NAME
iked
—
Internet Key Exchange version 2 (IKEv2)
daemon
SYNOPSIS
iked |
[-6dnSTtv ] [-D
macro=value]
[-f file] |
DESCRIPTION
iked
is an Internet Key Exchange (IKEv2)
daemon which performs mutual authentication and which establishes and
maintains IPsec flows and security associations (SAs) between the two
peers.
The IKEv2 protocol is defined in RFC 5996, which combines and
updates the previous standards: ISAKMP/Oakley (RFC 2408), IKE (RFC 2409),
and the Internet DOI (RFC 2407). iked
only supports
the IKEv2 protocol; support for ISAKMP/Oakley and IKEv1 is provided by
isakmpd(8).
iked
supports mutual authentication using
RSA public keys and X.509 certificates. See the
FILES section below and
PKI AND
CERTIFICATE AUTHORITY COMMANDS in
ikectl(8) for more information about creating and maintaining the
public key infrastructure.
The options are as follows:
-6
- Disable automatic blocking of IPv6 traffic. By default,
iked
blocks any IPv6 traffic unless a flow for this address family has been negotiated. This option is used to prevent VPN traffic leakages on dual stack hosts. -D
macro=value- Define macro to be set to value on the command line. Overrides the definition of macro in the configuration file.
-d
- Do not daemonize and log to stderr.
-f
file- Use file as the configuration file, instead of the default /etc/iked.conf.
-n
- Configtest mode. Only check the configuration file for validity.
-S
- Start
iked
in passive mode. See theset passive
option in iked.conf(5) for more information. -T
- Disable NAT-Traversal and do not propose NAT-Traversal support to the peers.
-t
- Enforce NAT-Traversal and only listen to NAT-Traversal messages. This option is only recommended for testing; the default is to negotiate NAT-Traversal with the peers.
-v
- Produce more verbose output.
FILES
- /etc/iked.conf
- The default
iked
configuration file. - /etc/iked/ca/
- The directory where CA certificates are kept.
- /etc/iked/certs/
- The directory where IKE certificates are kept, both the local certificate(s) and those of the peers, if a choice to have them kept permanently has been made.
- /etc/iked/crls/
- The directory where CRLs are kept.
- /etc/iked/private/
- The directory where local private keys used for public key authentication are kept. The file local.key is used to store the local private key.
- /etc/iked/pubkeys/
- The directory in which trusted public keys are kept. The keys must be named in the fashion described above.
- /var/run/iked.sock
- The default
iked
control socket.
SEE ALSO
STANDARDS
C. Kaufman, P. Hoffman, Y. Nir, and P. Eronen, Internet Key Exchange Protocol Version 2 (IKEv2), RFC 5996, September 2010.
HISTORY
The iked
program first appeared in
OpenBSD 4.8.
AUTHORS
The iked
program was written by
Reyk Floeter ⟨reyk@openbsd.org⟩.
CAVEATS
iked
is not yet finished and is missing
some important security features. It should not yet be used in production
networks.