in.iked(8) man page - 윈디하나의 솔라나라


System Administration Commands                                      in.iked(8)



NAME
       in.iked - daemon for the Internet Key Exchange (IKE)

SYNOPSIS
       /usr/lib/inet/in.iked [-d] [-f filename] [-p level]


       /usr/lib/inet/in.iked -c [-f filename]

DESCRIPTION
       in.iked  performs automated key management for IPsec using the Internet
       Key Exchange (IKE) protocol.


       in.iked implements the following:

           o      IKE authentication with either pre-shared keys,  DSS  signa‐
                  tures, RSA signatures, or RSA encryption.


           o      Diffie-Hellman key derivation using either 1024, 1536, 2048,
                  3072, or 4096-bit public key moduli, or 256, 384, or 521-bit
                  elliptic curve moduli.


           o      Authentication  protection  with  cipher  choices  of AES or
                  3DES, and hash choices of either HMAC-SHA1 or the  HMAC-SHA2
                  family.  Encryption in in.iked is limited to the IKE authen‐
                  tication and key exchange. For information  regarding  IPsec
                  protection choices, see the ipsecesp(4P) man page.



       in.iked is managed by the following smf(7) service:

         svc:/network/ipsec/ike



       This service is delivered disabled because the configuration file needs
       to be created before the service can be enabled. See ike.config(5)  for
       the format of this file.


       See  "Service  Management  Facility"  for  information  on managing the
       smf(7) service.


       in.iked listens for incoming IKE requests  from  the  network  and  for
       requests  for outbound traffic using the PF_KEY socket. For more infor‐
       mation, see the pf_key(4P) man page.


       in.iked has two support programs that are used for  IKE  administration
       and diagnosis: ikeadm(8) and ikecert(8).


       The ikeadm(8) command can read the /etc/inet/ike/config file as a rule,
       then pass the configuration information to the running  in.iked  daemon
       using a doors interface.

         example# ikeadm read rule /etc/inet/ike/config



       Refreshing the ike smf(7) service that manages the in.iked daemon (see
       "svcadm refresh ike" under "Service Management Facility") sends a
       SIGHUP signal to the in.iked daemon, which (re)reads
       /etc/inet/ike/config and reloads the certificate database.


       These two actions, the ikeadm read rule command shown above and a
       refresh of the ike service, have the same effect, that is, to update
       the running IKE daemon with the latest configuration. See "Service
       Management Facility" for more details on managing the in.iked daemon.


       When  Trusted  Extensions  are  enabled (see labeld(8)), in.iked can be
       used in the global zone to negotiate labeled security associations.  On
       labeled  systems  using in.iked, UDP ports 500 and 4500 must be config‐
       ured as multi-level ports for  the  global  zone  (see  tncfg(8)).  See
       ike.config(5)  for more information on configuring in.iked to be label-
       aware.

   Service Management Facility
       The IKE daemon (in.iked) is managed by the service management facility,
       smf(7). The following group of services manage the components of IPsec:


       svc:/network/ipsec/ipsecalgs      See ipsecalgs(8)
       svc:/network/ipsec/policy         See ipsecconf(8)
       svc:/network/ipsec/manual-key     See ipseckey(8)
       svc:/network/ipsec/ike            See ike.config(5)



       The manual-key and ike services are delivered disabled because the sys‐
       tem  administrator must create configuration files for each service, as
       described in the respective man pages listed above.


       The correct administrative procedure is  to  create  the  configuration
       file for each service, then enable each service using svcadm(8).


       The  ike service has a dependency on the ipsecalgs and policy services.
       These services should be enabled before the ike service. Failure to  do
       so results in the ike service entering maintenance mode.


       If  the  configuration needs to be changed, edit the configuration file
       then refresh the service, as follows:

         example# svcadm refresh ike
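       The procedure above (create the configuration file, enable the
       ipsecalgs and policy services, then enable ike, and refresh ike after
       later edits), as an added shell script that is not part of the
       in.iked(8) man page or of Oracle Solaris. It assumes the Solaris
       svcs(1), svcadm(8) and "in.iked -c" interfaces named on this page; the
       IKE_DEPS and IKE_FMRI variables and the deps_not_online, enable_ike,
       refresh_ike and demo functions are this example's own names. The
       dependency gate is a pure shell helper so it can be exercised offline on
       constructed svcs output; the enable and refresh actions only run when
       asked for on the command line.

```shell
#!/bin/sh
# Added example, not part of the in.iked(8) man page or of Oracle Solaris.
# Brings the IPsec smf(7) services online in the order the page requires
# (ipsecalgs and policy before ike) and refuses to enable ike while a
# dependency is not online, which is what would drop ike into maintenance.
# Assumes the Solaris svcs, svcadm and "in.iked -c" commands; the variable
# and function names below are this script's own (hypothetical) names.

IKE_DEPS="svc:/network/ipsec/ipsecalgs:default svc:/network/ipsec/policy:default"
IKE_FMRI="svc:/network/ipsec/ike:default"

# deps_not_online "STATUS"
# STATUS is the text printed by:  svcs -H -o state,fmri $IKE_DEPS
# (one "state fmri" pair per line). Prints every FMRI in IKE_DEPS whose
# state is not "online" (or that is absent from STATUS); prints nothing when
# all dependencies are online. Pure shell/awk, so it runs on any system.
deps_not_online() {
    status=$1
    for dep in $IKE_DEPS; do
        state=$(printf '%s\n' "$status" | awk -v f="$dep" '$2 == f { print $1 }')
        [ "$state" = "online" ] || printf '%s\n' "$dep"
    done
}

# enable_ike [config-file]
# Syntax-checks the configuration with "in.iked -c", enables the dependencies
# synchronously, verifies that they reached online, then enables ike.
enable_ike() {
    cfg=${1:-/etc/inet/ike/config}
    if [ ! -f "$cfg" ]; then
        echo "enable_ike: $cfg does not exist; create it first (see ike.config(5))" >&2
        return 1
    fi
    /usr/lib/inet/in.iked -c -f "$cfg" || return 1
    svcadm enable -s $IKE_DEPS || return 1
    bad=$(deps_not_online "$(svcs -H -o state,fmri $IKE_DEPS)")
    if [ -n "$bad" ]; then
        echo "enable_ike: not enabling ike, dependencies not online:" >&2
        printf '  %s\n' $bad >&2
        return 1
    fi
    svcadm enable -s "$IKE_FMRI"
}

# refresh_ike
# After editing the configuration file: refresh (SIGHUP to in.iked) and show
# the service state plus the smf log file to inspect if the refresh failed.
refresh_ike() {
    svcadm refresh "$IKE_FMRI" || return 1
    svcs -l "$IKE_FMRI" | awk '$1 == "state" || $1 == "logfile"'
}

# demo: run the offline helper on constructed svcs output (not captured from
# a real host) in which policy sits in maintenance; prints the blocking FMRI.
demo() {
    sample='online         svc:/network/ipsec/ipsecalgs:default
maintenance    svc:/network/ipsec/policy:default'
    deps_not_online "$sample"
}

case "${1:-}" in
    enable)  enable_ike "$2" ;;
    refresh) refresh_ike ;;
    demo)    demo ;;
esac
```

       Run it as "sh ike_services.sh enable" once /etc/inet/ike/config
       exists, "sh ike_services.sh refresh" after editing that file, and
       "sh ike_services.sh demo" to see the gate reject a dependency that is
       in maintenance instead of letting ike fail the same way.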



       The following properties are defined for the ike service:

       config/admin_privilege

           Defines the level that ikeadm(8) invocations can change or  observe
           the  running  in.iked.  The acceptable values for this property are
           the same as those for the -p option. See the description of  -p  in
           OPTIONS.


       config/config_file

           Defines  the  configuration  file  to  use.  The  default  value is
           /etc/inet/ike/config. For the format of this file, see the ike.con‐
           fig(5)  man page. This property has the same effect as the -f flag.
           See the description of -f in OPTIONS.


       config/debug_level

            Defines the amount of debug output that is written to the
            debug_logfile file, described below. The default value for this is
            op or operator. This property controls the recording of information
            on events such as re-reading the configuration file. Acceptable
            values for debug_level are listed in the ikeadm(8) man page. The
            value all is equivalent to the -d flag. See the description of -d
            in OPTIONS.


       config/debug_logfile

           Defines where debug output should be written. The messages  written
           here are from debug code within in.iked. Startup error messages are
           recorded by the smf(7) framework and recorded in a service-specific
           log  file. Use any of the following commands to examine the logfile
           property:


             example# svcs -l ike
             example# svcprop ike
             example# svccfg -s ike listprop

           The values for these log file properties  might  be  different,  in
           which case both files should be inspected for errors.


       config/ignore_errors

           A boolean value that controls in.iked's behavior should the config‐
           uration file have syntax errors. The default value is false,  which
           causes  in.iked  to  enter maintenance mode if the configuration is
           invalid.

           Setting this value to true causes the IKE service to  stay  online,
           but  correct  operation requires the administrator to configure the
           running daemon with ikeadm(8). This option is provided for compati‐
           bility with previous releases.



       These properties can be modified using svccfg(8) by users who have been
       assigned the following authorization:

         solaris.smf.value.ipsec



       PKCS#11 token objects can be unlocked or locked by using  ikeadm  token
       login  and  ikeadm  token logout, respectively. Availability of private
       keying material stored on these PKCS#11 token objects can  be  observed
       with:  ikeadm  dump certcache. The following authorizations allow users
       to log into and out of PKCS#11 token objects:

         solaris.network.ipsec.ike.token.login
         solaris.network.ipsec.ike.token.logout



       See auths(1), ikeadm(8), user_attr(5), rbac(7).


       The service needs to be refreshed using svcadm(8) before a new property
       value  is  effective.  General, non-modifiable properties can be viewed
       with the svcprop(1) command.

         # svccfg -s ipsec/ike setprop config/config_file = \
         /new/config_file
         # svcadm refresh ike



       Administrative actions on this service, such  as  enabling,  disabling,
       refreshing,  and requesting restart can be performed using svcadm(8). A
       user who has been assigned the authorization shown  below  can  perform
       these actions:

         solaris.smf.manage.ipsec



       The service's status can be queried using the svcs(1) command.


       The in.iked daemon is designed to be run under smf(7) management. While
       the in.iked command can be run from the command line, this is  discour‐
       aged.  If  the  in.iked command is to be run from the command line, the
       ike  smf(7) service should be disabled first. For more information, see
       the svcadm(8) man page.

OPTIONS
       The following options are supported:

       -c             Check the syntax of a configuration file.


       -d             Use  debug  mode. The process stays attached to the con‐
                      trolling terminal and produces large amounts  of  debug‐
                      ging  output.  This  option  is deprecated. See "Service
                      Management Facility" for more details.


       -f filename    Use  filename  instead  of   /etc/inet/ike/config.   See
                      ike.config(5)  for  the format of this file. This option
                      is deprecated. See  "Service  Management  Facility"  for
                      more details.


       -p level       Specify  privilege  level  (level). This option sets how
                      much ikeadm(8) invocations can change or  observe  about
                      the running in.iked.

                      Valid levels are:


                      0    Base level


                      1    Access to preshared key info


                      2    Access to keying material

                      If -p is not specified, level defaults to 0.

                      This  option  is  deprecated.  See  "Service  Management
                      Facility" for more details.


SECURITY
       This program has sensitive private keying  information  in  its  image.
       Care  should  be taken with any core dumps or system dumps of a running
       in.iked daemon, as these files contain  sensitive  keying  information.
       Use the coreadm(8) command to limit any corefiles produced by in.iked.

FILES
       /etc/inet/ike/config

           Default configuration file.


       /etc/inet/secret/ike.privatekeys/*

           Private  keys.  A  private key must have a matching public-key cer‐
           tificate with the same filename in /etc/inet/ike/publickeys/.


       /etc/inet/ike/publickeys/*

           Public-key certificates. The names are only important  with  regard
           to matching private key names.


       /etc/inet/ike/crls/*

           Public key certificate revocation lists.


       /etc/inet/secret/ike.preshared

           IKE pre-shared secrets for Phase I authentication.


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       ATTRIBUTE TYPE            ATTRIBUTE VALUE
       Availability              system/network/ike


SEE ALSO
       svcs(1),  ipsecesp(4P),   pf_key(4P),   ike.config(5),   attributes(7),
       smf(7),  coreadm(8), ikeadm(8), ikecert(8), ipsecalgs(8), ipsecconf(8),
       ipseckey(8), labeld(8), svcadm(8), svccfg(8), tncfg(8)


       Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key  Exchange  (IKE).
       Network Working Group. November 1998.


       Maughan,  Douglas,  Schertler,  M., Schneider, M., Turner, J. RFC 2408,
       Internet Security Association and  Key  Management  Protocol  (ISAKMP).
       Network Working Group. November 1998.


       Piper,  Derrell, RFC 2407, The Internet IP Security Domain of Interpre‐
       tation for ISAKMP. Network Working Group. November 1998.


       Fu, D.; Solinos, J., RFC 4753, ECP Groups for IKE  and  IKEv2.  Network
       Working Group. January 2007.


       Lepinski,  M.; Kent, S., RFC 5114, Additional Diffie-Hellman Groups for
       Use with IETF Standards. Network Working Group. January 2008.



Oracle Solaris 11.4               10 Aug 2020                       in.iked(8)
The copyright of the man page content belongs to the man page author.