2 .\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
4 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
5 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH IPSECCONF 1M "April 9, 2016"
8 ipsecconf \- configure system wide IPsec policy
12 \fB/usr/sbin/ipsecconf\fR
17 \fB/usr/sbin/ipsecconf\fR \fB-a\fR \fIfile\fR [\fB-q\fR]
22 \fB/usr/sbin/ipsecconf\fR \fB-c\fR \fIfile\fR
27 \fB/usr/sbin/ipsecconf\fR \fB-d\fR [\fB-i\fR \fItunnel-name\fR] {\fIindex\fR, \fItunnel-name\fR, \fIindex\fR}
32 \fB/usr/sbin/ipsecconf\fR \fB-f\fR [\fB-i\fR \fItunnel-name\fR]
37 \fB/usr/sbin/ipsecconf\fR \fB-F\fR
42 \fB/usr/sbin/ipsecconf\fR \fB-l\fR [\fB-i\fR \fItunnel-name\fR] [\fB-n\fR]
47 \fB/usr/sbin/ipsecconf\fR \fB-L\fR [\fB-n\fR]
52 The \fBipsecconf\fR utility configures the IPsec policy for a host or for one
53 of its tunnels. Once the policy is configured, all outbound and inbound
54 datagrams are subject to policy checks as they exit and enter the host or
55 tunnel. For the host policy, if no entry is found, no policy checks will be
56 completed, and all the traffic will pass through. For a tunnel, if no entry is
57 found and there is at least one entry for the tunnel, the traffic will
58 automatically drop. The difference in behavior is because of the assumptions
59 about IPsec tunnels made in many implementations. Datagrams that are being
60 forwarded will not be subjected to policy checks that are added using this
61 command. See \fBifconfig\fR(1M) and \fBdladm\fR(1M) for information on how to
62 protect forwarded packets. Depending upon the match of the policy entry, a
63 specific action will be taken.
66 This command can be run only by superuser.
69 Each entry can protect traffic in either one direction (requiring a pair of
70 entries) or by a single policy entry which installs the needed symmetric
74 When the command is issued without any arguments, the list of file policy
75 entries loaded are shown. To display the (\fBspd p.e.\fRs) use the \fB-l\fR
76 option. Both will display the index number for the entry. To specify a single
77 tunnel's SPD, use the \fB-i\fR option in combination with \fB-l\fR. To specify
78 all SPDs, both host and for all tunnels, use \fB-L\fR.
81 Note, since one file policy entry (\fBFPE\fR) can generate multiple SPD pol
82 entries (\fBSPE\fRs), the list of FPEs may not show all the actual entries.
83 However, it is still useful in determining what what rules have been added to
84 get the spd into its current state.
87 You can use the \fB-d\fR option with the index to delete a given policy in the
88 system. If the \fB-d\fR option removes an FPE entry that produces multiple
89 SPEs, only then SPD with the same policy index as the FPE will be removed. This
90 can produce a situation where there may be SPEs when there are no FPEs.
93 As with \fB-l\fR, \fB-d\fR can use the \fB-i\fR flag to indicate a tunnel. An
94 alternate syntax is to specify a tunnel name, followed by a comma (\fB,\fR),
95 followed by an index. For example, \fBip.tun0,1\fR.
98 With no options, the entries are displayed in the order that they were added,
99 which is not necessarily the order in which the traffic match takes place.
102 To view the order in which the traffic match will take place, use the \fB-l\fR
103 option. The rules are ordered such that all bypass rules are checked first,
104 then ESP rules, then AH rules. After that, they are checked in the order
108 Policy entries are not preserved across system restarts. Permanent policy
109 entries should be added to \fB/etc/inet/ipsecinit.conf\fR. This file is read by
110 the following \fBsmf\fR(5) service:
114 svc:/network/ipsec/policy
121 See \fBNOTES\fR for more information on managing IPsec security policy and
122 \fBSECURITY\fR for issues in securing \fB/etc/inet/ipsecinit.conf\fR.
125 \fBipsecconf\fR supports the following options:
129 \fB\fB-a\fR \fIfile\fR\fR
133 Add the IPsec policy to the system as specified by each entry in the file. An
134 IPsec configuration file contains one or more entries that specify the
135 configuration. Once the policy is added, all outbound and inbound datagrams are
136 subject to policy checks.
138 Entries in the files are described in the section below. Examples can be found
139 in the section below.
141 Policy is latched for TCP/UDP sockets on which a \fBconnect\fR(3SOCKET) or
142 \fBaccept\fR(3SOCKET) is issued. So, the addition of new policy entries may not
143 affect such endpoints or sockets. However, the policy will be latched for a
144 socket with an existing non-null policy. Thus, make sure that there are no
145 preexisting connections that will be subject to checks by the new policy
148 The feature of policy latching explained above may change in the future. It is
149 not advisable to depend upon this feature.
155 \fB\fB-c\fR \fIfile\fR\fR
159 Check the syntax of the configuration file and report any errors without making
160 any changes to the policy. This option is useful when debugging configurations
161 and when \fBsmf\fR(5) reports a configuration error. See \fBSECURITY\fR.
167 \fB\fB-d\fR \fIindex\fR\fR
171 Delete the host policy denoted by the index. The index is obtained by invoking
172 \fBipsecconf\fR without any arguments, or with the \fB-l\fR option. See
173 DESCRIPTION for more information. Once the entry is deleted, all outbound and
174 inbound datagrams affected by this policy entry will not be subjected to policy
175 checks. Be advised that with connections for which the policy has been latched,
176 packets will continue to go out with the same policy, even if it has been
177 deleted. It is advisable to use the \fB-l\fR option to find the correct policy
184 \fB\fB-d\fR \fIname\fR,\fIindex\fR\fR
188 Delete the policy entry denoted by \fIindex\fR on a tunnel denoted by
189 \fIname\fR. Since tunnels affect traffic that might originate off-node,
190 latching does not apply as it does in the host policy case. Equivalent to:
191 \fB-d\fR \fIindex\fR \fB-i\fR \fIname\fR.
