System Administration Commands ikeadm(1M)
NAME
ikeadm - manipulate Internet Key Exchange (IKE) parameters
and stateSYNOPSIS
ikeadm [-np]
ikeadm [-np] get [debug | priv | stats | defaults]
ikeadm [-np] set [debug | priv] [level] [file]
ikeadm [-np] [get | del] [p1 | rule | preshared] [id]
ikeadm [-np] add [rule | preshared] { description }
ikeadm [-np] token [login | logout] PKCS#11_Token_Object
ikeadm [-np] [read | write] [rule | preshared | certcache] file
ikeadm [-np] dump [p1 | rule | preshared | certcache | groups
| encralgs | authalgs]ikeadm [-np] flush [p1 | certcache]
ikeadm help
[get | set | add | del | read | write | dump | flush | token]DESCRIPTION
The ikeadm utility retrieves information from and manipu-
lates the configuration of the Internet Key Exchange (IKE) protocol daemon, in.iked(1M).ikeadm supports a set of operations, which may be performed
on one or more of the supported object types. When invokedwithout arguments, ikeadm enters interactive mode which
prints a prompt to the standard output and accepts commandsfrom the standard input until the end-of-file is reached.
Because ikeadm manipulates sensitive keying information, you
must be superuser to use this command. Additionally, some ofSunOS 5.11 Last change: 22 Feb 2010 1
System Administration Commands ikeadm(1M)
the commands available require that the daemon be running in a privileged mode, which is established when the daemon is started. For details on how to use this command securely see . OPTIONS The following options are supported:-n
Prevent attempts to print host and network names symbol-
ically when reporting actions. This is useful, for exam-
ple, when all name servers are down or are otherwise unreachable.-p
Paranoid. Do not print any keying material, even if sav-
ing Security Associations. Instead of an actual hexade-
cimal digit, print an X when this flag is turned on.USAGE
Commands The following commands are supported: add Add the specified object. This option can be used to add a new policy rule or a new preshared key to the current (running) in.iked configuration. When adding a new preshared key, the command cannot be invoked from the command line, as it will contain keying material. The rule or key being added is specified using appropriateid-value pairs as described in the ID FORMATS section.
del Delete a specific object or objects from in.iked's current configuration. This operation is available for IKE (Phase 1) SAs, policy rules, and preshared keys. The object to be deleted is specified as described in the Id Formats. dump Display all objects of the specified type known toSunOS 5.11 Last change: 22 Feb 2010 2
System Administration Commands ikeadm(1M)
in.iked. This option can be used to display all Phase 1SAs, policy rules, preshared keys, implemented Diffie-
Helman groups, encryption and authentication algorithms available for Phase 1, or the certificate cache. A large amount of output might be generated by this command. flush Remove all IKE (Phase 1) SAs or cached certificates from in.iked.Note that flushing the certcache will also (as a side-
effect) update IKE with any new certificates added or removed. get Lookup and display the specified object. May be used to view the current debug or privilege level, global statistics and default values for the daemon, or a specific IKE (Phase 1) SA, policy rule, or presharedkey. The latter three object types require that identi-
fying information be passed in; the appropriate specifi-
cation for each object type is described below. help Print a brief summary of commands, or, when followed by a command, prints information about that command. read Update the current in.iked configuration by reading the policy rules or preshared keys from either the default location or from the file specified. set Adjust the current debug or privilege level. If the debug level is being modified, an output file mayoptionally be specified; the output file must be speci-
fied if the daemon is running in the background and is not currently printing to a file. When changing the privilege level, adjustments may only be made to lowerthe access level; it cannot be increased using ikeadm.
