1IKED(8)                   BSD System Manager's Manual                  IKED(8)
2

NAME

4     iked — Internet Key Exchange version 2 (IKEv2) daemon
5

SYNOPSIS

7     iked [-dnSTtVv] [-D macro=value] [-f file] [-p udpencap_port] [-s socket]
8

DESCRIPTION

10     iked is an Internet Key Exchange (IKEv2) daemon which performs mutual au‐
11     thentication and which establishes and maintains IPsec flows and security
12     associations (SAs) between the two peers.
13
14     The IKEv2 protocol is defined in RFC 7296, which combines and updates the
15     previous standards: ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and the In‐
16     ternet DOI (RFC 2407).  iked only supports the IKEv2 protocol; support
17     for ISAKMP/Oakley and IKEv1 is provided by isakmpd(8).
18
19     iked supports mutual authentication using RSA or ECDSA public keys and
20     X.509 certificates.  See the PUBLIC KEY AUTHENTICATION section below and
21     PKI AND CERTIFICATE AUTHORITY COMMANDS in ikectl(8) for more information
22     about creating and maintaining the public key infrastructure.
23
24     The options are as follows:
25
26     -D macro=value
27             Define macro to be set to value on the command line.  Overrides
28             the definition of macro in the configuration file.
29
30     -d      Do not daemonize and log to stderr.
31
32     -f file
33             Use file as the configuration file, instead of the default
34             /etc/iked.conf.
35
36     -n      Configtest mode.  Only check the configuration file for validity.
37
38     -p udpencap_port
39             Specify the listen port for encapsulated UDP that the daemon will
40             bind to as well as the UDP encapsulation port set in resulting
41             IPsec SAs.  In order to receive UDP encapsulated IPsec packets on
42             ports other than 4500, the net.inet.esp.udpencap_port sysctl(2)
43             variable has to be set accordingly.  Implies -t.
44
45     -S      Start iked in passive mode.  See the set passive option in
46             iked.conf(5) for more information.
47
48     -s socket
49             Use socket as the control socket, instead of the default
50             /var/run/iked.sock.
51
52     -T      Disable NAT-Traversal and do not propose NAT-Traversal support to
53             the peers.
54
55     -t      Enforce NAT-Traversal and only listen to NAT-Traversal messages.
56             This option is only recommended for testing; the default is to
57             negotiate NAT-Traversal with the peers.
58
59     -V      Show the version and exit.
60
61     -v      Produce more verbose output.
62

PUBLIC KEY AUTHENTICATION

64     It is possible to store trusted public keys to make them directly usable
65     by iked, bypassing the need to use certificates.  The keys should be
66     saved in PEM format (see openssl(1)) and named and stored as follows:
67
68        For IPv4 identities:    /etc/iked/pubkeys/ipv4/A.B.C.D
69        For IPv6 identities:    /etc/iked/pubkeys/ipv6/abcd:abcd::ab:bc
70        For FQDN identities:    /etc/iked/pubkeys/fqdn/foo.bar.org
71        For UFQDN identities:   /etc/iked/pubkeys/ufqdn/user@foo.bar.org
72
73     Depending on the srcid and dstid specifications in iked.conf(5), keys may
74     be named after their IPv4 address, IPv6 address, fully qualified domain
75     name (FQDN) or user fully qualified domain name (UFQDN).
76
77     For example, iked can authenticate using the pre-generated keys if the
78     local public key, by default /etc/iked/local.pub, is copied to the remote
79     gateway as /etc/iked/pubkeys/ipv4/local.gateway.ip.address and the remote
80     gateway's public key is copied to the local gateway as
81     /etc/iked/pubkeys/ipv4/remote.gateway.ip.address.  Of course, new keys
82     may also be generated (the user is not required to use the pre-generated
83     keys).  In this example, srcid and dstid would also have to be set to the
84     specified addresses in iked.conf(5).
85

FILES

87     /etc/iked.conf         The default iked configuration file.
88     /etc/iked/ca/          The directory where CA certificates are kept.
89     /etc/iked/certs/       The directory where IKE certificates are kept,
90                            both the local certificate(s) and those of the
91                            peers, if a choice to have them kept permanently
92                            has been made.
93     /etc/iked/crls/        The directory where CRLs are kept.
94     /etc/iked/private/     The directory where local private keys used for
95                            public key authentication are kept.  The file
96                            local.key is used to store the local private key.
97     /etc/iked/pubkeys/     The directory in which trusted public keys are
98                            kept.  The keys must be named in the fashion de‐
99                            scribed above.
100     /var/run/iked.sock     The default iked control socket.
101

SEE ALSO

103     iked.conf(5), ikectl(8), isakmpd(8)
104

STANDARDS

106     C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen, Internet Key
107     Exchange Protocol Version 2 (IKEv2), RFC 7296, October 2014.
108

HISTORY

110     The iked program first appeared in OpenBSD 4.8.
111

AUTHORS

113     The iked program was written by Reyk Floeter <reyk@openbsd.org>.
114
115BSD                            November 29, 2021                           BSD
Impressum