Hallo, dies ist ein Test.

PWD: /www/data-lst1/unixsoft/unixsoft/kaempfer/.public_html

Running in File Mode
Relative path: ./../../../../.././../usr/man/man8/ikeadm.8
Real path: /usr/share/man/man8/ikeadm.8
Zurück

'\" te
.\" Copyright (c) 2012, 2021, Oracle and/or its affiliates.
.TH ikeadm 8 "21 Jun 2021" "Oracle Solaris 11.4" "System Administration Commands"
.SH NAME
ikeadm \- manipulate Internet Key Exchange (IKE) parameters and state
.SH SYNOPSIS

.LP
.nf
\fBikeadm\fR [\fB-np\fR] [\fB-v\fR {\fB1\fR|\fB2\fR}]
.fi

.LP
.nf
\fBikeadm\fR [\fB-np\fR] [\fB-v\fR {\fB1\fR|\fB2\fR}] \fBget\fR [\fBdebug\fR | \fBpriv\fR | \fBstats\fR | \fBdefaults\fR]
.fi

.LP
.nf
\fBikeadm\fR [\fB-np\fR] [\fB-v\fR {\fB1\fR|\fB2\fR}] \fBset\fR [\fBdebug\fR | \fBpriv\fR] [\fIlevel\fR] [\fIfile\fR]
.fi

.LP
.nf
\fBikeadm\fR [\fB-np\fR] [\fB-v\fR {\fB1\fR|\fB2\fR}] [\fBget\fR | \fBdel\fR] [\fBp1\fR | \fBikesa\fR | \fBrule\fR | \fBpreshared\fR] [\fIid\fR]
.fi

.LP
.nf
\fBikeadm\fR [\fB-np\fR] [\fB-v\fR {\fB1\fR|\fB2\fR}] \fBadd\fR [\fBrule\fR | \fBpreshared\fR] { \fIdescription\fR }
.fi

.LP
.nf
\fBikeadm\fR [\fB-np\fR] [\fB-v\fR {\fB1\fR|\fB2\fR}] \fBtoken\fR [\fBlogin\fR | \fBlogout\fR] \fIPKCS#11_Token_Object\fR
.fi

.LP
.nf
\fBikeadm\fR [\fB-np\fR] [\fB-v\fR {\fB1\fR|\fB2\fR}] [\fBread\fR | \fBwrite\fR] [\fBrule\fR | \fBpreshared\fR | \fBcertcache\fR]
     \fIfile\fR
.fi

.LP
.nf
\fBikeadm\fR [\fB-np\fR] [\fB-v\fR {\fB1\fR|\fB2\fR}] \fBdump\fR [\fBp1\fR | \fBikesa\fR | \fBrule\fR | \fBpreshared\fR | \fBcertcache\fR
     | \fBgroups\fR | \fBencralgs\fR | \fBauthalgs\fR]
.fi

.LP
.nf
\fBikeadm\fR [\fB-v\fR {\fB1\fR|\fB2\fR}] [\fB-np\fR] \fBflush\fR \fB[p1\fR | \fBikesa\fR | \fBcertcache\fR]
.fi

.LP
.nf
\fBikeadm\fR \fBhelp\fR
     [\fBget\fR | \fBset\fR | \fBadd\fR | \fBdel\fR | \fBread\fR | \fBwrite\fR | \fBdump\fR | \fBflush\fR | \fBtoken\fR]
.fi
.SH DESCRIPTION
.sp
.LP
The \fBikeadm\fR utility retrieves information from and manipulates the configuration of the Internet Key Exchange (\fBIKE\fR) protocol daemon, \fBin.iked\fR(8).
.sp
.LP
The \fBikeadm\fR utility communicates with the running Internet Key Exchange (IKE) daemon(s). This utility can retrieve information from or change the configuration of the running daemon without restarting it. There are two IKE protocol daemons, \fBin.iked\fR(8) and \fBin.ikev2d\fR(8), supporting version one and two of the Internet Key Exchange Protocol respectively.
.sp
.LP
The \fBikeadm\fR utility provides an alternate configuration mechanism to the configuration files described in \fBike.config\fR(5) and \fBikev2.config\fR(5). Additionally it provides a unique interface for gathering statistics and other information only available from the running daemon(s).
.sp
.LP
\fBikeadm\fR supports a set of operations, which may be performed on one or more of the supported object types. When invoked without arguments, \fBikeadm\fR enters interactive mode which prints a prompt to the standard output and accepts commands from the standard input until the end-of-file is reached.
.sp
.LP
Because \fBikeadm\fR manipulates sensitive keying information, you must be superuser or be granted the Network IPsec Management rights profile to use this command. Additionally, some of the commands available require that the daemon be running in a privileged mode, which is established when the daemon is started.
.sp
.LP
For details on how to use this command securely see \fBSECURITY\fR.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.mk
.na
\fB\fB-n\fR\fR
.ad
.br
.sp .6
.RS 4n
Prevent attempts to print host and network names symbolically when reporting actions. This is useful, for example, when all name servers are down or are otherwise unreachable. 
.RE

