216 lines
5.6 KiB
Groff
216 lines
5.6 KiB
Groff
.\" $OpenBSD: iked.8,v 1.30 2021/11/29 13:20:24 jmc Exp $
|
|
.\"
|
|
.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
|
|
.\"
|
|
.\" Permission to use, copy, modify, and distribute this software for any
|
|
.\" purpose with or without fee is hereby granted, provided that the above
|
|
.\" copyright notice and this permission notice appear in all copies.
|
|
.\"
|
|
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
.\"
|
|
.Dd $Mdocdate: November 29 2021 $
|
|
.Dt IKED 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm iked
|
|
.Nd Internet Key Exchange version 2 (IKEv2) daemon
|
|
.Sh SYNOPSIS
|
|
.Nm iked
|
|
.Op Fl dnSTtVv
|
|
.Op Fl D Ar macro Ns = Ns Ar value
|
|
.Op Fl f Ar file
|
|
.Op Fl p Ar udpencap_port
|
|
.Op Fl s Ar socket
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is an Internet Key Exchange (IKEv2) daemon which performs mutual
|
|
authentication and which establishes and maintains IPsec flows and
|
|
security associations (SAs) between the two peers.
|
|
.Pp
|
|
The IKEv2 protocol is defined in RFC 7296,
|
|
which combines and updates the previous standards:
|
|
ISAKMP/Oakley (RFC 2408),
|
|
IKE (RFC 2409),
|
|
and the Internet DOI (RFC 2407).
|
|
.Nm
|
|
only supports the IKEv2 protocol;
|
|
support for
|
|
ISAKMP/Oakley and IKEv1
|
|
is provided by
|
|
.Xr isakmpd 8 .
|
|
.Pp
|
|
.Nm
|
|
supports mutual authentication using RSA or ECDSA public keys and X.509
|
|
certificates.
|
|
See the
|
|
.Sx PUBLIC KEY AUTHENTICATION
|
|
section below and PKI AND CERTIFICATE AUTHORITY COMMANDS in
|
|
.Xr ikectl 8
|
|
for more information about creating and maintaining the public key
|
|
infrastructure.
|
|
.Pp
|
|
The options are as follows:
|
|
.Bl -tag -width Ds
|
|
.It Fl D Ar macro Ns = Ns Ar value
|
|
Define
|
|
.Ar macro
|
|
to be set to
|
|
.Ar value
|
|
on the command line.
|
|
Overrides the definition of
|
|
.Ar macro
|
|
in the configuration file.
|
|
.It Fl d
|
|
Do not daemonize and log to
|
|
.Em stderr .
|
|
.It Fl f Ar file
|
|
Use
|
|
.Ar file
|
|
as the configuration file, instead of the default
|
|
.Pa /etc/iked.conf .
|
|
.It Fl n
|
|
Configtest mode.
|
|
Only check the configuration file for validity.
|
|
.It Fl p Ar udpencap_port
|
|
Specify the listen port for encapsulated UDP that
|
|
the daemon will bind to as well as the UDP encapsulation port set
|
|
in resulting IPsec SAs.
|
|
In order to receive UDP encapsulated IPsec packets on ports other
|
|
than 4500, the
|
|
.Em net.inet.esp.udpencap_port
|
|
.Xr sysctl 2
|
|
variable has to be set accordingly.
|
|
Implies -t.
|
|
.It Fl S
|
|
Start
|
|
.Nm
|
|
in passive mode.
|
|
See the
|
|
.Ic set passive
|
|
option in
|
|
.Xr iked.conf 5
|
|
for more information.
|
|
.It Fl s Ar socket
|
|
Use
|
|
.Ar socket
|
|
as the control socket, instead of the default
|
|
.Pa /var/run/iked.sock .
|
|
.It Fl T
|
|
Disable NAT-Traversal and do not propose NAT-Traversal support to the peers.
|
|
.It Fl t
|
|
Enforce NAT-Traversal and only listen to NAT-Traversal messages.
|
|
This option is only recommended for testing; the default is to
|
|
negotiate NAT-Traversal with the peers.