201 Flush all the policies in the system. Constraints are similar to the \fB-d\fR
202 option with respect to latching and host versus per-tunnel behavior.
212 Flush all policies on all tunnels and also flush all host policies.
218 \fB\fB-i\fR \fIname\fR\fR
222 Specify a tunnel interface name for use with the \fB-d\fR, \fB-f\fR, or
233 Listing of a single policy table, defaulting to the host policy. When
234 \fBipsecconf\fR is invoked without any arguments, a complete list of policy
235 entries with indexes added by the user since boot is displayed. The current
236 table can differ from the previous one if, for example, a multi-homed entry was
237 added or policy reordering occurred, or if a single rule entry generates two
238 \fBspd\fR rules In the case of a multi-homed entry, all the addresses are
239 listed explicitly. If a mask was not specified earlier but was instead inferred
240 from the address, it will be explicitly listed here. This option is used to
241 view policy entries in the correct order. The outbound and inbound policy
242 entries are listed separately.
252 Lists all policy tables, including host policy and all tunnel instances
253 (including configured but unplumbed).
255 If \fB-i\fR is specified, \fB-L\fR lists the policy table for a specific tunnel
266 Show network addresses, ports, protocols in numbers. The \fB-n\fR option may
267 only be used with the \fB-l\fR option.
277 Quiet mode. Suppresses the warning message generated when adding policies.
282 Each policy entry contains three parts specified as follows:
286 {pattern} action {properties}
296 {pattern} action {properties} ["or" action {properties}]*
302 Every policy entry begins on a new line and can span multiple lines. If an
303 entry exceeds the length of a line, you should split it only within a "braced"
304 section or immediately before the first (left-hand) brace of a braced section.
305 Avoid using the backslash character (\e). See EXAMPLES.
308 The \fIpattern\fR section, as shown in the syntax above, specifies the traffic
309 pattern that should be matched against the outbound and inbound datagrams. If
310 there is a match, a specific \fIaction\fR determined by the second argument
311 will be taken, depending upon the \fIproperties\fR of the policy entry.
314 If there is an \fBor\fR in the rule (multiple action-properties for a given
315 pattern), a transmitter will use the first action-property pair that works,
316 while a receiver will use any that are acceptable.
319 \fIpattern\fR and \fIproperties\fR are name-value pairs where name and value
320 are separated by a <space>, <tab> or <newline>. Multiple name-value pairs
321 should be separated by <space>, <tab> or <newline>. The beginning and end of
322 the pattern and properties are marked by \fB{\fR and \fB}\fR respectively.
325 Files can contain multiple policy entries. An unspecified name-value pair in
326 the \fIpattern\fR will be considered as a wildcard. Wildcard entries match any
327 corresponding entry in the datagram.
330 One thing to remember is that UDP port 500 is always bypassed regardless of any
331 policy entries. This is a requirement for \fBin.iked\fR(1M) to work.
334 File can be commented by using a \fB#\fR as the first character. Comments may
335 be inserted either at the beginning or the end of a line.
338 The complete syntax of a policy entry is:
342 policy ::= { <pattern1> } <action1> { <properties1> } |
343 { <pattern2> } <action2> { <properties2> }
344 [ 'or' <action2> { <properties2>} ]*
346 pattern1 ::= <pattern_name_value_pair1>*
348 pattern2 ::= <pattern_name_value_pair2>*
350 action1 ::= apply | permit | bypass | pass
351 action2 ::= bypass | pass | drop | ipsec
353 properties1 ::= {<prop_name_value_pair1>}
354 properties2 ::= {<prop_name_value_pair2>}
357 pattern_name_value_pair1 ::=
358 saddr <address>/<prefix> |
359 src <address>/<prefix> |
360 srcaddr <address>/<prefix> |
363 daddr <address>/<prefix> |
364 dst <address>/<prefix> |
365 dstaddr <address>/<prefix> |
371 type <number>-<number> |
373 code <number>-<number>
374 tunnel <interface-name> |
375 negotiate <tunnel,transport>
377 pattern_name_value_pair2 ::=
378 raddr <address>/<prefix> |
379 remote <address>/<prefix> |
381 laddr <address>/<prefix> |
382 local <address>/<prefix> |
386 type <number>-<number> |
388 code <number>-<number>
390 tunnel <interface-name> |
391 negotiate <tunnel,transport> |
394 address ::= <IPv4 dot notation> | <IPv6 colon notation> |
395 <String recognized by gethostbyname>|
396 <String recognized by getnetbyname>
400 mask ::= <0xhexdigit[hexdigit]> | <0Xhexdigit[hexdigit]> |
403 port ::= <number>| <String recognized by getservbyname>
405 protocol ::= <number>| <String recognized by getprotobyname>
407 prop_name_value_pair1 ::=
408 auth_algs <auth_alg> |
409 encr_algs <encr_alg> |
410 encr_auth_algs <auth_alg> |
414 prop_name_value_pair2 ::=
415 auth_algs <auth_alg> |
416 encr_algs <encr_alg> |
417 encr_auth_algs <auth_alg> |
420 auth_alg ::= <auth_algname> ['(' <keylen> ')']
421 auth_algname ::= any | md5 | hmac-md5 | sha | sha1 | hmac-sha |
422 hmac-sha1 | hmac-sha256 | hmac-sha384 |
423 hmac-sha512 |<number>
425 encr_alg ::= <encr_algname> ['(' <keylen> ')']
426 encr_algname ::= any | aes | aes-cbc | des | des-cbc | 3des |
427 3des-cbc | blowfish | blowfish-cbc | <number>
429 keylen ::= <number> | <number>'..' | '..'<number> | <number>'..' \e
432 sa_val ::= shared | unique
434 dir_val1 ::= out | in
435 dir_val2 ::= out | in | both
437 number ::= < 0 | 1 | 2 ... 9> <number>
438 icmp-type ::= <number> | unreach | echo | echorep | squench |
439 redir | timex | paramprob | timest | timestrep |
440 inforeq | inforep | maskreq | maskrep | unreach6 |
441 pkttoobig6 | timex6 | paramprob6 | echo6 | echorep6 |
442 router-sol6 | router-ad6 | neigh-sol6 | neigh-ad6 |
445 icmp-code ::= <number> | net-unr | host-unr | proto-unr | port-unr |
446 needfrag | srcfail | net-unk | host-unk | isolate |
447 net-prohib | host-prohib | net-tos | host-tos |
448 filter-prohib | host-preced | cutoff-preced |
449 no-route6 | adm-prohib6 | addr-unr6 | port-unr6 |
450 hop-limex6 | frag-re-timex6 | err-head6 | unrec-head6 |
457 Policy entries may contain the following (name value) pairs in the
458 \fIpattern\fR field. Each (name value) pair may appear only once in given
471 The value that follows is the local address of the datagram with the prefix
472 length. Only plen leading bits of the source address of the packet will be
473 matched. plen is optional. Local means destination on incoming and source on
474 outgoing packets. The source address value can be a hostname as described in
475 getaddrinfo(3SOCKET) or a network name as described in
476 \fBgetnetbyname\fR(3XNET) or a host address or network address in the Internet
477 standard dot notation. See \fBinet_addr\fR(3XNET). If a hostname is given and
478 getaddrinfo(3SOCKET) returns multiple addresses for the host, then policy will
479 be added for each of the addresses with other entries remaining the same.
