|ISAKMPD(8)||System Manager's Manual||ISAKMPD(8)|
The isakmpd daemon establishes Security Associations (SAs) for encrypted and/or authenticated network traffic. At this moment, and probably forever, this means ipsec(4) traffic.
Traditionally, isakmpd was configured using the isakmpd.conf(5) file format. A newer, much simpler format is now available: ipsec.conf(5).
isakmpd implements the IKEv1 protocol which is defined in the standards ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and the Internet DOI (RFC 2407). The newer IKEv2 protocol, as defined in RFC 5996, is not supported by isakmpd but by iked(8). It follows then that references to IKE in this document pertain to IKEv1 only, and not IKEv2.
The way isakmpd goes about its work is by maintaining an internal configuration as well as a policy database which describes what kinds of SAs to negotiate, and by listening for different events that trigger these negotiations. The events that control isakmpd consist of negotiation initiations from a remote party, user input via a FIFO or by signals, upcalls from the kernel via a PF_KEY socket, and lastly by scheduled events triggered by timers running out.
Most uses of isakmpd will be to implement so-called "virtual private networks" (VPNs). The ability to provide redundancy is made available through carp(4) and sasyncd(8). For other uses, some more knowledge of IKEv1 as a protocol is required. The RFCs mentioned below are a possible starting point.
On startup isakmpd forks into two processes for privilege separation. The unprivileged child jails itself with chroot(8) to /var/empty. The privileged process communicates with the child, reads configuration files and PKI information, and binds to privileged ports on its behalf. See the CAVEATS section below.
The options are as follows:
isakmpd will use. The default is to use both IPv4 and IPv6.
isakmpd does not set up flows automatically. Instead manual flows may be configured using ipsec.conf(5) or by programs such as bgpd(8). Thus isakmpd only takes care of SA establishment.
-c option specifies an alternate configuration file instead of /etc/isakmpd/isakmpd.conf. As this file may contain sensitive information, it must be readable only by the user running the daemon. isakmpd will reread the configuration file when sent a SIGHUP signal. Note that this option applies only to configuration files in the isakmpd.conf(5) format, not those in the ipsec.conf(5) format.
-d option is used to make the daemon run in the foreground, logging to stderr.
-f option specifies the FIFO (a.k.a. named pipe) where the daemon listens for user requests. If the path given is a dash (‘-’), isakmpd will listen to stdin instead.
-i option. Note that only paths beginning with /var/run are allowed.
isakmpd does not read the policy configuration file and no keynote(4) policy check is accomplished. This option can be used when policies for flows and SA establishment are arranged by other programs like ipsecctl(8) or bgpd(8).
isakmpd will write an unencrypted copy of the negotiation packets it is sending and receiving to the file /var/run/isakmpd.pcap, which can later be read by tcpdump(8) and other utilities using pcap(3).
-L above, but capture to a specified file. Note that only paths beginning with /var/run are allowed.
-N option specifies the listen port for encapsulated UDP that the daemon will bind to.
-n option is given, the kernel will not take part in the negotiations. This is a non-destructive mode, so to speak, in that it won't alter any SAs in the IPsec stack.
-p option specifies the listen port the daemon will bind to.
SIGUSR1, it will report its internal state to a report file, normally /var/run/isakmpd.report, but this can be changed by feeding the file name as an argument to the -R flag. Note that only paths beginning with /var/run are allowed.
isakmpd starts in passive mode and will not initiate any connections or process any incoming traffic until sasyncd has determined that the host is the carp master. Additionally, isakmpd will not delete SAs on shutdown by sending delete messages to all peers.
isakmpd will not advertise support for NAT-Traversal to its peers.
isakmpd is silent and outputs only messages when a warning or an error occurs. With verbose logging isakmpd reports successful completion of phase 1 (Main and Aggressive) and phase 2 (Quick) exchanges (Information and Transaction exchanges do not generate any additional status information).
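The -c option above requires that the configuration file be readable only by the user running the daemon. One way to check that from the shell, as an added example that is not part of isakmpd or of this manual: the function names is_private and audit_private are made up for the illustration, and applying the same check to private key files goes beyond what the manual states.

```shell
#!/bin/sh
# Added example, not part of isakmpd: find sensitive files that anyone
# other than their owner can read, write or execute.

# is_private FILE [UID]
# Succeeds only if FILE is a regular file (symlinks are refused), has no
# group/other permission bits and, when UID is given, is owned by that
# numeric uid.
is_private() {
	f=$1
	want_uid=${2:-}
	[ -f "$f" ] && [ ! -L "$f" ] || return 1
	# "ls -ldn" prints the mode string in field 1 and the numeric owner in
	# field 3; characters 5-10 of the mode are the group and other triplets.
	ls -ldn -- "$f" | awk -v u="$want_uid" '
		NR == 1 { ok = (substr($1, 5, 6) == "------") && (u == "" || $3 == u) }
		END     { exit !ok }'
}

# audit_private UID FILE...
# Prints every existing FILE that fails is_private and returns the number
# of failures, so 0 means all of them are private. Missing files are
# skipped rather than reported.
audit_private() {
	uid=$1
	shift
	bad=0
	for p in "$@"; do
		[ -e "$p" ] || continue
		if ! is_private "$p" "$uid"; then
			echo "not private: $p"
			bad=$((bad + 1))
		fi
	done
	return "$bad"
}

# Stand-alone use, with paths this manual mentions (uid 0 is root):
#   sh audit.sh 0 /etc/isakmpd/isakmpd.conf /etc/isakmpd/private/local.key
[ "$#" -eq 0 ] || audit_private "$@"
```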
isakmpd starts, it creates a FIFO (named pipe) where it listens for user requests. All commands start with a single letter, followed by command-specific options. Available commands are:
isakmpd configuration atomically. ‘set’ sets a configuration value consisting of a section, tag, and value triplet. ‘set’ will fail if the configuration already contains a section with the named tag; use the ‘force’ option to change this behaviour. ‘add’ appends a configuration value to the named configuration list tag, unless the value is already in the list. ‘rm’ removes a tag in a section. ‘rms’ removes an entire section. ‘rmv’ removes an entry from a list, thus reversing an ‘add’ operation. NOTE: Sending SIGHUP or an "R" through the FIFO will void any updates done to the configuration.
D T toggles all debug classes to level zero. Another D T command will toggle them back to the earlier levels.
isakmpd to active or passive mode. In passive mode no packets are sent to peers.
isakmpd should capture the packets to (the default is /var/run/isakmpd.pcap). Note that only paths beginning with /var/run are allowed.
isakmpd, as when sent a
isakmpd internal state to syslog(3). See the -R option. Same as when sent a
isakmpd should take part in, or there will be a need to set one up. The procedures for using a pre-existing PKI vary depending on the actual Certificate Authority (CA) used, and are therefore not covered here, other than mentioning that openssl(1) needs to be used to create a Certificate Signing Request (CSR) that the CA understands. A number of methods exist to allow authentication:
isakmpd for key- and certificate-based authentication, the “Transforms” tag in isakmpd.conf(5) should include “RSA_SIG”. For example, the transform “3DES-SHA-RSA_SIG” means: 3DES encryption, SHA hash, authentication using RSA signatures.
isakmpd, bypassing the need to use certificates. The keys should be saved in PEM format (see openssl(1)) and named and stored after this easy formula:
ID-type field of isakmpd.conf(5), keys may be named after their IPv4 address (IPV4_ADDR or IPV4_ADDR_SUBNET), IPv6 address (IPV6_ADDR or IPV6_ADDR_SUBNET), fully qualified domain name (FQDN), user fully qualified domain name (USER_FQDN), or key ID (KEY_ID). For example, isakmpd can authenticate using the pre-generated keys if the local public key, by default /etc/isakmpd/local.pub, is copied to the remote gateway as /etc/isakmpd/pubkeys/ipv4/local.gateway.ip.address and the remote gateway's public key is copied to the local gateway as /etc/isakmpd/pubkeys/ipv4/remote.gateway.ip.address. Of course, new keys may also be generated (the user is not required to use the pre-generated keys). In this example, ID-type would also have to be set to IPV4_ADDR or IPV4_ADDR_SUBNET in isakmpd.conf(5).
openssl(1) and provide a means for PKI authentication. In the following example, a CA is created along with host certificates to be signed by the CA.
# openssl genrsa -out /etc/ssl/private/ca.key 2048
# openssl req -new -key /etc/ssl/private/ca.key \
    -out /etc/ssl/private/ca.csr
openssl req will prompt for information that will be incorporated into the certificate request. The information entered comprises a Distinguished Name (DN). There are quite a few fields, but some can be left blank. For some fields there will be a default value; if ‘.’ is entered, the field will be left blank. After the CSR has been generated, it is used to create and sign a certificate for the CA:
# openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \
    -signkey /etc/ssl/private/ca.key \
    -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA \
    -out /etc/ssl/ca.crt
# openssl req -new -key /etc/isakmpd/private/local.key \
    -out /etc/isakmpd/private/10.0.0.1.csr
isakmpd will use as the certificate identity. Copy /etc/ssl/x509v3.cnf to a temporary file and edit it to replace $ENV::CERTIP with 10.0.0.1, then run:
# openssl x509 -req \
    -days 365 -in 10.0.0.1.csr \
    -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
    -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
    -extensions x509v3_IPAddr -out 10.0.0.1.crt
$ENV::CERTIP with the hostname and run:
# openssl x509 -req \
    -days 365 -in somehost.somedomain.csr \
    -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
    -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
    -extensions x509v3_FQDN -out somehost.somedomain.crt
srcid in ipsec.conf(5). A similar setup will be required if isakmpd.conf(5) is being used instead. Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/ on your local system. Also carry over the CA cert /etc/ssl/ca.crt and put it in /etc/isakmpd/ca/.
isakmpd to authenticate. See keynote(4) for further information.
isakmpd uses the output from getnameinfo(3) for the address-to-name translation. The privileged process only allows binding to the default port 500 or unprivileged ports (>1024). It is not possible to change the interfaces isakmpd listens on without a restart. For redundant setups with carp(4) and sasyncd(8), sasyncd(8) must be manually restarted every time isakmpd is restarted, and isakmpd.conf(5) must explicitly configure isakmpd to listen on the virtual IP address of each carp(4) interface.
|April 17, 2018||OpenBSD-current|