|
|
.It Fl V
|
|
Show the version and exit.
|
|
.It Fl v
|
|
Produce more verbose output.
|
|
.El
|
|
.Sh PUBLIC KEY AUTHENTICATION
|
|
It is possible to store trusted public keys to make them directly
|
|
usable by
|
|
.Nm ,
|
|
bypassing the need to use certificates.
|
|
The keys should be saved in PEM format (see
|
|
.Xr openssl 1 )
|
|
and named and stored as follows:
|
|
.Pp
|
|
.Bl -tag -width "for_ufqdn_identitiesXX" -offset 3n -compact
|
|
.It For IPv4 identities:
|
|
/etc/iked/pubkeys/ipv4/A.B.C.D
|
|
.It For IPv6 identities:
|
|
/etc/iked/pubkeys/ipv6/abcd:abcd::ab:bc
|
|
.It For FQDN identities:
|
|
/etc/iked/pubkeys/fqdn/foo.bar.org
|
|
.It For UFQDN identities:
|
|
/etc/iked/pubkeys/ufqdn/user@foo.bar.org
|
|
.El
|
|
.Pp
|
|
Depending on the
|
|
.Ic srcid
|
|
and
|
|
.Ic dstid
|
|
specifications in
|
|
.Xr iked.conf 5 ,
|
|
keys may be named after their IPv4 address, IPv6 address,
|
|
fully qualified domain name (FQDN) or user fully qualified domain name (UFQDN).
|
|
.Pp
|
|
For example,
|
|
.Nm
|
|
can authenticate using the pre-generated keys if the local public key,
|
|
by default
|
|
.Pa /etc/iked/local.pub ,
|
|
is copied to the remote gateway as
|
|
.Pa /etc/iked/pubkeys/ipv4/local.gateway.ip.address
|
|
and the remote gateway's public key
|
|
is copied to the local gateway as
|
|
.Pa /etc/iked/pubkeys/ipv4/remote.gateway.ip.address .
|
|
Of course, new keys may also be generated
|
|
(the user is not required to use the pre-generated keys).
|
|
In this example,
|
|
.Ic srcid
|
|
and
|
|
.Ic dstid
|
|
would also have to be set to the specified addresses
|
|
in
|
|
.Xr iked.conf 5 .
|
|
.Sh FILES
|
|
.Bl -tag -width "/etc/iked/private/XXX" -compact
|
|
.It Pa /etc/iked.conf
|
|
The default
|
|
.Nm
|
|
configuration file.
|
|
.It Pa /etc/iked/ca/
|
|
The directory where CA certificates are kept.
|
|
.It Pa /etc/iked/certs/
|
|
The directory where IKE certificates are kept, both the local
|
|
certificate(s) and those of the peers, if a choice to have them kept
|
|
permanently has been made.
|
|
.It Pa /etc/iked/crls/
|
|
The directory where CRLs are kept.
|
|
.It Pa /etc/iked/private/
|
|
The directory where local private keys used for public key authentication
|
|
are kept.
|
|
The file
|
|
.Pa local.key
|
|
is used to store the local private key.
|
|
.It Pa /etc/iked/pubkeys/
|
|
The directory in which trusted public keys are kept.
|
|
The keys must be named in the fashion described above.
|
|
.It Pa /var/run/iked.sock
|
|
The default
|
|
.Nm
|
|
control socket.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr iked.conf 5 ,
|
|
.Xr ikectl 8 ,
|
|
.Xr isakmpd 8
|
|
.Sh STANDARDS
|
|
.Rs
|
|
.%A C. Kaufman
|
|
.%A P. Hoffman
|
|
.%A Y. Nir
|
|
.%A P. Eronen
|
|
.%A T. Kivinen
|
|
.%D October 2014
|
|
.%R RFC 7296
|
|
.%T Internet Key Exchange Protocol Version 2 (IKEv2)
|
|
.Re
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
program first appeared in
|
|
.Ox 4.8 .
|
|
.Sh AUTHORS
|
|
The
|
|
.Nm
|
|
program was written by
|
|
.An Reyk Floeter Aq Mt reyk@openbsd.org .
|