.sp
.ne 2
.mk
.na
\fB\fB-p\fR\fR
.ad
.br
.sp .6
.RS 4n
Paranoid. Do not print any keying material, even if saving Security Associations. Instead of an actual hexadecimal digit, print an \fBX\fR when this flag is turned on. 
.RE

.sp
.ne 2
.mk
.na
\fB\fB-v\fR {\fB1\fR|\fB2\fR}\fR
.ad
.br
.sp .6
.RS 4n
IKE version number. If only one of the \fBin.iked\fR(8) or \fBin.ikev2d\fR(8) daemons are running, this flag is optional. Otherwise, this flag designates which version of the IKE daemon is the target of this operation.
.RE

.SH USAGE
.SS "Commands"
.sp
.LP
The following commands are supported:
.sp
.ne 2
.mk
.na
\fB\fBadd\fR\fR
.ad
.br
.sp .6
.RS 4n
Add the specified object. This option can be used to add a new policy rule or a new preshared key to the current (running) IKE configuration. New preshared key values can only be entered by running \fBikeadm\fR interactively. See SECURITY. The rule or key being added is specified using appropriate \fIid\fR-\fIvalue\fR pairs as described in the \fBID FORMATS\fR section.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdel\fR\fR
.ad
.br
.sp .6
.RS 4n
Delete a specific object or objects from the IKE daemon's current configuration. This operation is available for \fBIKE\fR (Phase 1) \fBSA\fRs, IKEv2 IKE \fBSA\fRs, policy rules, and preshared keys. The object to be deleted is specified as described in the \fBId Formats\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdump\fR\fR
.ad
.br
.sp .6
.RS 4n
Display all objects of the specified type known to the IKE daemon. This option can be used to display all Phase 1 \fBSA\fRs, IKEv2 IKE \fBSA\fRs, policy rules, preshared keys, implemented Diffie-Hellman groups, encryption, and authentication algorithms available for Phase 1 or IKE SAs, or the certificate cache. A large amount of output might be generated by this command.
.RE

.sp
.ne 2
.mk
.na
\fB\fBflush\fR\fR
.ad
.br
.sp .6
.RS 4n
Remove all \fBIKE\fR (Phase 1) \fBSA\fRs, IKEv2 IKE SAs, or cached certificates from the IKE daemon.
.sp
Note that flushing the \fBcertcache\fR will also (as a side-effect) update IKEv1 with any new certificates added or removed. Note that IKEv2 does not have an exposed certificate cache.
.RE

.sp
.ne 2
.mk
.na
\fB\fBget\fR\fR
.ad
.br
.sp .6
.RS 4n
Lookup and display the specified object. May be used to view the current debug or privilege level, global statistics and default values for the daemon, or a specific \fBIKE\fR (Phase 1) \fBSA\fR, IKEv2 IKE SA, policy rule, or preshared key. The latter three object types require that identifying information be passed in; the appropriate specification for each object type is described below. 
.RE

.sp
.ne 2
.mk
.na
\fB\fBhelp\fR\fR
.ad
.br
.sp .6
.RS 4n
Print a brief summary of commands, or, when followed by a command, prints information about that command. 
.RE

.sp
.ne 2
.mk
.na
\fB\fBread\fR\fR
.ad
.br
.sp .6
.RS 4n
Update the current IKE configuration by reading the policy rules or preshared keys from either the default location or from the file specified. 
.RE

.sp
.ne 2
.mk
.na
\fB\fBset\fR\fR
.ad
.br
.sp .6
.RS 4n
Adjust the current debug or privilege level. If the debug level is being modified, an output file may optionally be specified; the output file \fBmust\fR be specified if the daemon is running in the background and is not currently printing to a file. When changing the privilege level, adjustments may only be made to lower the access level; it cannot be increased using \fBikeadm\fR. Note that the privilege level applies to IKEv1 only.
.RE

