in.iked(1M)




NAME

     in.iked - daemon for the Internet Key Exchange (IKE)


SYNOPSIS

     /usr/lib/inet/in.iked [-d] [-f filename] [-p level]

     /usr/lib/inet/in.iked -c [-f filename]


DESCRIPTION

     in.iked performs automated key management  for  IPsec  using
     the Internet Key Exchange (IKE) protocol.

     in.iked implements the following:

        o  IKE authentication with either  pre-shared  keys,  DSS
           signatures, RSA signatures, or RSA encryption.

        o  Diffie-Hellman key derivation using either 768,  1024,
           or 1536-bit public key moduli.

        o  Authentication protection with cipher choices of  DES,
           Blowfish, or 3DES, and hash choices of either HMAC-MD5
           or HMAC-SHA-1. Encryption in in.iked is limited to the
           IKE authentication and key exchange.  See ipsecesp(7P)
           for information regarding IPsec protection choices.

     in.iked starts at boot time if the /etc/inet/ike/config file
     exists. See ike.config(4) for the format of this file.

     in.iked listens for incoming IKE requests from  the  network
     and  for  requests  for  outbound  traffic  using the PF_KEY
     socket. See pf_key(7P).

     in.iked has two support  programs  that  are  used  for  IKE
     administration and diagnosis: ikeadm(1M) and ikecert(1M).

     The  SIGHUP  signal  causes   the   IKE   daemon   to   read
     /etc/inet/ike/config  and  reload  the certificate database.
     SIGHUP  is  equivalent  to  using  ikeadm(1M)  to  read  the
     /etc/inet/ike/config file as a rule, for example:

     example# ikeadm read rule /etc/inet/ike/config


OPTIONS

     The following options are supported:

     -c    Check the syntax of a configuration file.

     -d    Use debug mode. The process stays  attached  to  the
           controlling  terminal  and  produces large amounts of
           debugging output.

     -f filename
           Use  filename  instead  of  /etc/inet/ike/config.  See
           ike.config(4) for the format of this file.

     -p level
           Specify privilege level (level). This option sets  how
           much  ikeadm(1M)  invocations  can  change  or observe
           about the running in.iked.

           Valid levels are:

           0     Base level

           1     Access to preshared key info

           2     Access to keying material

           If -p is not specified, level defaults to 0.


SECURITY

     This program has sensitive private keying information in its
     image.  Care  should  be taken with any core dumps or system
     dumps of a running in.iked daemon, as  these  files  contain
     sensitive keying information. Use the coreadm(1M) command to
     limit any corefiles produced by in.iked.


FILES

     /etc/inet/ike/config

     /etc/inet/secret/ike.privatekeys/*
           Private keys. A  private  key  must  have  a  matching
           public-key  certificate  with  the  same  filename  in
           /etc/inet/ike/publickeys/.

     /etc/inet/ike/publickeys/*
           Public-key certificates. The names are only  important
           with regard to matching private key names.

     /etc/inet/ike/crls/*
           Public key certificate revocation lists.

     /etc/inet/secret/ike.preshared
           IKE pre-shared secrets for Phase I authentication.
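
     The following script is an added example; it is not part of
     this manual page or of the Solaris distribution. It ties the
     FILES list to the SIGHUP reload described under DESCRIPTION:
     before a running in.iked is signalled, it confirms that every
     private key under /etc/inet/secret/ike.privatekeys/ has a
     same-named certificate under /etc/inet/ike/publickeys/, that
     the private-key directory is not group- or world-accessible,
     and that the configuration file passes the daemon's own -c
     syntax check. The function names, the requirement that the
     secret directory be mode 0700, and the assumption that
     in.iked -c exits nonzero on a malformed file are the
     example's own, not statements from this page; pkill(1) is
     assumed to be present. Every path is passed as an argument so
     the checks can be exercised on a scratch directory tree.

```shell
# Added example (not from the in.iked(1M) page or from Solaris): sanity
# checks to run before reloading in.iked with SIGHUP.
#   check_keypairs     - every private key needs a same-named certificate
#   check_secret_perms - the private-key directory must be owner-only
#   config_ok          - run "in.iked -c -f config" before signalling
#   reload_iked        - run all three, then pkill -HUP in.iked
# Defaults in reload_iked are the paths listed in FILES; the hypothetical
# function names and the 0700 rule are this example's own assumptions.

# Print the name of each private key in $1 that has no certificate of the
# same name in $2; return 1 if any such orphan exists, 0 otherwise.
check_keypairs() {
    priv="$1" pub="$2" rc=0
    for key in "$priv"/*; do
        [ -f "$key" ] || continue        # no match leaves the literal glob
        name=${key##*/}
        if [ ! -f "$pub/$name" ]; then
            echo "$name"
            rc=1
        fi
    done
    return "$rc"
}

# The directory holding private keys must not be group- or world-accessible.
# "ls -ld" prints "drwx------ ..."; columns 5-10 are the group/other bits.
# This works on Solaris and on systems that lack stat(1).
check_secret_perms() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Syntax-check a config file with the daemon's -c mode before relying on it.
# $1 is the in.iked binary (a stand-in such as "true" may be passed when
# testing), $2 the configuration file. Assumes -c exits nonzero on error.
config_ok() {
    [ -r "$2" ] || { echo "config $2 is missing or unreadable" >&2; return 1; }
    "$1" -c -f "$2"
}

# Run every check, then deliver SIGHUP, which makes in.iked reread its
# configuration and reload the certificate database. Nothing is signalled
# if any check fails.
reload_iked() {
    iked=${1:-/usr/lib/inet/in.iked}
    cfg=${2:-/etc/inet/ike/config}
    priv=${3:-/etc/inet/secret/ike.privatekeys}
    pub=${4:-/etc/inet/ike/publickeys}
    check_secret_perms "$priv" || { echo "$priv is not mode 0700" >&2; return 1; }
    orphans=$(check_keypairs "$priv" "$pub") || {
        echo "private keys without certificates: $orphans" >&2; return 1; }
    config_ok "$iked" "$cfg" || return 1
    pkill -HUP -x in.iked
}

# Usage as a script: sh ike_reload_check.sh --run
case "${1-}" in --run) reload_iked ;; esac
```

     Run with --run on the daemon host as a user able to signal
     in.iked; without arguments the file only defines the
     functions, so it can also be sourced into an existing
     administration script.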


ATTRIBUTES

     See  attributes(5)  for  descriptions  of  the   following
     attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcsu                     |
    |_____________________________|_____________________________|


SEE ALSO

     coreadm(1M),    ikeadm(1M),    ikecert(1M),    ike.config(4),
     attributes(5), ipsecesp(7P)

     Harkins, Dan  and  Carrel,  Dave.  RFC  2409,  Internet  Key
     Exchange (IKE). Network Working Group. November 1998.

     Maughan, Douglas, Schertler, M., Schneider, M.,  Turner,  J.
     RFC  2408,  Internet Security Association and Key Management
     Protocol (ISAKMP). Network Working Group. November 1998.

     Piper, Derrell, RFC 2407, The Internet IP Security Domain of
     Interpretation  for  ISAKMP. Network Working Group. November
     1998.

