Sun Microsystems, Inc.
spacerspacer
spacer   www.sun.com docs.sun.com | | |  
spacer
black dot
   
A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z
    
 
System Administration Commandsikeadm(1M)


NAME

 ikeadm - manipulate Internet Key Exchange (IKE) parameters and state

SYNOPSIS

 ikeadm [-np]
 ikeadm [-np] get [ debug | priv | stats]
 ikeadm [-np] set [ debug | priv] [level] [file]
 ikeadm [-np] [ get | del] [ p1 | rule | preshared] [id]
 ikeadm [-np] add [ rule | preshared] { description }
 ikeadm [-np] [ read | write] [ rule | preshared] file
 ikeadm [-np] [ dump | pls | rule | preshared]
 ikeadm [-np] flush pls
 ikeadm help [ get | set | add | del | read | write | dump | flush]

DESCRIPTION

 

The ikeadm utility retrieves information from and manipulates the configuration of the Internet Key Exchange (IKE) protocol daemon, in.iked(1M).

ikeadm supports a set of operations, which may be performed on one or more of the supported object types. When invoked without arguments, ikeadm enters interactive mode which prints a prompt to the standard output and accepts commands from the standard input until the end-of-file is reached.

Because ikeadm manipulates sensitive keying information, you must be superuser to use this command. Additionally, some of the commands available require that the daemon be running in a privileged mode, which is established when the daemon is started.

For details on how to use this command securely see SECURITY.

OPTIONS

 

The following options are supported:

-n
Prevent attempts to print host and network names symbolically when reporting actions. This is useful, for example, when all name servers are down or are otherwise unreachable.
-p
Paranoid. Do not print any keying material, even if saving Security Associations. Instead of an actual hexadecimal digit, print an X when this flag is turned on.

USAGE

 

Commands

 

The following commands are supported:

add
Add the specified object. This option can be used to add a new policy rule or a new preshared key to the current (running) in.iked configuration. When adding a new preshared key, the command cannot be invoked from the command line, as it will contain keying material. The rule or key being added is specified using appropriate id-value pairs as described in the ID FORMATS section.
del
Delete a specific object from in.iked's current configuration. This operation is available for IKE (Phase 1) SAs, policy rules, and preshared keys. The object to be deleted is specified as described in the ID FORMATS.
dump
Display all objects of the specified type known to in.iked. This option can be used to display all Phase 1 SAs, policy rules, or preshared keys. A large amount of output may be generated by this command.
flush
Remove all IKE (Phase 1) SAs from in.iked.
get
Lookup and display the specified object. May be used to view the current debug or privilege level, global statistics for the daemon, or a specific IKE (Phase 1) SA, policy rule, or preshared key. The latter three object types require that identifying information be passed in; the appropriate specification for each object type is described below.
help
Print a brief summary of commands, or, when followed by a command, prints information about that command.
read
Update the current in.iked configuration by reading the policy rules or preshared keys from either the default location or from the file specified.
set
Adjust the current debug or privilege level. If the debug level is being modified, an output file may optionally be specified; the output file must be specified if the daemon is running in the background and is not currently printing to a file. When changing the privilege level, adjustments may only be made to lower the access level; it cannot be increased using ikeadm.
write
Write the current in.iked policy rule set or preshared key set to the specified file. A destination file must be specified. This command should not be used to overwrite the existing configuration files.

OBJECT TYPES

 
debug
Specifies the daemon's debug level. This determines the amount and type of output provided by the daemon about its operations. The debug level is actually a bitmask, with individual bits enabling different types of information.
DescriptionFlagNickname
Certificate management0x0001cert
Key management0x0002key
Operational0x0004op
Phase 1 SA creation0x0008phase1
Phase 2 SA creation0x0010phase2
PF_KEY interface0x0020pfkey
Policy management0x0040policy
Proposal construction0x0080prop
Door interface0x0100door
Config file processing0x0200config
All debug flags0x3ffall

When specifying the debug level, either a number (decimal or hexadecimal) or a string of nicknames may be given. For example, 88, 0x58, and phase1+phase2+policy are all equivalent, and will turn on debug for phase 1 sa creation, phase 2 sa creation, and policy management. A string of nicknames may also be used to remove certain types of information; all-op has the effect of turning on all debug except for operational messages; it is equivalent to the numbers 1019 or 0x3fb.

priv
Specifies the daemon's access privilege level. The possible values are:
DescriptionLevelNickname
Base level 0base
Access to preshared key info1modkeys
Access to keying material2keymat

By default, in.iked is started at the base level. A command-line option can be used to start the daemon at a higher level. ikeadm can be used to lower the level, but it cannot be used to raise the level.

Either the numerical level or the nickname may be used to specify the target privilege level.

In order to get, add, delete, dump, read, or write preshared keys, the privilege level must at least give access to preshared key information. However, when viewing preshared keys (either using the get or dump command), the key itself will only be available if the privilege level gives access to keying material. This is also the case when viewing Phase 1 SAs.

stats
Global statistics from the daemon, covering both successful and failed Phase 1 SA creation.

