1. MDM PKI Interface with SSM
To set up, query and remove IPsec/IKE and PKI on the local workstation, both MDM and SSM manipulate the Solaris IP security database. The interface between MDM and SSM consists mainly of the Solaris IPsec, IKE and PKI config files and the IKE daemon. The way MDM and SSM manipulate these files is compatible with the Solaris standard in terms of the file format and patterns used.
1.1 Provisioning Interface
1.1.1 ike.config
The /etc/inet/ike/config file, the configuration file for IKE policy, contains rules for matching inbound IKE requests. It also contains rules for preparing outbound IKE requests.
The ike.config file is the most important interface between MDM and SSM:
· Either MDM or SSM can create, duplicate, append to, remove or chmod it, etc.
· MDM will create this file if it does not exist (at IKE preshared key); otherwise it will append to/edit it.
· SSM can create it for MDM at rsasig if it does not exist.
· The item definitions and values are shared.
1.1.1.1 Interaction overview
ike.config items | definition | Impact SSM | Impact MDM |
Global parameters shared by MDM and SSM |
p1_nonce_len | Nonce length of Phase1 negotiation | Y | Y |
######## ## Global parameters | cert_root and cert_trust are required for MDM/MSS IKE rsasig. | Y | Y |
cert_root "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20" |
cert_trust "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20" |
ignore_crls | Ignore the CRL (Certificate Revocation List) for root CAs | Y | Y |
# ## Phase 1 transform defaults | | | |
p1_lifetime_secs 28800 | IKE phase1 SAs lifetime | Y | Y |
SSM appended entries ( for instance, default phase1 xform) |
# ## Defaults that individual rules can override. p1_xform { auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des } p2_pfs 0 | Default Phase1 transform | Y | N |
MDM appended IKE preshared rules |
{ label INDEXID_1 | Label used as the search string for in.iked to look up phase 1 policy rules | Y | Y |
local_id_type ip | The type of local address. | SS N** (SSM could display it at M GUI) |
local_addr 47.154.135.86 | local IP address |
remote_addr 47.154.135.81 | remote IP address |
p2_pfs 2 p2_lifetime_secs 28800 | oakley group and the phase2 SA lifetime, used for P2 negotiation |
p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 1 auth_alg sha1 encr_alg des} } | The phase1 transform, authenticated by preshared |
MDM appended IKE rsasig rules |
{ label INDEXID_2 | Label used as the search string for in.iked to look up phase 1 policy rules | Y | Y |
local_id_type dn | The local id type; “dn” means the X.509 distinguished name (DN) | N | Y |
local_addr 47.154.135.86 | local IP address |
local_id "CN=SSM0 47.154.135.86, ST=North Carolina , C=US, L=Research Triangle Park, O=Security, OU=3X20" | The X.509 distinguished name (DN) | Y |
remote_addr 47.154.136.69 | IP address of the remote entry in IPv4 format | N |
remote_id "" | Use remote_addr for access control; a null value means “take any” |
p2_pfs 1 | oakley group used for P2 negotiation |
p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des} } | P1’s transform information |
1.1.1.2 Interaction details
ike.config items | definition | Interaction details/Issues | Solution |
Global parameters shared by MDM and SSM |
p1_nonce_len 20 | Nonce length of Phase1 negotiation | MSS requires 20 for the MDM-MSS IKE rsasig relationship. SSM sets it to 40 as SPFS requires. | MDM forces it to 20. SSM must not overwrite it if it is not null. |
cert_root "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20" cert_trust "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20" | cert_root and cert_trust are required for MDM/MSS IKE rsasig. | Appended by SSM after the certs are generated/installed for MDM. Removed by SSM after the MDM certs are removed. | MDM does not touch it. |
ignore_crls | Ignore the CRL (Certificate Revocation List) for root CAs (as given in cert_root) | Appended by SSM. | If it does not exist, MDM will append it. |
p1_lifetime_secs 28800 | IKE phase1 SA lifetime; it is global and can be overridden by values in the rule entry | SSM sets it to 28800; MDM requires 86400 by default. | If it does not exist, MDM will append that item with 86400. Whatever the global value, MDM sets p1_lifetime to 86400 locally in each IKE rule. |
SSM appended entries ( for instance, default phase1 xform) |
p1_xform { auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des } p2_pfs 0 | # ## Defaults that individual rules can override. | Added by SSM. It comes from the SSPFS installation. | No action required for MDM |
MDM appended IKE preshared rules |
{ label INDEXID_1 | Label used as the search string for in.iked to look up phase 1 policy rules | SSM requires INDEXID_x, where x is the integer identical among this file. | MDM follows SSM’s rule. |
local_id_type ip | The type of local address. | No action required for SSM | MDM always sets it to “ip” for IKE preshared |
local_addr 47.154.135.86 | local IP address | These values are set by the MDM ike scripts, either from operator input or derived from the system. |
remote_addr 47.154.135.81 | remote IP address |
p2_pfs 2 p2_lifetime_secs 28800 | oakley group and the phase2 SA lifetime, used for P2 negotiation |
p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 1 auth_alg sha1 encr_alg des} } | The phase1 transform, authenticated by preshared |
{ | The IKE rsasig rule added by the MDM IKE provisioning scripts | These appended IKE rules are displayed by the SSM GUI. | Added by MDM. Removed by MDM on deletion. |
MDM appended IKE rsasig rules |
label INDEXID_2 | See above for label | | |
local_id_type dn | The local id type; “dn” means the X.509 distinguished name (DN) | No action required for SSM. SSM should not touch it. | MDM always sets it to “dn” at rsasig. |
local_addr 47.154.135.86 | local IP address | | |
local_id "CN=SSM0 47.154.135.86, ST=North Carolina , C=US, L=Research Triangle Park, O=Security, OU=3X20" | The X.509 distinguished name (DN) | SSM must modify it when the MDM certs are replaced/revoked. | MDM first sets its value by retrieving it from the local workstation. Removed by MDM when the IKE rules are deleted. |
remote_addr 47.154.136.69 | IP address of the remote entry in IPv4 format | No action required for SSM. SSM should not touch it. | Set by MDM |
remote_id "" | Use remote_addr for access control; a null value means “take any” | No action required for SSM. SSM should not touch it. | Set by MDM |
p2_pfs 1 | oakley group used for P2 negotiation | No action required for SSM. SSM should not touch it. | This value is set by the MDM ike scripts (the operator) |
p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des} } | P1’s transform information | No action required for SSM. SSM should not modify them. | All these name-value pairs are set by the MDM IKE scripts. MDM sets p1_lifetime locally here, in the rule entry. |
1.1.1.3 Scenario 1: Create ike.config if it does not exist
in.iked refuses to start if this file is missing.
The MDM ike scripts will create this file first, with permission 755, if it does not exist.
SSM will create this file when putting data into it (such as when generating/installing certs).
1.1.1.4 Scenario 2: IKE PSK only
Here is the sample file after MDM IKE phase1 is provisioned with preshared:
p1_lifetime_secs 86400
p1_nonce_len 20
########
{
label INDEXID_1
local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.136.69
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { auth_method preshared oakley_group 2 auth_alg md5 encr_alg 3des}
}
1.1.1.5 Scenario 3: certs installed by SSM when IKE PSK already provisioned
If the IKE phase1 preshared key is already provisioned and the SSM GUI is then used to generate and install certs for MDM, ike.config should look like this:
p1_nonce_len 20
## Global parameters
cert_root "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
--->The following is used by MDM:
#
{
label INDEXID_1
local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.136.69
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 2 auth_alg md5 encr_alg 3des}
}
1.1.1.6 Scenario 4: IKE rsasig provisioned from no security
Here is an example of the file when MDM IKE rsasig is provisioned from no security:
p1_nonce_len 20
## Global parameters
cert_root "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
#
{
label INDEXID_1
local_id_type dn
local_addr 47.154.135.85
local_id "CN=SSM0 47.154.135.85, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
remote_addr 47.154.136.135
remote_id ""
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 2 auth_alg sha1 encr_alg des}
}
1.1.1.7 Scenario 5: IKE transition from PSK to rsasig
The ike.config file is the same as when IKE rsasig is provisioned from no security.
1.1.1.8 Scenario 6: IKE rsasig with IKE PSK co-existence
IKE PSK and IKE rsasig exist together after MDM IKE phase1 is provisioned. Here the IKE rsasig rule and the preshared rule refer to different remote entries:
p1_nonce_len 20
########
## Global parameters
cert_root "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
#
{
label INDEXID_1
local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.135.81
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 1 auth_alg sha1 encr_alg des}
}
{
label INDEXID_2
local_id_type dn
local_addr 47.154.135.86
local_id "CN=SSM0 47.154.135.86, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
remote_addr 47.154.136.69
remote_id ""
p2_pfs 1
p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des}
}
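The ownership rules in 1.1.1.2 can be checked mechanically after either tool has edited the file. The following Python linter is an added example, not MDM or SSM code: it parses the ike.config syntax used in the samples above and reports where a file departs from those rules. The function names and the sample text are constructed, and it assumes that ignore_crls is the only valueless keyword and that INDEXID_x labels are meant to be unique within the file.

```python
import re

TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}"]+')
FLAGS = {"ignore_crls"}              # assumption: the only valueless keyword here
P1_LIFETIME_RANGE = (1800, 172800)   # seconds, the scope given in section 2.1.3


def parse_block(tok, i=0):
    """Return (params, rules, next_index) for the tokens up to the matching '}'."""
    params, rules = {}, []
    while i < len(tok) and tok[i] != "}":
        key = tok[i]
        if key == "{":                              # bare block: one IKE rule
            rule, _, i = parse_block(tok, i + 1)
            rules.append(rule)
        elif key in FLAGS:
            params[key], i = True, i + 1
        elif i + 1 >= len(tok):
            raise ValueError(f"{key} has no value")
        elif tok[i + 1] == "{":                     # nested p1_xform { ... }
            params[key], _, i = parse_block(tok, i + 2)
        else:
            params[key], i = tok[i + 1].strip('"'), i + 2
    return params, rules, i + 1


def lint_ike_config(text):
    """Report where an ike.config departs from the rules in section 1.1.1.2."""
    tokens = TOKEN.findall(re.sub(r"#.*", "", text))    # comments removed first
    glob, rules, _ = parse_block(tokens)
    default_xform = glob.get("p1_xform", {})
    findings, seen = [], set()
    if glob.get("p1_nonce_len") != "20":
        findings.append("p1_nonce_len must be 20 for MDM-MSS rsasig")
    for rule in rules:
        label = rule.get("label", "<no label>")
        xform = rule.get("p1_xform", {})
        if not re.fullmatch(r"INDEXID_\d+", label) or label in seen:
            findings.append(f"{label}: label must be a unique INDEXID_x")
        seen.add(label)
        # A rule without its own auth_method inherits the global default transform.
        method = xform.get("auth_method", default_xform.get("auth_method"))
        want = {"preshared": "ip", "rsa_sig": "dn"}.get(method)
        if want and rule.get("local_id_type") != want:
            findings.append(f"{label}: {method} rule needs local_id_type {want}")
        if method == "rsa_sig" and not ("cert_root" in glob and "cert_trust" in glob):
            findings.append(f"{label}: rsa_sig rule without cert_root/cert_trust")
        # The rule-level lifetime overrides the global one when both are present.
        life = xform.get("p1_lifetime_secs", glob.get("p1_lifetime_secs"))
        lo, hi = P1_LIFETIME_RANGE
        if life is None or not life.isdigit() or not lo <= int(life) <= hi:
            findings.append(f"{label}: effective p1_lifetime_secs {life} out of scope")
    return findings


# Constructed sample: p1_nonce_len reset to 40, cert globals missing, and a second
# rule that reuses a label and keeps local_id_type ip although it is rsa_sig.
DRIFTED = """
p1_nonce_len 40
p1_lifetime_secs 28800
{ label INDEXID_1 local_id_type ip local_addr 192.0.2.10 remote_addr 192.0.2.20
  p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 2 auth_alg sha1 encr_alg 3des } }
{ label INDEXID_1 local_id_type ip local_addr 192.0.2.10 remote_addr 192.0.2.30
  p1_xform { auth_method rsa_sig oakley_group 2 auth_alg sha1 encr_alg 3des } }
"""

if __name__ == "__main__":
    for finding in lint_ike_config(DRIFTED):
        print(finding)
```

Run against the Scenario 2 and Scenario 6 files above, the linter returns no findings.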
1.1.2 Public keys used by MDM
Public keys used by MDM are stored at /etc/inet/ike/publickeys.
The /etc/inet/ike/publickeys directory contains the public part of a public-private key pair and its certificate in files, or “slots”, and is protected at 0755 (not changeable by anyone other than root). The “ikecert certdb” command populates the directory.
MDM ike_add_phase1 (in rsasig mode) checks for the existence of the public keys with /usr/sbin/ikecert certdb -l before going further with the configuration of IKE phase 1 rules.
This directory is filled by SSM when it generates certs for MDM.
These files should be updated by SSM if the certs are replaced/deleted.
1.1.3 Private keys used by MDM
MDM’s private keys are stored at /etc/inet/secret/ike.privatekeys.
The ike.privatekeys directory holds private key files that are part of a public-private key pair, the keying material for ISAKMP SAs. The directory is protected at 0700. Each private key in this database must have a public key counterpart in the publickeys database. The ikecert certlocal command populates this directory. Private keys are not effective until their public key counterparts, self-signed certificates or CAs, are installed in the /etc/inet/ike/publickeys directory.
The MDM application does not populate it explicitly; it relies on SSM, at the succession PKI framework (with CM), to own it (creation/removal and permissions).
This directory is filled by SSM when it generates certs for MDM.
These files should be updated by SSM if the certs are replaced/deleted.
1.1.4 in.iked
in.iked is the Solaris IKE daemon, so far shared by MDM and SSM.
To get the privilege needed to manipulate the IKE database when provisioning IKE between MDM and MSS (such as adding and removing IKE phase1 rules), MDM restarts in.iked with privilege 2 if it is not running or is running without the proper rights.
1.1.4.1 To get the privilege:
"/usr/sbin/ikeadm get priv",
The privilege level should be 2 (can access keying materials); if not, MDM will kill it and start it again.
1.1.4.2 To kill it:
/usr/bin/pkill in.iked
1.1.4.3 To start it:
The IKE daemon is started with privilege 2 as follows:
/usr/lib/inet/in.iked -p 2
1.1.5 ipsec config file
The ipsecconf file, located at /etc/inet/ipsecinit.conf, is shared between MDM and SSM.
At MDM: used for manual key SA configuration (mdm_pki_initial and ipsec***) and IKE phase2 policies.
At SSM: used to configure IKE phase 2 policies.
SSM is enhanced to support the two patterns of IPsec policy entry, pattern1 and pattern2, so that the IPsec policies provisioned by MDM are displayed correctly in the SSM GUI.
The two IPsec policy entry patterns, pattern1 and pattern2, are:
pattern_name_value_pair1 ::=
saddr / |
src / |
srcaddr / |
smask |
sport |
daddr / |
dst / |
dstaddr / |
dmask |
dport |
ulp |
proto
pattern_name_value_pair2 ::=
raddr / |
remote / |
rport |
laddr / |
local / |
lport |
ulp |
1.1.6 ipseckeys
The ipseckeys file, one of the config files for manual IPsec, is located at /etc/inet/secret/.
SSM does not make use of it since it does not support manual-key IPsec. MDM manipulates it through the following MDM scripts:
PKI involved (used to protect TCP 829 for CMP messages)
· mdm_pki_initial_script
· pki_decommissioning_script
After mdm_pki_initial has run, /etc/inet/secret/ipseckeys looks like this example:
=====example Content of /etc/inet/secret/ipseckeys=====
add esp spi 691 proto 6 src 47.154.135.141 sport 829 dst 47.154.136.69 encralg aes encrkey d70c26a909cb52e41432e42ce1eea9a9 authalg sha1 authkey 66ea64653dea86a5d00f90ce14b3e188991360d7
add esp spi 690 proto 6 dst 47.154.135.141 dport 829 src 47.154.136.69 encralg aes encrkey d70c26a909cb52e41432e42ce1eea9a9 authalg sha1 authkey 66ea64653dea86a5d00f90ce14b3e188991360d7
#
#ident "@(#)ipseckeys.sample 1.1 01/09/28 SMI"
#
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# ipseckeys - This file takes the file format documented in ipseckey(1m).
# Note that naming services might not be available when this file
# loads, just like ipsecinit.conf.
#
# This file should be copied into /etc/inet/secret/ipseckeys to load the
# IPsec Security Association Database (SADB). A side-effect of this is that
# IPsec kernel modules will load.
=====End of example Content /etc/inet/secret/ipseckeys=====
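A check for the manual-key file described above, as an added Python example (not one of the MDM scripts): it parses "add esp" entries of the form shown in the example, verifies that each key length fits the named algorithm and that the TCP 829 SAs exist in both directions, and reports findings without echoing key material. The function names, the 192.0.2.x addresses and the keys are constructed for the illustration.

```python
import re

# Hex-digit key lengths for the algorithms in the page's example:
# AES with 128/192/256-bit keys and HMAC-SHA1 with a 160-bit key.
KEY_HEX_LEN = {"aes": {32, 48, 64}, "sha1": {40}}


def parse_sa(line):
    """Turn one 'add esp ...' line into a dict of its name/value pairs."""
    words = line.split()
    if words[:2] != ["add", "esp"] or len(words) % 2:
        raise ValueError("not a complete 'add esp' entry")
    return dict(zip(words[2::2], words[3::2]))


def check_ipseckeys(text, port="829"):
    """Return findings for an ipseckeys file; key material is never echoed."""
    findings, sas = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        try:
            sas.append((n, parse_sa(line)))
        except ValueError as exc:
            findings.append(f"line {n}: {exc}")
    spis = [sa.get("spi") for _, sa in sas]
    for n, sa in sas:
        if spis.count(sa.get("spi")) > 1:
            findings.append(f"line {n}: SPI {sa.get('spi')} is not unique")
        for alg_name, key_name in (("encralg", "encrkey"), ("authalg", "authkey")):
            alg, key = sa.get(alg_name), sa.get(key_name, "")
            ok = re.fullmatch(r"[0-9a-fA-F]+", key) and len(key) in KEY_HEX_LEN.get(alg, ())
            if not ok:
                findings.append(f"line {n}: {key_name} of {len(key)} characters is not a valid {alg} key")
    # An SA keyed on sport 829 in one direction needs its mirror on dport 829.
    flows = {(sa.get("src", "?"), sa.get("dst", "?"), side)
             for _, sa in sas for side in ("sport", "dport") if sa.get(side) == port}
    for src, dst, side in sorted(flows):
        mirror = (dst, src, "dport" if side == "sport" else "sport")
        if mirror not in flows:
            findings.append(f"{src} -> {dst} ({side} {port}) has no reverse SA")
    return findings


ENC = "00112233445566778899aabbccddeeff"           # constructed AES-128 key
AUTH = "000102030405060708090a0b0c0d0e0f10111213"   # constructed HMAC-SHA1 key
COMMON = f"proto 6 encralg aes encrkey {ENC} authalg sha1 authkey {AUTH}"
SAMPLE = (f"add esp spi 691 src 192.0.2.10 sport 829 dst 192.0.2.20 {COMMON}\n"
          f"add esp spi 690 dst 192.0.2.10 dport 829 src 192.0.2.20 {COMMON}\n")
# The first entry alone and cut short, as when a long line is wrapped or truncated.
TRUNCATED = SAMPLE.splitlines()[0][:-25] + "\n"

if __name__ == "__main__":
    print(check_ipseckeys(SAMPLE))
    for finding in check_ipseckeys(TRUNCATED):
        print(finding)
```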
1.2 Message Flow
There are no messages flowing between MDM and the SSM tool. They both invoke PKBClient to communicate with CM.
2. MDM PKI Interface with MSS
2.1 Supported IKE parameters and their scope
2.1.1 IKE attribute supported
2.1.1.1 For phase1 rule:
The following attributes and their values are supported for IKE phase1:
Parameters | Values |
-p1_pfs | <1|2> |
-p1_lifetime | <1800-172800> seconds |
-enc_alg |
|
-auth_alg |
|
-p2_pfs | <0|1|2> |
-p2_lifetime | <1800-172800> seconds |
2.1.1.2 For phase2 rule:
The following attributes and their values are supported for IKE phase2:
Parameters | Values |
-proto |
|
-srcPort -dstPort | Port must be one of: any, ftpdata, ftp, telnet, ntp, snmp, ike, pki, rip, radius, fmip, 1-19, 22-24, 124-160, 162-499, 501-519, 521-828, 830-1811, 1813-5927, 5929-65535 |
-enc_alg |
|
-auth_alg |
|
-p2_pfs | <0|1|2> |
-p2_lifetime | <1800-172800> seconds |
-antiReplay |
|
2.1.1.3 Attributes Combination
Here are the supported combinations, from the MSS design doc [CD5054 MD-2004.0387]:
For Phase 1, authentication must be present as per the RFC. The MSS IKE supports the following encryption-authentication combinations for the Phase 1 transforms:
- DES-SHA1
- DES-MD5
- 3DES-SHA1
- 3DES-MD5
For Phase 2 proposals, MSS IKE supports the following combinations for encryption-authentication:
- none-SHA1
- none-MD5
- DES-SHA1
- DES-MD5
- 3DES-SHA1
- 3DES-MD5
- AES-SHA11
The above can be supported with Diffie-Hellman group 1 or group 2.
2.1.2 Certs related parameters
The MDM certs should be generated with the following parameters:
Key-Type: rsa-sha1 or rsa-md5
Key-Size: 2048 or 1024
2.1.3 Default values and their scope used by MDM
· Value scope for Phase1 and phase2 lifetime:
MIN_PI_LIFETIME = 1800
MAX_PI_LIFETIME = 172800
MIN_P2_LIFETIME = 1800
MAX_P2_LIFETIME = 172800
· The default values
DEFAULT_P2_PFS = "2";
DEFAULT_P1_LIFETIME = "86400";
DEFAULT_P2_LIFETIME = "28800";
· The constant values
P1_NONCE_LENGTH 20
2.1.4 IKE commissioning parameters
For phase1: enc_alg = 3des, auth_alg = sha1, DHG_Group =2
For phase2: enc_alg = aes, auth_alg= md5 (for ftpdata) or sha1(others), DHG_group=2
2.2 Provisioning Interface
The provisioning interface with MSS is via the CAS of the MSS, which manipulates the components and their attributes; please refer to [3] for more. The commands used by the MDM IKE provisioning scripts are described below:
2.2.1 Procedure to add initial PKI relationship
Before IKE_Add_Phase1 is executed, the operator should ensure the ipsec feature is installed on MSS, that is:
The steps to add PKI on the MSS side are listed below:
It takes the example as MSS OAM port with IPaddress , and MDM1 with IPaddress , MDM2 with IPaddress for redundancy.
These steps should be put in pki_initial_script.
add -s vr/0 ip pmm ip
set vr/0 ip pmm ca/1 ip
add -s vr/0 ip pmm ca/2 ip
# for ssh from the two mdms
add -s vr/0 ip spd/1 pol/10 dport 22, action bypass, proto tcp, saddr , daddr
add -s vr/0 ip spd/1 pol/20 sport 22, action bypass, dir out, proto tcp, daddr , saddr
add -s vr/0 ip spd/1 pol/30 dport 22, action bypass, proto tcp, saddr , daddr
add -s vr/0 ip spd/1 pol/40 sport 22, action bypass, dir out, proto tcp, daddr , saddr
# for pki messaging from the two mdms
add -s vr/0 ip spd/1 pol/100 proto tcp, sport pki, saddr , daddr
add -s vr/0 ip spd/1 pol/101 proto tcp, dport pki, daddr , saddr
add -s vr/0 ip spd/1 pol/102 proto tcp, sport pki, saddr , daddr
add -s vr/0 ip spd/1 pol/103 proto tcp, dport pki, daddr , saddr
# added the ipsec SAs for the two em_pmm mdms
a -s vr/0 ip spd/1 pol/100 sa/,esp,700
a -s vr/0 ip spd/1 pol/101 sa/,esp,701
a -s vr/0 ip spd/1 pol/102 sa/,esp,702
a -s vr/0 ip spd/1 pol/103 sa/,esp,703
set vr/0 ip spd/1 pol/100 sa/,esp,700 manespsa encAlg aes, encKey , authAlg sha1, authKey
set vr/0 ip spd/1 pol/101 sa/,esp,701 manespsa encAlg aes, encKey , authAlg sha1, authKey
set vr/0 ip spd/1 pol/102 sa/,esp,702 manespsa encAlg aes, encKey , authAlg sha1, authKey
set vr/0 ip spd/1 pol/103 sa/,esp,703 manespsa encAlg aes, encKey , authAlg sha1, authKey
2.2.2 Add ike with rsasig
These steps should be handled by IKE_Add_Phase1 and IKE_MSS_Commissioning
The operator would provide the
and the (RSA_SIG) in the Commandline.
# Add IKE bypass policies
add -s vr/0 ip spd/1 pol/50 proto udp, dport ike, action bypass, saddr , daddr
add -s vr/0 ip spd/1 pol/60 proto udp, sport ike, action bypass, daddr , saddr , dir out
add -s vr/0 ip spd/1 pol/70 proto udp, dport ike, action bypass, saddr , daddr
add -s vr/0 ip spd/1 pol/80 proto udp, sport ike, action bypass, daddr , saddr , dir out
# Add IKE with the ip address of the OAM port on mss
add -s vr/0 ip spd/1 ike srcIpAddress
# add pkiClient, also link the pki to pmm
add -s vr/0 ip spd/1 ike pki,linkToPmm Vr/0 Ip Pmm
# link ike policy to pkiClient and set the destination ip address of the Ike policy
set Vr/0 Ip Spd/1 Ike Policy/1 linkToPkiClient vr/0 ip spd/1 ike pki, dest
# refer the Policy to ike Proposal with rsaSig
set vr/0 ip spd/1 ike pol/1 pfs on
set Vr/0 Ip Spd/1 Ike Policy/1 ikeProposal Vr/0 Ip Spd/1 ike Proposal/1
(The one default proposal is automatically added under ike)
set vr/0 ip spd/1 ike prop/1 trans/1 authMethod rsaSig
(The one default transform is also added automatically)
2.2.3 IKE Phase2 provisioning
IKE phase2 is provisioned as normal; IKE_add_phase2 is invoked to do that. For example, below is the any-any ipsec (phase 2) case:
a -s vr/0 ip spd/1 pol/200 action apply, dir inbound, ikePolicy Vr/0 Ip Spd/1 Ike Policy/1, srcIpAddress , dstIpAddress
a -s vr/0 ip spd/1 pol/201 action apply, dir outbound, ikePolicy Vr/0 Ip Spd/1 Ike Policy/1, srcIpAddress , dstIpAddress
a -s vr/0 ip spd/1 prop/1 ipSecPolicyList vr/0 ip spd/1 pol/200 vr/0 ip spd/1 pol/201
s Vr/0 Ip Spd/1 Proposal/1 Transform/1 diffieHellmanGroup gp1, antiReplay on
2.3 Messages Format and Walk through
The message interface resides within MDM EM_PMM; its southbound side is MSS PMM and its northbound side is CM.
The messages supported between EM PMM and MSS PMM are the following:
· Certification Request
· Certification Response
· Key Recovery Request
· Key Recovery Response
· Error Message
· Confirmation
· Certificate Announcement
Please refer to the NM0542 Design Specification [5] for more on the CMP message definitions.
2.4 IKE stack interaction between Solaris and MSS
MSS communicates directly with the Solaris IKE on the host where MDM resides. MDM does not change that behaviour; however, owing to limitations of the Solaris IKE implementation, two interaction issues were found and addressed:
2.4.1 IKE SA flush
During IKE negotiation, the remote entity will reset its SAs, yet the local Solaris host maintains the existing SAs until they have expired. When the connection with MSS is lost, the local Phase2 SAs should be flushed as well as the phase1 SA.
As a result, SFM is enhanced to monitor the connections by pinging all remote IKE entries. SFM identifies the remote entries through IKE phase1 SAs or phase2 SAs, then pings them one by one. If an entry cannot be pinged, the local SAs are flushed via ike_sa_refresh. Traffic will then trigger re-negotiation of the SAs automatically when needed.
This applies to both IKE rsasig and preshared.
2.4.2 in.iked restarted
The Solaris in.iked still refers to the old cert information when the device certs are replaced, either from the CM GUI or from MSS. That causes authentication failure in IKE phase1 negotiation; as a result, the datapath goes down after the phase2 SAs expire.
The solution is to restart in.iked at MDM each time the device certs are replaced. (CM/SSM has restarted in.iked when it revoked the MDM certs.)
1. MSS sends a CMP error with error code 123321 to indicate that an MSS cert replacement has occurred, so the IKE daemon at MDM must be restarted.
2. MDM receives the CMP error message, then restarts in.iked.
3. At the redundant MDM, since no CMP error message arrives, SFM is enhanced to take this action (restart in.iked) when the remote is unreachable.
3. MDM PKI Interface with CM
When talking about the PKI interface with CM, MDM acts as the proxy CA to MSS,
3.1 Provisioning Interface
None
3.2 Application Programming Interface