1.\" $OpenBSD: iked.8,v 1.19 2014/11/10 13:57:32 jmc Exp $ 2.\" 3.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org> 4.\" 5.\" Permission to use, copy, modify, and distribute this software for any 6.\" purpose with or without fee is hereby granted, provided that the above 7.\" copyright notice and this permission notice appear in all copies. 8.\" 9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16.\" 17.Dd $Mdocdate: November 10 2014 $ 18.Dt IKED 8 19.Os 20.Sh NAME 21.Nm iked 22.Nd Internet Key Exchange version 2 (IKEv2) daemon 23.Sh SYNOPSIS 24.Nm iked 25.Op Fl 6dnSTtv 26.Op Fl D Ar macro Ns = Ns Ar value 27.Op Fl f Ar file 28.Sh DESCRIPTION 29.Nm 30is an Internet Key Exchange (IKEv2) daemon which performs mutual 31authentication and which establishes and maintains IPsec flows and 32security associations (SAs) between the two peers. 33.Pp 34The IKEv2 protocol is defined in RFC 5996, 35which combines and updates the previous standards: 36ISAKMP/Oakley (RFC 2408), 37IKE (RFC 2409), 38and the Internet DOI (RFC 2407). 39.Nm 40only supports the IKEv2 protocol; 41support for 42ISAKMP/Oakley and IKEv1 43is provided by 44.Xr isakmpd 8 . 45.Pp 46.Nm 47supports mutual authentication using RSA public keys and X.509 certificates. 48See the 49.Sx PUBLIC KEY AUTHENTICATION 50section below and PKI AND CERTIFICATE AUTHORITY COMMANDS in 51.Xr ikectl 8 52for more information about creating and maintaining the public key 53infrastructure. 
54.Pp 55The options are as follows: 56.Bl -tag -width Ds 57.It Fl 6 58Disable automatic blocking of IPv6 traffic. 59By default, 60.Nm 61blocks any IPv6 traffic unless a flow for this address family has been 62negotiated. 63This option is used to prevent VPN traffic leakages on dual stack hosts. 64.It Fl D Ar macro Ns = Ns Ar value 65Define 66.Ar macro 67to be set to 68.Ar value 69on the command line. 70Overrides the definition of 71.Ar macro 72in the configuration file. 73.It Fl d 74Do not daemonize and log to 75.Em stderr . 76.It Fl f Ar file 77Use 78.Ar file 79as the configuration file, instead of the default 80.Pa /etc/iked.conf . 81.It Fl n 82Configtest mode. 83Only check the configuration file for validity. 84.It Fl S 85Start 86.Nm 87in passive mode. 88See the 89.Ic set passive 90option in 91.Xr iked.conf 5 92for more information. 93.It Fl T 94Disable NAT-Traversal and do not propose NAT-Traversal support to the peers. 95.It Fl t 96Enforce NAT-Traversal and only listen to NAT-Traversal messages. 97This option is only recommended for testing; the default is to 98negotiate NAT-Traversal with the peers. 99.It Fl v 100Produce more verbose output. 101.El 102.Sh PUBLIC KEY AUTHENTICATION 103It is possible to store trusted public keys to make them directly 104usable by 105.Nm , 106bypassing the need to use certificates. 
107The keys should be saved in PEM format (see 108.Xr openssl 1 ) 109and named and stored as follows: 110.Pp 111.Bl -tag -width "for_ufqdn_identitiesXX" -offset 3n -compact 112.It For IPv4 identities: 113/etc/iked/pubkeys/ipv4/A.B.C.D 114.It For IPv6 identities: 115/etc/iked/pubkeys/ipv6/abcd:abcd::ab:bc 116.It For FQDN identities: 117/etc/iked/pubkeys/fqdn/foo.bar.org 118.It For UFQDN identities: 119/etc/iked/pubkeys/ufqdn/user@foo.bar.org 120.El 121.Pp 122Depending on the 123.Ic srcid 124and 125.Ic dstid 126specifications in 127.Xr iked.conf 5 , 128keys may be named after their IPv4 address, IPv6 address, 129fully qualified domain name (FQDN) or user fully qualified domain name (UFQDN). 130.Pp 131For example, 132.Nm 133can authenticate using the pre-generated keys if the local public key, 134by default 135.Pa /etc/iked/local.pub , 136is copied to the remote gateway as 137.Pa /etc/iked/pubkeys/ipv4/local.gateway.ip.address 138and the remote gateway's public key 139is copied to the local gateway as 140.Pa /etc/iked/pubkeys/ipv4/remote.gateway.ip.address . 141Of course, new keys may also be generated 142(the user is not required to use the pre-generated keys). 143In this example, 144.Ic srcid 145and 146.Ic dstid 147would also have to be set to the specified addresses 148in 149.Xr iked.conf 5 . 150.Sh FILES 151.Bl -tag -width "/etc/iked/private/XXX" -compact 152.It Pa /etc/iked.conf 153The default 154.Nm 155configuration file. 156.It Pa /etc/iked/ca/ 157The directory where CA certificates are kept. 158.It Pa /etc/iked/certs/ 159The directory where IKE certificates are kept, both the local 160certificate(s) and those of the peers, if a choice to have them kept 161permanently has been made. 162.It Pa /etc/iked/crls/ 163The directory where CRLs are kept. 164.It Pa /etc/iked/private/ 165The directory where local private keys used for public key authentication 166are kept. 167The file 168.Pa local.key 169is used to store the local private key. 
170.It Pa /etc/iked/pubkeys/ 171The directory in which trusted public keys are kept. 172The keys must be named in the fashion described above. 173.It Pa /var/run/iked.sock 174The default 175.Nm 176control socket. 177.El 178.Sh SEE ALSO 179.Xr iked.conf 5 , 180.Xr ikectl 8 , 181.Xr isakmpd 8 182.Sh STANDARDS 183.Rs 184.%A C. Kaufman 185.%A P. Hoffman 186.%A Y. Nir 187.%A P. Eronen 188.%D September 2010 189.%R RFC 5996 190.%T Internet Key Exchange Protocol Version 2 (IKEv2) 191.Re 192.Sh HISTORY 193The 194.Nm 195program first appeared in 196.Ox 4.8 . 197.Sh AUTHORS 198The 199.Nm 200program was written by 201.An Reyk Floeter Aq Mt reyk@openbsd.org . 202
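The PUBLIC KEY AUTHENTICATION section and the /etc/iked/pubkeys/ entry under FILES describe a naming scheme (ipv4, ipv6, fqdn and ufqdn subdirectories, file named after the peer identity) but leave the installation step to the administrator. The following shell script is an added example, not part of iked or the OpenBSD source tree. It installs a peer's PEM public key at the path iked expects for a given identity and refuses to place anything that is not a public key into the pubkeys tree. The IKED_ROOT override, the id_type classification heuristic (an identity containing '@' is UFQDN, one containing ':' is IPv6, one made only of digits and dots is IPv4, anything else is FQDN), the accepted PEM header lines and the 0644 file mode are all assumptions of this example; the srcid and dstid settings the page says must match in iked.conf(5) are still configured separately.

```shell
#!/bin/sh
# Added example, not iked's own code: place a trusted peer public key
# under the /etc/iked/pubkeys/<type>/<identity> layout from iked(8).
# IKED_ROOT is an assumed override so the script can be exercised in a
# scratch directory; on a real gateway it defaults to /etc/iked.

IKED_ROOT="${IKED_ROOT:-/etc/iked}"

# Map an identity type to the subdirectory iked(8) searches.
pubkey_dir() {
    case "$1" in
        ipv4|ipv6|fqdn|ufqdn) printf '%s/pubkeys/%s\n' "$IKED_ROOT" "$1" ;;
        *) return 1 ;;
    esac
}

# Classify an identity string (heuristic assumed for this example):
# '@' -> ufqdn, ':' -> ipv6, only digits and dots -> ipv4, else fqdn.
id_type() {
    case "$1" in
        *@*) echo ufqdn ;;
        *:*) echo ipv6 ;;
        *[!0-9.]*) echo fqdn ;;
        *) echo ipv4 ;;
    esac
}

# Full path at which iked(8) will look for the trusted key of <identity>.
pubkey_path() {
    printf '%s/%s\n' "$(pubkey_dir "$(id_type "$1")")" "$1"
}

# Accept only a PEM public key. A private key is rejected first so it can
# never be copied into the (readable) pubkeys tree by mistake.
check_pem_pubkey() {
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1" && return 1
    grep -q -e '^-----BEGIN PUBLIC KEY-----' \
            -e '^-----BEGIN RSA PUBLIC KEY-----' "$1"
}

# install_pubkey <identity> <pem-file>
# Copies <pem-file> to the path derived from <identity>; returns 1 and
# installs nothing if the file is not a PEM public key.
install_pubkey() {
    id="$1"; src="$2"
    check_pem_pubkey "$src" || return 1
    dst="$(pubkey_path "$id")"
    mkdir -p "$(dirname "$dst")"
    # Public material: readable, but not writable by anyone but root.
    cp "$src" "$dst" && chmod 0644 "$dst"
}

# Stand-alone demo on a scratch root with a constructed (not real) key
# file, so running this script never touches /etc/iked.
if [ "${IKED_DEMO:-}" = 1 ]; then
    IKED_ROOT="$(mktemp -d)"
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END PUBLIC KEY-----' > "$IKED_ROOT/peer.pub"
    install_pubkey 192.0.2.2 "$IKED_ROOT/peer.pub" \
        && echo "installed $(pubkey_path 192.0.2.2)"
fi
```

Run with IKED_DEMO=1 to see the path computed for a constructed IPv4 peer identity in a temporary directory; without it, the script only defines the helpers. On a real gateway the same install_pubkey call, with IKED_ROOT left at its default, places the remote gateway's local.pub exactly where the page's example expects it.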