ike.preshared(4) File Formats ike.preshared(4)NAME
ike.preshared - pre-shared keys file for IKE
SYNOPSIS
/etc/inet/secret/ike.preshared
DESCRIPTION
The /etc/inet/secret/ike.preshared file contains secret keying material that two IKE instances can use to authenticate each other. Because
of the sensitive nature of this data, it is kept in the /etc/inet/secret directory, which is only accessible by root.
Pre-shared keys are delimited by open-curly-brace ({) and close-curly-brace (}) characters. There are five name-value pairs required inside
a pre-shared key:
Name Value Example
localidtype IP localidtype IP
remoteidtype IP remoteidtype IP
localid IP-address localid 10.1.1.2
remoteid IP-address remoteid 10.1.1.3
key hex-string 1234567890abcdef
Comment lines with # appearing in the first column are also legal.
Files in this format can also be used by the ikeadm(1M) command to load additional pre-shared keys into a running an in.iked(1M) process.
EXAMPLES
Example 1: A Sample ike.preshared File
The following is an example of an ike.preshared file:
#
# Two pre-shared keys between myself, 10.1.1.2, and two remote
# hosts. Note that names are not allowed for IP addresses.
#
# A decent hex string can be obtained by performing:
# od -x </dev/random | head
#
{
localidtype IP
localid 10.1.1.2
remoteidtype IP
remoteid 10.21.12.4
key 4b656265207761732068657265210c0a
}
{
localidtype IP
localid 10.1.1.2
remoteidtype IP
remoteid 10.9.1.25
key 536f20776572652042696c6c2c2052656e65652c20616e642043687269732e0a
}
SECURITY
If this file is compromised, all IPsec security associations derived from secrets in this file will be compromised as well. The default
permissions on ike.preshared are 0600. They should stay this way.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |SUNWcsr |
+-----------------------------+-----------------------------+
SEE ALSO od(1), ikeadm(1M), in.iked(1M), ipseckey(1M), attributes(5), random(7D)SunOS 5.10 15 Oct 2001 ike.preshared(4)
Check Out this Related Man Page
in.iked(1M) System Administration Commands in.iked(1M)NAME
in.iked - daemon for the Internet Key Exchange (IKE)
SYNOPSIS
/usr/lib/inet/in.iked [-d] [-f filename] [-p level]
/usr/lib/inet/in.iked -c [-f filename]
DESCRIPTION
in.iked performs automated key management for IPsec using the Internet Key Exchange (IKE) protocol.
in.iked implements the following:
o IKE authentication with either pre-shared keys, DSS signatures, RSA signatures, or RSA encryption.
o Diffie-Hellman key derivation using either 768, 1024, or 1536-bit public key moduli.
o Authentication protection with cipher choices of DES, Blowfish, or 3DES, and hash choices of either HMAC-MD5 or HMAC-SHA-1. Encryption
in in.iked is limited to the IKE authentication and key exchange. See ipsecesp(7P) for information regarding IPsec protection
choices.
in.iked starts at boot time if the /etc/inet/ike/config file exists. See ike.config(4) for the format of this file.
in.iked listens for incoming IKE requests from the network and for requests for outbound traffic using the PF_KEY socket. See pf_key(7P).
in.iked has two support programs that are used for IKE administration and diagnosis: ikeadm(1M) and ikecert(1M).
The SIGHUP signal causes the IKE daemon to read /etc/inet/ike/config and reload the certificate database. SIGHUP is equivalent to using
ikeadm(1M) to read the /etc/inet/ike/config file as a rule, for example:
example# ikeadm read rule /etc/inet/ike/config
OPTIONS
The following options are supported:
-c Check the syntax of a configuration file.
-d Use debug mode. The process stays attached to the controlling terminal and produces large amounts of debugging output.
-f filename Use filename instead of /etc/inet/ike/config. See ike.config(4) for the format of this file.
-p level Specify privilege level (level). This option sets how much ikeadm(1M) invocations can change or observe about the running
in.iked.
Valid levels are:
0 Base level
1 Access to preshared key info
2 Access to keying material
If -p is not specified, level defaults to 0.
SECURITY
This program has sensitive private keying information in its image. Care should be taken with any core dumps or system dumps of a running
in.iked daemon, as these files contain sensitive keying information. Use the coreadm(1M) command to limit any corefiles produced by
in.iked.
FILES
/etc/inet/ike/config
/etc/inet/secret/ike.privatekeys/*
Private keys. A private key must have a matching public-key certificate with the same filename in /etc/inet/ike/publickeys/.
/etc/inet/ike/publickeys/*
Public-key certificates. The names are only important with regard to matching private key names.
/etc/inet/ike/crls/*
Public key certificate revocation lists.
/etc/inet/secret/ike.preshared
IKE pre-shared secrets for Phase I authentication.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |SUNWcsu |
+-----------------------------+-----------------------------+
SEE ALSO coreadm(1M), ikeadm(1M), ikecert(1M), ike.config(4), attributes(5), ipsecesp(7P)
Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE). Network Working Group. November 1998.
Maughan, Douglas, Schertler, M., Schneider, M., Turner, J. RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP).
Network Working Group. November 1998.
Piper, Derrell, RFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP. Network Working Group. November 1998.
SunOS 5.10 11 Jun 2003 in.iked(1M)