.sp
.ne 2
.mk
.na
\fB\fBwrite\fR\fR
.ad
.br
.sp .6
.RS 4n
Write the current IKE/IKEv2 policy rule set or preshared key set to the specified file. A destination file must be specified. This command should not be used to overwrite the existing configuration files.
.RE

.sp
.ne 2
.mk
.na
\fB\fBtoken\fR\fR
.ad
.br
.sp .6
.RS 4n
Log into a PKCS#11 token object and grant access to keying material or log out and invalidate access to keying material.
.sp
\fBtoken\fR can be run as a normal user with the Network IPsec Management rights profile.
.RE

.SS "Object Types"
.sp
.ne 2
.mk
.na
\fBdebug\fR
.ad
.br
.sp .6
.RS 4n
Specifies the daemon's debug level. This determines the amount and type of output provided by the daemon about its operations. The debug level is actually a bitmask, with individual bits enabling different types of information.
.sp
.sp
.in +2
.nf
IKEv1 and IKEv2

Certificate management   0x00000001               cert
Key management           0x00000002               key
Operational              0x00000004               op
Phase 1 SA creation      0x00000008               phase1
Phase 2 SA creation      0x00000010               phase2
PF_KEY interface         0x00000020               pfkey
Policy management        0x00000040               policy
Proposal construction    0x00000080               prop
Door interface           0x00000100               door
Config file processing   0x00000200               config
Label processing         0x00000400               label

IKEv2 only

Packet processing        0x00000800               packet
Audit interaction        0x00002000               audit
Additional Notes         0x00004000               note
Threading issues         0x00008000               thread
Extra PF_KEY dumps       0x00010000               pfkeymsg
Verbose                  0x00006204               verbose
All debug flags          0x0001ffff               all
.fi
.in -2
.sp
When specifying the debug level, either a number (decimal or hexadecimal) or a string of nicknames may be given. For example, \fB88\fR, \fB0x58\fR, and \fBphase1\fR+\fBphase2\fR+\fBpolicy\fR are all equivalent, and will turn on debug for \fBphase 1\fR  \fBsa\fR creation, \fBphase 2 sa\fR creation, and policy management. A string of nicknames may also be used to remove certain types of information; \fBall-op\fR has the effect of turning on all debug \fBexcept\fR for operational messages; it is equivalent to the numbers \fB1019\fR or \fB0x3fb\fR.
.RE

.sp
.ne 2
.mk
.na
\fBpriv\fR
.ad
.br
.sp .6
.RS 4n
IKEv1 only
.sp
Specifies the daemon's access privilege level. The possible values are:
.sp
.sp
.in +2
.nf
Description                  Level   Nickname

Base level                   0       base
Access to preshared key info 1       modkeys
Access to keying material    2       keymat
.fi
.in -2
.sp
By default, \fBin.iked\fR is started at the base level. A command-line option can be used to start the daemon at a higher level. \fBikeadm\fR can be used to lower the level, but it cannot be used to raise the level.
.sp
Either the numerical level or the nickname may be used to specify the target privilege level.
.sp
See \fBin.iked\fR(8) for a description of the \fBconfig/admin_privilege\fR SMF property. This property allows you to establish a baseline privilege level that can be subsequently modified by \fBikeadm\fR.
.sp
In order to get, add, delete, dump, read, or write preshared keys, the privilege level must at least give access to preshared key information. However, when viewing preshared keys (either using the get or dump command), the key itself will only be available if the privilege level gives access to keying material. This is also the case when viewing Phase 1 \fBSA\fRs.
.RE

.sp
.ne 2
.mk
.na
\fBstats\fR
.ad
.br
.sp .6
.RS 4n
Global statistics from the daemon.
.sp
IKEv1 stats cover both successful and failed Phase 1 SA creation.
.sp
Reported statistics include:
.sp
.RS +4
.TP
.ie t \(bu
.el o
Count of current P1 \fBSA\fRs which the local entity initiated

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of current P1 \fBSA\fRs where the local entity was the responder

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of all P1 \fBSA\fRs which the local entity initiated since boot

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of all P1 \fBSA\fRs where the local entity was the responder since boot

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of all attempted \fBP1\fR  \fBSA\fRs since boot, where the local entity was the initiator; includes failed attempts

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of all attempted P1 \fBSA\fRs since boot, where the local entity was the responder; includes failed attempts

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of all failed attempts to initiate a \fBP1\fR  \fBSA\fR, where the failure occurred because the peer did not respond

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of all failed attempts to initiate a P1 \fBSA\fR, where the peer responded

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of all failed \fBP1\fR  \fBSA\fRs where the peer was the initiator

.RE
.RS +4
.TP
.ie t \(bu
.el o
Whether a PKCS#11 library is in use, and if applicable, the PKCS#11 library that is loaded. See \fBike.config\fR(5).

