'\" te
.\" Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
.TH in.iked 1M "13 Feb 2014" "SunOS 5.11" "System Administration Commands"
.SH NAME
in.iked \- daemon for the Internet Key Exchange (IKE)
.SH SYNOPSIS
.LP
.nf
\fB/usr/lib/inet/in.iked\fR [\fB-d\fR] [\fB-f\fR \fIfilename\fR] [\fB-p\fR \fIlevel\fR]
.fi

.LP
.nf
\fB/usr/lib/inet/in.iked\fR \fB-c\fR [\fB-f\fR \fIfilename\fR]
.fi

.SH DESCRIPTION
.sp
.LP
\fBin.iked\fR performs automated key management for IPsec using the Internet Key Exchange (\fBIKE\fR) protocol. 
.sp
.LP
\fBin.iked\fR implements the following:
.RS +4
.TP
.ie t \(bu
.el o
\fBIKE\fR authentication with either pre-shared keys, \fBDSS\fR signatures, \fBRSA\fR signatures, or \fBRSA\fR encryption. 
.RE
.RS +4
.TP
.ie t \(bu
.el o
Diffie-Hellman key derivation using either \fB768\fR, \fB1024\fR, \fB1536\fR, \fB2048\fR, \fB3072\fR, or \fB4096\fR-bit public key moduli, or \fB256\fR, \fB384\fR, or \fB521\fR-bit elliptic curve moduli.
.RE
.RS +4
.TP
.ie t \(bu
.el o
Authentication protection with cipher choices of \fBAES\fR, \fBDES\fR, Blowfish, or \fB3DES\fR, and hash choices of either \fBHMAC-MD5\fR or \fBHMAC-SHA-1\fR. Encryption in \fBin.iked\fR is limited to the \fBIKE\fR authentication and key exchange. See \fBipsecesp\fR(7P) for information regarding IPsec protection choices.
.RE
.sp
.LP
\fBin.iked\fR is managed by the following \fBsmf\fR(5) service:
.sp
.in +2
.nf
svc:/network/ipsec/ike
.fi
.in -2
.sp

.sp
.LP
This service is delivered disabled because the configuration file needs to be created before the service can be enabled. See \fBike.config\fR(4) for the format of this file.
.sp
.LP
See "Service Management Facility" for information on managing the \fBsmf\fR(5) service.
.sp
.LP
\fBin.iked\fR listens for incoming \fBIKE\fR requests from the network and for requests for outbound traffic using the \fBPF_KEY\fR socket. See \fBpf_key\fR(7P). 
.sp
.LP
\fBin.iked\fR has two support programs that are used for IKE administration and diagnosis: \fBikeadm\fR(1M) and \fBikecert\fR(1M).
.sp
.LP
The \fBikeadm\fR(1M) command can read the \fB/etc/inet/ike/config\fR file as a \fBrule\fR, then pass the configuration information to the running \fBin.iked\fR daemon using a doors interface.
.sp
.in +2
.nf
example# \fBikeadm read rule /etc/inet/ike/config\fR
.fi
.in -2
.sp

.sp
.LP
Refreshing the \fBike\fR \fBsmf\fR(5) service provided to manage the \fBin.iked\fR daemon sends a \fBSIGHUP\fR signal to the \fBin.iked\fR daemon, which will (re)read \fB/etc/inet/ike/config\fR and reload the certificate database.
.sp
.LP
The preceding two commands have the same effect, that is, to update the running IKE daemon with the latest configuration. See "Service Management Facility" for more details on managing the \fBin.iked\fR daemon.
.sp
.LP
When Trusted Extensions are enabled (see \fBlabeld\fR(1M)), \fBin.iked\fR can be used in the global zone to negotiate labeled security associations. On labeled systems using \fBin.iked\fR, UDP ports 500 and 4500 must be configured as multi-level ports for the global zone in the \fBtnzonecfg\fR file (see \fBtnzonecfg(4)\fR, part of the \fISolaris Trusted Extensions Reference Manual\fR). See \fBike.config\fR(4) for more information on configuring \fBin.iked\fR to be label-aware.
.SS "Service Management Facility"
.sp
.LP
The IKE daemon (\fBin.iked\fR) is managed by the service management facility, \fBsmf\fR(5). The following group of services manage the components of IPsec:
.sp
.in +2
.nf
svc:/network/ipsec/ipsecalgs   (See ipsecalgs(1M))
svc:/network/ipsec/policy      (See ipsecconf(1M))
svc:/network/ipsec/manual-key  (See ipseckey(1M))
svc:/network/ipsec/ike         (see ike.config(4))
.fi
.in -2
.sp

.sp
.LP
The manual-key and \fBike\fR services are delivered \fBdisabled\fR because the system administrator must create configuration files for each service, as described in the respective man pages listed above.
.sp
.LP
The correct administrative procedure is to create the configuration file for each service, then enable each service using \fBsvcadm\fR(1M).
.sp
.LP
The \fBike\fR service has a dependency on the \fBipsecalgs\fR and \fBpolicy\fR services. These services should be enabled before the \fBike\fR service. Failure to do so results in the \fBike\fR service entering maintenance mode.
.sp
.LP
If the configuration needs to be changed, edit the configuration file then refresh the service, as follows:
.sp
.in +2
.nf
example# \fBsvcadm refresh ike\fR
.fi
.in -2
.sp