493 The value that follows is the remote address of the datagram with the prefix
494 length. Only plen leading bits of the remote address of the packet will be
495 matched. plen is optional. Remote means source on incoming packets and
496 destination on outgoing packets. The remote address value can be a hostname as
497 described in \fBgetaddrinfo\fR(3SOCKET) or a network name as described in
498 \fBgetnetbyname\fR(3XNET) or a host address or network address in the Internet
499 standard dot notation. See \fBinet_addr\fR(3XNET). If a hostname is given and
500 \fBgetaddrinfo\fR(3SOCKET) returns multiple addresses for the host, then policy
501 will be added for each of the addresses with other entries remaining the same.
519 The value that follows is the source address of the datagram with the prefix
520 length. Only \fIplen\fR leading bits of the source address of the packet will
521 be matched. \fIplen\fR is optional.
523 The source address value can be a hostname as described in
524 \fBgetaddrinfo\fR(3SOCKET) or a network name as described in
525 \fBgetnetbyname\fR(3XNET) or a host address or network address in the Internet
526 standard dot notation. See \fBinet_addr\fR(3XNET).
528 If a hostname is given and \fBgetaddrinfo\fR(3SOCKET) returns multiple
529 addresses for the host, then policy will be added for each of the addresses
530 with other entries remaining the same.
548 The value that follows is the destination address of the datagram with the
549 prefix length. Only \fIplen\fR leading bits of the destination address of the
550 packet will be matched. \fIplen\fR is optional.
552 See \fIsaddr\fR for valid values that can be given. If multiple source and
553 destination addresses are found, then a policy entry that covers each source
554 address-destination address pair will be added to the system.
564 For IPv4 only. The value that follows is the source mask. If prefix length is
565 given with \fIsaddr\fR, this should not be given. This can be represented
566 either in hexadecimal number with a leading \fB0x\fR or \fB0X\fR, for example,
567 \fB0xffff0000\fR, \fB0Xffff0000\fR or in the Internet decimal dot notation, for
568 example, \fB255.255.0.0\fR and \fB255.255.255.0\fR. The mask should be
569 contiguous and the behavior is not defined for non-contiguous masks.
571 \fIsmask\fR is considered only when \fIsaddr\fR is given.
573 For both IPv4 and IPv6 addresses, the same information can be specified as a
574 \fIslen\fR value attached to the \fIsaddr\fR parameter.
584 Analogous to \fIsmask.\fR
594 The value that follows is the local port of the datagram. This can be either a
595 port number or a string searched with a NULL proto argument, as described in
606 The value that follows is the remote port of the datagram. This can be either a
607 port number or a string searched with a NULL proto argument, as described in
618 The value that follows is the source port of the datagram. This can be either a
619 port number or a string searched with a \fBNULL\fR proto argument, as described
620 in \fBgetservbyname\fR(3XNET)
630 The value that follows is the destination port of the datagram. This can be
631 either a port number or a string as described in \fBgetservbyname\fR(3XNET)
632 searched with \fBNULL\fR proto argument.
638 \fB\fBproto\fR \fIulp\fR\fR
642 The value that follows is the Upper Layer Protocol that this entry should be
643 matched against. It could be a number or a string as described in
644 \fBgetprotobyname\fR(3XNET). If no smask or plen is specified, a plen of 32 for
645 IPv4 or 128 for IPv6 will be used, meaning a host. If the \fIulp\fR is
646 \fBicmp\fR or \fBipv6-icmp\fR, any action applying IPsec must be the same for
647 all \fBicmp\fR rules.
653 \fB\fBtype\fR \fInum\fR or \fInum\fR-\fInum\fR\fR
657 The value that follows is the ICMP type that this entry should be matched
658 against. \fBtype\fR must be a number from 0 to 255, or one of the appropriate
659 \fBicmp-type\fR keywords. Also, \fIulp\fR must be present and must specify
660 either \fBicmp\fR or \fBipv6-icmp\fR. A range of types can be specified with a
661 hyphen separating numbers.
667 \fB\fBcode\fR \fInum\fR or \fInum\fR-\fInum\fR\fR
671 The value that follows is the ICMP code that this entry should be matched
672 against. The value following the keyword \fBcode\fR must be a number from 0 to
673 254 or one of the appropriate \fBicmp-code\fR keywords. Also, \fBtype\fR must
674 be present. A range of codes can be specified with a hyphen separating numbers.
680 \fB\fBtunnel\fR \fIname\fR\fR
684 Specifies a tunnel network interface, as configured with \fBifconfig\fR(1M). If
685 a tunnel of \fIname\fR does not yet exist, the policy entries are added anyway,
686 and joined with the tunnel state when it is created. If a tunnel is unplumbed,
687 its policy entries disappear.
