ikev2.preshared(5)
ikev2.preshared(5) File Formats ikev2.preshared(5)
NAME
ikev2.preshared - pre-shared keys file for IKEv2
SYNOPSIS
/etc/inet/ike/ikev2.preshared
DESCRIPTION
The /etc/inet/ike/ikev2.preshared file contains secret keying material
that two IKE instances can use to authenticate each other. Because of
the sensitive nature of this data, it should be readable only by the
user ikeuser.
The ikev2.preshared file is composed of a list of pre-shared key
entries. Each entry must contain key information, as well as one or
more label attributes. When the pre-shared key file is loaded, the key
information from each entry will be added to all existing IKEv2 rules
that match a label in the entry. If a label does not match any existing
IKEv2 rule, it is ignored. For information about IKEv2 rules, see the
ikev2.config(5) man page.
A pre-shared key entry may have either a single key attribute, or
local_key and/or remote_key attributes. Keys set via local_key and
remote_key attributes will only be used to compute local AUTH values or
validate remote AUTH values respectively.
Pre-shared keys are delimited by open-curly-brace ({) and close-curly-
brace (}) characters. There are four attribute-value pairs allowed
inside a pre-shared key:
     Name         Value          Example
     label        ASCII-string   "My IKEv2 rule"
     key          hex-string     1234567890abcdef
     local_key    hex-string     0x1234567890abcdef
     remote_key   ASCII-string   "This is my preshared key"
Comment lines with # appearing in the first column are also legal.
An ASCII-string can consist of any valid ASCII character except for
NEWLINE. A backslash (\) is considered an escape character when it
precedes a double quote or another backslash. Otherwise, a backslash is
taken literally.
Files in this format can also be used by the ikeadm(8) command to load
additional pre-shared keys into a running in.ikev2d(8) process.
EXAMPLES
Example 1 A Sample ikev2.preshared File
The following is an example of an ikev2.preshared file:
#### BEGINNING OF FILE
{
label "IP identities and PSK auth"
# Not secure
key 0001020304050607
}
{
# Use these pre-shared keys with both rules listed
label "IP address prefixes and PSK auth"
label "IPv6 address prefixes and PSK auth"
# Also not secure
local_key "This my password"
remote_key "This their password"
}
{
# This rule uses pre-shared keys for local auth only
label "Mixed auth types"
# Might have been secure if it wasn't published here
local_key aa567d1fc6a5530e1a2628d4f2f06e73
}
Refer to the first example provided in the ikev2.config(5) man page for
a compatible ikev2.config file.
SECURITY
If this file is compromised, the attacker can use the pre-shared key
values to impersonate this system, and any other systems using the same
keys, during the IKEv2 authentication exchange. The full impact of a
compromise depends on the IKEv2 configuration and the extent to which
keys have been reused.
The IKEv2 protocol does not protect the pre-shared keys from brute
force or dictionary attacks. So, strong keys must be chosen. The IKEv2
protocol specification recommends that pre-shared keys contain as much
randomness as the strongest keys to be negotiated using the protocol,
and that plain-text passwords never be used.
The default and recommended file permissions for ikev2.preshared are
0600. The pfedit(8) command should not be used to modify this file, as
it has the potential to put sensitive keying material into the audit
log. The sensitive system attribute is set on this file by the
packaging system and should be kept.
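The following is an added example, not Oracle's code, illustrating both the file format described in DESCRIPTION (brace-delimited entries, label matching, the key versus local_key/remote_key split, and ASCII-string escaping) and the key-strength advice in SECURITY. SAMPLE is constructed from Example 1 above; RULE_LABELS, MIN_KEY_BYTES and the function names are assumptions made for illustration and do not correspond to anything in in.ikev2d(8) or ikeadm(8).

```python
"""Parser and key checker for the ikev2.preshared(5) file format.
Added example, not Oracle's code.  SAMPLE is constructed from the man
page's Example 1; RULE_LABELS, MIN_KEY_BYTES and all names are assumed."""
import secrets

SAMPLE = """\
{
label "IP identities and PSK auth"
# Not secure
key 0001020304050607
}
{
label "IP address prefixes and PSK auth"
label "IPv6 address prefixes and PSK auth"
local_key "This my password"
remote_key "This their password"
}
{
label "Mixed auth types"
local_key aa567d1fc6a5530e1a2628d4f2f06e73
}
"""
RULE_LABELS = {"Mixed auth types", "Certificates only"}  # assumed ikev2.config labels
MIN_KEY_BYTES = 32        # assumed floor: as much randomness as a 256-bit key
KEY_ATTRS = ("key", "local_key", "remote_key")

def _ascii_string(text):
    """Parse a quoted ASCII-string, returning (value, rest).  A backslash
    escapes only a double quote or another backslash; otherwise it is literal."""
    out, i = [], 1
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text) and text[i + 1] in '"\\':
            out.append(text[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), text[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated ASCII-string")

def _quote(s):
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def _key_bytes(raw):
    """A quoted ASCII-string is used byte for byte; anything else is a
    hex-string, with or without a 0x prefix."""
    if raw.startswith('"'):
        value, rest = _ascii_string(raw)
        if rest.strip():
            raise ValueError("trailing data after ASCII-string")
        return "ascii", value.encode("ascii")
    return "hex", bytes.fromhex(raw[2:] if raw[:2].lower() == "0x" else raw)

def _check(entry, lineno):
    """An entry needs a label and either key, or local_key and/or remote_key."""
    if not entry["labels"]:
        raise ValueError(f"line {lineno}: entry has no label")
    split = "local_key" in entry or "remote_key" in entry
    if "key" in entry and split:
        raise ValueError(f"line {lineno}: key cannot be mixed with local_key/remote_key")
    if "key" not in entry and not split:
        raise ValueError(f"line {lineno}: entry has no key material")

def parse(text):
    """Return a list of entries: {"labels": [...], <key attr>: (kind, bytes)}."""
    entries, cur = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#") or not line.strip():   # '#' in column 1 only
            continue
        s = line.strip()
        if s == "{":
            if cur is not None:
                raise ValueError(f"line {lineno}: nested entry")
            cur = {"labels": []}
        elif s == "}":
            if cur is None:
                raise ValueError(f"line {lineno}: stray close brace")
            _check(cur, lineno)
            entries.append(cur)
            cur = None
        elif cur is None:
            raise ValueError(f"line {lineno}: attribute outside an entry")
        else:
            name, _, raw = s.partition(" ")
            raw = raw.strip()
            if name == "label":
                cur["labels"].append(_ascii_string(raw)[0] if raw.startswith('"') else raw)
            elif name in KEY_ATTRS:
                cur[name] = _key_bytes(raw)
            else:
                raise ValueError(f"line {lineno}: unknown attribute {name!r}")
    if cur is not None:
        raise ValueError("unterminated entry")
    return entries

def apply_to_rules(entries, rule_labels):
    """Mimic loading: each rule whose label appears in an entry receives that
    entry's material; labels matching no rule are ignored.  'key' serves both
    directions, local_key/remote_key only their own (later entries win)."""
    rules = {}
    for e in entries:
        local = e.get("local_key") or e.get("key")
        remote = e.get("remote_key") or e.get("key")
        for label in e["labels"]:
            if label in rule_labels:
                rules[label] = {"local": local and local[1], "remote": remote and remote[1]}
    return rules

def weak_keys(entries, min_bytes=MIN_KEY_BYTES):
    """Flag what SECURITY warns about: plain-text passwords and keys with
    less randomness than the strongest key to be negotiated."""
    findings = []
    for e in entries:
        for attr in KEY_ATTRS:
            if attr in e:
                kind, data = e[attr]
                if kind == "ascii":
                    findings.append((e["labels"][0], attr, "plain-text password"))
                elif len(data) < min_bytes:
                    findings.append((e["labels"][0], attr, f"only {len(data) * 8} bits"))
    return findings

def generate_entry(labels, nbytes=MIN_KEY_BYTES):
    """Emit a replacement entry keyed from the OS CSPRNG (see random(4D))."""
    body = ["{"] + [f"label {_quote(l)}" for l in labels]
    body += [f"key {secrets.token_hex(nbytes)}", "}"]
    return "\n".join(body) + "\n"
```

Running weak_keys(parse(SAMPLE)) reports all three sample entries, matching the man page's own comments that none of them is secure; generate_entry() produces an entry that passes the same check and round-trips through parse(), including labels that contain quotes. The 32-byte floor is a local policy choice, not a value the man page specifies.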
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
     ATTRIBUTE TYPE         ATTRIBUTE VALUE
     Availability           system/network/ike
     Interface Stability    Committed
SEE ALSO
random(4D), ikev2.config(5), attributes(7), ikeadm(8), ipseckey(8)
Oracle Solaris 11.4 21 Jun 2021 ikev2.preshared(5)