ISAKMPD(8) | System Manager's Manual | ISAKMPD(8) |

NAME
isakmpd —

SYNOPSIS
isakmpd [-46adKLnSTv] [-c config-file] [-D class=level] [-f fifo]
        [-i pid-file] [-l packetlog-file] [-N udpencap-port]
        [-p listen-port] [-R report-file]

DESCRIPTION
The isakmpd daemon establishes Security Associations (SAs) for encrypted and/or authenticated network traffic. At this moment, and probably forever, this means ipsec(4) traffic. Traditionally, isakmpd was configured using the isakmpd.conf(5) file format. A newer, much simpler format is now available: ipsec.conf(5).

isakmpd implements the IKEv1 protocol, which is defined in the standards ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and the Internet DOI (RFC 2407). The newer IKEv2 protocol, as defined in RFC 5996, is not supported by isakmpd but by iked(8). It follows that references to IKE in this document pertain to IKEv1 only, and not IKEv2.

The way isakmpd goes about its work is by maintaining an internal configuration as well as a policy database which describes what kinds of SAs to negotiate, and by listening for different events that trigger these negotiations. The events that control isakmpd consist of negotiation initiations from a remote party, user input via a FIFO or by signals, upcalls from the kernel via a PF_KEY socket, and lastly scheduled events triggered by timers running out.

Most uses of isakmpd will be to implement so-called "virtual private networks" (VPNs). The ability to provide redundancy is made available through carp(4) and sasyncd(8). For other uses, some more knowledge of IKEv1 as a protocol is required. The RFCs mentioned below are a possible starting point.

On startup isakmpd forks into two processes for privilege separation. The unprivileged child jails itself with chroot(8) to /var/empty. The privileged process communicates with the child, reads configuration files and PKI information, and binds to privileged ports on its behalf. See the CAVEATS section below.
The options are as follows:

-4 | -6
    Specifies the address families (AF_INET and/or AF_INET6) isakmpd will use. The default is to use both IPv4 and IPv6.

-a
    If this flag is given, isakmpd does not set up flows automatically. Instead, manual flows may be configured using ipsec.conf(5) or by programs such as bgpd(8). Thus isakmpd only takes care of SA establishment.

-c config-file
    The -c option specifies an alternate configuration file instead of /etc/isakmpd/isakmpd.conf. As this file may contain sensitive information, it must be readable only by the user running the daemon. isakmpd will reread the configuration file when sent a SIGHUP signal. Note that this option applies only to configuration files in the isakmpd.conf(5) format, not those in the ipsec.conf(5) format.

-D class=level
    Sets the debug level for the debug class class. Valid values for class are as follows:
    Currently used values for level are 0 to 99.

-d
    The -d option is used to make the daemon run in the foreground, logging to stderr.

-f fifo
    The -f option specifies the FIFO (a.k.a. named pipe) where the daemon listens for user requests. If the path given is a dash (‘-’), isakmpd will listen to stdin instead.

-i pid-file
    The file in which isakmpd records its process ID is given by the -i option. Note that only paths beginning with /var/run are allowed.

-K
    If this flag is given, isakmpd does not read the policy configuration file and no keynote(4) policy check is performed. This option can be used when policies for flows and SA establishment are arranged by other programs like ipsecctl(8) or bgpd(8).

-L
    If this flag is given, isakmpd will write an unencrypted copy of the negotiation packets it is sending and receiving to the file /var/run/isakmpd.pcap, which can later be read by tcpdump(8) and other utilities using pcap(3).

-l packetlog-file
    Like -L above, but capture to a specified file. Note that only paths beginning with /var/run are allowed.

-N udpencap-port
    The -N option specifies the listen port for encapsulated UDP that the daemon will bind to.

-n
    If the -n option is given, the kernel will not take part in the negotiations. This is a non-destructive mode, so to speak, in that it won't alter any SAs in the IPsec stack.

-p listen-port
    The -p option specifies the listen port the daemon will bind to.

-R report-file
    If isakmpd is sent a SIGUSR1, it will report its internal state to a report file, normally /var/run/isakmpd.report, but this can be changed by feeding the file name as an argument to the -R flag. Note that only paths beginning with /var/run are allowed.

-S
    If this flag is given, isakmpd starts in passive mode and will not initiate any connections or process any incoming traffic until sasyncd has determined that the host is the carp master. Additionally, isakmpd will not delete SAs on shutdown by sending delete messages to all peers.

-T
    If this flag is given, isakmpd will not advertise support for NAT-Traversal to its peers.

-v
    Enables verbose logging. By default isakmpd is silent and outputs only messages when a warning or an error occurs. With verbose logging isakmpd reports successful completion of phase 1 (Main and Aggressive) and phase 2 (Quick) exchanges (Information and Transaction exchanges do not generate any additional
    status information).

When isakmpd starts, it creates a FIFO (named pipe) where it listens for user requests. All commands start with a single letter, followed by command-specific options. Available commands are:

C add [section]:tag=value
C rmv [section]:tag=value
C rm [section]:tag
C rms [section]
C set [section]:tag=value [force]
    Changes the isakmpd configuration atomically. ‘set’ sets a configuration value consisting of a section, tag, and value triplet. ‘set’ will fail if the configuration already contains a section with the named tag; use the ‘force’ option to change this behaviour. ‘add’ appends a configuration value to the named configuration list tag, unless the value is already in the list. ‘rm’ removes a tag in a section. ‘rms’ removes an entire section. ‘rmv’ removes an entry from a list, thus reversing an ‘add’ operation.

    NOTE: Sending isakmpd a SIGHUP or an "R" through the FIFO will void any updates done to the configuration.

C get [section]:tag
    Reads the configuration value stored under tag in section.

c name

D class level
D A level
    Sets the debug level of the class class, or of all classes when A is given.

D T
    D T toggles all debug classes to level zero. Another D T command will toggle them back to the earlier levels.

d cookies msgid

M active
M passive
    Switches isakmpd to active or passive mode. In passive mode no packets are sent to peers.

p on [=path]
p off
    Turns packet capture on or off. The optional path names the file isakmpd should capture the packets to (the default is /var/run/isakmpd.pcap). Note that only paths beginning with /var/run are allowed.

Q
    Terminates isakmpd, as when sent a SIGTERM signal.

R
    Reconfigures isakmpd, as when sent a SIGHUP signal.

r
    Reports isakmpd's internal state to syslog(3). See the -R option. Same as when sent a SIGUSR1 signal.

S

T

t [phase] name

Certificate-based authentication requires a public key infrastructure (PKI) that either already exists and that isakmpd
should take part in, or there will be a need to set one up. The procedures for using a pre-existing PKI vary depending on the actual Certificate Authority (CA) used, and are therefore not covered here, other than mentioning that openssl(1) needs to be used to create a Certificate Signing Request (CSR) that the CA understands.

A number of methods exist to allow authentication:

When configuring isakmpd for key- and certificate-based authentication, the “Transforms” tag in isakmpd.conf(5) should include “RSA_SIG”. For example, the transform “3DES-SHA-RSA_SIG” means: 3DES encryption, SHA hash, authentication using RSA signatures.

Pre-generated public keys may be exchanged directly between the peers and used by isakmpd, bypassing the need to use certificates. The keys should be saved in PEM format (see openssl(1)) and named and stored after this easy formula: /etc/isakmpd/pubkeys/<ID-type>/<ID> (for IPv4 IDs, /etc/isakmpd/pubkeys/ipv4/<address>, as in the example below). Depending on the ID-type field of isakmpd.conf(5), keys may be named after their IPv4 address (IPV4_ADDR or IPV4_ADDR_SUBNET), IPv6 address (IPV6_ADDR or IPV6_ADDR_SUBNET), fully qualified domain name (FQDN), user fully qualified domain name (USER_FQDN), or key ID (KEY_ID).

For example, isakmpd can authenticate using the pre-generated keys if the local public key, by default /etc/isakmpd/local.pub, is copied to the remote gateway as /etc/isakmpd/pubkeys/ipv4/local.gateway.ip.address and the remote gateway's public key is copied to the local gateway as /etc/isakmpd/pubkeys/ipv4/remote.gateway.ip.address. Of course, new keys may also be generated (the user is not required to use the pre-generated keys). In this example, ID-type would also have to be set to IPV4_ADDR or IPV4_ADDR_SUBNET in isakmpd.conf(5).
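An added example, not part of the isakmpd manual, of installing a peer's pre-generated public key under the naming scheme just described. It handles only the IPv4 ID types the text shows, validates the ID before it becomes a file name so that an ID cannot place the key outside the pubkeys tree, lets openssl(1) confirm the file really is a PEM public key, and prefixes every path with ISAKMPD_ROOT (defaulting to a scratch directory) so it can be tried without touching /etc/isakmpd. The function names, the ISAKMPD_ROOT variable and the address 10.0.0.2 are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the isakmpd manual: install a peer's pre-generated
# public key under the pubkeys naming scheme, for the IPv4 ID types the manual
# shows. Requires openssl(1). ISAKMPD_ROOT is prepended to every path so the
# script can be exercised without touching /etc/isakmpd (default: a scratch dir).
set -e

ROOT="${ISAKMPD_ROOT:-$(mktemp -d)}"

# Map the isakmpd.conf(5) ID-type to the directory below /etc/isakmpd/pubkeys/.
# Only the IPv4 types are handled here; the other ID types are left out of
# this example rather than guessed at.
pubkey_subdir() {
    case "$1" in
        IPV4_ADDR|IPV4_ADDR_SUBNET) echo ipv4 ;;
        *) return 1 ;;
    esac
}

# The ID becomes a file name, so accept only a dotted quad: anything else
# (a "../" component, for instance) would place the key outside the tree.
valid_ipv4_id() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The manual requires PEM; let openssl(1) confirm the file parses as a public key.
is_pem_pubkey() {
    openssl pkey -pubin -in "$1" -noout 2>/dev/null
}

# install_peer_pubkey ID-TYPE ID PEMFILE: copy PEMFILE to
# $ROOT/etc/isakmpd/pubkeys/<subdir>/<ID> and print the destination path.
install_peer_pubkey() {
    subdir="$(pubkey_subdir "$1")" || return 1
    valid_ipv4_id "$2" || return 1
    is_pem_pubkey "$3" || return 1
    dest="$ROOT/etc/isakmpd/pubkeys/$subdir/$2"
    mkdir -p "$(dirname "$dest")"
    cp "$3" "$dest"
    chmod 0644 "$dest"            # a public key: readable, but not writable
    printf '%s\n' "$dest"
}

# Demonstration: generate a fresh key pair (the manual notes new keys may be
# generated instead of the pre-generated ones) and install its public half as
# the key of a remote gateway whose ID is the constructed address 10.0.0.2.
DEMO="$(mktemp -d)"
openssl genrsa -out "$DEMO/remote.key" 2048 2>/dev/null
openssl rsa -in "$DEMO/remote.key" -pubout -out "$DEMO/remote.pub" 2>/dev/null
install_peer_pubkey IPV4_ADDR 10.0.0.2 "$DEMO/remote.pub"
```

Run with ISAKMPD_ROOT=/ on the gateway itself to install for real; the ID-type argument must match the ID-type configured in isakmpd.conf(5), otherwise isakmpd will look in a different directory than the one the key was placed in.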
First, create a private key for the CA, and a Certificate Signing Request (CSR) to enable the CA to sign its own key:

    # openssl genrsa -out /etc/ssl/private/ca.key 2048
    # openssl req -new -key /etc/ssl/private/ca.key \
        -out /etc/ssl/private/ca.csr

openssl req will prompt for information that will be incorporated into the certificate request. The information entered comprises a Distinguished Name (DN). There are quite a few fields, but some can be left blank. For some fields there will be a default value; if ‘.’ is entered, the field will be left blank.

After the CSR has been generated, it is used to create and sign a certificate for the CA:

    # openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \
        -signkey /etc/ssl/private/ca.key \
        -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA \
        -out /etc/ssl/ca.crt

This step, as well as the next one, needs to be done for every peer. Furthermore, the last step will need to be done once for each ID you want the peer to have. The 10.0.0.1 below symbolizes that ID, in this case an IPv4 ID, and should be changed for each invocation. You will be asked for a DN for each run. Encoding the ID in the common name is recommended, as it should be unique.

    # openssl req -new -key /etc/isakmpd/private/local.key \
        -out /etc/isakmpd/private/10.0.0.1.csr

Now take these certificate signing requests to your CA and process them as below. A subjectAltName extension field should be added to the certificate. Replace 10.0.0.1 with the IP address which isakmpd will use as the certificate identity.

Copy /etc/ssl/x509v3.cnf to a temporary file and edit it to replace $ENV::CERTIP with 10.0.0.1, then run:

    # openssl x509 -req \
        -days 365 -in 10.0.0.1.csr \
        -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
        -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
        -extensions x509v3_IPAddr -out 10.0.0.1.crt

For a FQDN certificate, replace $ENV::CERTIP with the hostname and run:

    # openssl x509 -req \
        -days 365 -in somehost.somedomain.csr \
        -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
        -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
        -extensions x509v3_FQDN -out somehost.somedomain.crt

If CERTFQDN is being used, make sure that the subjectAltName field of the certificate is specified using srcid in ipsec.conf(5). A similar setup will be required if isakmpd.conf(5) is being used instead.

Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/ on your local system. Also carry over the CA cert /etc/ssl/ca.crt and put it in /etc/isakmpd/ca/.

To revoke certificates, create a Certificate Revocation List (CRL) file and install it in the /etc/isakmpd/crls/ directory. See openssl(1) and the ‘crl’ subcommand for more info.

keynote(4) policies may additionally be used by isakmpd to authenticate. See keynote(4) for further information.
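The CA and peer-certificate steps above, carried out end to end in a scratch directory, as an added example that is not part of the isakmpd manual. It assumes openssl(1) is installed, supplies the DN with -subj instead of answering the prompts, and stands in for /etc/ssl/x509v3.cnf with a minimal extension file whose subjectAltName is already set to the peer ID (the section names x509v3_CA and x509v3_IPAddr are the manual's; the extension contents, the function names and the CA name are this example's own assumptions). The two check functions verify what a peer holding the CA certificate in /etc/isakmpd/ca/ will rely on: that the certificate chains to the CA, and that its subjectAltName carries exactly the intended IP ID.

```shell
#!/bin/sh
# Added example, not part of the isakmpd manual: build a throwaway CA and an
# isakmpd peer certificate carrying an IP-address subjectAltName, then check
# the properties isakmpd relies on. Requires openssl(1). Everything lands in
# a scratch directory, never in /etc/ssl or /etc/isakmpd.
set -e

# Write a minimal stand-in for /etc/ssl/x509v3.cnf into $1 with the peer ID
# ($2) already substituted where the manual has $ENV::CERTIP. The section
# names x509v3_CA and x509v3_IPAddr follow the manual; the extension contents
# are this example's own assumptions.
write_ext_file() {
    cat > "$1" <<EOF
[ x509v3_CA ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ x509v3_IPAddr ]
basicConstraints = CA:false
keyUsage = digitalSignature
subjectAltName = IP:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# build_peer_pki DIR IP: the manual's CA and peer steps, non-interactively
# (-subj replaces the DN prompts; the ID is encoded in the CN as recommended).
build_peer_pki() {
    dir="$1"; ip="$2"
    mkdir -p "$dir"
    write_ext_file "$dir/x509v3.cnf" "$ip"

    # CA key, CSR and self-signed CA certificate
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=example isakmpd CA" \
        -out "$dir/ca.csr"
    openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/x509v3.cnf" -extensions x509v3_CA -out "$dir/ca.crt"

    # Peer key, one CSR per ID, and the CA-signed certificate for that ID
    openssl genrsa -out "$dir/local.key" 2048 2>/dev/null
    openssl req -new -key "$dir/local.key" -subj "/CN=$ip" -out "$dir/$ip.csr"
    openssl x509 -req -days 365 -in "$dir/$ip.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/x509v3.cnf" -extensions x509v3_IPAddr -out "$dir/$ip.crt"
}

# cert_chains_to_ca CA_CERT CERT: succeeds only if CERT verifies against
# CA_CERT, which is what a peer holding /etc/isakmpd/ca/ca.crt will check.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_ip_san CERT IP: succeeds only if the certificate's subjectAltName
# lists exactly this IP address as an ID (10.0.0.1 must not match 10.0.0.10,
# hence the trailing comma appended to every line before matching).
cert_has_ip_san() {
    esc="$(printf '%s' "$2" | sed 's/\./\\./g')"
    openssl x509 -in "$1" -noout -text | sed 's/$/,/' \
        | grep -qE "IP Address:${esc}[^0-9]"
}

# Demonstration run with the manual's sample ID 10.0.0.1 in a scratch directory.
WORK="$(mktemp -d)"
build_peer_pki "$WORK" 10.0.0.1 2>/dev/null
if cert_chains_to_ca "$WORK/ca.crt" "$WORK/10.0.0.1.crt" \
   && cert_has_ip_san "$WORK/10.0.0.1.crt" 10.0.0.1; then
    echo "ok: $WORK/10.0.0.1.crt chains to $WORK/ca.crt and carries IP:10.0.0.1"
fi
```

The subjectAltName check is the one worth keeping around: a certificate that chains correctly but names a different ID than the one isakmpd presents (or than the srcid in ipsec.conf(5)) is the usual cause of a phase 1 that fails after the CA setup itself looks fine.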
FILES
/etc/isakmpd/isakmpd.conf
    The default configuration file, in isakmpd.conf(5) format; see the -c option.
/var/run/isakmpd.pcap
    The default packet capture file written with -L or ‘p on’.
/var/run/isakmpd.report
    The default report file, written when a SIGUSR1 is received; see the -R option.

STANDARDS
D. Maughan, M. Schertler, M. Schneider, and J. Turner, Internet Security Association and Key Management Protocol (ISAKMP), RFC 2408, November 1998.

D. Harkins and D. Carrel, The Internet Key Exchange (IKE), RFC 2409, November 1998.

T. Kivinen, B. Swander, A. Huttunen, and V. Volpe, Negotiation of NAT-Traversal in the IKE, RFC 3947, January 2005.
CAVEATS
isakmpd uses the output from getnameinfo(3) for the address-to-name translation. The privileged process only allows binding to the default port 500 or unprivileged ports (>1024). It is not possible to change the interfaces isakmpd listens on without a restart.

For redundant setups with carp(4) and sasyncd(8), sasyncd(8) must be manually restarted every time isakmpd is restarted, and isakmpd.conf(5) must explicitly configure isakmpd to listen on the virtual IP address of each carp(4) interface.
April 17, 2018 | OpenBSD-current |