ipsecd(8)
NAME
ipsecd - The IP Security (IPsec) daemon
SYNOPSIS
/usr/sbin/ipsecd [-b] [-d] [-h] [-l] [-p] [-f file] [-m level] [-o file]
OPTIONS
-b Reads the default backup SPD file (/etc/ipsec.spd.bak). This overrides
the normal default SPD file (/etc/ipsec.spd) and any file specified
with the -f option. If the daemon is subsequently signaled to reload,
it will use the normal default SPD file or the policy file specified
with -f. Use this option when restarting the daemon after a failure
that might be due to an invalid policy file.
-d Runs as a daemon process, detached from the controlling terminal. You
should typically run ipsecd with this option.
-e Reserved.
-f file
Specifies the IPsec Security Policy Database (SPD) file that the daemon
should read. The default file is /etc/ipsec.spd.
-h Displays a summary of command line options and exits.
-l Logs packets that do not match any selectors to the
/var/adm/syslog.dated/current/auth.log file. You can also enable this
option from within the SysMan Menu IPsec application.
-m level
Specifies the message level for messages reported by the ipsecd daemon.
Valid values for the message level are as follows:
0 Very quiet mode. The ipsecd daemon reports only warnings and
errors.
1 Default mode. In addition to warnings and errors, the ipsecd daemon
reports limited messages for each IKE negotiation.
2 Verbose mode. In addition to warnings and errors, the ipsecd daemon
reports detailed messages about each IKE negotiation.
-o file
Redirects debugging output to the specified file.
-p Parses the SPD file, reports any syntax errors, and exits without
starting the daemon. Some policy errors cannot be detected until the
policy takes effect; this option does not catch them.
DESCRIPTION
The ipsecd daemon controls the operation of the IP security protocols in
the system. It combines the function of an IPsec policy manager and
Internet Key Exchange (IKE) daemon.
When started, ipsecd reads and parses the specified Security Policy
Database (SPD) file. The daemon transfers the information needed for
enforcing the policy into the IPsec kernel packet processing engine.
The daemon manages all requests to create security associations (SAs)
needed to communicate securely with other IPsec systems. It receives
Internet Key Exchange (IKE) requests from other systems, validates that
they match local policy, and generates the cryptographic keys needed for
the SAs. The daemon initiates IKE exchanges with other systems in
response to requests from the kernel packet processing engine. The kernel
and the daemon communicate through the /dev/ipsec_engine pseudo-device. By
default, the daemon listens on UDP port 500 for IKE traffic with other
systems.
When IPsec is enabled on the system, the default action is to drop all IP
packets into and out of the system. The ipsecd daemon must be running to
instantiate a policy that allows packets to flow; if the daemon is not
started, or it exits or is killed, all network traffic is blocked. The
daemon is started automatically at system boot time if IPsec is enabled.
If ipsecd receives a HUP signal, it rereads its SPD file and instantiates a
new security policy. If an existing connection rule is modified by the new
policy, the SAs associated with that connection will be deleted. Other
existing SAs will remain in effect until they reach the end of their
configured lifetimes.
You typically manage IPsec by using the SysMan IPsec application. However,
you can manage the daemon directly using the /sbin/init.d/ipsec script. The
following list shows the script options and their action:
/sbin/init.d/ipsec start
Starts ipsecd if IPsec has been enabled through SysMan. After you run
this script, the system is in "IP secure" mode. The ipsecd daemon must
be running in order for IP traffic to flow into and out of the system.
/sbin/init.d/ipsec stop
Stops ipsecd. If the system is in "IP secure" mode, no IP traffic will
flow into or out of the system. If IPsec processing has been disabled
through SysMan, the system is taken out of "IP secure" mode.
/sbin/init.d/ipsec reload
Forces ipsecd to reread its SPD file and enforce a new security policy.
If an existing connection rule is modified by the new policy, the SAs
associated with that connection will be deleted. Other existing SAs
will remain in effect until they reach the end of their configured
lifetimes.
/sbin/init.d/ipsec secure
Places the system into "IP secure" mode. If ipsecd is not running, no
IP traffic will flow into or out of the system.
/sbin/init.d/ipsec unsecure
Takes the system out of "IP secure" mode. If ipsecd is not running, IP
packets will flow with no security processing. If ipsecd is running, IP
packets will flow with existing IPsec policy.
When running in a cluster, the default IPsec SPD file, /etc/ipsec.spd,
applies to all cluster members because the cluster is a single security
domain. A copy of ipsecd runs on each member of the cluster.
FILES
/etc/ipsec.spd
Specifies the default SPD file for the system. The file contains keys
when manual keying or pre-shared keys are in use and must therefore be
readable and writable only by root. In a cluster configuration, this is
a cluster common file and contains the (common) IP security policy for
the cluster.
/etc/ipsec.spd.bak
The SysMan IPsec application saves the previous /etc/ipsec.spd file
with this name whenever the policy is changed (for example, after a
reload signal). If an invalid SPD file is found when the daemon is
started or reloaded, the /sbin/init.d/ipsec script attempts to start
the daemon with this SPD file.
/etc/ipsec_algs.spd
This file contains template IPsec and IKE proposals as well as
configuration parameters that are not changed during normal operation.
SEE ALSO
Commands: ipsec_certmake(8), ipsec_certview(8), ipsec_convert(8),
ipsec_keypaircheck(8), ipsec_keytool(8), ipsec_mgr(8)
Information: ipsec(7)