|IKED(8)||System Manager's Manual||IKED(8)|
ikedis an Internet Key Exchange (IKEv2) daemon which performs mutual authentication and which establishes and maintains IPsec flows and security associations (SAs) between the two peers. The IKEv2 protocol is defined in RFC 5996, which combines and updates the previous standards: ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and the Internet DOI (RFC 2407).
ikedonly supports the IKEv2 protocol; support for ISAKMP/Oakley and IKEv1 is provided by isakmpd(8).
ikedsupports mutual authentication using RSA or ECDSA public keys and X.509 certificates. See the PUBLIC KEY AUTHENTICATION section below and PKI AND CERTIFICATE AUTHORITY COMMANDS in ikectl(8) for more information about creating and maintaining the public key infrastructure. The options are as follows:
ikedblocks any IPv6 traffic unless a flow for this address family has been negotiated. This option disables VPN traffic leakage prevention on dual stack hosts (RFC 7359).
ikedin passive mode. See the
set passiveoption in iked.conf(5) for more information.
iked, bypassing the need to use certificates. The keys should be saved in PEM format (see openssl(1)) and named and stored as follows:
dstidspecifications in iked.conf(5), keys may be named after their IPv4 address, IPv6 address, fully qualified domain name (FQDN) or user fully qualified domain name (UFQDN). For example,
ikedcan authenticate using the pre-generated keys if the local public key, by default /etc/iked/local.pub, is copied to the remote gateway as /etc/iked/pubkeys/ipv4/local.gateway.ip.address and the remote gateway's public key is copied to the local gateway as /etc/iked/pubkeys/ipv4/remote.gateway.ip.address. Of course, new keys may also be generated (the user is not required to use the pre-generated keys). In this example,
dstidwould also have to be set to the specified addresses in iked.conf(5).
ikedprogram first appeared in OpenBSD 4.8.
ikedprogram was written by Reyk Floeter <email@example.com>.
|July 3, 2018||OpenBSD-current|