ISAKMPD(8) | System Manager's Manual | ISAKMPD(8) |
isakmpd
—
ISAKMP/Oakley a.k.a. IKEv1 key management daemon
isakmpd |
[-46adKLnSTv ] [-c
config-file] [-D
class=level]
[-f fifo]
[-i pid-file]
[-l packetlog-file]
[-N udpencap-port]
[-p listen-port]
[-R report-file] |
The isakmpd
daemon establishes Security
Associations (SAs) for encrypted and/or authenticated network traffic. At
this moment, and probably forever, this means
ipsec(4) traffic.
Traditionally, isakmpd
was configured using the
isakmpd.conf(5) file
format. A newer, much simpler format is now available:
ipsec.conf(5).
isakmpd
implements the IKEv1 protocol
which is defined in the standards ISAKMP/Oakley (RFC 2408), IKE (RFC 2409),
and the Internet DOI (RFC 2407). The newer IKEv2 protocol, as defined in RFC
5996, is not supported by isakmpd
but by
iked(8). It follows then that
references to IKE in this document pertain to IKEv1 only, and not IKEv2.
The way isakmpd
goes about its work is by
maintaining an internal configuration as well as a policy database which
describes what kinds of SAs to negotiate, and by listening for different
events that trigger these negotiations. The events that control
isakmpd
consist of negotiation initiations from a
remote party, user input via a FIFO or by signals, upcalls from the kernel
via a PF_KEY
socket, and lastly by scheduled events
triggered by timers running out.
Most uses of isakmpd
will be to implement
so called "virtual private networks" (VPNs). The ability to
provide redundancy is made available through
carp(4) and
sasyncd(8). For other uses,
some more knowledge of IKEv1 as a protocol is required. The RFCs mentioned
below are a possible starting point.
On startup isakmpd
forks into two
processes for privilege separation. The unprivileged child jails itself with
chroot(8) to
/var/empty. The privileged process communicates with
the child, reads configuration files and PKI information, and binds to
privileged ports on its behalf. See the
CAVEATS section below.
The options are as follows:
-4
|
-6
AF_INET
and/or AF_INET6
) isakmpd
will use. The default is to use both IPv4 and IPv6.-a
isakmpd
does not set up flows
automatically. Instead manual flows may be configured using
ipsec.conf(5) or by
programs such as bgpd(8).
Thus isakmpd
only takes care of SA
establishment.-c
config-file-c
option specifies an alternate
configuration file instead of
/etc/isakmpd/isakmpd.conf. As this file may
contain sensitive information, it must be readable only by the user
running the daemon. isakmpd
will reread the
configuration file when sent a SIGHUP
signal.
Note that this option applies only to configuration files in the isakmpd.conf(5) format, not those in the ipsec.conf(5) format.
-D
class=levelValid values for class are as follows:
Currently used values for level are 0 to 99.
-d
-d
option is used to make the daemon run in
the foreground, logging to stderr.-f
fifo-f
option specifies the FIFO (a.k.a. named
pipe) where the daemon listens for user requests. If the path given is a
dash (‘-’), isakmpd
will listen to
stdin instead.-i
pid-file-i
option. Note that only paths beginning with
/var/run are allowed.-K
isakmpd
does not read
the policy configuration file and no
keynote(4) policy check is
accomplished. This option can be used when policies for flows and SA
establishment are arranged by other programs like
ipsecctl(8) or
bgpd(8).-L
isakmpd
will write an unencrypted copy of the
negotiation packets it is sending and receiving to the file
/var/run/isakmpd.pcap, which can later be read by
tcpdump(8) and other
utilities using
pcap_open_offline(3).-l
packetlog-file-L
above, but capture to a specified
file. Note that only paths beginning with /var/run
are allowed.-N
udpencap-port-N
option specifies the listen port for
encapsulated UDP that the daemon will bind to.-n
-n
option is given, the kernel will not
take part in the negotiations. This is a non-destructive mode, so to
speak, in that it won't alter any SAs in the IPsec stack.-p
listen-port-p
option specifies the listen port the daemon
will bind to.-R
report-fileisakmpd
a
SIGUSR1
, it will report its internal state to a
report file, normally /var/run/isakmpd.report, but
this can be changed by feeding the file name as an argument to the
-R
flag. Note that only paths beginning with
/var/run are allowed.-S
isakmpd
starts in passive mode and
will not initiate any connections or process any incoming traffic until
sasyncd has determined that the host is the carp master. Additionally,
isakmpd
will not delete SAs on shutdown by sending
delete messages to all peers.-T
isakmpd
will not advertise support for
NAT-Traversal to its peers.-v
isakmpd
is
silent and outputs only messages when a warning or an error occurs. With
verbose logging isakmpd
reports successful
completion of phase 1 (Main and Aggressive) and phase 2 (Quick) exchanges
(Information and Transaction exchanges do not generate any additional
status information).When isakmpd
starts, it creates a FIFO
(named pipe) where it listens for user requests. All commands start with a
single letter, followed by command-specific options. Available commands
are:
C add
[section]:tag=valueC
rmv
[section]:tag=valueC rm
[section]:tagC
rms
[section]C
set
[section]:tag=value
[force
]isakmpd
configuration
atomically. ‘set’ sets a configuration value consisting of a
section, tag, and value triplet. ‘set’ will fail if the
configuration already contains a section with the named tag; use the
‘force’ option to change this behaviour. ‘add’
appends a configuration value to the named configuration list tag, unless
the value is already in the list. ‘rm’ removes a tag in a
section. ‘rms’ removes an entire section.
