IKE Policy File
The configuration file for the IKE policy, /etc/inet/ike/config, manages the keys for
the interfaces that are being protected in the IPsec policy file, /etc/inet/ipsecinit.conf. The IKE
policy file manages keys for IKE, and for the IPsec SAs. The
IKE daemon itself requires keying material in the Phase 1 exchange.
Key management with IKE includes rules and global parameters. An IKE rule identifies
the systems or networks that the keying material secures. The rule also specifies
the authentication method. Global parameters include such items as the path to an
attached hardware accelerator. For examples of IKE policy files, see Configuring IKE With Preshared Keys (Task Map). For examples
and descriptions of IKE policy entries, see the ike.config(4) man page.
The IPsec SAs that IKE supports protect the IP datagrams according to policies
that are set up in the configuration file for the IPsec policy,
/etc/inet/ipsecinit.conf. The IKE policy file determines if perfect forward security (PFS) is used
when creating the IPsec SAs.
The ike/config file can include the path to a library that is implemented
according to the following standard: RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
IKE uses this PKCS #11 library to access hardware for key acceleration and key
The security considerations for the ike/config file are similar to the considerations for
the ipsecinit.conf file. For details, see Security Considerations for ipsecinit.conf and ipsecconf.