693 \fB\fBnegotiate\fR \fItunnel\fR\fR
697 \fB\fBnegotiate\fR \fItransport\fR\fR
701 For per-tunnel security, specify whether the IPsec SAs protecting the traffic
702 should be tunnel-mode SAs or transport-mode SAs. If transport-mode SAs are
703 specified, no addresses can appear in the policy entry. Transport-mode is
704 backward compatible with Solaris 9, and tunnel IPsec policies configured with
705 \fBifconfig\fR(1M) will show up as transport mode entries here.
710 Policy entries may contain the following (name-value) pairs in the properties
711 field. Each (name-value) pair may appear only once in a given policy entry.
715 \fB\fBauth_algs\fR\fR
719 An acceptable value following this implies that IPsec \fBAH\fR header will be
720 present in the outbound datagram. Values following this describe the
721 authentication algorithms that will be used while applying the IPsec \fBAH\fR
722 on outbound datagrams and verified to be present on inbound datagrams. See
725 This entry can contain either a string or a decimal number.
733 This should be either \fBMD5\fR or \fBHMAC-MD5\fR denoting the \fBHMAC-MD5\fR
734 algorithm as described in \fIRFC 2403\fR, and \fBSHA1\fR, or \fBHMAC-SHA1\fR or
735 \fBSHA\fR or \fBHMAC-SHA\fR denoting the \fBHMAC-SHA\fR algorithm described in
736 \fIRFC 2404\fR. You can use the \fBipsecalgs\fR(1M) command to obtain the
737 complete list of authentication algorithms.
739 The string can also be \fBANY\fR, which denotes no-preference for the
740 algorithm. Default algorithms will be chosen based upon the \fBSA\fRs available
741 at this time for manual \fBSA\fRs and the key negotiating daemon for automatic
742 \fBSA\fRs. Strings are not case-sensitive.
752 A number in the range 1-255. This is useful when new algorithms can be
756 If \fIauth_algs\fR is not present, the \fBAH\fR header will not be present in
757 the outbound datagram, and the same will be verified for the inbound datagram.
763 \fB\fBencr_algs\fR\fR
767 An acceptable value following this implies that IPsec \fBESP\fR header will be
768 present in the outbound datagram. The value following this describes the
769 encryption algorithms that will be used to apply the IPsec \fBESP\fR protocol
770 to outbound datagrams and verify it to be present on inbound datagrams. See
773 This entry can contain either a string or a decimal number. Strings are not
782 Can be one of the following:
789 string value: Algorithm Used: See RFC:
791 DES or DES-CBC DES-CBC 2405
792 3DES or 3DES-CBC 3DES-CBC 2451
793 BLOWFISH or BLOWFISH-CBC BLOWFISH-CBC 2451
794 AES or AES-CBC AES-CBC 2451
797 You can use the \fBipsecalgs\fR(1M) command to obtain the complete list of
798 authentication algorithms.
800 The value can be \fBNULL\fR, which implies a \fBNULL\fR encryption, pursuant to
801 \fIRFC 2410\fR. This means that the payload will not be encrypted. The string
802 can also be \fBANY\fR, which indicates no-preference for the algorithm. Default
803 algorithms will be chosen depending upon the SAs available at the time for
804 manual SAs and upon the key negotiating daemon for automatic SAs. Strings are
815 A decimal number in the range 1-255. This is useful when new algorithms can be
824 \fB\fBencr_auth_algs\fR\fR
828 An acceptable value following \fBencr_auth_algs\fR implies that the IPsec
829 \fBESP\fR header will be present in the outbound datagram. The values following
830 \fBencr_auth_algs\fR describe the authentication algorithms that will be used
831 while applying the IPsec \fBESP\fR protocol on outbound datagrams and verified
832 to be present on inbound datagrams. See \fIRFC 2406\fR. This entry can contain
833 either a string or a number. Strings are case-insensitive.
841 Valid values are the same as the ones described for \fBauth_algs\fR above.
851 This should be a decimal number in the range 1-255. This is useful when new
852 algorithms can be dynamically loaded.
855 If \fBencr_algs\fR is present and \fBencr_auth_algs\fR is not present in a
856 policy entry, the system will use an \fBESP\fR \fBSA\fR regardless of whether
857 the \fBSA\fR has an authentication algorithm or not.
859 If \fBencr_algs\fR is not present and \fBencr_auth_algs\fR is present in a
860 policy entry, null encryption will be provided, which is equivalent to
861 \fBencr_algs\fR with \fBNULL\fR, for outbound and inbound datagrams.
863 If both \fBencr_algs\fR and \fBencr_auth_algs\fR are not present in a policy
864 entry, \fBESP\fR header will not be present for outbound datagrams and the same
865 will be verified for inbound datagrams.
867 If both \fBencr_algs\fR and \fBencr_auth_algs\fR are present in a policy entry,
868 \fBESP\fR header with integrity checksum will be present on outbound datagrams
869 and the same will be verified for inbound datagrams.
871 For \fBencr_algs\fR, \fBencr_auth_algs\fR, and \fBauth_algs\fR a key length
872 specification may be present. This is either a single value specifying the only
873 valid key length for the algorithm or a range specifying the valid minimum
874 and/or maximum key lengths. Minimum or maximum lengths may be omitted.
884 Values following this decides whether this entry is for outbound or inbound
885 datagram. Valid values are strings that should be one of the following:
893 This means that this policy entry should be considered only for outbound
904 This means that this policy entry should be considered only for inbound
915 This means that this policy entry should be considered for both inbound and
919 This entry is not needed when the action is "apply", "permit" or "ipsec". But
920 if it is given while the action is "apply" or "permit", it should be "out" or
921 "in" respectively. This is mandatory when the action is "bypass".
931 Values following this decide the attribute of the security association. Value
932 indicates whether a unique security association should be used or any existing
933 \fBSA\fR can be used. If there is a policy requirement, \fBSA\fRs are created
934 dynamically on the first outbound datagram using the key management daemon.
