|IKECTL(8)||System Manager's Manual||IKECTL(8)|
ikectlprogram controls the iked(8) daemon and provides commands to maintain a simple X.509 certificate authority (CA) for IKEv2 peers.
The options are as follows:
ikectlincludes commands to simplify maintenance of the PKI and to set up a simple certificate authority (CA) for iked(8) and its peers.
The following commands are available to control the CA:
The certificate will be valid for client and server
authentication by default by setting both flags as the extended key
usage in the certificate; this can be restricted using the optional
argument. If the
ocsp argument is specified the
extended key usage will be set for OCSP signing.
ikectlwill include the contents with the
# ikectl ca vpn create
Now create the certificates for the VPN peers. The specified hostname, either IP address or FQDN, will be saved in the signed certificate and has to match the IKEv2 identity, or srcid, of the peers:
# ikectl ca vpn certificate 10.1.2.3 create # ikectl ca vpn certificate 10.2.3.4 create # ikectl ca vpn certificate 10.3.4.5 create
It is possible that the host that was used to create the CA is also one of the VPN peers. In this case you can install the peer and CA certificates locally:
# ikectl ca vpn install # ikectl ca vpn certificate 10.1.2.3 install
Now export the individual host key, the certificate and the CA
certificate to each other peer. First run the
command to create tarballs that include the required files:
# ikectl ca vpn certificate 10.2.3.4 export # ikectl ca vpn certificate 10.3.4.5 export
These commands will produce two tarballs 10.2.3.4.tgz and 10.3.4.5.tgz. Copy these tarballs over to the appropriate peers and extract them to the /etc/iked/ directory:
10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz 10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz
ikectl will also create
‘zip’ archives 10.2.3.4.zip and 10.3.4.5.zip in addition to
the tarballs if the zip tool is found in
/usr/local/bin/zip. These archives can be exported
to peers running Windows and will include the certificates in a format that
is supported by the OS. The zip tool can be installed from the
OpenBSD packages or ports collection before running
export commands, see
packages(7) for more information. For
# pkg_add zip
ikectlprogram first appeared in OpenBSD 4.8.
ikectlprogram was written by Reyk Floeter <email@example.com> and
cacommands maintain all peers' private keys on the CA machine. In contrast to a ‘real’ CA, it does not support signing of public keys that have been imported from peers that do not want to expose their private keys to the CA.
|November 2, 2015||OpenBSD-current|