm
              ikeadm> add preshared { localidtype ip localid local_ip
                      remoteidtype ip remoteid remote_ip ike_mode main
                      key 1234567890abcdef1234567890abcdef }




       IKEv2:


         example# ikeadm
              ikeadm> add preshared { label "existing rule label"
         key 0x4b6562652e0a }


       Example 6 Saving All Preshared Keys to a File



       The following command saves all preshared keys to a file:


         example# ikeadm write preshared target_file


       Example 7 Viewing a Particular Rule



       The following command views a particular rule:


         example# ikeadm get rule rule_label


       Example 8 Reading in New Rules from ike.config



       The following command reads in new rules from the ike.config file:


         example# ikeadm read rules


       Example 9 Lowering the Privilege Level



       The following command lowers the privilege level for IKEv1:


         example# ikeadm set priv base


       Example 10 Viewing the Debug Level



       The following command shows the current debug level:


         example# ikeadm get debug


       Example 11 Using stats to Verify Hardware Accelerator in IKEv1



       The  following  example shows how stats may include an optional line at
       the end to indicate if IKE is using a  PKCS#11  library  to  accelerate
       public-key operations, if applicable.


         example# ikeadm get stats
         Phase 1 SA counts:
         Current:  initiator:     0    responder:      0
         Total:    initiator:    21   responder:      27
         Attempted:initiator:    21   responder:      27
         Failed:   initiator:     0   responder:       0
                       initiator fails include 0 time-out(s)
         PKCS#11 library linked in from /opt/system/core-osonn/lib/libpkcs11.so
         example#
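
       The following Python program is an added example, not code from  the
       man  page  or from Solaris. It parses the get stats output shown above
       into a structure and runs a few operator-side checks on it (failed  or
       timed-out  Phase 1 attempts, absence of a PKCS#11 accelerator). The
       first sample is the output from this example; the second is  a  con‐
       structed degraded variant. The regular expressions, the 10% failure
       threshold, and the function names (parse_ikev1_stats,  health_find‐
       ings) are my own.

```python
"""Parse 'ikeadm get stats' (IKEv1) output and run basic health checks.

Added example, not code from the man page or from Solaris. The first
sample is the output shown in Example 11 of the page; the second is a
constructed, degraded variant. Regexes and thresholds are my own.
"""
import re

# Copied from the man page's Example 11.
HEALTHY_STATS = """\
Phase 1 SA counts:
Current:  initiator:     0    responder:      0
Total:    initiator:    21   responder:      27
Attempted:initiator:    21   responder:      27
Failed:   initiator:     0   responder:       0
              initiator fails include 0 time-out(s)
PKCS#11 library linked in from /opt/system/core-osonn/lib/libpkcs11.so
"""

# Constructed sample: failing initiations, time-outs, no PKCS#11 line.
DEGRADED_STATS = """\
Phase 1 SA counts:
Current:  initiator:     2    responder:      0
Total:    initiator:    10   responder:       4
Attempted:initiator:    15   responder:       4
Failed:   initiator:     5   responder:       0
              initiator fails include 3 time-out(s)
"""

# The 'Attempted:initiator:' row has no space after the first colon, so
# the separator between row name and 'initiator:' is \s* rather than \s+.
ROW_RE = re.compile(
    r"^(Current|Total|Attempted|Failed):\s*initiator:\s*(\d+)"
    r"\s+responder:\s*(\d+)$")
TIMEOUT_RE = re.compile(r"initiator fails include (\d+) time-out")
PKCS11_RE = re.compile(r"^PKCS#11 library linked in from (\S+)$")


def parse_ikev1_stats(text):
    """Return {'counts': {row: {'initiator': n, 'responder': n}}, ...}."""
    stats = {"counts": {}, "initiator_timeouts": None, "pkcs11_library": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ROW_RE.match(line):
            stats["counts"][m.group(1).lower()] = {
                "initiator": int(m.group(2)), "responder": int(m.group(3))}
        elif m := TIMEOUT_RE.search(line):
            stats["initiator_timeouts"] = int(m.group(1))
        elif m := PKCS11_RE.match(line):
            stats["pkcs11_library"] = m.group(1)
    return stats


def health_findings(stats, max_failure_ratio=0.1):
    """Flag conditions an operator would want to look at."""
    findings = []
    counts = stats["counts"]
    for role in ("initiator", "responder"):
        attempted = counts.get("attempted", {}).get(role, 0)
        failed = counts.get("failed", {}).get(role, 0)
        if attempted and failed / attempted > max_failure_ratio:
            findings.append(
                f"{role}: {failed} of {attempted} Phase 1 attempts failed")
    if stats["initiator_timeouts"]:
        findings.append(f"{stats['initiator_timeouts']} initiator attempt(s) "
                        "timed out: peer did not respond")
    if stats["pkcs11_library"] is None:
        findings.append("no PKCS#11 library linked in: public-key "
                        "operations are not accelerated")
    return findings


if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY_STATS), ("degraded", DEGRADED_STATS)):
        parsed = parse_ikev1_stats(text)
        print(name, parsed["counts"]["total"], health_findings(parsed) or "OK")
```

       The healthy sample yields no findings; the degraded one reports the
       initiator failure ratio, the time-outs (the "peer did not respond"
       statistic described under stats), and the missing PKCS#11 line.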


       Example 12 Displaying the Certificate Cache in IKEv1



       The  following  command  shows  the certificate cache and the status of
       associated private keys, if applicable:


         example# ikeadm dump certcache


       Example 13 Logging into a PKCS#11 Token



       The following command shows logging into a  PKCS#11  token  object  and
       unlocking private keys:


         example# ikeadm token login "Sun Metaslot"
         Enter PIN for PKCS#11 token:
         ikeadm: PKCS#11 operation successful


EXIT STATUS
       The following exit values are returned:

       0           Successful completion.


       non-zero    An  error  occurred. Writes an appropriate error message to
                   standard error.


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       ATTRIBUTE TYPE           ATTRIBUTE VALUE
       Availability             system/network/ike
       Interface Stability      Committed


SEE ALSO
       ps(1),  ipsec(4P),  ike.config(5),  ike.preshared(5),  ikev2.config(5),
       ikev2.preshared(5), attributes(7), in.iked(8), in.ikev2d(8)


       Schneier,  Bruce,  Applied  Cryptography:  Protocols,  Algorithms,  and
       Source Code in C, Second Edition, John Wiley  &  Sons,  New  York,  NY,
       1996.

NOTES
       As in.iked and in.ikev2d can run only in the global zone, kernel zones,
       and exclusive-IP zones, this command is not useful in shared-IP zones.



Oracle Solaris 11.4               21 Jun 2021                        ikeadm(8)
The copyright of the man page content belongs to the man page's author.