.RE
IKEv2 stats cover both successful and failed IKE SA creation.
.RS +4
.TP
.ie t \(bu
.el o
Count of all successful IKEv2 SA creations

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of all failed IKEv2 SA creations

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of all successful IKEv2 rekeys

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of all failed IKEv2 rekeys

.RE
.RS +4
.TP
.ie t \(bu
.el o
Count of all memory allocation failures

.RE
.RE

.sp
.ne 2
.mk
.na
\fBdefaults\fR
.ad
.br
.sp .6
.RS 4n
IKEv1 only
.sp
Display default values used by the \fBin.iked\fR daemon. Some values can be overridden in the daemon configuration file (see \fBike.config\fR(5)); for these values, the token name is displayed in the \fBget defaults\fR output. The output will reflect where a configuration token has changed the default.
.sp
Default values might be ignored in the event a peer system makes a valid alternative proposal or they can be overridden by per-rule values established in \fBike.config\fR. In such instances, a \fBget defaults\fR command continues to display the default values, not the values used to override the defaults.
.RE

.sp
.ne 2
.mk
.na
\fBikesa\fR
.ad
.br
.sp .6
.RS 4n
An IKEv2 IKE SA. An \fBikesa\fR object is identified by an IP address pair or a local SPI; identification formats are described below.
.RE

.sp
.ne 2
.mk
.na
\fBp1\fR
.ad
.br
.sp .6
.RS 4n
An \fBIKE\fR Phase 1 \fBSA\fR. A \fBp1\fR object is identified by an \fBIP\fR address pair or a cookie pair; identification formats are described below. 
.RE

.sp
.ne 2
.mk
.na
\fBrule\fR
.ad
.br
.sp .6
.RS 4n
An \fBIKE\fR policy rule, defining the acceptable security characteristics for Phase 1 or IKEv2 IKE SAs between specified local and remote identities. A rule is identified by its label; identification formats are described below. 
.RE

.sp
.ne 2
.mk
.na
\fBpreshared\fR
.ad
.br
.sp .6
.RS 4n
A preshared key, including the applicable identifier(s). In IKEv1, a \fBpreshared\fR key is identified by an IP address pair or an identity pair. In IKEv2, a \fBpreshared\fR key is identified by its rule label. Identification formats are described below.
.RE

.SS "Id Formats"
.sp
.LP
Commands like \fBadd\fR, \fBdel\fR, and \fBget\fR require that additional information be specified on the command line. In the case of the delete and get commands, all that is required is to minimally identify a given object; for the add command, the full object must be specified.
.sp
.LP
Minimal identification is accomplished in most cases by a pair of values. For \fBIP\fR addresses, the local addr and then the remote addr are specified, either in dot-notation for IPv4 addresses, colon-separated hexadecimal format for IPv6 addresses, or a host name present in the host name database. If a host name is given that expands to more than one address, the requested operation will be performed multiple times, once for each possible combination of addresses.
.sp
.LP
Identity pairs are made up of a local type-value pair, followed by the remote type-value pair. Valid types are:
.sp
.ne 2
.mk
.na
\fBprefix\fR
.ad
.br
.sp .6
.RS 4n
An address prefix.
.RE

.sp
.ne 2
.mk
.na
\fBfqdn\fR
.ad
.br
.sp .6
.RS 4n
A fully-qualified domain name. 
.RE

.sp
.ne 2
.mk
.na
\fBdomain\fR
.ad
.br
.sp .6
.RS 4n
Domain name, synonym for fqdn. 
.RE

.sp
.ne 2
.mk
.na
\fBuser_fqdn\fR
.ad
.br
.sp .6
.RS 4n
User identity of the form \fIuser\fR@fqdn. (IKEv1 only)
.RE

.sp
.ne 2
.mk
.na
\fBmailbox\fR
.ad
.br
.sp .6
.RS 4n
Synonym for \fBuser_fqdn\fR. 
.RE

