ipsecd man page on OSF1


ipsecd(8)							     ipsecd(8)

NAME
       ipsecd - The IP Security (IPsec) daemon

SYNOPSIS
       /usr/sbin/ipsecd [-b] [-d] [-h] [-l] [-f file] [-m level] [-o file]

OPTIONS
       -b     Reads the default backup SPD file (/etc/ipsec.spd.bak). This
              overrides the normal default SPD file (/etc/ipsec.spd) and any
              file specified with the -f option. If the daemon is subsequently
              signaled to reload, it will use the normal default SPD file or
              the policy file specified with -f. Use this option when
              restarting the daemon after a failure that might be due to an
              invalid policy file.

       -d     Runs as a daemon process, detached from the controlling
              terminal. You should typically run ipsecd with this option.

       Reserved.

       -f file
              Specifies the IPsec Security Policy Database (SPD) file that
              the daemon should read. The default file is /etc/ipsec.spd.

       -h     Displays a summary of command line options and exits.

       -l     Logs packets that do not match any selectors to the
              /var/adm/syslog.dated/current/auth.log file. You can also
              enable this option from within the SysMan Menu IPsec
              application.

       -m level
              Specifies the message level for messages reported by the ipsecd
              daemon. Valid values for the message level are as follows:

              Very quiet mode. The ipsecd daemon reports only warnings and
              errors.

              Default mode. In addition to warnings and errors, the ipsecd
              daemon reports limited messages for each IKE negotiation.

              Verbose mode. In addition to warnings and errors, the ipsecd
              daemon reports detailed messages about each IKE negotiation.

       -o file
              Redirects debugging output to the specified file.

       Parses the contents of the SPD file, reporting any syntax errors, and
       then exits. There may be policy errors which are not detectable until
       the policy takes effect and will not be detected by this option.

DESCRIPTION
       The  ipsecd  daemon controls the operation of the IP security protocols
       in the system. It combines the function of an IPsec policy manager  and
       Internet Key Exchange (IKE) daemon.

       When  started,  ipsecd  reads  and parses the specified Security Policy
       Database (SPD) file. The daemon transfers the  information  needed  for
       enforcing the policy into the IPsec kernel packet processing engine.

       The daemon manages all requests to create security associations (SAs)
       needed to communicate securely with other IPsec systems. It receives
       Internet Key Exchange (IKE) requests from other systems, validates that
       they match local policy, and generates the cryptographic keys needed
       for the SAs. The daemon initiates IKE exchanges with other systems in
       response to requests from the kernel packet processing engine. The
       kernel and the daemon communicate through the /dev/ipsec_engine
       pseudo-device. By default, the daemon listens on UDP port 500 for IKE
       traffic with other systems.

       When IPsec is enabled on the system, the default action is to drop all
       IP packets into and out of the system. The ipsecd daemon must be
       running to instantiate a policy that allows packets to flow. If the
       daemon is not started or is killed, all network traffic will be
       blocked. The daemon is started automatically at system boot time if
       IPsec is enabled.

       If ipsecd receives a HUP signal, it rereads its SPD file and
       instantiates a new security policy. If an existing connection rule is
       modified by the new policy, the SAs associated with that connection
       will be deleted. Other existing SAs will remain in effect until they
       reach the end of their configured lifetimes.

       You typically manage IPsec by using the SysMan IPsec application.
       However, you can manage the daemon directly using the
       /sbin/init.d/ipsec script. The following list shows the script options
       and their action:

       Starts ipsecd if IPsec has been enabled through SysMan. After you run
       this script, the system is in "IP secure" mode. The ipsecd daemon must
       be running in order for IP traffic to flow into and out of the system.

       Stops ipsecd. If the system is in "IP secure" mode, no IP traffic will
       flow into or out of the system. If IPsec processing has been disabled
       through SysMan, the system is taken out of "IP secure" mode.

       Forces ipsecd to reread its SPD file and enforce a new security policy.
       If an existing connection rule is modified by the new policy, the SAs
       associated with that connection will be deleted. Other existing SAs
       will remain in effect until they reach the end of their configured
       lifetimes.

       Places the system into "IP secure" mode. If ipsecd is not running, no
       IP traffic will flow into or out of the system.

       Takes the system out of "IP secure" mode. If ipsecd is not running, IP
       packets will flow with no security processing. If ipsecd is running, IP
       packets will flow with existing IPsec policy.

       When  running in a cluster, the default IPsec SPD file, /etc/ipsec.spd,
       applies to all cluster members because the cluster is a single security
       domain. A copy of ipsecd runs on each member of the cluster.

FILES
       /etc/ipsec.spd
              Specifies the default SPD file for the system. The file will
              contain keys when manual keying or pre-shared keys are in use.
              Therefore, the file must have root-only access. In a cluster
              configuration, this is a cluster common file and contains the
              (common) IP security policy for the cluster.

       /etc/ipsec.spd.bak
              The SysMan IPsec application saves the previous /etc/ipsec.spd
              file with this name whenever the policy is changed (for
              example, after a reload signal). If an invalid SPD file is
              found when the daemon is started or reloaded, the
              /sbin/init.d/ipsec script attempts to start the daemon with
              this SPD file.

       This file contains template IPsec and IKE proposals as well as
       configuration parameters that are not changed during normal operation.
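
The root-only requirement on the SPD file, as an added example that is not part of the original man page: a POSIX shell check that a policy file is a regular file owned by root with no group or other permission bits. The function names and the optional uid argument are assumptions of this example, and running the same check on /etc/ipsec.spd.bak assumes the saved copy can hold the same keys.

```shell
#!/bin/sh
# Added example, not from the man page. File paths are the ones the page
# names; function names and the optional uid argument are assumptions.

# spd_file_ok FILE [OWNER_UID]
# Succeeds only if FILE is a regular file (not a symlink) owned by
# OWNER_UID (default 0, root) with no group or other permission bits.
spd_file_ok() {
    file=$1
    want_uid=${2:-0}

    # A symlink could point at a file whose mode this check never saw.
    if [ -h "$file" ] || [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file"
        return 1
    fi

    # ls -ln: field 1 is the mode string, field 3 the numeric owner uid.
    # Characters 5-10 of the mode string are the group and other bits.
    meta=$(ls -ln "$file" | awk '{ print substr($1, 5, 6), $3 }')
    grp_oth=${meta% *}
    uid=${meta#* }

    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owned by uid $uid, expected $want_uid"
        return 1
    fi
    if [ "$grp_oth" != "------" ]; then
        echo "$file: group/other bits set ($grp_oth), expected none"
        return 1
    fi
    return 0
}

# audit_spd_files FILE...
# Checks every FILE that exists and fails if any one of them fails.
audit_spd_files() {
    rc=0
    for f in "$@"; do
        if [ -e "$f" ] || [ -h "$f" ]; then
            spd_file_ok "$f" || rc=1
        fi
    done
    return "$rc"
}

# Run as: sh thisfile --audit
if [ "${1:-}" = "--audit" ]; then
    audit_spd_files /etc/ipsec.spd /etc/ipsec.spd.bak
fi
```
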

SEE ALSO
       Commands:   ipsec_certmake(8),	ipsec_certview(8),   ipsec_convert(8),
       ipsec_keypaircheck(8), ipsec_keytool(8), ipsec_mgr(8)

       Information: ipsec(7)

								     ipsecd(8)