935 Static \fBSA\fRs can be created using \fBipseckey\fR(1M). The values used here
936 determine whether a new \fBSA\fR will be used/obtained. Valid values are
937 strings that could be one of the following:
945 Unique Association. A new/unused association will be obtained/used for packets
946 matching this policy entry. If an \fBSA\fR that was previously used by the same
947 5 tuples, that is, {Source address, Destination address, Source port,
948 Destination Port, Protocol (for example, \fBTCP\fR/\fBUDP\fR)} exists, it will
949 be reused. Thus uniqueness is expressed by the 5 tuples given above. The
950 security association used by the above 5 tuples will not be used by any other
951 socket. For inbound datagrams, uniqueness will not be verified.
953 For tunnel-mode tunnels, \fBunique\fR is ignored. SAs are assigned per-rule in
954 tunnel-mode tunnels. For transport-mode tunnels, \fBunique\fR is implicit,
955 because the enforcement happens only on the outer-packet addresses and protocol
956 value of either IPv4-in-IP or IPv6-in-IP.
966 Shared association. If an \fBSA\fR exists already for this source-destination
967 pair, it will be used. Otherwise a new \fBSA\fR will be obtained. This is the
971 This is mandatory only for outbound policy entries and should not be given for
972 entries whose action is "bypass". If this entry is not given for inbound
973 entries, for example, when "dir" is in or "action" is permit, it will be
974 assumed to be shared.
979 Action follows the pattern and should be given before properties. It should be
980 one of the following and this field is mandatory.
988 Use IPsec for the datagram as described by the properties, if the pattern
989 matches the datagram. If ipsec is given without a dir spec , the pattern is
990 matched to incoming and outgoing datagrams.
1000 Apply IPsec to the datagram as described by the properties, if the pattern
1001 matches the datagram. If \fBapply\fR is given, the pattern is matched only on
1002 the outbound datagram.
1012 Permit the datagram if the pattern matches the incoming datagram and satisfies
1013 the constraints described by the properties. If it does not satisfy the
1014 properties, discard the datagram. If \fBpermit\fR is given, the pattern is
1015 matched only for inbound datagrams.
1029 Bypass any policy checks if the pattern matches the datagram. \fBdir\fR in the
1030 properties decides whether the check is done on outbound or inbound datagrams.
1031 All the \fBbypass\fR entries are checked before checking with any other policy
1032 entry in the system. This has the highest precedence over any other entries.
1033 \fBdir\fR is the only field that should be present when action is \fBbypass\fR.
1043 Drop any packets that match the pattern.
1048 If the file contains multiple policy entries, for example, they are assumed to
1049 be listed in the order in which they are to be applied. In cases of multiple
1050 entries matching the outbound and inbound datagram, the first match will be
1051 taken. The system will reorder the policy entry, that is, add the new entry
1052 before the old entry, only when:
1055 The level of protection is "stronger" than the old level of protection.
1058 Currently, strength is defined as:
1062 AH and ESP > ESP > AH
1069 The standard uses of \fBAH\fR and \fBESP\fR were what drove this ranking of
1070 "stronger". There are flaws with this. \fBESP \fR can be used either without
1071 authentication, which will allow cut-and-paste or replay attacks, or without
1072 encryption, which makes it equivalent or slightly weaker than \fBAH\fR. An
1073 administrator should take care to use \fBESP\fR properly. See
1074 \fBipsecesp\fR(7P) for more details.
1077 If the new entry has \fBbypass\fR as action, \fBbypass\fR has the highest
1078 precedence. It can be added in any order, and the system will still match all
1079 the \fBbypass\fR entries before matching any other entries. This is useful for
1080 key management daemons which can use this feature to bypass IPsec as it
1081 protects its own traffic.
1084 Entries with both \fBAH\fR (\fBauth_algs\fR present in the policy entry) and
1085 \fBESP\fR (\fBencr_auth_algs\fR or \fBencr_auth_algs\fR present in the policy
1086 entry) protection are ordered after all the entries with \fBAH\fR and \fBESP\fR
1087 and before any \fBAH\fR-only and \fBESP\fR-only entries. In all other cases the
1088 order specified by the user is not modified, that is, newer entries are added
1089 at the end of all the old entries. See .
1092 A new entry is considered duplicate of the old entry if an old entry matches
1093 the same traffic pattern as the new entry. See for information on duplicates.
1096 If, for example, the policy file comes over the wire from an \fBNFS\fR mounted
1097 file system, an adversary can modify the data contained in the file, thus
1098 changing the policy configured on the machine to suit his needs. Administrators
1099 should be cautious about transmitting a copy of the policy file over a network.
1102 To prevent non-privileged users from modifying the security policy, ensure that
1103 the configuration file is writable only by trusted users.
1106 The configuration file is defined by a property of the \fBpolicy\fR
1107 \fBsmf\fR(5) service. The default configuration file, is
1108 \fB/etc/inet/ipsecinit.conf\fR. This can be changed using the \fBsvcprop\fR(1)
1109 command. See \fBNOTES\fR for more details.
1112 The policy description language supports the use of tokens that can be resolved
1113 by means of a name service, using functions such as \fBgethostbyname\fR(3NSL).
1114 While convenient, these functions are only secure as the name service the
1115 system is configured to use. Great care should be taken to secure the name
1116 service if it is used to resolve elements of the security policy.
1119 If your source address is a host that can be looked up over the network and
1120 your naming system itself is compromised, then any names used will no longer be
1124 If the name switch is configured to use a name service that is not local to the
1125 system, bypass policy entries might be required to prevent the policy from
1126 preventing communication to the name service. See \fBnsswitch.conf\fR(4).
1129 Policy is latched for \fBTCP/UDP\fR sockets on which a \fBconnect\fR(3SOCKET)
1130 or \fBaccept\fR(3SOCKET) has been issued. Adding new policy entries will not
1131 have any effect on them. This feature of latching may change in the future. It
1132 is not advisable to depend upon this feature.
1135 The \fBipsecconf\fR command can only be run by a user who has sufficient
1136 privilege to open the \fBpf_key\fR(7P) socket. The appropriate privilege can be
1137 assigned to a user with the Network IPsec Management profile. See
1138 \fBprofiles\fR(1), \fBrbac\fR(5), \fBprof_attr\fR(4).