.sp
.LP
A cookie pair is made up of the two cookies assigned to a Phase 1 Security Association (\fBSA\fR) when it is created; first is the initiator's, followed by the responder's. A cookie is a 64-bit number.
.sp
.LP
Finally, a label (which is used to identify a policy rule) is a character string assigned to the rule when it is created.
.sp
.LP
Formatting a rule or preshared key for the add command follows the format rules for the \fBin.iked\fR or \fBin.ikev2d\fR configuration files. Both are made up of a series of id-value pairs, contained in curly braces (\fB{\fR and \fB}\fR). For IKEv1, see \fBike.config\fR(5) and \fBike.preshared\fR(5) for details on the formatting of rules and preshared keys. For IKEv2, see \fBikev2.config\fR(5) and \fBikev2.preshared\fR(5) for its formatting rules.
.SH SECURITY
.sp
.LP
The \fBikeadm\fR command allows an authorized user with the Network IPsec Management rights profile to enter cryptographic keying information. If an adversary gains access to such information, the security of IPsec traffic is compromised. The following issues should be taken into account when using the \fBikeadm\fR command. 
.RS +4
.TP
.ie t \(bu
.el o
Is the \fBTTY\fR going over a network (interactive mode)? 
.sp
If it is, then the security of the keying material is the security of the network path for this \fBTTY\fR's traffic. Using \fBikeadm\fR over a clear-text telnet or rlogin session is risky. Even local windows may be vulnerable to attacks where a concealed program that reads window events is present.

.RE
.RS +4
.TP
.ie t \(bu
.el o
Is the file accessed over the network or readable to the world (read/write commands)? 
.sp
A network-mounted file can be sniffed by an adversary as it is being read. A world-readable file with keying material in it is also risky.

.RE
.sp
.LP
If your source address is a host that can be looked up over the network, and your naming system itself is compromised, then any names used will no longer be trustworthy.
.sp
.LP
Commands that manage keying material do not generally allow the keying material to be specified on the command line. This is because this keying material may end up in a shell history file or be visible to another user running \fBps\fR(1) and could therefore be compromised.
.sp
.LP
Security weaknesses often lie in misapplication of tools, not the tools themselves. It is recommended that administrators are cautious when using the \fBikeadm\fR command. The safest mode of operation is probably on a console, or other hard-connected \fBTTY\fR.
.sp
.LP
For additional information regarding this subject, see the afterward by Matt Blaze in Bruce Schneier's \fIApplied Cryptography: Protocols, Algorithms, and Source Code in C.\fR  
.SH EXAMPLES
.LP
\fBExample 1\fR Emptying out all Phase 1 or IKEv2 IKE Security Associations

.sp
.LP
IKEv1:

.sp
.LP
The following command empties out all Phase 1 Security Associations:

.sp
.in +2
.nf
example# \fBikeadm flush p1\fR
.fi
.in -2
.sp

.sp
.LP
IKEv2:

.sp
.LP
The following command empties out all IKEv2 IKE Security Associations:

.sp
.in +2
.nf
example# \fBikeadm flush ikesa\fR
.fi
.in -2
.sp
.LP
\fBExample 2\fR Displaying all Phase 1 or IKEv2 IKE Security Associations

.sp
.LP
IKEv1:

.sp
.LP
The following command displays all Phase 1 Security Associations:

.sp
.in +2
.nf
example# \fBikeadm dump p1\fR
.fi
.in -2
.sp

.sp
.LP
IKEv2:

.sp
.LP
The following command displays all IKEv2 IKE Security Associations:

.sp
.in +2
.nf
example# \fBikeadm dump ikesa\fR
.fi
.in -2
.sp
.LP
\fBExample 3\fR Deleting a Specific Phase 1 Security Association

.sp
.LP
The following command deletes the specified Phase 1 or IKEv2 IKE Security Associations:

.sp
.LP
IKEv1:

.sp
.in +2
.nf
example# \fBikeadm del p1 local_ip remote_ip\fR
.fi
.in -2
.sp

.sp
.LP
IKEv2:

.sp
.in +2
.nf
example# \fBikeadm del ikesa local_ip remote_ip\fR
.fi
.in -2
.sp

.sp
.LP
\&...or:

.sp
.in +2
.nf
example# \fBikeadm del ikesa 0x49bf01d5c7585ea8\fR
.fi
.in -2
.sp

.sp
.LP
Note that the value \fB0x49bf01d5c7585ea8\fR, in the preceding example command, is the local SPI of the IKE SA, as displayed by \fBikeadm dump ikesa\fR.
.LP
\fBExample 4\fR Adding a Rule From a File

.sp
.LP
The following command adds a rule from a file:

.sp
.in +2
.nf
example# \fBikeadm add rule rule_file\fR
.fi
.in -2
.sp
.LP
\fBExample 5\fR Adding a Preshared Key