.sp
.LP
The following properties are defined for the \fBike\fR service:
.sp
.ne 2
.mk
.na
\fB\fBconfig/admin_privilege\fR\fR
.ad
.sp .6
.RS 4n
Defines the level that \fBikeadm\fR(1M) invocations can change or observe the running \fBin.iked\fR. The acceptable values for this property are the same as those for the \fB-p\fR option. See the description of \fB-p\fR in \fBOPTIONS\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBconfig/config_file\fR\fR
.ad
.sp .6
.RS 4n
Defines the configuration file to use. The default value is \fB/etc/inet/ike/config\fR. See \fBike.config\fR(4) for the format of this file. This property has the same effect as the \fB-f\fR flag. See the description of \fB-f\fR in \fBOPTIONS\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBconfig/debug_level\fR\fR
.ad
.sp .6
.RS 4n
Defines the amount of debug output that is written to the \fBdebug_logfile\fR file, described below. The default value for this is \fBop\fR or \fBoperator\fR. This property controls the recording of information on events such as re-reading the configuration file. Acceptable value for \fBdebug_level\fR are listed in the \fBikeadm\fR(1M) man page. The value \fBall\fR is equivalent to the \fB-d\fR flag. See the description of \fB-d\fR in \fBOPTIONS\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBconfig/debug_logfile\fR\fR
.ad
.sp .6
.RS 4n
Defines where debug output should be written. The messages written here are from debug code within \fBin.iked\fR. Startup error messages are recorded by the \fBsmf\fR(5) framework and recorded in a service-specific log file. Use any of the following commands to examine the \fBlogfile\fR property:
.sp
.in +2
.nf
example# \fBsvcs -l ike\fR
example# \fBsvcprop ike\fR
example# \fBsvccfg -s ike listprop\fR
.fi
.in -2
.sp

The values for these log file properties might be different, in which case both files should be inspected for errors.
.RE

.sp
.ne 2
.mk
.na
\fB\fBconfig/ignore_errors\fR\fR
.ad
.sp .6
.RS 4n
A boolean value that controls \fBin.iked\fR's behavior should the configuration file have syntax errors. The default value is \fBfalse\fR, which causes \fBin.iked\fR to enter maintenance mode if the configuration is invalid.
.sp
Setting this value to \fBtrue\fR causes the IKE service to stay online, but correct operation requires the administrator to configure the running daemon with \fBikeadm\fR(1M). This option is provided for compatibility with previous releases.
.RE

.sp
.LP
These properties can be modified using \fBsvccfg\fR(1M) by users who have been assigned the following authorization:
.sp
.in +2
.nf
solaris.smf.value.ipsec
.fi
.in -2
.sp

.sp
.LP
PKCS#11 token objects can be unlocked or locked by using \fBikeadm\fR token login and \fBikeadm\fR token logout, respectively. Availability of private keying material stored on these PKCS#11 token objects can be observed with: \fBikeadm dump certcache\fR. The following authorizations allow users to log into and out of PKCS#11 token objects:
.sp
.in +2
.nf
solaris.network.ipsec.ike.token.login
solaris.network.ipsec.ike.token.logout
.fi
.in -2
.sp

.sp
.LP
See \fBauths\fR(1), \fBikeadm\fR(1M), \fBuser_attr\fR(4), \fBrbac\fR(5).
.sp
.LP
The service needs to be refreshed using \fBsvcadm\fR(1M) before a new property value is effective. General, non-modifiable properties can be viewed with the \fBsvcprop\fR(1) command.
.sp
.in +2
.nf
# \fBsvccfg -s ipsec/ike setprop config/config_file = \e
/new/config_file\fR
# \fBsvcadm refresh ike\fR
.fi
.in -2
.sp

.sp
.LP
Administrative actions on this service, such as enabling, disabling, refreshing, and requesting restart can be performed using \fBsvcadm\fR(1M). A user who has been assigned the authorization shown below can perform these actions:
.sp
.in +2
.nf
solaris.smf.manage.ipsec
.fi
.in -2
.sp

