|ISAKMPD(8)||System Manager's Manual||ISAKMPD(8)|
isakmpddaemon establishes security associations for encrypted and/or authenticated network traffic. At this moment, and probably forever, this means ipsec(4) traffic. Traditionally,
isakmpdwas configured using the isakmpd.conf(5) file format. A newer, much simpler format is now available: ipsec.conf(5).
isakmpd implements the IKEv1
protocol which is defined in the standards ISAKMP/Oakley (RFC 2408), IKE
(RFC 2409), and the Internet DOI (RFC 2407). The newer IKEv2 protocol, as
defined in RFC 5996, is not supported by
isakmpd but by
iked(8). It follows
then that references to IKE in this document pertain to IKEv1 only, and not
isakmpd goes about its
work is by maintaining an internal configuration as well as a policy
database which describes what kinds of SAs to negotiate, and by listening
for different events that trigger these negotiations. The events that
isakmpd consist of negotiation
initiations from a remote party, user input via a FIFO or by signals,
upcalls from the kernel via a
socket, and lastly by scheduled events triggered by timers running out.
Most uses of
isakmpd will be to
implement so called "virtual private networks" (VPNs). The ability
to provide redundancy is made available through
other uses, some more knowledge of IKEv1 as a protocol is required. The RFCs
mentioned below are a possible starting point.
isakmpd forks into
two processes for privilege separation. The unprivileged child jails itself
with chroot(8) to
/var/empty. The privileged process
communicates with the child, reads configuration files and PKI information,
and binds to privileged ports on its behalf. See the
CAVEATS section below.
The options are as follows:
isakmpdwill use. The default is to use both IPv4 and IPv6.
isakmpddoes not set up flows automatically. Instead manual flows may be configured using ipsec.conf(5) or by programs such as bgpd(8). Thus
isakmpdonly takes care of SA establishment.
-coption specifies an alternate configuration file instead of /etc/isakmpd/isakmpd.conf. As this file may contain sensitive information, it must be readable only by the user running the daemon.
isakmpdwill reread the configuration file when sent a
Valid values for class are as follows:
Currently used values for level are 0 to 99.
-doption is used to make the daemon run in the foreground, logging to stderr.
-foption specifies the FIFO (a.k.a. named pipe) where the daemon listens for user requests. If the path given is a dash (‘-’),
isakmpdwill listen to stdin instead.
-ioption. Note that only paths beginning with /var/run are allowed.
isakmpddoes not read the policy configuration file and no keynote(4) policy check is accomplished. This option can be used when policies for flows and SA establishment are arranged by other programs like ipsecctl(8) or bgpd(8).
isakmpdwill write an unencrypted copy of the negotiation packets it is sending and receiving to the file /var/run/isakmpd.pcap, which can later be read by tcpdump(8) and other utilities using pcap(3).
-Labove, but capture to a specified file. Note that only paths beginning with /var/run are allowed.
-Noption specifies the listen port for encapsulated UDP that the daemon will bind to.
-noption is given, the kernel will not take part in the negotiations. This is a non-destructive mode, so to speak, in that it won't alter any SAs in the IPsec stack.
-poption specifies the listen port the daemon will bind to.
SIGUSR1, it will report its internal state to a report file, normally /var/run/isakmpd.report, but this can be changed by feeding the file name as an argument to the
-Rflag. Note that only paths beginning with /var/run are allowed.
isakmpdstarts in passive mode and will not initiate any connections or process any incoming traffic until sasyncd has determined that the host is the carp master. Additionally,
isakmpdwill not delete SAs on shutdown by sending delete messages to all peers.
isakmpdwill not advertise support for NAT-Traversal to its peers.
isakmpdis silent and outputs only messages when a warning or an error occurs. With verbose logging
isakmpdreports successful completion of phase 1 (Main and Aggressive) and phase 2 (Quick) exchanges (Information and Transaction exchanges do not generate any additional status information).
isakmpdstarts, it creates a FIFO (named pipe) where it listens for user requests. All commands start with a single letter, followed by command-specific options. Available commands are:
C set[section]:tag=value [
isakmpdconfiguration atomically. ‘set’ sets a configuration value consisting of a section, tag, and value triplet. ‘set’ will fail if the configuration already contains a section with the named tag; use the ‘force’ option to change this behaviour. ‘add’ appends a configuration value to the named configuration list tag, unless the value is already in the list. ‘rm’ removes a tag in a section. ‘rms’ removes an entire section. ‘rmv’ removes an entry from a list, thus reversing an ‘add’ operation.
SIGHUP or an "R" through
the FIFO will void any updates done to the configuration.