.sp
.LP
The following command adds a preshared key:

.sp
.LP
IKEv1:

.sp
.in +2
.nf
example# \fBikeadm\fR
     ikeadm> \fBadd preshared { localidtype ip localid local_ip
             remoteidtype ip remoteid remote_ip ike_mode main
             key 1234567890abcdef1234567890abcdef }\fR
.fi
.in -2
.sp

.sp
.LP
IKEv2:

.sp
.in +2
.nf
example# \fBikeadm\fR
     ikeadm> \fBadd preshared { label "existing rule label"
key 0x4b6562652e0a }\fR
.fi
.in -2
.sp
.LP
\fBExample 6\fR Saving All Preshared Keys to a File

.sp
.LP
The following command saves all preshared keys to a file:

.sp
.in +2
.nf
example# \fBikeadm write preshared target_file\fR
.fi
.in -2
.sp
.LP
\fBExample 7\fR Viewing a Particular Rule

.sp
.LP
The following command views a particular rule:

.sp
.in +2
.nf
example# \fBikeadm get rule rule_label\fR
.fi
.in -2
.sp
.LP
\fBExample 8\fR Reading in New Rules from \fBike.config\fR

.sp
.LP
The following command reads in new rules from the ike.config file:

.sp
.in +2
.nf
example# \fBikeadm read rules\fR
.fi
.in -2
.sp
.LP
\fBExample 9\fR Lowering the Privilege Level

.sp
.LP
The following command lowers the privilege level for IKEv1:

.sp
.in +2
.nf
example# \fBikeadm set priv base\fR
.fi
.in -2
.sp
.LP
\fBExample 10\fR Viewing the Debug Level

.sp
.LP
The following command shows the current debug level:

.sp
.in +2
.nf
example# \fBikeadm get debug\fR
.fi
.in -2
.sp
.LP
\fBExample 11\fR Using stats to Verify Hardware Accelerator in IKEv1

.sp
.LP
The following example shows how stats may include an optional line at the end to indicate if IKE is using a PKCS#11 library to accelerate public-key operations, if applicable.

.sp
.in +2
.nf
example# \fBikeadm get stats\fR
Phase 1 SA counts:
Current:  initiator:     0    responder:      0
Total:    initiator:    21   responder:      27
Attempted:initiator:    21   responder:      27
Failed:   initiator:     0   responder:       0
	         initiator fails include 0 time-out(s)
PKCS#11 library linked in from /opt/system/core-osonn/lib/libpkcs11.so
example# 
.fi
.in -2
.sp
.LP
\fBExample 12\fR Displaying the Certificate Cache in IKEv1

.sp
.LP
The following command shows the certificate cache and the status of associated private keys, if applicable:

.sp
.in +2
.nf
example# \fBikeadm dump certcache\fR
.fi
.in -2
.sp
.LP
\fBExample 13\fR Logging into a PKCS#11 Token

.sp
.LP
The following command shows logging into a PKCS#11 token object and unlocking private keys:

.sp
.in +2
.nf
example# \fBikeadm token login "Sun Metaslot"\fR
Enter PIN for PKCS#11 token:
ikeadm: PKCS#11 operation successful
.fi
.in -2
.sp
.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.mk
.na
\fB\fB0\fR\fR
.ad
.RS 12n
.rt
Successful completion. 
.RE

.sp
.ne 2
.mk
.na
\fB\fBnon-zero\fR\fR
.ad
.RS 12n
.rt
An error occurred. Writes an appropriate error message to standard error.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(7) for descriptions of the following attributes:
.sp
.TS
tab(
) box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPE
ATTRIBUTE VALUE
_
Availability
system/network/ike
_
Interface Stability
Committed
.TE
.sp
.SH SEE ALSO
.sp
.LP
\fBps\fR(1), \fBipsec\fR(4P), \fBike.config\fR(5), \fBike.preshared\fR(5), \fBikev2.config\fR(5), \fBikev2.preshared\fR(5), \fBattributes\fR(7), \fBin.iked\fR(8), \fBin.ikev2d\fR(8)
.sp
.LP
Schneier, Bruce, \fIApplied Cryptography: Protocols, Algorithms, and Source Code in C\fR, Second Edition, John Wiley & Sons, New York, NY, 1996.
.SH NOTES
.sp
.LP
As \fBin.iked\fR and \fBin.ikev2d\fR can run only in the global zone, kernel zones, and exclusive-IP zones, this command is not useful in shared-IP zones.