IKED(8)                   BSD System Manager's Manual                  IKED(8)


NAME

     iked — Internet Key Exchange protocol daemon


SYNOPSIS

     iked [-46hvFV] [-f configfile] [-l logfile] [-p port] [-I peer-address]
          [-S selector-index] [-d] [-D level] [-P outfile]


DESCRIPTION

     iked is a key management daemon which supports the Internet Key Exchange
     (IKE) protocol version 1 (RFC2409) and version 2 (RFC4306).  It is driven
     by upcalls from the kernel via the PF_KEYv2 interface or by negotiation
     requests from remote peers, and manages IPsec SAs according to
     racoon2.conf.

     The following options are available:

     -4      Use IPv4 addresses only for local sockets.

     -6      Use IPv6 addresses only for local sockets.

     -d      Increase the debugging level.  This flag may occur multiple
             times.

     -f configfile
             Read the configuration from the specified file.

     -I peer-address
             Immediately initiate negotiation with the specified peer.

     -S selector-index
             Immediately initiate negotiation using the specified selector.

     -h      Show a short help message.

     -l logfile
             Write the log to logfile instead of syslog.

     -p portnum
             Specify the default port number for IKE sockets.

     -v      Write the log to stdout in addition to syslog.

     -D level
             Set the debug flag value.

     -F      Run in the foreground.  iked does not detach itself from the
             terminal and does not become a daemon.  Logs are written to
             stderr.

     -P outfile
             Record the unencrypted IKE packets to outfile.  This option is
             available only if iked was compiled with the --enable-pcap
             configure option.

     -V      Show the version.

     Upon receiving SIGINT or SIGTERM, iked shuts down its IKEv2 IKE_SAs with
     peer nodes by sending an Informational exchange carrying a Delete
     payload, deletes the relevant IPsec SAs, and then exits.  Upon receiving
     SIGHUP, iked similarly shuts down its IKEv2 IKE_SAs and deletes the
     relevant IPsec SAs, then reloads the configuration file.

     IPsec policies are managed by spmd(8), which therefore must be started
     before iked.  When spmd(8) restarts, iked needs to be reloaded to
     reconnect with it.


FILES

     @sysconfdir@/racoon2.conf
                        The default configuration file for racoon2.
     /var/run/iked.pid  The PID file of the current instance of the daemon.


SEE ALSO

     racoon2(7), racoon2.conf(5), spmd(8), kinkd(8), ipsec(4)

     The Internet Key Exchange (IKE), RFC2409, November 1998.

     Internet Key Exchange (IKEv2) Protocol, RFC4306, December 2005.


HISTORY

     The iked command was developed for racoon2 in 2004-2005.


AUTHORS

     iked was written and is maintained by the WIDE/racoon2 project,
     http://www.racoon2.wide.ad.jp/


ACKNOWLEDGEMENTS

     Part of the code is derived from the ipsec-tools racoon daemon, which
     was derived from the KAME racoon daemon.


BUGS

     The "default" clause of the configuration file is used for two purposes:
     to provide default values for individual fields in other sections of the
     configuration, and to specify the default kmp configuration when the
     responder receives a message from an unknown peer.  In the latter case,
     when the "default" clause lacks some necessary fields, the error message
     may be cryptic, since the clause is not checked by the configuration
     check routine of iked.  (Probably it will result in "no proposal
     chosen".)

     On FreeBSD/NetBSD, when an IPsec SA expires because its lifetime has
     elapsed, the kernel does not notify iked about the SA expiration.  To
     remedy this, iked maintains its own expiration timer for each IPsec SA.
     Since iked cannot know how many bytes have been used for the SA,
     lifetime_bytes in the configuration is ignored for now.

     SA bundles (e.g. AH+ESP) do not conform to the protocol specification.

     After rekeying an IKE_SA, iked may emit some warning messages if the
     rekey negotiation or delete request was started from both ends at once.

RACOON2                         August 18, 2006                        RACOON2