|IKED(8)||System Manager's Manual||IKED(8)|
iked — Internet
Key Exchange version 2 (IKEv2) daemon
iked is an Internet Key Exchange (IKEv2)
daemon which performs mutual authentication and which establishes and
maintains IPsec flows and security associations (SAs) between the two
The IKEv2 protocol is defined in RFC 5996, which combines and
updates the previous standards: ISAKMP/Oakley (RFC 2408), IKE (RFC 2409),
and the Internet DOI (RFC 2407).
iked only supports
the IKEv2 protocol; support for ISAKMP/Oakley and IKEv1 is provided by
iked supports mutual authentication using
RSA or ECDSA public keys and X.509 certificates. See the
AUTHENTICATION section below and PKI AND CERTIFICATE AUTHORITY COMMANDS
in ikectl(8) for more
information about creating and maintaining the public key
The options are as follows:
ikedblocks any IPv6 traffic unless a flow for this address family has been negotiated. This option is used to prevent VPN traffic leakages on dual stack hosts.
ikedin passive mode. See the
set passiveoption in iked.conf(5) for more information.
It is possible to store trusted public keys to make them directly
iked, bypassing the need to use
certificates. The keys should be saved in PEM format (see
openssl(1)) and named and
stored as follows:
Depending on the
dstid specifications in
iked.conf(5), keys may be
named after their IPv4 address, IPv6 address, fully qualified domain name
(FQDN) or user fully qualified domain name (UFQDN).
iked can authenticate using
the pre-generated keys if the local public key, by default
/etc/iked/local.pub, is copied to the remote gateway
and the remote gateway's public key is copied to the local gateway as
course, new keys may also be generated (the user is not required to use the
pre-generated keys). In this example,
dstid would also have to be set to the specified
C. Kaufman, P. Hoffman, Y. Nir, and P. Eronen, Internet Key Exchange Protocol Version 2 (IKEv2), RFC 5996, September 2010.
iked program first appeared in
iked program was written by
|March 27, 2017||OpenBSD-6.1|