‘rmv’ removes an entry from a list, thus reversing an
‘add’ operation.
NOTE: Sending isakmpd
a
SIGHUP
or an "R" through the FIFO will
void any updates done to the configuration.
C
get
[section]:tagc
nameD
class levelD A
levelD T
D T
toggles all debug classes to level zero.
Another D T
command will toggle them back to the
earlier levels.
d
cookies msgidM
active
M
passive
isakmpd
to active or passive mode. In passive
mode no packets are sent to peers.
p on
[=path]p off
isakmpd
should capture the
packets to (the default is /var/run/isakmpd.pcap).
Note that only paths beginning with /var/run are
allowed.
Q
SIGTERM
signal.
R
isakmpd
, as when sent a
SIGHUP
signal.
r
isakmpd
internal state to
syslog(3). See the
-R
option. Same as when sent a
SIGUSR1
signal.
S
T
t
[phase] nameIn order to use public key based authentication, there has to be
an infrastructure managing the key signing. Either there is an already
existing PKI isakmpd
should take part in, or there
will be a need to set one up. The procedures for using a pre-existing PKI
varies depending on the actual Certificate Authority (CA) used, and is
therefore not covered here, other than mentioning that
openssl(1) needs to be used
to create a Certificate Signing Request (CSR) that the CA understands.
A number of methods exist to allow authentication:
When configuring isakmpd
for key- and
certificate-based authentication, the “Transforms” tag in
isakmpd.conf(5) should
include “RSA_SIG”. For example, the transform
“3DES-SHA-RSA_SIG” means: 3DES encryption, SHA hash,
authentication using RSA signatures.
It is possible to store trusted public keys to make them directly
usable by isakmpd
, bypassing the need to use
certificates. The keys should be saved in PEM format (see
openssl(1)) and named and
stored after this easy formula:
Depending on the ID-type
field of
isakmpd.conf(5), keys
may be named after their IPv4 address (IPV4_ADDR or IPV4_ADDR_SUBNET), IPv6
address (IPV6_ADDR or IPV6_ADDR_SUBNET), fully qualified domain name (FDQN),
user fully qualified domain name (USER_FQDN), or key ID (KEY_ID).
For example, isakmpd
can authenticate
using the pre-generated keys if the local public key, by default
/etc/isakmpd/local.pub, is copied to the remote
gateway as
/etc/isakmpd/pubkeys/ipv4/local.gateway.ip.address
and the remote gateway's public key is copied to the local gateway as
/etc/isakmpd/pubkeys/ipv4/remote.gateway.ip.address.
Of course, new keys may also be generated (the user is not required to use
the pre-generated keys). In this example, ID-type
would also have to be set to IPV4_ADDR or IPV4_ADDR_SUBNET in
isakmpd.conf(5).
X.509 is a framework for public key certificates. Certificates can be generated using openssl(1) and provide a means for PKI authentication. In the following example, a CA is created along with host certificates to be signed by the CA.
First, create a private key for the CA, and a Certificate Signing Request (CSR) to enable the CA to sign its own key:
# openssl genrsa -out /etc/ssl/private/ca.key 2048 # openssl req -new -key /etc/ssl/private/ca.key \ -out /etc/ssl/private/ca.csr
openssl req
will prompt for
information that will be incorporated into the certificate request. The
information entered comprises a Distinguished Name (DN). There are quite
a few fields, but some can be left blank. For some fields there will be
a default value; if ‘.’ is entered, the field will be left
blank.