1141 Make sure to set up the policies before starting any communications, as
1142 existing connections may be affected by the addition of new policy entries.
1143 Similarly, do not change policies in the middle of a communication.
1146 Note that certain \fBndd\fR tunables affect how policies configured with this
1147 tool are enforced; see \fBipsecesp\fR(7P) for more details.
1150 \fBExample 1 \fRProtecting Outbound \fBTCP\fR Traffic With \fBESP\fR and the
1154 The following example specified that any \fBTCP\fR packet from spiderweb to
1155 arachnid should be encrypted with \fBAES\fR, and the \fB SA\fR could be a
1156 shared one. It does not verify whether or not the inbound traffic is encrypted.
1162 # Protect the outbound TCP traffic between hosts spiderweb
1163 # and arachnid with ESP and use AES algorithm.
1177 \fBExample 2 \fRVerifying Whether or Not Inbound Traffic is Encrypted
1180 Example 1 does not verify whether or not the inbound traffic is encrypted. The
1181 entry in this example protects inbound traffic:
1187 # Protect the TCP traffic on inbound with ESP/DES from arachnid
1203 \fBsa\fR can be absent for inbound policy entries as it implies that it can be
1204 a shared one. Uniqueness is not verified on inbound. Note that in both the
1205 above entries, authentication was never specified. This can lead to cut and
1206 paste attacks. As mentioned previously, though the authentication is not
1207 specified, the system will still use an \fBESP\fR \fBSA\fR with
1208 \fBencr_auth_alg\fR specified, if it was found in the \fBSA\fR tables.
1211 \fBExample 3 \fRProtecting All Traffic Between Two Hosts
1214 The following example protects both directions at once:
1230 \fBExample 4 \fRAuthenticating All Inbound Traffic to the Telnet Port
1233 This entry specifies that any inbound datagram to telnet port should come in
1234 authenticated with the SHA1 algorithm. Otherwise the datagram should not be
1235 permitted. Without this entry, traffic destined to port number 23 can come in
1236 clear. \fBsa\fR is not specified, which implies that it is shared. This can be
1237 done only for inbound entries. You need to have an equivalent entry to protect
1238 outbound traffic so that the outbound traffic is authenticated as well, remove
1245 # All the inbound traffic to the telnet port should be
1258 \fBExample 5 \fRVerifying Inbound Traffic is Null-Encrypted
1261 The first entry specifies that any packet with address host-B should not be
1262 checked against any policies. The second entry specifies that all inbound
1263 traffic from network-B should be encrypted with a \fBNULL\fR encryption
1264 algorithm and the \fBMD5\fR authentication algorithm. \fBNULL\fR encryption
1265 implies that \fBESP\fR header will be used without encrypting the datagram. As
1266 the first entry is \fBbypass\fR it need not be given first in order, as
1267 \fBbypass\fR entries have the highest precedence. Thus any inbound traffic will
1268 be matched against all \fBbypass\fR entries before any other policy entries.
1274 # Make sure that all inbound traffic from network-B is NULL
1275 # encrypted, but bypass for host-B alone from that network.
1276 # Add the bypass first.
1282 # Now add for network-B.
1294 \fBExample 6 \fREntries to Bypass Traffic from IPsec
1297 The first two entries provide that any datagram leaving the machine with source
1298 port 53 or coming into port number 53 should not be subjected to IPsec policy
1299 checks, irrespective of any other policy entry in the system. Thus the latter
1300 two entries will be considered only for ports other than port number 53.
1306 # Bypass traffic for port no 53
1308 {lport 53} bypass {}
1309 {rport 53} bypass {}
1310 {raddr spiderweb } ipsec {encr_algs any sa unique}
1315 \fBExample 7 \fRProtecting Outbound Traffic
1320 # Protect the outbound traffic from all interfaces.
1322 {raddr spiderweb dir out} ipsec {auth_algs any sa unique}
1328 If the \fBgethostbyname\fR(3XNET) call for spiderweb yields multiple addresses,
1329 multiple policy entries will be added for all the source address with the same
1339 } ipsec {auth_algs any sa unique}
1345 If the \fBgethostbyname\fR(3XNET) call for spiderweb and the
1346 \fBgethostbyname\fR(3XNET) call for arachnid yield multiple addresses, multiple
1347 policy entries will be added for each (\fBsaddr\fR \fBdaddr\fR) pair with the
1348 same properties. Use \fBipsecconf\fR \fB-l\fR to view all the policy entries
1352 \fBExample 8 \fRBypassing Unauthenticated Traffic
1357 # Protect all the outbound traffic with ESP except any traffic
1358 # to network-b which should be authenticated and bypass anything
1361 {raddr network-b/16 dir out} ipsec {auth_algs any}
1362 {dir out} ipsec {encr_algs any}
1363 {raddr network-c/16 dir out} bypass {} # NULL properties
1369 Note that \fBbypass\fR can be given anywhere and it will take precedence over
1370 all other entries. \fBNULL\fR pattern matches all the traffic.
1373 \fBExample 9 \fREncrypting IPv6 Traffic with 3DES and MD5
1376 The following entry on the host with the link local address
1377 \fBfe80::a00:20ff:fe21:4483\fR specifies that any outbound traffic between the
1378 hosts with IPv6 link-local addresses \fBfe80::a00:20ff:fe21:4483\fR and
1379 \fBfe80::a00:20ff:felf:e346\fR must be encrypted with \fB3DES\fR and \fBMD5.\fR
1385 laddr fe80::a00:20ff:fe21:4483
1386 raddr fe80::a00:20ff:felf:e346
1396 \fBExample 10 \fRVerifying IPv6 Traffic is Authenticated with SHA1
1399 The following two entries require that all IPv6 traffic to and from the IPv6
1400 site-local network \fBfec0:abcd::0/32\fR be authenticated with \fBSHA1\fR.