Reported statistics include:

  • Count of current P1 SAs which the local entity initiated
  • Count of current P1 SAs where the local entity was the responder
  • Count of all P1 SAs which the local entity initiated since boot
  • Count of all P1 SAs where the local entity was the responder since boot
  • Count of all attempted P1 SAs since boot, where the local entity was the initiator; includes failed attempts
  • Count of all attempted P1 SAs since boot, where the local entity was the responder; includes failed attempts
  • Count of all failed attempts to initiate a P1 SA, where the failure occurred because the peer did not respond
  • Count of all failed attempts to initiate a P1 SA, where the peer responded
  • Count of all failed P1 SAs where the peer was the initiator
p1
An IKE Phase 1 SA. A p1 object is identified by an IP address pair or a cookie pair; identification formats are described below.
rule
An IKE policy rule, defining the acceptable security characteristics for Phase 1 SAs between specified local and remote identities. A rule is identified by its label; identification formats are described below.
preshared
A preshared key, including the local and remote identification and applicable IKE mode. A preshared key is identified by an IP address pair or an identity pair; identification formats are described below.

ID FORMATS

 

Commands like add, del, and get require that additional information be specified on the command line. In the case of the delete and get commands, all that is required is to minimally identify a given object; for the add command, the full object must be specified.

Minimal identification is accomplished in most cases by a pair of values. For IP addresses, the local addr and then the remote addr are specified, either in dot-notation for IPv4 addresses, colon-separated hexadecimal format for IPv6 addresses, or a host name present in the host name database. If a host name is given that expands to more than one address, the requested operation will be performed multiple times, once for each possible combination of addresses.

Identity pairs are made up of a local type-value pair, followed by the remote type-value pair. Valid types are:

prefix
An address prefix.
fqdn
A fully-qualified domain name.
domain
Domain name, synonym for fqdn.
user_fqdn
User identity of the form user@fqdn.
mailbox
Synonym for user_fqdn.

A cookie pair is made up of the two cookies assigned to a Phase 1 Security Association (SA) when it is created; first is the initiator's, followed by the responder's. A cookie is a 64-bit number.

Finally, a label (which is used to identify a policy rule) is a character string assigned to the rule when it is created.

Formatting a rule or preshared key for the add command follows the format rules for the in.iked configuration files. Both are made up of a series of id-value pairs, contained in curly braces ({ and }). See ike.config(4) and ike.preshared(4) for details on the formatting of rules and preshared keys.

SECURITY

 

The ikeadm command allows a privileged user to enter cryptographic keying information. If an adversary gains access to such information, the security of IPsec traffic is compromised. The following issues should be taken into account when using the ikeadm command.

  • Is the TTY going over a network (interactive mode)?

    If it is, then the security of the keying material is the security of the network path for this TTY's traffic. Using ikeadm over a clear-text telnet or rlogin session is risky. Even local windows may be vulnerable to attacks where a concealed program that reads window events is present.

  • Is the file accessed over the network or readable to the world (read/write commands)?

    A network-mounted file can be sniffed by an adversary as it is being read. A world-readable file with keying material in it is also risky.

If your source address is a host that can be looked up over the network, and your naming system itself is compromised, then any names used will no longer be trustworthy.

Security weaknesses often lie in misapplication of tools, not the tools themselves. It is recommended that administrators are cautious when using the ikeadm command. The safest mode of operation is probably on a console, or other hard-connected TTY.

For additional information regarding this subject, see the afterward by Matt Blaze in Bruce Schneier's Applied Cryptography: Protocols, Algorithms, and Source Code in C.

EXAMPLES

 Example 1. Emptying out all Phase 1 Security Associations
 

The following command empties out all Phase 1 Security Associations:

 
example# ikeadm flush p1s
Example 2. Displaying all Phase 1 Security Associations
 

The following command displays all Phase 1 Security Associations:

 
example# ikeadm dump p1s
Example 3. Deleting a Specific Phase 1 Security Association
 

The following command deletes the specified Phase 1 Security Associations:

 
example# ikeadm get p1 local_ip remote_ip
Example 4. Adding a Rule From a File
 

The following command adds a rule from a file:

 
example# ikeadm add rule rule_file
Example 5. Adding a Preshared Key
 

The following command adds a preshared key:

 
example# ikeadm
     ikeadm> add preshared { localidtype ip localid local_ip
             remoteidtype ip remoteid remote_ip ike_mode main
             key 1234567890abcdef1234567890abcdef }
Example 6. Saving All Preshared Keys to a File
 

The following command saves all preshared keys to a file:

 
example# ikeadm write preshared target_file
Example 7. Viewing a Particular Rule
 

The following command views a particular rule:

 
example# ikeadm get rule rule_label
Example 8. Reading in New Rules from ike.config
 

The following command reads in new rules from the ike.config file:

 
example# ikeadm read rules
Example 9. Lowering the Privilege Level
 

The following command lowers the privilege level:

 
example# ikeadm set priv base
Example 10. Viewing the debug level
 

The following command the current debug level

 
example# ikeadm get debug

EXIT STATUS

 

The following exit values are returned:

0
Successful completion.
non-zero
An error occurred. Writes an appropriate error message to standard error.

ATTRIBUTES

 

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPEATTRIBUTE VALUE
AvailabilitySUNWcsu
Interface StabilityEvolving

SEE ALSO

 

in.iked(1M), ike.config(4), ike.preshared(4), attributes(5), ipsec(7P)

Schneier, Bruce, Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition, John Wiley & Sons, New York, NY, 1996.


SunOS 5.9Go To TopLast Changed 4 Oct 2001

 
      
      
Copyright 2002 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.