1IKECTL(8)                 BSD System Manager's Manual                IKECTL(8)
2

NAME

4     ikectl — control the IKEv2 daemon
5

SYNOPSIS

7     ikectl [-q] [-s socket] command [arg ...]
8

DESCRIPTION

10     The ikectl program controls the iked(8) daemon and provides commands to
11     maintain a simple X.509 certificate authority (CA) for IKEv2 peers.
12
13     The options are as follows:
14
15     -q      Don't ask for confirmation of any default options.
16
17     -s socket
18             Use socket instead of the default /var/run/iked.sock to communi‐
19             cate with iked(8).
20

IKED CONTROL COMMANDS

22     The following commands are available to control iked(8):
23
24     active  Set iked(8) to active mode.
25
26     passive
27             Set iked(8) to passive mode.  In passive mode no packets are sent
28             to peers and no connections are initiated by iked(8).
29
30     couple  Load the negotiated security associations (SAs) and flows into
31             the kernel.
32
33     decouple
34             Unload the negotiated SAs and flows from the kernel.  This mode
35             is only useful for testing and debugging.
36
37     load filename
38             Reload the configuration from the specified file.
39
40     log brief
41             Disable verbose logging.
42
43     log verbose
44             Enable verbose logging.
45
46     monitor
47             Monitor internal messages of the iked(8) subsystems.
48
49     reload  Reload the configuration from the default configuration file.
50
51     reset all
52             Reset the running state.
53
54     reset ca
55             Reset the X.509 CA and certificate state.
56
57     reset policy
58             Flush the configured policies.
59
60     reset sa
61             Flush the running SAs.
62
63     reset user
64             Flush the local user database.
65
66     reset id ikeid
67             Delete all IKE SAs with matching ID.
68
69     show sa
70             Show internal state of active IKE SAs, Child SAs and IPsec flows.
71

PKI AND CERTIFICATE AUTHORITY COMMANDS

73     In order to use public key based authentication with IKEv2, a public key
74     infrastructure (PKI) has to be set up to create and sign the peer cer‐
75     tificates.  ikectl includes commands to simplify maintenance of the PKI
76     and to set up a simple certificate authority (CA) for iked(8) and its
77     peers.
78
79     The following commands are available to control the CA:
80
81     ca name create [password password]
82             Create a new certificate authority with the specified name.  The
83             command will prompt for a CA password unless it is specified with
84             the optional password argument.  The password will be saved in a
85             protected file ikeca.passwd in the CA directory and used for sub‐
86             sequent commands.
87
88     ca name delete
89             Delete the certificate authority with the specified name.
90
91     ca name export [peer peer] [password password]
92             Export the certificate authority with the specified name into the
93             current directory for transport to other systems.  This command
94             will create a compressed tarball called ca.tgz in the local di‐
95             rectory and optionally ca.zip if the ‘zip’ tool is installed.
96             The optional peer argument can be used to specify the address or
97             FQDN of the local gateway which will be written into a text file
98             peer.txt and included in the archives.
99
100     ca name install [path]
101             Install the certificate and Certificate Revocation List (CRL) for
102             CA name as the currently active CA or into the specified path.
103
104     ca name certificate host create [server | client | ocsp]
105             Create a private key and certificate for host and sign then with
106             the key of certificate authority with the specified name.
107
108             The certificate will be valid for client and server authentica‐
109             tion by default by setting both flags as the extended key usage
110             in the certificate; this can be restricted using the optional
111             server or client argument.  If the ocsp argument is specified the
112             extended key usage will be set for OCSP signing.
113
114     ca name certificate host delete
115             Deletes the private key and certificates associated with host.
116
117     ca name certificate host export [peer peer] [password password]
118             Export key files for host of the certificate authority with the
119             specified name into the current directory for transport to other
120             systems.  This command will create a compressed tarball host.tgz
121             in the local directory and optionally host.zip if the ‘zip’ tool
122             is installed.  The optional peer argument can be used to specify
123             the address or FQDN of the local gateway which will be written
124             into a text file peer.txt and included in the archives.
125
126     ca name certificate host install [path]
127             Install the private and public key for host into the active con‐
128             figuration or specified path.
129
130     ca name certificate host revoke
131             Revoke the certificate specified by host and generate a new Cer‐
132             tificate Revocation List (CRL).
133
134     show ca name certificates [host]
135             Display a listing of certificates associated with CA name or dis‐
136             play certificate details if host is specified.
137
138     ca name key host create
139             Create a private key for host if one does not already exist.
140
141     ca name key host install [path]
142             Install the private and public keys for host into the active con‐
143             figuration or specified path.
144
145     ca name key host delete
146             Delete the private key for host.
147
148     ca name key host import file
149             Source the private key for host from the named file.
150

FILES

152     /etc/iked/            Active configuration.
153     /etc/ssl/             Directory to store the CA files.
154     /usr/share/iked/      If this optional directory exists, ikectl will in‐
155                           clude the contents with the ca export commands.
156     /var/run/iked.sock    Default UNIX-domain socket used for communication
157                           with iked(8).
158

EXAMPLES

160     First create a new certificate authority:
161
162           # ikectl ca vpn create
163
164     Now create the certificates for the VPN peers.  The specified hostname,
165     either IP address or FQDN, will be saved in the signed certificate and
166     has to match the IKEv2 identity, or srcid, of the peers:
167
168           # ikectl ca vpn certificate 10.1.2.3 create
169           # ikectl ca vpn certificate 10.2.3.4 create
170           # ikectl ca vpn certificate 10.3.4.5 create
171
172     It is possible that the host that was used to create the CA is also one
173     of the VPN peers.  In this case you can install the peer and CA certifi‐
174     cates locally:
175
176           # ikectl ca vpn install
177           # ikectl ca vpn certificate 10.1.2.3 install
178
179     Now export the individual host key, the certificate and the CA certifi‐
180     cate to each other peer.  First run the export command to create tarballs
181     that include the required files:
182
183           # ikectl ca vpn certificate 10.2.3.4 export
184           # ikectl ca vpn certificate 10.3.4.5 export
185
186     These commands will produce two tarballs 10.2.3.4.tgz and 10.3.4.5.tgz.
187     Copy these tarballs over to the appropriate peers and extract them to the
188     /etc/iked/ directory:
189
190           10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz
191           10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz
192
193     ikectl will also create ‘zip’ archives 10.2.3.4.zip and 10.3.4.5.zip in
194     addition to the tarballs if the zip tool is found in /usr/local/bin/zip.
195     These archives can be exported to peers running Windows and will include
196     the certificates in a format that is supported by the OS.  The zip tool
197     can be installed from the OpenBSD packages or ports collection before
198     running the export commands, see packages(7) for more information.  For
199     example:
200
201           # pkg_add zip
202

SEE ALSO

204     packages(7), iked(8), ssl(8)
205

HISTORY

207     The ikectl program first appeared in OpenBSD 4.8.
208

AUTHORS

210     The ikectl program was written by Reyk Floeter <reyk@openbsd.org> and
211     Jonathan Gray <jsg@openbsd.org>.
212

CAVEATS

214     For ease of use, the ca commands maintain all peers' private keys on the
215     CA machine.  In contrast to a ‘real’ CA, it does not support signing of
216     public keys that have been imported from peers that do not want to expose
217     their private keys to the CA.
218
219BSD                             April 25, 2020                             BSD
Impressum