'\" te
.\" Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
.TH ikev2.preshared 4 "2 Jan 2014" "SunOS 5.11" "File Formats"
.SH NAME
ikev2.preshared \- pre-shared keys file for IKEv2
.SH SYNOPSIS
.LP
.nf
\fB/etc/inet/ike/ikev2.preshared\fR
.fi
.SH DESCRIPTION
.sp
.LP
The \fB/etc/inet/ike/ikev2.preshared\fR file contains secret keying material that two \fBIKE\fR instances can use to authenticate each other. Because of the sensitive nature of this data, it should be readable only by the user \fBikeuser\fR.
.sp
.LP
The \fBikev2.preshared\fR file is composed of a list of pre-shared key entries. Each entry must contain key information, as well as one or more label attributes. When the pre-shared key file is loaded, the key information from each entry will be added to all existing IKEv2 rules that match a label in the entry. If a label does not match any existing IKEv2 rule, it is ignored. For information about IKEv2 rules, see the \fBikev2.config\fR(4) man page.
.sp
.LP
A pre-shared key entry may have either a single \fBkey\fR attribute, or \fBlocal_key\fR and/or \fBremote_key\fR attributes. Keys set via the \fBlocal_key\fR and \fBremote_key\fR attributes are used only to compute local AUTH values or to validate remote AUTH values, respectively.
.sp
.LP
Pre-shared keys are delimited by open-curly-brace (\fB{\fR) and close-curly-brace (\fB}\fR) characters. There are four attribute-value pairs allowed inside a pre-shared key:
.sp
.sp
.TS
tab(@);
cw(1.83i) cw(1.83i) cw(1.83i)
lw(1.83i) lw(1.83i) lw(1.83i) .
Name@Value@Example
\fBlabel\fR@ASCII-string@\fB"My IKEv2 rule"\fR
\fBkey\fR@hex-string@\fB1234567890abcdef\fR
\fBlocal_key\fR@hex-string@\fB0x1234567890abcdef\fR
\fBremote_key\fR@ASCII-string@\fB"This is my preshared key"\fR
.TE
.sp
.LP
Comment lines with \fB#\fR appearing in the first column are also legal.
.sp
.LP
An ASCII-string can consist of any valid ASCII character except for NEWLINE.
A backslash (\fB\e\fR) is considered an escape character when it precedes a double quote or itself. Otherwise, a backslash is taken literally.
.sp
.LP
Files in this format can also be used by the \fBikeadm\fR(1M) command to load additional pre-shared keys into a running \fBin.ikev2d\fR(1M) process.
.SH EXAMPLES
.LP
\fBExample 1 \fRA Sample \fBikev2.preshared\fR File
.sp
.LP
The following is an example of an \fBikev2.preshared\fR file:
.sp
.in +2
.nf
#### BEGINNING OF FILE
{
    label "IP identities and PSK auth"
    # Not secure
    key 0001020304050607
}
{
    # Use these pre-shared keys with both rules listed
    label "IP address prefixes and PSK auth"
    label "IPv6 address prefixes and PSK auth"
    # Also not secure
    local_key "This my password"
    remote_key "This their password"
}
{
    # This rule uses pre-shared keys for local auth only
    label "Mixed auth types"
    # Might have been secure if it wasn't published here
    local_key aa567d1fc6a5530e1a2628d4f2f06e73
}
.fi
.in -2
.sp
.LP
Refer to the first example provided in the \fBikev2.config\fR(4) man page for a compatible \fBikev2.config\fR file.
.SH SECURITY
.sp
.LP
If this file is compromised, the attacker can use the pre-shared key values to impersonate this system, and any other systems using the same keys, during the IKEv2 authentication exchange. The full impact of a compromise depends on the IKEv2 configuration and the extent to which keys have been reused.
.sp
.LP
The IKEv2 protocol does not protect the pre-shared keys from brute force or dictionary attacks, so strong keys must be chosen. The IKEv2 protocol specification recommends that pre-shared keys contain as much randomness as the strongest keys to be negotiated using the protocol, and that plain-text passwords never be used.
.sp
.LP
The default and recommended file permissions for \fBikev2.preshared\fR are \fB0600\fR. The \fBpfedit\fR(1M) command should not be used to modify this file, as it has the potential to put sensitive keying material into the audit log.
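As an added illustration of the file format described above (constructed example code, not part of this man page and not Oracle's \fBin.ikev2d\fR implementation), the following Python parser reads \fBikev2.preshared\fR entries: it applies the backslash-escape rule for ASCII-strings, accepts hex-strings with or without a \fB0x\fR prefix for the three key attributes (the sample file above uses both forms for \fBlocal_key\fR), rejects an entry that lacks a label or mixes \fBkey\fR with \fBlocal_key\fR/\fBremote_key\fR, and then attaches keys to rules by label, ignoring labels that name no rule. One assumption beyond the page: comment lines are recognised even when blanks precede the \fB#\fR.

```python
# Constructed example parser for the ikev2.preshared(4) format; not Oracle's code.
import re
_TOKEN = re.compile(r'"((?:\\[\\"]|[^"])*)"|(\S+)')  # quoted ASCII-string | bare word
_KEYS = ("key", "local_key", "remote_key")
def _key_bytes(quoted, val):
    """ASCII-string -> its bytes; hex-string (optional 0x prefix) -> decoded bytes."""
    if quoted:
        return val.encode("ascii")
    return bytes.fromhex(val[2:] if val[:2].lower() == "0x" else val)  # raises on bad hex
def parse_preshared(text):
    """Return entries as {'label': [...], 'key' | 'local_key' | 'remote_key': bytes}."""
    toks = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # comment line (leading blanks tolerated here)
            continue
        for q, w in _TOKEN.findall(line):
            # Backslash escapes only a double quote or itself; any other backslash is literal.
            toks.append((False, w) if w else (True, re.sub(r'\\([\\"])', r"\1", q)))
    entries, cur, i = [], None, 0
    while i < len(toks):
        quoted, tok = toks[i]
        if not quoted and tok == "{" and cur is None:
            cur, i = {"label": []}, i + 1
        elif not quoted and tok == "}" and cur is not None:
            # An entry needs a label and either key, or local_key and/or remote_key.
            if not cur["label"] or ("key" in cur) == any(k in cur for k in _KEYS[1:]):
                raise ValueError("malformed entry %r" % cur)
            entries.append(cur)
            cur, i = None, i + 1
        elif cur is None or quoted or tok not in ("label",) + _KEYS or i + 1 >= len(toks):
            raise ValueError("unexpected token %r" % tok)
        elif tok == "label":
            if not toks[i + 1][0]:
                raise ValueError("label must be a quoted ASCII-string")
            cur["label"].append(toks[i + 1][1])
            i += 2
        else:
            cur[tok] = _key_bytes(*toks[i + 1])
            i += 2
    if cur is not None:
        raise ValueError("missing '}'")
    return entries
def keys_for_rules(entries, rule_labels):
    """Attach each entry's keys to every existing rule it labels; other labels are ignored."""
    rules = {r: {} for r in rule_labels}
    for e in entries:
        for lab in e["label"]:
            if lab in rules:
                rules[lab].update((k, e[k]) for k in _KEYS if k in e)
    return rules
```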
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
.TS
tab(@) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i) .
ATTRIBUTE TYPE@ATTRIBUTE VALUE
_
Availability@\fBnetwork/ike\fR
_
Interface Stability@\fBCommitted\fR
.TE
.SH SEE ALSO
.sp
.LP
\fBikeadm\fR(1M), \fBin.ikev2d\fR(1M), \fBikev2.config\fR(4), \fBipseckey\fR(1M), \fBattributes\fR(5), \fBrandom\fR(7D)