1 Reply Latest reply: Aug 12, 2010 12:39 PM by 807567

    ipsec/ike packages for Solaris 10 x86

    807567
      # cat /etc/release
      Solaris 10 8/07 s10x_u4wos_12b X86
      Copyright 2007 Sun Microsystems, Inc. All Rights Reserved.
      Use is subject to license terms.
      Assembled 16 August 2007

      # svcadm enable svc:/network/ipsec/policy:default
      svcadm: Pattern 'svc:/network/ipsec/policy:default' doesn't match any instances
      # svcs -x svc:/network/ipsec/ike:default
      svcs: Pattern 'svc:/network/ipsec/ike:default' doesn't match any instances

      bash-3.00# svcs -l ike
      svcs: Pattern 'ike' doesn't match any instances

      bash-3.00# pkginfo |grep -i cry
      system SUNWcrman Encryption Kit On-Line Manual Pages
      system SUNWcry Crypt Utilities
      system SUNWcryr Solaris Root Crypto
      system SUNWdcaf DCA Crypto Accelerator (usr)
      system SUNWdcar DCA Crypto Accelerator (Root)
      EVO146 SUNWlibgcrypt Libgcrypt - Cryptographic Library
      EVO146 SUNWlibgcrypt-devel Libgcrypt - Cryptographic Library - developer files

      What package am I missing?
      Thanks.
        • 1. Re: ipsec/ike packages for Solaris 10 x86
          807567
          SMF control for IPsec didn't come along until Solaris 10 5/09. You would need this release (this ability is not provided by patches) in order to control IPsec via SMF:

          docs.sun.com Home > Solaris 10 What's New Collection > Solaris 10 5/09 What's New > 1. What's New in the Solaris 10 5/09 Release

          SMF Services for IPsec

          IP security (IPsec) is now managed by the following Solaris Management Facility (SMF) services:

          * svc:/network/ipsec/policy:default – The policy service checks for the /etc/inet/ipsecinit.conf file and feeds the data into the IPsec Security Policy Database (SPD). The policy service must be started and its file, /etc/inet/ipsecinit.conf, must exist for boot-time IPsec policy configuration.
          * svc:/network/ipsec/ike:default – The ike service controls the Internet Key Exchange (IKE) daemon in iked(1M). This service controls ike in a manner similar to other daemon-controlled services like ssh or sendmail.
          * svc:/network/ipsec/manual-key:default – The manual-key service checks for the /etc/inet/secret/ipseckeys file and feeds the keys into the IPsec Security Association Database (SADB). Prior to SMF, the mere existence of the /etc/inet/secret/ipseckeys file was sufficient, but now the service should also be enabled to load manual IPsec keys.
          * svc:/network/ipsec/ipsecalgs:default – The ipsecalgs service is enabled by default and maps Solaris Cryptographic Framework algorithms to their use in IPsec. Changes enabled with ipsecalgs(1M) subsequently refresh the ipsecalgs service.

          The SMF management brings all the SMF features to IPsec, for example, interface consistency, capability of restarting, and fault-tracking.
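
Added example, not part of the original thread: a shell helper that reads the first line of /etc/release and reports whether the IPsec SMF services named above can exist on that release (5/09 or later), printing the commands to use either way. The function names are hypothetical, and the pre-5/09 fallback commands (ipsecconf(1M) and in.iked(1M) run directly) are an assumption drawn from the Solaris 10 man pages, not from the reply.

```sh
#!/bin/sh
# Added example: map a Solaris 10 release line to the way IPsec is started.
# SMF services for IPsec first appear in Solaris 10 5/09 (per the reply above).

# release_stamp LINE -> prints year*100+month (e.g. "8/07" -> 708); fails if
# the line does not look like "... Solaris 10 M/YY ...".
release_stamp() {
    set -- $(printf '%s\n' "$1" |
        sed -n 's/.*Solaris 10 \([0-9]\{1,2\}\)\/\([0-9][0-9]\) .*/\1 \2/p')
    [ $# -eq 2 ] || return 1
    mm=${1#0}; yy=${2#0}          # strip leading zero so 08/09 are not octal
    echo $(( yy * 100 + mm ))
}

# ipsec_smf_supported LINE -> 0 if 5/09 or later, 1 if earlier, 2 if unparsed.
ipsec_smf_supported() {
    stamp=$(release_stamp "$1") || return 2
    [ "$stamp" -ge 905 ]
}

# ipsec_plan LINE -> prints the commands for that release (does not run them).
ipsec_plan() {
    if ! stamp=$(release_stamp "$1"); then
        echo "unrecognized release line: $1" >&2
        return 2
    fi
    if [ "$stamp" -ge 905 ]; then
        echo "svcadm enable svc:/network/ipsec/policy:default"
        echo "svcadm enable svc:/network/ipsec/ike:default"
    else
        # Assumption: pre-SMF hosts load policy and start IKE by hand.
        echo "ipsecconf -a /etc/inet/ipsecinit.conf"
        echo "/usr/lib/inet/in.iked"
    fi
}

# On a live host: ipsec_plan "$(head -1 /etc/release)"
```

For the release shown in the question (8/07), `ipsec_plan` prints the `ipsecconf` and `in.iked` lines, which matches the `svcadm` pattern errors the poster saw.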