iked —
Internet
Key Exchange version 2 (IKEv2) daemon
| iked |
[-6dnSTtv]
[-D
macro=value]
[-f
file] |
iked is an Internet Key Exchange (IKEv2) daemon
which performs mutual authentication and which establishes and maintains IPsec
flows and security associations (SAs) between the two peers.
The IKEv2 protocol is defined in RFC 5996, which combines and updates the
previous standards: ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and the Internet
DOI (RFC 2407).
iked only supports the IKEv2
protocol; support for ISAKMP/Oakley and IKEv1 is provided by
isakmpd(8).
iked supports mutual authentication using RSA or
ECDSA public keys and X.509 certificates. See the
PUBLIC KEY
AUTHENTICATION section below and PKI AND CERTIFICATE AUTHORITY COMMANDS in
ikectl(8) for more information
about creating and maintaining the public key infrastructure.
The options are as follows:
-
-
- -6
- Disable automatic blocking of IPv6 traffic. By default,
iked blocks any IPv6 traffic unless a flow
for this address family has been negotiated. This option is used to
prevent VPN traffic leakages on dual stack hosts.
-
-
- -D
macro=value
- Define macro to be set to
value on the command line. Overrides the
definition of macro in the configuration
file.
-
-
- -d
- Do not daemonize and log to
stderr.
-
-
- -f
file
- Use file as the
configuration file, instead of the default
/etc/iked.conf.
-
-
- -n
- Configtest mode. Only check the configuration file for
validity.
-
-
- -S
- Start iked in passive mode.
See the set passive option in
iked.conf(5) for more
information.
-
-
- -T
- Disable NAT-Traversal and do not propose NAT-Traversal
support to the peers.
-
-
- -t
- Enforce NAT-Traversal and only listen to NAT-Traversal
messages. This option is only recommended for testing; the default is to
negotiate NAT-Traversal with the peers.
-
-
- -v
- Produce more verbose output.
It is possible to store trusted public keys to make them directly usable by
iked, bypassing the need to use certificates. The
keys should be saved in PEM format (see
openssl(1)) and named and
stored as follows:
- For IPv4 identities:
- /etc/iked/pubkeys/ipv4/A.B.C.D
- For IPv6 identities:
- /etc/iked/pubkeys/ipv6/abcd:abcd::ab:bc
- For FQDN identities:
- /etc/iked/pubkeys/fqdn/foo.bar.org
- For UFQDN identities:
- /etc/iked/pubkeys/ufqdn/user@foo.bar.org
Depending on the
srcid and
dstid specifications in
iked.conf(5), keys may be
named after their IPv4 address, IPv6 address, fully qualified domain name
(FQDN) or user fully qualified domain name (UFQDN).
For example,
iked can authenticate using the
pre-generated keys if the local public key, by default
/etc/iked/local.pub, is copied to the remote
gateway as
/etc/iked/pubkeys/ipv4/local.gateway.ip.address
and the remote gateway's public key is copied to the local gateway as
/etc/iked/pubkeys/ipv4/remote.gateway.ip.address.
Of course, new keys may also be generated (the user is not required to use the
pre-generated keys). In this example,
srcid and
dstid would also have to be set to the specified
addresses in
iked.conf(5).
- /etc/iked.conf
- The default iked configuration
file.
- /etc/iked/ca/
- The directory where CA certificates are kept.
- /etc/iked/certs/
- The directory where IKE certificates are kept, both the
local certificate(s) and those of the peers, if a choice to have them kept
permanently has been made.
- /etc/iked/crls/
- The directory where CRLs are kept.
- /etc/iked/private/
- The directory where local private keys used for public key
authentication are kept. The file local.key
is used to store the local private key.
- /etc/iked/pubkeys/
- The directory in which trusted public keys are kept. The
keys must be named in the fashion described above.
- /var/run/iked.sock
- The default iked control
socket.
iked.conf(5),
ikectl(8),
isakmpd(8)
C. Kaufman,
P. Hoffman, Y. Nir, and
P. Eronen, Internet Key Exchange
Protocol Version 2 (IKEv2), RFC 5996,
September 2010.
The
iked program first appeared in
OpenBSD 4.8.
The
iked program was written by
Reyk Floeter
<
reyk@openbsd.org>.
![[OpenBSD]](/openbsd.gif){kind=small}