SunOS 5.11 Last change: 22 Feb 2010 3
System Administration Commands ikeadm(1M)
write Write the current in.iked policy rule set or preshared key set to the specified file. A destination file must be specified. This command should not be used to overwrite the existing configuration files. tokenLog into a PKCS#11 token object and grant access to key-
ing material or log out and invalidate access to keying material. token can be run as a normal user with the following authorizations: o token login: solaris.network.ipsec.ike.token.login o token logout: solaris.network.ipsec.ike.token.logout Object Types debug Specifies the daemon's debug level. This determines the amount and type of output provided by the daemon about its operations. The debug level is actually a bitmask,with individual bits enabling different types of infor-
mation. Description Flag Nickname_________________________________________________________________
Certificate management 0x0001 cert Key management 0x0002 key Operational 0x0004 op Phase 1 SA creation 0x0008 phase1 Phase 2 SA creation 0x0010 phase2PF_KEY interface 0x0020 pfkey
Policy management 0x0040 policy Proposal construction 0x0080 prop Door interface 0x0100 door Config file processing 0x0200 config Label processing 0x0400 label All debug flags 0x07ff all When specifying the debug level, either a number (decimal or hexadecimal) or a string of nicknames may beSunOS 5.11 Last change: 22 Feb 2010 4
System Administration Commands ikeadm(1M)
given. For example, 88, 0x58, and phase1+phase2+policy are all equivalent, and will turn on debug for phase 1 sa creation, phase 2 sa creation, and policy management. A string of nicknames may also be used to remove certaintypes of information; all-op has the effect of turning
on all debug except for operational messages; it is equivalent to the numbers 1019 or 0x3fb. privSpecifies the daemon's access privilege level. The pos-
sible values are: Description Level Nickname Base level 0 base Access to preshared key info 1 modkeys Access to keying material 2 keymat By default, in.iked is started at the base level. Acommand-line option can be used to start the daemon at a
higher level. ikeadm can be used to lower the level, but
it cannot be used to raise the level. Either the numerical level or the nickname may be used to specify the target privilege level. In order to get, add, delete, dump, read, or write preshared keys, the privilege level must at least giveaccess to preshared key information. However, when view-
ing preshared keys (either using the get or dump com-
mand), the key itself will only be available if the privilege level gives access to keying material. This is also the case when viewing Phase 1 SAs. statsGlobal statistics from the daemon, covering both suc-
cessful and failed Phase 1 SA creation. Reported statistics include: o Count of current P1 SAs which the local entity initiated o Count of current P1 SAs where the local entity was the respondero Count of all P1 SAs which the local entity ini-
tiated since bootSunOS 5.11 Last change: 22 Feb 2010 5
System Administration Commands ikeadm(1M)
o Count of all P1 SAs where the local entity was the responder since boot o Count of all attempted P1 SAs since boot, where the local entity was the initiator; includes failed attempts o Count of all attempted P1 SAs since boot, where the local entity was the responder; includes failed attempts o Count of all failed attempts to initiate a P1 SA, where the failure occurred because the peer did not respond o Count of all failed attempts to initiate a P1 SA, where the peer responded o Count of all failed P1 SAs where the peer was the initiatoro Whether a PKCS#11 library is in use, and if
applicable, the PKCS#11 library that is loaded.
See . defaults Display default values used by the in.iked daemon. Some values can be overriden in the daemon configuration file (see ike.config(4)); for these values, the token name is displayed in the get defaults output. The output will reflect where a configuration token has changed the default.Default values might be ignored in the event a peer sys-
tem makes a valid alternative proposal or they can beoverriden by per-rule values established in ike.config.
In such instances, a get defaults command continues todisplay the default values, not the values used to over-
ride the defaults. p1 An IKE Phase 1 SA. A p1 object is identified by an IP address pair or a cookie pair; identification formats are described below. ruleSunOS 5.11 Last change: 22 Feb 2010 6
System Administration Commands ikeadm(1M)
An IKE policy rule, defining the acceptable security characteristics for Phase 1 SAs between specified local and remote identities. A rule is identified by its label; identification formats are described below. presharedA preshared key, including the local and remote identif-
ication and applicable IKE mode. A preshared key is identified by an IP address pair or an identity pair; identification formats are described below. Id Formats Commands like add, del, and get require that additional information be specified on the command line. In the case of the delete and get commands, all that is required is to minimally identify a given object; for the add command, the full object must be specified. Minimal identification is accomplished in most cases by a pair of values. For IP addresses, the local addr and thenthe remote addr are specified, either in dot-notation for
IPv4 addresses, colon-separated hexadecimal format for IPv6
addresses, or a host name present in the host name database. If a host name is given that expands to more than one address, the requested operation will be performed multiple times, once for each possible combination of addresses.Identity pairs are made up of a local type-value pair, fol-
lowed by the remote type-value pair. Valid types are:
prefix An address prefix. fqdnA fully-qualified domain name.
domain Domain name, synonym for fqdn.user_fqdn
SunOS 5.11 Last change: 22 Feb 2010 7
System Administration Commands ikeadm(1M)
User identity of the form user@fqdn. mailboxSynonym for user_fqdn.
A cookie pair is made up of the two cookies assigned to a Phase 1 Security Association (SA) when it is created; first is the initiator's, followed by the responder's. A cookie isa 64-bit number.
