IKED(8)			    System Manager's Manual		       IKED(8)

NAME
       iked -- Internet Key Exchange version 2 (IKEv2) daemon

SYNOPSIS
       iked [-dnSTtVv] [-D macro=value] [-f file] [-p udpencap_port]
            [-s socket]

DESCRIPTION
       iked is an Internet Key Exchange (IKEv2) daemon which performs mutual
       authentication and which establishes and maintains IPsec flows and
       security associations (SAs) between the two peers.

       The IKEv2 protocol is defined in RFC 7296, which combines and updates
       the previous standards: ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and
       the Internet DOI (RFC 2407).  iked only supports the IKEv2 protocol;
       support for ISAKMP/Oakley and IKEv1 is provided by isakmpd(8).

       iked supports mutual authentication using RSA or ECDSA public keys and
       X.509 certificates.  See the "PUBLIC KEY AUTHENTICATION" section below
       and PKI AND CERTIFICATE AUTHORITY COMMANDS in ikectl(8) for more
       information about creating and maintaining the public key
       infrastructure.

       The options are as follows:

       -D macro=value
               Define macro to be set to value on the command line.  Overrides
               the definition of macro in the configuration file.

       -d      Do not daemonize and log to stderr.

       -f file
               Use file as the configuration file, instead of the default
               /etc/iked.conf.

       -n      Configtest mode.  Only check the configuration file for
               validity.

       -p udpencap_port
               Specify the listen port for encapsulated UDP that the daemon
               will bind to as well as the UDP encapsulation port set in
               resulting IPsec SAs.  In order to receive UDP encapsulated
               IPsec packets on ports other than 4500, the
               net.inet.esp.udpencap_port sysctl(2) variable has to be set
               accordingly.  Implies -t.

       -S      Start iked in passive mode.  See the set passive option in
               iked.conf(5) for more information.

       -s socket
               Use socket as the control socket, instead of the default
               /var/run/iked.sock.

       -T      Disable NAT-Traversal and do not propose NAT-Traversal support
               to the peers.

       -t      Enforce NAT-Traversal and only listen to NAT-Traversal
               messages.  This option is only recommended for testing; the
               default is to negotiate NAT-Traversal with the peers.

       -V      Show the version and exit.

       -v      Produce more verbose output.

PUBLIC KEY AUTHENTICATION
       It is possible to store trusted public keys to make them directly
       usable by iked, bypassing the need to use certificates.  The keys
       should be saved in PEM format (see openssl(1)) and named and stored
       as follows:

          For IPv4 identities:    /etc/iked/pubkeys/ipv4/A.B.C.D
          For IPv6 identities:    /etc/iked/pubkeys/ipv6/abcd:abcd::ab:bc
          For FQDN identities:    /etc/iked/pubkeys/fqdn/foo.bar.org
          For UFQDN identities:   /etc/iked/pubkeys/ufqdn/user@foo.bar.org

       Depending on the srcid and dstid specifications in iked.conf(5), keys
       may be named after their IPv4 address, IPv6 address, fully qualified
       domain name (FQDN) or user fully qualified domain name (UFQDN).  A key
       stored under /etc/iked/pubkeys/ is trusted for exactly the identity
       its file name spells out, so the directory should be writable only by
       root.

       For example, iked can authenticate using the pre-generated keys if the
       local public key, by default /etc/iked/local.pub, is copied to the
       remote gateway as /etc/iked/pubkeys/ipv4/local.gateway.ip.address and
       the remote gateway's public key is copied to the local gateway as
       /etc/iked/pubkeys/ipv4/remote.gateway.ip.address.  Of course, new keys
       may also be generated (the user is not required to use the
       pre-generated keys).  In this example, srcid and dstid would also have
       to be set to the specified addresses in iked.conf(5).
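
       The key exchange described above is a manual copy, and the only thing
       that binds a key to a peer is the file name.  The following shell
       helper is an added example, not part of iked or of the OpenBSD/FreeBSD
       tree: it derives the pubkeys/ path that iked will look up for a given
       identity and installs a PEM public key there only after checking that
       the file really is a public key.  The function names, the PUBKEY_ROOT
       override and the identity classification rules (an '@' means UFQDN, a
       ':' means IPv6, a dotted quad means IPv4, other hostname characters
       mean FQDN) are this script's own assumptions, not iked's parser.

```shell
#!/bin/sh
# Added example, not code from iked: map an IKEv2 identity to the file iked
# consults under /etc/iked/pubkeys/ and install a peer's PEM public key there.
# Assumptions (this script's, not iked's): the four classification rules in
# iked_id_type() below, and PUBKEY_ROOT, which is overridable so the functions
# can be exercised against a scratch directory instead of /etc/iked/pubkeys.

PUBKEY_ROOT="${PUBKEY_ROOT:-/etc/iked/pubkeys}"

# Print the pubkeys subdirectory (ipv4, ipv6, fqdn, ufqdn) for an identity.
# Returns 1 for anything that fits none of the four naming schemes.
# The IPv4 match is a dotted quad only; octet ranges are not checked.
iked_id_type() {
    case "$1" in
        '')  return 1 ;;
        *@*) echo ufqdn ;;
        *:*) echo ipv6 ;;
        *)
            if printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
                echo ipv4
            elif printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$'; then
                echo fqdn
            else
                return 1
            fi ;;
    esac
}

# Print the path iked expects for an identity, e.g.
#   iked_pubkey_path 192.0.2.1  ->  /etc/iked/pubkeys/ipv4/192.0.2.1
iked_pubkey_path() {
    t=$(iked_id_type "$1") || return 1
    printf '%s/%s/%s\n' "$PUBKEY_ROOT" "$t" "$1"
}

# Reject files that are not a PEM public key.  The PEM header is always
# checked, so a private key or a certificate pasted by mistake is refused;
# when openssl(1) is installed the key is also parsed to catch corrupt files.
iked_check_pubkey_pem() {
    grep -Eq '^-----BEGIN (RSA )?PUBLIC KEY-----' "$1" || return 1
    if command -v openssl >/dev/null 2>&1; then
        openssl pkey -pubin -in "$1" -noout >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Install PEM file $1 as the trusted key for identity $2.  Mode 0644 is fine
# because the directory holds public keys only.  Prints the installed path.
iked_install_pubkey() {
    pem="$1"; id="$2"
    dest=$(iked_pubkey_path "$id") || { echo "unrecognised identity: $id" >&2; return 1; }
    iked_check_pubkey_pem "$pem" || { echo "not a PEM public key: $pem" >&2; return 1; }
    mkdir -p "$(dirname "$dest")" || return 1
    cp "$pem" "$dest" && chmod 0644 "$dest" || return 1
    printf '%s\n' "$dest"
}
```

       Sourcing the file and running, for instance,
       iked_install_pubkey /tmp/remote.pub 203.0.113.7 (a hypothetical peer
       address from the documentation range) places the key at
       /etc/iked/pubkeys/ipv4/203.0.113.7, which is the name iked will match
       against a peer whose dstid is that address.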

FILES
       /etc/iked.conf         The default iked configuration file.
       /etc/iked/ca/          The directory where CA certificates are kept.
       /etc/iked/certs/       The directory where IKE certificates are kept,
                              both the local certificate(s) and those of the
                              peers, if a choice to have them kept permanently
                              has been made.
       /etc/iked/crls/        The directory where CRLs are kept.
       /etc/iked/private/     The directory where local private keys used for
                              public key authentication are kept.  The file
                              local.key is used to store the local private
                              key.
       /etc/iked/pubkeys/     The directory in which trusted public keys are
                              kept.  The keys must be named in the fashion
                              described above.
       /var/run/iked.sock     The default iked control socket.

SEE ALSO
       iked.conf(5), ikectl(8), isakmpd(8)

STANDARDS
       C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen, Internet Key
       Exchange Protocol Version 2 (IKEv2), RFC 7296, October 2014.

HISTORY
       The iked program first appeared in OpenBSD 4.8.

AUTHORS
       The iked program was written by Reyk Floeter <reyk@openbsd.org>.

FreeBSD ports 15.0             November 29, 2021                       IKED(8)

Source: <https://man.freebsd.org/cgi/man.cgi?query=iked&sektion=8&manpath=FreeBSD+Ports+15.0>