1IKECTL(8) BSD System Manager's Manual IKECTL(8)
2
4 ikectl — control the IKEv2 daemon
5
7 ikectl [-q] [-s socket] command [arg ...]
8
10 The ikectl program controls the iked(8) daemon and provides commands to
11 maintain a simple X.509 certificate authority (CA) for IKEv2 peers.
12 The options are as follows:
14 -q Don't ask for confirmation of any default options.
16 -s socket
18 Use socket instead of the default /var/run/iked.sock to communi‐
19 cate with iked(8).
20
22 The following commands are available to control iked(8):
23 active Set iked(8) to active mode.
25 passive
27 Set iked(8) to passive mode. In passive mode no packets are sent
28 to peers and no connections are initiated by iked(8).
29 couple Load the negotiated security associations (SAs) and flows into
31 the kernel.
32 decouple
34 Unload the negotiated SAs and flows from the kernel. This mode
35 is only useful for testing and debugging.
36 load filename
38 Reload the configuration from the specified file.
39 log brief
41 Disable verbose logging.
42 log verbose
44 Enable verbose logging.
45 monitor
47 Monitor internal messages of the iked(8) subsystems.
48 reload Reload the configuration from the default configuration file.
50 reset all
52 Reset the running state.
53 reset ca
55 Reset the X.509 CA and certificate state.
56 reset policy
58 Flush the configured policies.
59 reset sa
61 Flush the running SAs.
62 reset user
64 Flush the local user database.
65 reset id ikeid
67 Delete all IKE SAs with matching ID.
68 show sa
70 Show internal state of active IKE SAs, Child SAs and IPsec flows.
71
73 In order to use public key based authentication with IKEv2, a public key
74 infrastructure (PKI) has to be set up to create and sign the peer cer‐
75 tificates. ikectl includes commands to simplify maintenance of the PKI
76 and to set up a simple certificate authority (CA) for iked(8) and its
77 peers.
78 The following commands are available to control the CA:
80 ca name create [password password]
82 Create a new certificate authority with the specified name. The
83 command will prompt for a CA password unless it is specified with
84 the optional password argument. The password will be saved in a
85 protected file ikeca.passwd in the CA directory and used for sub‐
86 sequent commands.
87 ca name delete
89 Delete the certificate authority with the specified name.
90 ca name export [peer peer] [password password]
92 Export the certificate authority with the specified name into the
93 current directory for transport to other systems. This command
94 will create a compressed tarball called ca.tgz in the local di‐
95 rectory and optionally ca.zip if the ‘zip’ tool is installed.
96 The optional peer argument can be used to specify the address or
97 FQDN of the local gateway which will be written into a text file
98 peer.txt and included in the archives.
99 ca name install [path]
101 Install the certificate and Certificate Revocation List (CRL) for
102 CA name as the currently active CA or into the specified path.
103 ca name certificate host create [server | client | ocsp]
105 Create a private key and certificate for host and sign then with
106 the key of certificate authority with the specified name.
107 The certificate will be valid for client and server authentica‐
109 tion by default by setting both flags as the extended key usage
110 in the certificate; this can be restricted using the optional
111 server or client argument. If the ocsp argument is specified the
112 extended key usage will be set for OCSP signing.
113 ca name certificate host delete
115 Deletes the private key and certificates associated with host.
116 ca name certificate host export [peer peer] [password password]
118 Export key files for host of the certificate authority with the
119 specified name into the current directory for transport to other
120 systems. This command will create a compressed tarball host.tgz
121 in the local directory and optionally host.zip if the ‘zip’ tool
122 is installed. The optional peer argument can be used to specify
123 the address or FQDN of the local gateway which will be written
124 into a text file peer.txt and included in the archives.
125 ca name certificate host install [path]
127 Install the private and public key for host into the active con‐
128 figuration or specified path.
129 ca name certificate host revoke
131 Revoke the certificate specified by host and generate a new Cer‐
132 tificate Revocation List (CRL).
133 show ca name certificates [host]
135 Display a listing of certificates associated with CA name or dis‐
136 play certificate details if host is specified.
137 ca name key host create
139 Create a private key for host if one does not already exist.
140 ca name key host install [path]
142 Install the private and public keys for host into the active con‐
143 figuration or specified path.
144 ca name key host delete
146 Delete the private key for host.
147 ca name key host import file
149 Source the private key for host from the named file.
150
152 /etc/iked/ Active configuration.
153 /etc/ssl/ Directory to store the CA files.
154 /usr/share/iked/ If this optional directory exists, ikectl will in‐
155 clude the contents with the ca export commands.
156 /var/run/iked.sock Default UNIX-domain socket used for communication
157 with iked(8).
158
160 First create a new certificate authority:
161 # ikectl ca vpn create
163 Now create the certificates for the VPN peers. The specified hostname,
165 either IP address or FQDN, will be saved in the signed certificate and
166 has to match the IKEv2 identity, or srcid, of the peers:
167 # ikectl ca vpn certificate 10.1.2.3 create
169 # ikectl ca vpn certificate 10.2.3.4 create
170 # ikectl ca vpn certificate 10.3.4.5 create
171 It is possible that the host that was used to create the CA is also one
173 of the VPN peers. In this case you can install the peer and CA certifi‐
174 cates locally:
175 # ikectl ca vpn install
177 # ikectl ca vpn certificate 10.1.2.3 install
178 Now export the individual host key, the certificate and the CA certifi‐
180 cate to each other peer. First run the export command to create tarballs
181 that include the required files:
182 # ikectl ca vpn certificate 10.2.3.4 export
184 # ikectl ca vpn certificate 10.3.4.5 export
185 These commands will produce two tarballs 10.2.3.4.tgz and 10.3.4.5.tgz.
187 Copy these tarballs over to the appropriate peers and extract them to the
188 /etc/iked/ directory:
189 10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz
191 10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz
192 ikectl will also create ‘zip’ archives 10.2.3.4.zip and 10.3.4.5.zip in
194 addition to the tarballs if the zip tool is found in /usr/local/bin/zip.
195 These archives can be exported to peers running Windows and will include
196 the certificates in a format that is supported by the OS. The zip tool
197 can be installed from the OpenBSD packages or ports collection before
198 running the export commands, see packages(7) for more information. For
199 example:
200 # pkg_add zip
202
204 packages(7), iked(8), ssl(8)
205
207 The ikectl program first appeared in OpenBSD 4.8.
208
210 The ikectl program was written by Reyk Floeter <reyk@openbsd.org> and
211 Jonathan Gray <jsg@openbsd.org>.
212
214 For ease of use, the ca commands maintain all peers' private keys on the
215 CA machine. In contrast to a ‘real’ CA, it does not support signing of
216 public keys that have been imported from peers that do not want to expose
217 their private keys to the CA.
218BSD April 25, 2020 BSD