1405 {raddr fec0:abcd::0/32} ipsec { auth_algs SHA1 }
1410 \fBExample 11 \fRKey Lengths
1414 # use aes at any key length
1415 {raddr spiderweb} ipsec {encr_algs aes}
1417 # use aes with a 192 bit key
1418 {raddr spiderweb} ipsec {encr_algs aes(192)}
1420 # use aes with any key length up to 192 bits
1421 # i.e. 192 bits or less
1422 {raddr spiderweb} ipsec {encr_algs aes(..192)}
1424 # use aes with any key length of 192 or more
1425 # i.e. 192 bits or more
1426 {raddr spiderweb} ipsec {encr_algs aes(192..)}
1428 #use aes with any key from 192 to 256 bits
1429 {raddr spiderweb} ipsec {encr_algs aes(192..256)}
1431 #use any algorithm with a key of 192 bits or longer
1432 {raddr spiderweb} ipsec {encr_algs any(192..)}
1437 \fBExample 12 \fRCorrect and Incorrect Policy Entries
1440 The following are examples of correctly formed policy entries:
1445 { raddr that_system rport telnet } ipsec { encr_algs 3des encr_auth_algs
1457 { raddr that_system rport telnet } ipsec
1458 { encr_algs 3des encr_auth_algs sha1 sa shared}
1460 { raddr that_system rport telnet } ipsec
1461 { encr_algs 3des encr_auth_algs sha1 sa shared} or ipsec
1462 { encr_algs aes encr_auth_algs sha1 sa shared}
1469 \&...and the following is an incorrectly formed entry:
1474 { raddr that_system rport telnet } ipsec
1475 { encr_algs 3des encr_auth_algs sha1 sa shared}
1476 or ipsec { encr_algs aes encr_auth_algs sha1 sa shared}
1483 In the preceding, incorrect entry, note that the third line begins with "\fBor
1484 ipsec\fR". Such an entry causes \fBipsecconf\fR to return an error.
1487 \fBExample 13 \fRAllowing Neighbor Discovery to Occur in the Clear
1490 The following two entries require that all IPv6 traffic to and from the IPv6
1491 site-local network \fBfec0:abcd::0/32\fR be authenticated with SHA1. The second
1492 entry allows neighbor discovery to operate correctly.
1497 {raddr fec0:abcd::0/32} ipsec { auth_algs SHA1 }
1498 {raddr fec0:abcd::0/32 ulp ipv6-icmp type 133-137 dir both }
1504 \fBExample 14 \fRUsing "or"
1507 The following entry allows traffic using the AES or Blowfish algorithms from
1508 the remote machine spiderweb:
1513 {raddr spiderweb} ipsec {encr_algs aes} or ipsec {encr_algs blowfish}
1518 \fBExample 15 \fRConfiguring a Tunnel to be Backward-Compatible with Solaris 9
1521 The following example is equivalent to "\fBencr_algs aes encr_auth_algs md5\fR"
1522 in \fBifconfig\fR(1M):
1527 {tunnel ip.tun0 negotiate transport} ipsec {encr_algs aes
1533 \fBExample 16 \fRConfiguring a Tunnel to a VPN client with an Assigned Address
1536 The following example assumes a distinct "inside" network with its own
1537 topology, such that a client's default route goes "inside".
1542 # Unlike route(1m), the default route has to be spelled-out.
1543 {tunnel ip.tun0 negotiate tunnel raddr client-inside/32
1544 laddr 0.0.0.0/0} ipsec {encr_algs aes encr_auth_algs sha1}
1549 \fBExample 17 \fRTransit VPN router between Two Tunnelled Subnets and a Third
1552 The following example specifies a configuration for a VPN router that routes
1553 between two tunnelled subnets and a third subnet that is on-link. Consider
1554 remote-site A, remote-site B, and local site C, each with a \fB/24\fR address
1560 # ip.tun0 between me (C) and remote-site A.
1561 # Cover remote-site A to remote-side B.
1562 {tunnel ip.tun0 negotiate tunnel raddr A-prefix/24 laddr
1563 B-prefix/24} ipsec {encr_algs 3des encr_auth_algs md5}
1565 # Cover remote-site A traffic to my subnet.
1566 {tunnel ip.tun0 negotiate tunnel raddr A-prefix/24 laddr
1567 C-prefix/24} ipsec {encr_algs 3des encr_auth_algs md5}
1569 # ip.tun1 between me (C) and remote-site B.
1570 # Cover remote-site B to remote-site A.
1571 {tunnel ip.tun1 negotiate tunnel raddr B-prefix/24 laddr
1572 A-prefix/24} ipsec {encr_algs aes encr_auth_algs sha1}
1574 # Cover remote-site B traffic to my subnet.
1575 {tunnel ip.tun1 negotiate tunnel raddr B-prefix/24 laddr
1576 C-prefix/24} ipsec {encr_algs aes encr_auth_algs md5}
1583 \fB\fB/var/run/ipsecpolicy.conf\fR\fR
1587 Cache of IPsec policies currently configured for the system, maintained by
1588 \fBipsecconf\fR command. Do not edit this file.
1594 \fB\fB/etc/inet/ipsecinit.conf\fR\fR
1598 File containing IPsec policies to be installed at system restart by the
1599 \fBpolicy\fR \fBsmf\fR(5) service. See \fBNOTES\fR for more information.
