Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1m‎ > ‎


     ipsecalgs - configure the  IPsec  protocols  and  algorithms


     ipsecalgs -l

     ipsecalgs -s

     ipsecalgs -a [-P protocol-number | -p protocol-name] -k keylen-list
          [-i inc] [-K default-keylen] -b blocklen-list -n alg-names
          -N alg-number -m mech-name [-f] [-s]

     ipsecalgs -P protocol-number -p protocol-name
          [-e exec-mode] [-f] [-s]

     ipsecalgs -r -p protocol-name [] -n alg-name [-s]

     ipsecalgs -r -p protocol-name [] -N alg-number [-s]

     ipsecalgs -R -P protocol-number [-s]

     ipsecalgs -R -p protocol-name [-s]

     ipsecalgs -e exec-mode -P protocol-number [-s]

     ipsecalgs -e exec-mode -p protocol-name [-s]

     Use the ipsecalgs command to query and modify the IPsec pro-
     tocol  and algorithms stored in /etc/inet/ipsecalgs. You can
     use the ipsecalgs command to do the following:

         o    list the  currently  defined  IPsec  protocols  and

         o    modify IPsec protocols definitions

         o    modify IPsec algorithms definitions

     Never edit the /etc/inet/ipsecalgs file manually. The  valid
     IPsec  protocols  and algorithms are described by the ISAKMP
     DOI. See RFC  2407.  In  the  general  sense,  a  Domain  of
     Interpretation  (DOI)  defines data formats, network traffic
     exchange types, and conventions for naming security-relevant
     information such as security policies or cryptographic algo-
     rithms and modes. For ipsecalgs, the DOI defines naming  and
     numbering  conventions for algorithms and the protocols they
     belong  to.  These  numbers  are  defined  by  the  Internet
     Assigned Numbers Authority (IANA). Each algorithm belongs to
     a protocol. Algorithm  information  includes  supported  key
     lengths,  block  or  MAC length, and the name of the crypto-
     graphic mechanism  corresponding  to  that  algorithm.  This
     information  is  used by the IPsec modules, ipsecesp(7P) and
     ipsecah(7P), to determine the authentication and  encryption
     algorithms that can be applied to IPsec traffic.

     The following protocols are predefined:

     IPSEC_PROTO_ESP    Defines   the    encryption    algorithms
                        (transforms) that can be used by IPsec to
                        provide data confidentiality.

     IPSEC_PROTO_AH     Defines  the  authentication   algorithms
                        (transforms) that can be used by IPsec to
                        provide authentication.

     The mechanism name specified  by  an  algorithm  entry  must
     correspond   to  a  valid  Solaris  Cryptographic  Framework
     mechanism. You can obtain the list of  available  mechanisms
     by using the cryptoadm(1M) command.

     Applications can retrieve the supported algorithms and their
     associated     protocols     by    using    the    functions
     getipsecalgbyname(3NSL),             getipsecalgbynum(3NSL),
     getipsecprotobyname(3NSL) and getipsecprotobynum(3NSL).

     Modifications to the  protocols  and  algorithm  by  default
     update  only  the contents of the /etc/inet/ipsecalgs confi-
     guration file. In order for the new definitions to  be  used
     for  IPsec  processing,  the changes must be communicated to
     the kernel using the -s option. See NOTES for a  description
     of  how the ipsecalgs configuration is synchronized with the
     kernel at system restart.

     When invoked without arguments, ipsecalgs displays the  list
     of     mappings    that    are    currently    defined    in
     /etc/inet/ipsecalgs. You can obtain the corresponding kernel
     table of protocols and algorithms by using the -l option.

     ipsecalgs supports the following options:

     -a    Adds an algorithm of the protocol specified by the  -P
           option.  The  algorithm name(s) are specified with the
           -n option. The supported key lengths and  block  sizes
           are specified with the -k, -i, and -b options.

     -b    Specifies the block or MAC lengths of an algorithm, in
           bytes.  Set  more  than one block length by separating
           the values with commas.

     -e    Designates  the  execution   mode   of   cryptographic
           requests  for the specified protocol in the absence of
           cryptographic hardware  provider.  See  cryptoadm(1M).
           exec-mode can be one of the following values:

           sync     Cryptographic requests are processed synchro-
                    nously  in  the  absence  of  a cryptographic
                    hardware provider. This execution mode  leads
                    to   better  latency  when  no  cryptographic
                    hardware providers are available

           async    Cryptographic requests are  always  processed
                    asynchronously  in  the  absence  of  crypto-
                    graphic hardware provider. This execution can
                    improve  the resource utilization on a multi-
                    CPU system, but can lead  to  higher  latency
                    when  no cryptographic hardware providers are

           This option can be specified when defining a new  pro-
           tocol  or  to modify the execution mode of an existing
           protocol. By default, the sync execution mode is  used
           in the absence of a cryptographic hardware provider.

     -f    Used with the -a option to force the  addition  of  an
           algorithm  or  protocol if an entry with the same name
           or number already exists.

     -i    Specifies the valid key  length  increments  in  bits.
           This  option  must  be used when the valid key lengths
           for an algorithm are specified by a range with the  -k

     -K    Specifies the default key lengths for an algorithm, in
           bits.  If  the -K option is not specified, the minimum
           key length will be determined as follows:

               o    If the supported key lengths are specified by
                    range,  the  default  key  length will be the
                    minimum key length.

               o    If the supported key lengths are specified by
                    enumeration,  the  default key length will be
                    the first listed key length.

     -k    Specifies the supported key lengths for an  algorithm,
           in  bits.  You can designate the supported key lengths
           by enumeration or by range.