Finally, a label (which is used to identify a policy rule) is a character string assigned to the rule when it is created.Formatting a rule or preshared key for the add command fol-
lows the format rules for the in.iked configuration files.Both are made up of a series of id-value pairs, contained in
curly braces ({ and }). See ike.config(4) and ike.preshared(4) for details on the formatting of rules and preshared keys. SECURITYThe ikeadm command allows a privileged user to enter crypto-
graphic keying information. If an adversary gains access tosuch information, the security of IPsec traffic is comprom-
ised. The following issues should be taken into account whenusing the ikeadm command.
o Is the TTY going over a network (interactive mode)? If it is, then the security of the keying material is the security of the network path for this TTY'straffic. Using ikeadm over a clear-text telnet or
rlogin session is risky. Even local windows may be vulnerable to attacks where a concealed program that reads window events is present. o Is the file accessed over the network or readable to the world (read/write commands)?A network-mounted file can be sniffed by an adver-
sary as it is being read. A world-readable file
with keying material in it is also risky.SunOS 5.11 Last change: 22 Feb 2010 8
System Administration Commands ikeadm(1M)
If your source address is a host that can be looked up over the network, and your naming system itself is compromised, then any names used will no longer be trustworthy. Security weaknesses often lie in misapplication of tools,not the tools themselves. It is recommended that administra-
tors are cautious when using the ikeadm command. The safest
mode of operation is probably on a console, or other hard-
connected TTY. For additional information regarding this subject, see theafterward by Matt Blaze in Bruce Schneier's Applied Cryptog-
raphy: Protocols, Algorithms, and Source Code in C.EXAMPLES
Example 1 Emptying out all Phase 1 Security AssociationsThe following command empties out all Phase 1 Security Asso-
ciations:example# ikeadm flush p1
Example 2 Displaying all Phase 1 Security AssociationsThe following command displays all Phase 1 Security Associa-
tions:example# ikeadm dump p1
Example 3 Deleting a Specific Phase 1 Security Association The following command deletes the specified Phase 1 Security Associations:example# ikeadm del p1 local_ip remote_ip
Example 4 Adding a Rule From a FileSunOS 5.11 Last change: 22 Feb 2010 9
System Administration Commands ikeadm(1M)
The following command adds a rule from a file:example# ikeadm add rule rule_file
Example 5 Adding a Preshared Key The following command adds a preshared key:example# ikeadm
ikeadm> add preshared { localidtype ip localid local_ip
remoteidtype ip remoteid remote_ip ike_mode main
key 1234567890abcdef1234567890abcdef } Example 6 Saving All Preshared Keys to a File The following command saves all preshared keys to a file:example# ikeadm write preshared target_file
Example 7 Viewing a Particular Rule The following command views a particular rule:example# ikeadm get rule rule_label
Example 8 Reading in New Rules from ike.config The following command reads in new rules from the ike.config file:example# ikeadm read rules
SunOS 5.11 Last change: 22 Feb 2010 10
System Administration Commands ikeadm(1M)
Example 9 Lowering the Privilege Level The following command lowers the privilege level:example# ikeadm set priv base
Example 10 Viewing the Debug Level The following command shows the current debug levelexample# ikeadm get debug
Example 11 Using stats to Verify Hardware Accelerator The following example shows how stats may include an optional line at the end to indicate if IKE is using aPKCS#11 library to accelerate public-key operations, if
applicable.example# ikeadm get stats
Phase 1 SA counts: Current: initiator: 0 responder: 0 Total: initiator: 21 responder: 27 Attempted:initiator: 21 responder: 27 Failed: initiator: 0 responder: 0initiator fails include 0 time-out(s)
PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so
example#
Example 12 Displaying the Certificate Cache The following command shows the certificate cache and the status of associated private keys, if applicable:example# ikeadm dump certcache
SunOS 5.11 Last change: 22 Feb 2010 11
System Administration Commands ikeadm(1M)
Example 13 Logging into a PKCS#11 Token
The following command shows logging into a PKCS#11 token
object and unlocking private keys:example# ikeadm token login "Sun Metaslot"
Enter PIN for PKCS#11 token:
ikeadm: PKCS#11 operation successful
EXIT STATUS The following exit values are returned: 0 Successful completion.non-zero An error occurred. Writes an appropriate error
message to standard error.ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcs ||_____________________________|_____________________________|
| Interface Stability | Not an Interface ||_____________________________|_____________________________|
SEE ALSO
in.iked(1M), ike.config(4), ike.preshared(4), attributes(5), ipsec(7P)Schneier, Bruce, Applied Cryptography: Protocols, Algo-
rithms, and Source Code in C, Second Edition, John Wiley & Sons, New York, NY, 1996. NOTESAs in.iked can run only in the global zone and exclusive-IP
zones, this command is not useful in shared-IP zones.
SunOS 5.11 Last change: 22 Feb 2010 12