.sp
.LP
The service's status can be queried using the \fBsvcs\fR(1) command.
.sp
.LP
The \fBin.iked\fR daemon is designed to be run under \fBsmf\fR(5) management. While the \fBin.iked\fR command can be run from the command line, this is discouraged. If the \fBin.iked\fR command is to be run from the command line, the \fBike\fR \fBsmf\fR(5) service should be disabled first. See \fBsvcadm\fR(1M).
.SS "Interaction with Location Profiles"
.sp
.LP
IKE configuration and activation is managed in Location profiles (refer to \fBnetcfg\fR(1M) for more information about location profiles). These profiles are either fixed, meaning the network configuration is being managed in the traditional way, or reactive, meaning the network configuration is being managed automatically, reacting to changes in the network environment according to policy rules specified in the profiles.
.sp
.LP
When a fixed location (there can currently be only one, the DefaultFixed location) is active, changes made to the SMF repository will be applied to the location when it is disabled, and thus will be restored if that location is later re-enabled.
.sp
.LP
When a reactive location is active, changes should not be applied directly to the SMF repository; these changes will not be preserved in the location profile, and will thus be lost if the location is disabled, or if the system's network configuration, as managed by \fBsvc:/network/physical:default\fR and \fBsvc:/network/location:default\fR, is refreshed or restarted. Changes should instead be applied to the location itself, using the \fBnetcfg\fR(1M) command; this will save the change to the location profile repository, and will also apply it to the SMF repository (if the change is made to the currently active location).
.sp
.LP
The name of the file containing IKE configuration rules is stored in the\fBike-config-file\fR property of a location profile. If this property has a value set \fBsvc:/network/ipsec/ike\fR will be enabled, with the specified rules file applied. If this property is not set, the service will be disabled.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.mk
.na
\fB\fB-c\fR\fR
.ad
.RS 15n
.rt  
Check the syntax of a configuration file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-d\fR\fR
.ad
.RS 15n
.rt  
Use debug mode. The process stays attached to the controlling terminal and produces large amounts of debugging output. This option is deprecated. See "Service Management Facility" for more details.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-f\fR \fIfilename\fR\fR
.ad
.RS 15n
.rt  
Use \fIfilename\fR instead of \fB/etc/inet/ike/config\fR. See \fBike.config\fR(4) for the format of this file. This option is deprecated. See "Service Management Facility" for more details.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-p\fR \fIlevel\fR\fR
.ad
.RS 15n
.rt  
Specify privilege level (\fIlevel\fR). This option sets how much \fBikeadm\fR(1M) invocations can change or observe about the running \fBin.iked\fR. 
.sp
Valid \fIlevels\fR are: 
.sp
.ne 2
.mk
.na
\fB0\fR
.ad
.RS 5n
.rt  
Base level
.RE

.sp
.ne 2
.mk
.na
\fB1\fR
.ad
.RS 5n
.rt  
Access to preshared key info
.RE

.sp
.ne 2
.mk
.na
\fB2\fR
.ad
.RS 5n
.rt  
Access to keying material
.RE

If \fB-p\fR is not specified, \fIlevel\fR defaults to \fB0\fR.
.sp
This option is deprecated. See "Service Management Facility" for more details.
.RE

.SH SECURITY
.sp
.LP
This program has sensitive private keying information in its image. Care should be taken with any core dumps or system dumps of a running \fBin.iked\fR daemon, as these files contain sensitive keying information. Use the \fBcoreadm\fR(1M) command to limit any corefiles produced by \fBin.iked\fR.
.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/etc/inet/ike/config\fR\fR
.ad
.sp .6
.RS 4n
Default configuration file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/inet/secret/ike.privatekeys/*\fR\fR
.ad
.sp .6
.RS 4n
Private keys. A private key \fBmust\fR have a matching public-key certificate with the same filename in \fB/etc/inet/ike/publickeys/\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/inet/ike/publickeys/*\fR\fR
.ad
.sp .6
.RS 4n
Public-key certificates. The names are only important with regard to matching private key names.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/inet/ike/crls/*\fR\fR
.ad
.sp .6
.RS 4n
Public key certificate revocation lists.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/inet/secret/ike.preshared\fR\fR
.ad
.sp .6
.RS 4n
\fBIKE\fR pre-shared secrets for Phase I authentication.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Availabilitysystem/core-os
.TE

.SH SEE ALSO
.sp
.LP
\fBsvcs\fR(1), \fBcoreadm\fR(1M), \fBikeadm\fR(1M), \fBikecert\fR(1M), \fBlabeld\fR(1M), \fBnetcfg\fR(1M), \fBsvccfg\fR(1M), \fBsvcadm\fR(1M), \fBike.config\fR(4), \fBattributes\fR(5), \fBsmf\fR(5), \fBipsecesp\fR(7P), \fBpf_key\fR(7P)
.sp
.LP
See \fBtnzonecfg(4)\fR, part of the \fISolaris Trusted Extensions Reference Manual\fR.
.sp
.LP
Harkins, Dan and Carrel, Dave. \fIRFC 2409, Internet Key Exchange (IKE)\fR. Network Working Group. November 1998.
.sp
.LP
Maughan, Douglas, Schertler, M., Schneider, M., Turner, J. \fIRFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)\fR. Network Working Group. November 1998.
.sp
.LP
Piper, Derrell, \fIRFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP\fR. Network Working Group. November 1998.
.sp
.LP
Fu, D.; Solinos, J., \fIRFC 4753, ECP Groups for IKE and IKEv2\fR. Network Working Group. January 2007.
.sp
.LP
Lepinski, M.; Kent, S., \fIRFC 5114, Additional Diffie-Hellman Groups for Use with IETF Standards\fR. Network Working Group. January 2008.