1605 \fB\fB/etc/inet/ipsecinit.sample\fR\fR
1609 Sample input file for \fBipseconf\fR.
1614 See \fBattributes\fR(5) for descriptions of the following attributes:
1622 ATTRIBUTE TYPE ATTRIBUTE VALUE
1624 Interface Stability Committed
1629 \fBauths\fR(1), \fBprofiles\fR(1), \fBsvcprop\fR(1), \fBsvcs\fR(1),
1630 \fBin.iked\fR(1M), \fBinit\fR(1M), \fBifconfig\fR(1M), \fBipsecalgs\fR(1M),
1631 \fBipseckey\fR(1M), \fBsvcadm\fR(1M), \fBsvccfg\fR(1M),
1632 \fBgethostbyname\fR(3NSL), \fBaccept\fR(3SOCKET), \fBconnect\fR(3SOCKET),
1633 \fBgethostbyname\fR(3XNET), \fBgetnetbyname\fR(3XNET),
1634 \fBgetprotobyname\fR(3XNET), \fBgetservbyname\fR(3XNET),
1635 \fBgetaddrinfo\fR(3SOCKET), \fBsocket\fR(3SOCKET), \fBike.config\fR(4),
1636 \fBnsswitch.conf\fR(4), \fBprof_attr\fR(4), \fBuser_attr\fR(4),
1637 \fBattributes\fR(5), \fBrbac\fR(5), \fBsmf\fR(5), \fBipsecah\fR(7P),
1638 \fBipsecesp\fR(7P), \fBpf_key\fR(7P)
1641 Glenn, R. and Kent, S. \fIRFC 2410, The NULL Encryption Algorithm and Its Use
1642 With IPsec\fR. The Internet Society. 1998.
1645 Kent, S. and Atkinson, R. \fIRFC 2402, IP Authentication Header\fR.The Internet
1649 Kent, S. and Atkinson, R. \fIRFC 2406, IP Encapsulating Security Payload
1650 (ESP)\fR. The Internet Society. 1998.
1653 Madsen, C. and Glenn, R. \fIRFC 2403, The Use of HMAC-MD5-96 within ESP and
1654 AH\fR. The Internet Society. 1998.
1657 Madsen, C. and Glenn, R. \fIRFC 2404, The Use of HMAC-SHA-1-96 within ESP and
1658 AH\fR. The Internet Society. 1998.
1661 Madsen, C. and Doraswamy, N. \fIRFC 2405, The ESP DES-CBC Cipher Algorithm With
1662 Explicit IV\fR. The Internet Society. 1998.
1665 Pereira, R. and Adams, R. \fIRFC 2451, The ESP CBC-Mode Cipher Algorithms\fR.
1666 The Internet Society. 1998.
1669 Frankel, S. and Kelly, R. Glenn, \fIThe AES Cipher Algorithm and Its Use With
1674 \fBBad "string" on line \fIN\fR.\fR
1678 \fBDuplicate "string" on line \fIN\fR.\fR
1682 \fIstring\fR refers to one of the names in pattern or properties. A Bad string
1683 indicates that an argument is malformed; a Duplicate string indicates that
1684 there are multiple arguments of a similar type, for example, multiple Source
1691 \fBInterface name already selected\fR
1695 Dual use of \fB-i\fR \fIname\fR and \fIname\fR,\fIindex\fR for an index.
1701 \fBError before or at line \fIN\fR.\fR
1705 Indicates parsing error before or at line \fIN\fR.
1711 \fBNon-existent index\fR
1715 Reported when the \fIindex\fR for delete is not a valid one.
1721 \fBspd_msg return: File exists\fR
1725 Reported when there is already a policy entry that matches the traffic of this
1731 IPsec manual keys are managed by the service management facility, \fBsmf\fR(5).
1732 The services listed below manage the components of IPsec. These services are
1733 delivered as follows:
1737 svc:/network/ipsec/policy:default (enabled)
1738 svc:/network/ipsec/ipsecalgs:default (enabled)
1739 svc:/network/ipsec/manual-key:default (disabled)
1740 svc:/network/ipsec/ike:default (disabled)
1747 The manual-key service is delivered disabled. The system administrator must
1748 create manual IPsec Security Associations (SAs), as described in
1749 \fBipseckey\fR(1M), before enabling that service.
1752 The policy service is delivered enabled, but without a configuration file, so
1753 that, as a starting condition, packets are not protected by IPsec. After you
1754 create the configuration file \fB/etc/inet/ipsecinit.conf\fR, as described in
1755 this man page, and refresh the service (\fBsvcadm refresh\fR, see below), the
1756 policy contained in the configuration file is applied. If there is an error in
1757 this file, the service enters maintenance mode.
1760 Services that are delivered disabled are delivered that way because the system
1761 administrator must create configuration files for those services before
1762 enabling them. See \fBike.config\fR(4) for the \fBike\fR service.
1765 See \fBipsecalgs\fR(1M) for the \fBipsecalgs\fR service.
1768 The correct administrative procedure is to create the configuration file for
1769 each service, then enable each service using \fBsvcadm\fR(1M).
1772 If the configuration needs to be changed, edit the configuration file then
1773 refresh the service, as follows:
1777 example# \fBsvcadm refresh policy\fR
1784 The \fBsmf\fR(5) framework will record any errors in the service-specific log
1785 file. Use any of the following commands to examine the \fBlogfile\fR property:
1789 example# \fBsvcs -l policy\fR
1790 example# \fBsvcprop policy\fR
1791 example# \fBsvccfg -s policy listprop\fR
1798 The following property is defined for the \fBpolicy\fR service:
1809 This property can be modified using \fBsvccfg\fR(1M) by users who have been
1810 assigned the following authorization:
1814 solaris.smf.value.ipsec
1821 See \fBauths\fR(1), \fBuser_attr\fR(4), \fBrbac\fR(5).
1824 The service needs to be refreshed using \fBsvcadm\fR(1M) before the new
1825 property is effective. General non-modifiable properties can be viewed with the
1826 \fBsvcprop\fR(1) command.
1830 # \fBsvccfg -s ipsec/policy setprop config/config_file = /new/config_file\fR
1831 # \fBsvcadm refresh policy\fR
1838 Administrative actions on this service, such as enabling, disabling,
1839 refreshing, and requesting restart can be performed using \fBsvcadm\fR(1M). A
1840 user who has been assigned the authorization shown below can perform these
1845 solaris.smf.manage.ipsec
1852 The service's status can be queried using the \fBsvcs\fR(1) command.
1855 The \fBipsecconf\fR command is designed to be managed by the \fBpolicy\fR
1856 \fBsmf\fR(5) service. While the \fBipsecconf\fR command can be run from the
1857 command line, this is discouraged. If the \fBipsecconf\fR command is to be run
1858 from the command line, the \fBpolicy\fR \fBsmf\fR(5) service should be disabled
1859 first. See \fBsvcadm\fR(1M).