|ISAKMPD(8)||System Manager's Manual||ISAKMPD(8)|
ISAKMP/Oakley a.k.a. IKEv1 key management daemon
isakmpd daemon establishes Security
Associations (SAs) for encrypted and/or authenticated network traffic. At
this moment, and probably forever, this means
ipsec(4) traffic. Traditionally,
isakmpd was configured using the
isakmpd.conf(5) file format. A
newer, much simpler format is now available:
isakmpd implements the IKEv1 protocol
which is defined in the standards ISAKMP/Oakley (RFC 2408), IKE (RFC 2409),
and the Internet DOI (RFC 2407). The newer IKEv2 protocol, as defined in RFC
5996, is not supported by
isakmpd but by
iked(8). It follows then that references to
IKE in this document pertain to IKEv1 only, and not IKEv2.
isakmpd goes about its work is by
maintaining an internal configuration as well as a policy database which
describes what kinds of SAs to negotiate, and by listening for different
events that trigger these negotiations. The events that control
isakmpd consist of negotiation initiations from a
remote party, user input via a FIFO or by signals, upcalls from the kernel
PF_KEY socket, and lastly by scheduled events
triggered by timers running out.
Most uses of
isakmpd will be to implement
so called "virtual private networks" (VPNs). The ability to
provide redundancy is made available through
sasyncd(8). For other uses, some more
knowledge of IKEv1 as a protocol is required. The RFCs mentioned below are a
possible starting point.
isakmpd forks into two
processes for privilege separation. The unprivileged child jails itself with
/var/empty. The privileged process communicates with
the child, reads configuration files and PKI information, and binds to
privileged ports on its behalf. See the
CAVEATS section below.
The options are as follows:
isakmpdwill use. The default is to use both IPv4 and IPv6.
isakmpddoes not set up flows automatically. Instead manual flows may be configured using ipsec.conf(5) or by programs such as bgpd(8). Thus
isakmpdonly takes care of SA establishment.
-coption specifies an alternate configuration file instead of /etc/isakmpd/isakmpd.conf. As this file may contain sensitive information, it must be readable only by the user running the daemon.
isakmpdwill reread the configuration file when sent a
Valid values for class are as follows:
Currently used values for level are 0 to 99.
-doption is used to make the daemon run in the foreground, logging to stderr.
-foption specifies the FIFO (a.k.a. named pipe) where the daemon listens for user requests. If the path given is a dash (‘-’),
isakmpdwill listen to stdin instead.
-ioption. Note that only paths beginning with /var/run are allowed.
isakmpddoes not read the policy configuration file and no keynote(4) policy check is accomplished. This option can be used when policies for flows and SA establishment are arranged by other programs like ipsecctl(8) or bgpd(8).
isakmpdwill write an unencrypted copy of the negotiation packets it is sending and receiving to the file /var/run/isakmpd.pcap, which can later be read by tcpdump(8) and other utilities using pcap_open_offline(3).
-Labove, but capture to a specified file. Note that only paths beginning with /var/run are allowed.
-Noption specifies the listen port for encapsulated UDP that the daemon will bind to.
-noption is given, the kernel will not take part in the negotiations. This is a non-destructive mode, so to speak, in that it won't alter any SAs in the IPsec stack.
-poption specifies the listen port the daemon will bind to.
SIGUSR1, it will report its internal state to a report file, normally /var/run/isakmpd.report, but this can be changed by feeding the file name as an argument to the
-Rflag. Note that only paths beginning with /var/run are allowed.
isakmpdstarts in passive mode and will not initiate any connections or process any incoming traffic until sasyncd has determined that the host is the carp master. Additionally,
isakmpdwill not delete SAs on shutdown by sending delete messages to all peers.
isakmpdwill not advertise support for NAT-Traversal to its peers.
isakmpdis silent and outputs only messages when a warning or an error occurs. With verbose logging
isakmpdreports successful completion of phase 1 (Main and Aggressive) and phase 2 (Quick) exchanges (Information and Transaction exchanges do not generate any additional status information).
isakmpd starts, it creates a FIFO
(named pipe) where it listens for user requests. All commands start with a
single letter, followed by command-specific options. Available commands
C set[section]:tag=value [
isakmpdconfiguration atomically. ‘set’ sets a configuration value consisting of a section, tag, and value triplet. ‘set’ will fail if the configuration already contains a section with the named tag; use the ‘force’ option to change this behaviour. ‘add’ appends a configuration value to the named configuration list tag, unless the value is already in the list. ‘rm’ removes a tag in a section. ‘rms’ removes an entire section. ‘rmv’ removes an entry from a list, thus reversing an ‘add’ operation.
SIGHUP or an "R" through the FIFO will
void any updates done to the configuration.
D Ttoggles all debug classes to level zero. Another
D Tcommand will toggle them back to the earlier levels.
isakmpdto active or passive mode. In passive mode no packets are sent to peers.
isakmpdshould capture the packets to (the default is /var/run/isakmpd.pcap). Note that only paths beginning with /var/run are allowed.
isakmpd, as when sent a
isakmpdinternal state to syslog(3). See the
-Roption. Same as when sent a
In order to use public key based authentication, there has to be
an infrastructure managing the key signing. Either there is an already
isakmpd should take part in, or there
will be a need to set one up. The procedures for using a pre-existing PKI
varies depending on the actual Certificate Authority (CA) used, and is
therefore not covered here, other than mentioning that
openssl(1) needs to be used to create a
Certificate Signing Request (CSR) that the CA understands.
