table of contents
IKED(8) | System Manager's Manual | IKED(8) |
NAME¶
iked
—
Internet Key Exchange version 2 (IKEv2)
daemon
SYNOPSIS¶
iked |
[-dnSTtVv ]
[-D
macro=value]
[-f
file]
[-p
udpencap_port]
[-s
socket] |
DESCRIPTION¶
iked
is an Internet Key Exchange
(IKEv2) daemon which performs mutual authentication and which
establishes and maintains IPsec flows and security associations (SAs)
between the two peers.
The IKEv2 protocol is defined in RFC 7296, which
combines and updates the previous standards: ISAKMP/Oakley (RFC
2408), IKE (RFC 2409), and the Internet DOI (RFC 2407).
iked
only supports the IKEv2 protocol;
support for ISAKMP/Oakley and IKEv1 is provided by
isakmpd(8).
iked
supports mutual
authentication using RSA or ECDSA public keys and X.509
certificates. See the
PUBLIC KEY
AUTHENTICATION section below and PKI AND CERTIFICATE AUTHORITY
COMMANDS in ikectl(8)
for more information about creating and maintaining the public key
infrastructure.
The options are as follows:
-D
macro=value- Define macro to be set to value on the command line. Overrides the definition of macro in the configuration file.
-d
- Do not daemonize and log to stderr.
-f
file- Use file as the configuration file, instead of the default /etc/iked.conf.
-n
- Configtest mode. Only check the configuration file for validity.
-p
udpencap_port- Specify the listen port for encapsulated UDP that the daemon will bind to as well as the UDP encapsulation port set in resulting IPsec SAs. In order to receive UDP encapsulated IPsec packets on ports other than 4500, the net.inet.esp.udpencap_port sysctl(2) variable has to be set accordingly. Implies -t.
-S
- Start
iked
in passive mode. See theset passive
option in iked.conf(5) for more information. -s
socket- Use socket as the control socket, instead of the default /var/run/iked.sock.
-T
- Disable NAT-Traversal and do not propose NAT-Traversal support to the peers.
-t
- Enforce NAT-Traversal and only listen to NAT-Traversal messages. This option is only recommended for testing; the default is to negotiate NAT-Traversal with the peers.
-V
- Show the version and exit.
-v
- Produce more verbose output.
PUBLIC KEY AUTHENTICATION¶
It is possible to store trusted public keys to make them
directly usable by iked
,
bypassing the need to use certificates. The keys should be saved
in PEM format (see
openssl(1)) and
named and stored as follows:
- For IPv4 identities:
- /etc/iked/pubkeys/ipv4/A.B.C.D
- For IPv6 identities:
- /etc/iked/pubkeys/ipv6/abcd:abcd::ab:bc
- For FQDN identities:
- /etc/iked/pubkeys/fqdn/foo.bar.org
- For UFQDN identities:
- /etc/iked/pubkeys/ufqdn/user@foo.bar.org
Depending on the srcid
and dstid
specifications in
iked.conf(5), keys
may be named after their IPv4 address, IPv6 address, fully qualified
domain name (FQDN) or user fully qualified domain name (UFQDN).
For example, iked
can
authenticate using the pre-generated keys if the local public key, by
default /etc/iked/local.pub, is
copied to the remote gateway as
/etc/iked/pubkeys/ipv4/local.gateway.ip.address
and the remote gateway's public key is copied to the local gateway
as
/etc/iked/pubkeys/ipv4/remote.gateway.ip.address.
Of course, new keys may also be generated (the user is not
required to use the pre-generated keys). In this example,
srcid
and
dstid
would also have to be set to the
specified addresses in
iked.conf(5).
FILES¶
- /etc/iked.conf
- The default
iked
configuration file. - /etc/iked/ca/
- The directory where CA certificates are kept.
- /etc/iked/certs/
- The directory where IKE certificates are kept, both the local certificate(s) and those of the peers, if a choice to have them kept permanently has been made.
- /etc/iked/crls/
- The directory where CRLs are kept.
- /etc/iked/private/
- The directory where local private keys used for public key authentication are kept. The file local.key is used to store the local private key.
- /etc/iked/pubkeys/
- The directory in which trusted public keys are kept. The keys must be named in the fashion described above.
- /var/run/iked.sock
- The default
iked
control socket.
SEE ALSO¶
STANDARDS¶
C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen, Internet Key Exchange Protocol Version 2 (IKEv2), RFC 7296, October 2014.
HISTORY¶
The iked
program first
appeared in OpenBSD
4.8.
AUTHORS¶
The iked
program was
written by Reyk Floeter
<reyk@openbsd.org>.
November 29, 2021 | Debian |