After the CSR has been generated, it is used to create and sign a certificate for the CA:
# openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \ -signkey /etc/ssl/private/ca.key \ -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA \ -out /etc/ssl/ca.crt
This step, as well as the next one, needs to be done for every peer. Furthermore the last step will need to be done once for each ID you want the peer to have. The 10.0.0.1 below symbolizes that ID, in this case an IPv4 ID, and should be changed for each invocation. A fully qualified domain name (FQDN) may be used instead of an IPv4 ID. You will be asked for a DN for each run. Encoding the ID in the common name is recommended, as it should be unique.
# openssl req -new -key /etc/isakmpd/private/local.key \ -out /etc/isakmpd/private/10.0.0.1.csr
Now take these certificate signing
requests to your CA and process them as below. A configuration file is
used to add a
subjectAltName
extension field matching the ID used by isakmpd
to the certificate.
If using an IPv4 ID, copy
/etc/ssl/x509v3.cnf to a temporary file and edit
it to replace $ENV::CERTIP
with the IP address
(10.0.0.1 in this example), then generate a signed certificate:
# sed 's,\$ENV::CERTIP,10.0.0.1,' \ < /etc/ssl/x509v3.cnf > ~/tmp_x509v3.cnf # openssl x509 -req \ -days 365 -in 10.0.0.1.csr \ -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \ -CAcreateserial -extfile ~/tmp_x509v3.cnf \ -extensions x509v3_IPAddr -out 10.0.0.1.crt
For an FQDN certificate, replace
$ENV::CERTFQDN
with the hostname and generate a
signed certificate:
# sed 's,\$ENV::CERTFQDN,somehost.somedomain,' \ < /etc/ssl/x509v3.cnf > ~/tmp_x509v3.cnf # openssl x509 -req \ -days 365 -in somehost.somedomain.csr \ -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \ -CAcreateserial -extfile ~/tmp_x509v3.cnf \ -extensions x509v3_FQDN -out somehost.somedomain.crt
If CERTFQDN is being used, make sure that the
subjectAltName field of the certificate is
specified using srcid
in
ipsec.conf(5). A
similar setup will be required if
isakmpd.conf(5) is
being used instead.
Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/ on your local system. Also carry over the CA cert /etc/ssl/ca.crt and put it in /etc/isakmpd/ca/.
To revoke certificates, create a Certificate Revocation List (CRL) file and install it in the /etc/isakmpd/crls/ directory. See openssl(1) and the ‘crl’ subcommand for more info.
Keynote is a trust-management framework. Keys can be generated
using keynote(1) and provide
an alternative means for isakmpd
to authenticate.
See keynote(4) for further
information.
isakmpd
.isakmpd
.SIGUSR1
is
received.openssl(1), getnameinfo(3), pcap_open_offline(3), ipsec(4), ipsec.conf(5), isakmpd.conf(5), isakmpd.policy(5), iked(8), sasyncd(8), ssl(8), tcpdump(8)
D. Piper, The Internet IP Security Domain of Interpretation for ISAKMP, RFC 2407, November 1998.
D. Maughan, M. Schertler, M. Schneider, and J. Turner, Internet Security Association and Key Management Protocol (ISAKMP), RFC 2408, November 1998.
D. Harkins and D. Carrel, The Internet Key Exchange (IKE), RFC 2409, November 1998.
T. Kivinen, B. Swander, A. Huttunen, and V. Volpe, Negotiation of NAT-Traversal in the IKE, RFC 3947, January 2005.
This implementation of the ISAKMP/Oakley key management protocol was done in 1998 by Niklas Hallqvist and Niels Provos, sponsored by Ericsson Radio Systems.
When storing a trusted public key for an IPv6 identity, the
most
efficient form of address representation, i.e. "::"
instead of ":0:0:0:", must be used or the matching will fail.
isakmpd
uses the output from
getnameinfo(3) for the
address-to-name translation. The privileged process only allows binding to
the default port 500 or unprivileged ports (>1024). It is not possible to
change the interfaces isakmpd
listens on without a
restart.
For redundant setups with
carp(4) and
sasyncd(8),
sasyncd(8) must be manually
restarted every time isakmpd
is restarted, and
isakmpd.conf(5) must
explicitly configure isakmpd
to listen on the
virtual IP address of each
carp(4) interface.
August 30, 2019 | OpenBSD-6.7 |