A number of methods exist to allow authentication:
isakmpd for key- and
certificate-based authentication, the “Transforms” tag in
isakmpd.conf(5) should include
“RSA_SIG”. For example, the transform
“3DES-SHA-RSA_SIG” means: 3DES encryption, SHA hash,
authentication using RSA signatures.
It is possible to store trusted public keys to make them directly
isakmpd, bypassing the need to use
certificates. The keys should be saved in PEM format (see
openssl(1)) and named and stored after
this easy formula:
Depending on the
ID-type field of
isakmpd.conf(5), keys may be named
after their IPv4 address (IPV4_ADDR or IPV4_ADDR_SUBNET), IPv6 address
(IPV6_ADDR or IPV6_ADDR_SUBNET), fully qualified domain name (FDQN), user
fully qualified domain name (USER_FQDN), or key ID (KEY_ID).
isakmpd can authenticate
using the pre-generated keys if the local public key, by default
/etc/isakmpd/local.pub, is copied to the remote
and the remote gateway's public key is copied to the local gateway as
Of course, new keys may also be generated (the user is not required to use
the pre-generated keys). In this example,
would also have to be set to IPV4_ADDR or IPV4_ADDR_SUBNET in
X.509 is a framework for public key certificates. Certificates can be generated using openssl(1) and provide a means for PKI authentication. In the following example, a CA is created along with host certificates to be signed by the CA.
First, create a private key for the CA, and a Certificate Signing Request (CSR) to enable the CA to sign its own key:
# openssl genrsa -out /etc/ssl/private/ca.key 2048 # openssl req -new -key /etc/ssl/private/ca.key \ -out /etc/ssl/private/ca.csr
openssl req will prompt for
information that will be incorporated into the certificate request. The
information entered comprises a Distinguished Name (DN). There are quite
a few fields, but some can be left blank. For some fields there will be
a default value; if ‘.’ is entered, the field will be left
After the CSR has been generated, it is used to create and sign a certificate for the CA:
# openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \ -signkey /etc/ssl/private/ca.key \ -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA \ -out /etc/ssl/ca.crt
This step, as well as the next one, needs to be done for every peer. Furthermore the last step will need to be done once for each ID you want the peer to have. The 10.0.0.1 below symbolizes that ID, in this case an IPv4 ID, and should be changed for each invocation. A fully qualified domain name (FQDN) may be used instead of an IPv4 ID. You will be asked for a DN for each run. Encoding the ID in the common name is recommended, as it should be unique.
# openssl req -new -key /etc/isakmpd/private/local.key \ -out /etc/isakmpd/private/10.0.0.1.csr
Now take these certificate signing requests to your CA and
process them as below. A configuration file is used to add a
subjectAltName extension field matching the ID used by
isakmpd to the certificate.
If using an IPv4 ID, copy
/etc/ssl/x509v3.cnf to a temporary file and edit
it to replace
$ENV::CERTIP with the IP address
(10.0.0.1 in this example), then generate a signed certificate:
# sed 's,\$ENV::CERTIP,10.0.0.1,' \ < /etc/ssl/x509v3.cnf > ~/tmp_x509v3.cnf # openssl x509 -req \ -days 365 -in 10.0.0.1.csr \ -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \ -CAcreateserial -extfile ~/tmp_x509v3.cnf \ -extensions x509v3_IPAddr -out 10.0.0.1.crt
For an FQDN certificate, replace
$ENV::CERTFQDN with the hostname and generate a
# sed 's,\$ENV::CERTFQDN,somehost.somedomain,' \ < /etc/ssl/x509v3.cnf > ~/tmp_x509v3.cnf # openssl x509 -req \ -days 365 -in somehost.somedomain.csr \ -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \ -CAcreateserial -extfile ~/tmp_x509v3.cnf \ -extensions x509v3_FQDN -out somehost.somedomain.crt
If CERTFQDN is being used, make sure that the
subjectAltName field of the certificate is
ipsec.conf(5). A similar setup
will be required if
isakmpd.conf(5) is being used
Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/ on your local system. Also carry over the CA cert /etc/ssl/ca.crt and put it in /etc/isakmpd/ca/.
To revoke certificates, create a Certificate Revocation List (CRL) file and install it in the /etc/isakmpd/crls/ directory. See openssl(1) and the ‘crl’ subcommand for more info.
D. Piper, The Internet IP Security Domain of Interpretation for ISAKMP, RFC 2407, November 1998.
D. Maughan, M. Schertler, M. Schneider, and J. Turner, Internet Security Association and Key Management Protocol (ISAKMP), RFC 2408, November 1998.
D. Harkins and D. Carrel, The Internet Key Exchange (IKE), RFC 2409, November 1998.
T. Kivinen, B. Swander, A. Huttunen, and V. Volpe, Negotiation of NAT-Traversal in the IKE, RFC 3947, January 2005.
This implementation of the ISAKMP/Oakley key management protocol was done in 1998 by Niklas Hallqvist and Niels Provos, sponsored by Ericsson Radio Systems.
When storing a trusted public key for an IPv6 identity, the
most efficient form of address representation, i.e.
"::" instead of ":0:0:0:", must be used or the matching
isakmpd uses the output from
getnameinfo(3) for the
address-to-name translation. The privileged process only allows binding to
the default port 500 or unprivileged ports (>1024). It is not possible to
change the interfaces
isakmpd listens on without a
For redundant setups with carp(4)
sasyncd(8) must be manually restarted
isakmpd is restarted, and
isakmpd.conf(5) must explicitly
isakmpd to listen on the virtual IP
address of each carp(4) interface.
|August 30, 2019||OpenBSD-current|