D Ttoggles all debug classes to level zero. Another
D Tcommand will toggle them back to the earlier levels.
isakmpdto active or passive mode. In passive mode no packets are sent to peers.
isakmpdshould capture the packets to (the default is /var/run/isakmpd.pcap). Note that only paths beginning with /var/run are allowed.
isakmpd, as when sent a
isakmpdinternal state to syslog(3). See the
-Roption. Same as when sent a
isakmpdshould take part in, or there will be a need to set one up. The procedures for using a pre-existing PKI varies depending on the actual Certificate Authority (CA) used, and is therefore not covered here, other than mentioning that openssl(1) needs to be used to create a Certificate Signing Request (CSR) that the CA understands.
A number of methods exist to allow authentication:
key- and certificate-based authentication, the “Transforms”
should include “RSA_SIG”. For example, the transform
“3DES-SHA-RSA_SIG” means: 3DES encryption, SHA hash,
authentication using RSA signatures.
isakmpd, bypassing the need to use certificates. The keys should be saved in PEM format (see openssl(1)) and named and stored after this easy formula:
Depending on the
keys may be named after their IPv4 address (IPV4_ADDR or IPV4_ADDR_SUBNET),
IPv6 address (IPV6_ADDR or IPV6_ADDR_SUBNET), fully qualified domain name
(FDQN), user fully qualified domain name (USER_FQDN), or key ID
authenticate using the pre-generated keys if the local public key, by
default /etc/isakmpd/local.pub, is copied
to the remote gateway as
and the remote gateway's public key is copied to the local gateway as
Of course, new keys may also be generated (the user is not required to use
the pre-generated keys). In this example,
ID-type would also have to be set to
IPV4_ADDR or IPV4_ADDR_SUBNET in
First, create a private key for the CA, and a Certificate Signing Request (CSR) to enable the CA to sign its own key:
# openssl genrsa -out /etc/ssl/private/ca.key 2048 # openssl req -new -key /etc/ssl/private/ca.key \ -out /etc/ssl/private/ca.csr
openssl req will prompt for
information that will be incorporated into the certificate request. The
information entered comprises a Distinguished Name (DN). There are quite
a few fields, but some can be left blank. For some fields there will be
a default value; if ‘.’ is entered, the field will be left
After the CSR has been generated, it is used to create and sign a certificate for the CA:
# openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \ -signkey /etc/ssl/private/ca.key \ -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA \ -out /etc/ssl/ca.crt
This step, as well as the next one, needs to be done for every peer. Furthermore the last step will need to be done once for each ID you want the peer to have. The 10.0.0.1 below symbolizes that ID, in this case an IPv4 ID, and should be changed for each invocation. You will be asked for a DN for each run. Encoding the ID in the common name is recommended, as it should be unique.
# openssl req -new -key /etc/isakmpd/private/local.key \ -out /etc/isakmpd/private/10.0.0.1.csr
Now take these certificate signing requests to your CA and
process them as below. A subjectAltName
extension field should be added to the certificate. Replace 10.0.0.1
with the IP address which
will use as the certificate identity.
Copy /etc/ssl/x509v3.cnf to
a temporary file and edit it to replace
$ENV::CERTIP with 10.0.0.1, then
# openssl x509 -req \ -days 365 -in 10.0.0.1.csr \ -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \ -CAcreateserial -extfile /etc/ssl/x509v3.cnf \ -extensions x509v3_IPAddr -out 10.0.0.1.crt
For a FQDN certificate, replace
$ENV::CERTIP with the hostname and
# openssl x509 -req \ -days 365 -in somehost.somedomain.csr \ -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \ -CAcreateserial -extfile /etc/ssl/x509v3.cnf \ -extensions x509v3_FQDN -out somehost.somedomain.crt
If CERTFQDN is being used, make sure that the
subjectAltName field of the certificate
is specified using
A similar setup will be required if
is being used instead.
Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/ on your local system. Also carry over the CA cert /etc/ssl/ca.crt and put it in /etc/isakmpd/ca/.
To revoke certificates, create a Certificate Revocation List (CRL) file and install it in the /etc/isakmpd/crls/ directory. See openssl(1) and the ‘crl’ subcommand for more info.keynote(1) and provide an alternative means for
isakmpdto authenticate. See keynote(4) for further information.
D. Maughan, M. Schertler, M. Schneider, and J. Turner, Internet Security Association and Key Management Protocol (ISAKMP), RFC 2408, November 1998.
D. Harkins and D. Carrel, The Internet Key Exchange (IKE), RFC 2409, November 1998.
T. Kivinen, B. Swander, A. Huttunen, and V. Volpe, Negotiation of NAT-Traversal in the IKE, RFC 3947, January 2005.
isakmpduses the output from getnameinfo(3) for the address-to-name translation. The privileged process only allows binding to the default port 500 or unprivileged ports (>1024). It is not possible to change the interfaces
isakmpdlistens on without a restart.
For redundant setups,
be manually restarted every time
|March 5, 2016||OpenBSD-6.1|