           Without the -i option, -k specifies the supported  key
           lengths by enumeration. In this case, keylen-list con-
           sists of a list of one or more key  lengths  separated
           by commas, for example:


           The listed key lengths need not be increasing, and the
           first  listed  key  length will be used as the default
           key length for that algorithm unless the -K option  is

           With the -i option, -k specifies  the  range  of  sup-
           ported  key lengths for the algorithm. The minimum and
           maximum key lengths must be separated by a dash  ('-')
           character, for example:


     -l    Displays the kernel algorithm tables.

     -m    Specifies the  name  of  the  cryptographic  framework
           mechanism name corresponding to the algorithm. Crypto-
           graphic framework  mechanisms  are  described  in  the
           cryptoadm(1M) man page.

     -N    Specifies an algorithm number.  The  algorithm  number
           for  a protocol must be unique. IANA manages the algo-
           rithm numbers. See RFC 2407.

     -n    Specifies one or more names  for  an  algorithm.  When
           adding an algorithm with the -a option, alg-names con-
           tains a string or a comma-separated list  of  strings,
           for example:


           When used with the -r option to remove  an  algorithm,
           alg-names contains one of the valid algorithm names.

     -P    Adds a protocol of the number specified  by  protocol-
           number  with the name specified by the -p option. This
           option is also used to specify an IPsec protocol  when
           used  with the -a and the -R options. Protocol numbers
           are managed by the IANA. See RFC 2407.

     -p    Specifies the name of the IPsec protocol.

     -R    Removes and IPsec protocol from the  algorithm  table.
           The  protocol  can be specified by number by using the
           -P option or by name by using the -p option. The algo-
           rithms  associated  with  the  protocol are removed as

     -r    Removes the mapping for an algorithm The algorithm can
           be  specified  by algorithm number using the -N option
           or by algorithm name using the -A option.

     -s    Synchronizes  the  kernel   with   the   contents   of
           /etc/inet/ipsecalgs.       The       contents       of
           /etc/inet/ipsecalgs are always updated, but new infor-
           mation is not passed on to the kernel unless the -s is
           used. See NOTES for a description of how the ipsecalgs
           configuration  is synchronized with the kernel at sys-
           tem restart.

     Example 1 Adding a Protocol for IPsec Encryption

     The following example shows how to add a protocol for  IPsec

       example# ipsecalgs -P 3 -p "IPSEC_PROTO_ESP"

     Example 2 Adding the Blowfish Algorithm

     The following example shows how to add  the  Blowfish  algo-

       example# ipsecalgs -a -P 3 -k 32-488 -K 128 -i 8 -n "blowfish" \
         -b 8 -N 7 -m CKM_BF_CBC

     Example 3 Updating the Kernel Algorithm Table

     The following example updates  the  kernel  algorithm  table
     with  the  currently  defined protocol and algorithm defini-

       example# svcadm refresh ipsecalgs


         File that contains the configured  IPsec  protocols  and
         algorithm definitions. Never edit this file manually.

     See attributes(5) for descriptions of the  following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWcsu                     |
    | Interface Stability         | Evolving                    |

     cryptoadm(1M),  ipsecconf(1M),   ipseckey(1M),   svcadm(1M),
     getipsecalgbyname(3NSL),          getipsecprotobyname(3NSL),
     ike.config(4),    attributes(5),    smf(5),     ipsecah(7P),

     Piper, Derrell, RFC 2407, The Internet IP Security Domain of
     Interpretation  for  ISAKMP. Network Working Group. November

     When protocols or algorithm definitions that are removed  or
     altered,  services  that  rely  upon  these  definitions can
     become unavailable. For example, if the IPSEC_PROTO_ESP pro-
     tocol  is  removed,  then  IPsec  cannot encrypt and decrypt

     Synchronization of the ipsecalgs configuration with the ker-
     nel  at  system  startup is provided by the following smf(5)


     The IPsec services are delivered as follows:

       svc:/network/ipsec/policy:default (enabled)
       svc:/network/ipsec/ipsecalgs:default (enabled)
       svc:/network/ipsec/manual-key:default (disabled)
       svc:/network/ipsec/ike:default (disabled)

     Services that are delivered disabled are delivered that  way
     because  the  system administrator must create configuration
     files  for  those  services  before   enabling   them.   See
     ipseckey(1M)  and  ike.config(4). The default policy for the
     policy service is to allow all traffic to pass without IPsec
     protection. See ipsecconf(1M).

     The correct administrative procedure is to create the confi-
     guration  file  for  each  service, then enable each service
     using svcadm(1M), as shown in the following example:

       example# svcadm enable ipsecalgs

     The service's status can be queried using the  svcs(1)  com-

     If the ipsecalgs configuration is modified, the  new  confi-
     guration should be resynchronized as follows:

       example# svcadm refresh ipsecalgs

     Administrative actions on this service,  such  as  enabling,
     disabling,  refreshing,  and  requesting restart can be per-
     formed using svcadm(1M). A user who has  been  assigned  the
     authorization shown below can perform these actions:


     See auths(1), user_attr(4), rbac(5).

     The  ipsecalgs  smf(5)  service  does  not  have  any  user-
     configurable properties.

     The smf(5) framework records  any  errors  in  the  service-
     specific  log  file.  Use  any  of the following commands to
     examine the logfile property:

       example# svcs -l ipsecalgs
       example# svcprop ipsecalgs
       example# svccfg -s ipsecalgs listprop

     This command requires sys_ip_config privilege to operate and
     thus  can  run in the global zone and in exclusive-IP zones.
     All shared-IP zones share the same available  set  of  algo-
     rithms;  however, you can use ipsecconf(1M) to set up system
     policy that uses differing algorithms for various  shared-IP
     zones.  All  exclusive-IP  zones have their own set of algo-

Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.