ipsecd - The IP Security (IPsec) daemon

/usr/sbin/ipsecd [-b] [-d] [-h] [-l] [-f file] [-m level] [-o file]
The option letters below are taken from the synopsis; two options survive on this page only as descriptions, without their letter.

-b
    Reads the default backup SPD file (/etc/ipsec.spd.bak). This overrides the normal default SPD file (/etc/ipsec.spd) and any file specified with the -f option. If the daemon is subsequently signaled to reload, it will use the normal default SPD file or the policy file specified with -f. Use this option when restarting the daemon after a failure that might be due to an invalid policy file.

-d
    Runs as a daemon process, detached from the controlling terminal. You should typically run ipsecd with this option.

(option letter not preserved on this page)
    Reserved.

-f file
    Specifies the IPsec Security Policy Database (SPD) file that the daemon should read. The default file is /etc/ipsec.spd.

-h
    Displays a summary of command line options and exits.

-l
    Logs packets that do not match any selectors to the /var/adm/syslog.dated/current/auth.log file. You can also enable this option from within the SysMan Menu IPsec application.

-m level
    Specifies the message level for messages reported by the ipsecd daemon. Valid values for the message level are as follows (the numeric values are not preserved on this page):
        Very quiet mode. The ipsecd daemon reports only warnings and errors.
        Default mode. In addition to warnings and errors, the ipsecd daemon reports limited messages for each IKE negotiation.
        Verbose mode. In addition to warnings and errors, the ipsecd daemon reports detailed messages about each IKE negotiation.

-o file
    Redirects debugging output to the specified file.

(option letter not preserved on this page)
    Parses the contents of the SPD file, reporting any syntax errors, and then exits. Some policy errors are not detectable until the policy takes effect and will not be reported by this option.
The ipsecd daemon controls the operation of the IP security
protocols in the system. It combines the function of
an IPsec policy manager and Internet Key Exchange (IKE)
daemon.
When started, ipsecd reads and parses the specified Security
Policy Database (SPD) file. The daemon transfers the
information needed for enforcing the policy into the IPsec
kernel packet processing engine.
The daemon manages all requests to create security associations
(SAs) needed to communicate securely with other
IPsec systems. It receives Internet Key Exchange (IKE)
requests from other systems, validates that they match
local policy, and generates the cryptographic keys needed
for the SAs. The daemon initiates IKE exchanges with
other systems in response to requests from the kernel
packet processing engine. The kernel and the daemon communicate
through the /dev/ipsec_engine pseudo-device. By
default, the daemon listens on UDP port 500 for IKE traffic
with other systems.
When IPsec is enabled on the system, the default action is
to drop all IP packets into and out of the system. The
ipsecd daemon must be running to instantiate a policy that
allows packets to flow. If the daemon is not started or is
killed, all network traffic will be blocked. The daemon is
started automatically at system boot time if IPsec is
enabled.
If ipsecd receives a HUP signal, it rereads its SPD file
and instantiates a new security policy. If an existing
connection rule is modified by the new policy, the SAs
associated with that connection will be deleted. Other
existing SAs will remain in effect until they reach the
end of their configured lifetimes.
You typically manage IPsec by using the SysMan IPsec application. However, you can manage the daemon directly using the /sbin/init.d/ipsec script. The following list shows the action of each script option (the option names themselves are not preserved on this page):

    Starts ipsecd if IPsec has been enabled through SysMan. After you run this script, the system is in "IP secure" mode. The ipsecd daemon must be running in order for IP traffic to flow into and out of the system.

    Stops ipsecd. If the system is in "IP secure" mode, no IP traffic will flow into or out of the system. If IPsec processing has been disabled through SysMan, the system is taken out of "IP secure" mode.

    Forces ipsecd to reread its SPD file and enforce a new security policy. If an existing connection rule is modified by the new policy, the SAs associated with that connection will be deleted. Other existing SAs will remain in effect until they reach the end of their configured lifetimes.

    Places the system into "IP secure" mode. If ipsecd is not running, no IP traffic will flow into or out of the system.

    Takes the system out of "IP secure" mode. If ipsecd is not running, IP packets will flow with no security processing. If ipsecd is running, IP packets will flow with existing IPsec policy.
When running in a cluster, the default IPsec SPD file,
/etc/ipsec.spd, applies to all cluster members because
the cluster is a single security domain. A copy of ipsecd
runs on each member of the cluster.
/etc/ipsec.spd
    Specifies the default SPD file for the system. The file will contain keys when manual keying or pre-shared keys are in use. Therefore, the file must have root-only access. In a cluster configuration, this is a cluster common file and contains the (common) IP security policy for the cluster.

/etc/ipsec.spd.bak
    The SysMan IPsec application saves the previous /etc/ipsec.spd file with this name whenever the policy is changed (for example, after a reload signal). If an invalid SPD file is found when the daemon is started or reloaded, the /sbin/init.d/ipsec script attempts to start the daemon with this SPD file.

(file name not preserved on this page)
    This file contains template IPsec and IKE proposals as well as configuration parameters that are not changed during normal operation.
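An added example, not part of the man page: a small sh script that enforces the "root-only access" requirement on a candidate SPD file before installing it as /etc/ipsec.spd, keeps the previous policy as /etc/ipsec.spd.bak (the file the init script falls back to), and then sends ipsecd the HUP signal that makes it reread its policy. Finding the daemon PID with `pgrep -x ipsecd` and the owner argument defaulting to root are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ipsecd man page). Verifies that an SPD file
# is private to its expected owner before it is installed and the daemon
# is signaled to reload. Assumptions: pgrep(1) is available to find ipsecd.

# spd_is_private_to FILE [OWNER]
# Returns 0 only if FILE is a regular file owned by OWNER (default root)
# with no group or other permission bits set (e.g. -rw-------).
spd_is_private_to() {
    f="$1"
    want="${2:-root}"
    [ -f "$f" ] || return 1
    # ls -ld prints: MODE LINKS OWNER GROUP SIZE ... NAME
    set -- $(ls -ld "$f") || return 1
    mode="$1"
    owner="$3"
    [ "$owner" = "$want" ] || return 1
    # mode string: type, then user/group/other triplets; a trailing
    # "+" or "." (ACL/label marker on some systems) is tolerated.
    case "$mode" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# spd_install_and_reload NEWFILE [SPD] [BACKUP]
# Refuses a world- or group-readable policy (it may hold pre-shared
# keys), preserves the current policy as the backup the init script
# restarts from, installs the new one and signals ipsecd to reread it.
spd_install_and_reload() {
    new="$1"
    spd="${2:-/etc/ipsec.spd}"
    bak="${3:-/etc/ipsec.spd.bak}"
    spd_is_private_to "$new" || {
        echo "refusing $new: must be owned by root with mode 0600" >&2
        return 1
    }
    if [ -f "$spd" ]; then
        cp -p "$spd" "$bak" || return 1
    fi
    cp -p "$new" "$spd" || return 1
    pid=$(pgrep -x ipsecd) || { echo "ipsecd is not running" >&2; return 1; }
    kill -HUP "$pid"
}
```

If the reload leaves the daemon unable to start, restart it with -b so it reads the preserved /etc/ipsec.spd.bak while the new file is corrected.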
Commands: ipsec_certmake(8), ipsec_certview(8), ipsec_convert(8), ipsec_keypaircheck(8), ipsec_keytool(8), ipsec_mgr(8)

Information: ipsec(7)
ipsecd(8)