FreeBSD Manual Pages

IKED(8)			    System Manager's Manual		       IKED(8)

NAME
       iked -- Internet Key Exchange protocol daemon

SYNOPSIS
       iked [-46hvFV] [-f configfile] [-l logfile] [-p port] [-I peer-address]
            [-S selector-index] [-d] [-D level] [-P outfile]

DESCRIPTION
       iked is a key management daemon which supports the Internet Key
       Exchange (IKE) protocol version 1 (RFC2409) and version 2 (RFC4306).  It
       is driven by upcalls from the kernel via the PF_KEYv2 interface or by
       negotiation requests from remote peers, and manages IPsec SAs according
       to racoon2.conf.

       The following options are available:

       -4      Use IPv4 addresses only for local sockets.

       -6      Use IPv6 addresses only for local sockets.

       -d      Increase the debugging level.  This flag may occur multiple
               times.

       -f configfile
               Read the configuration from the specified file.

       -I peer-address
               Immediately initiate to the specified peer.

       -S selector-index
               Immediately initiate using the specified selector.

       -h      Show simple help messages.

       -l logfile
               Output the log to logfile instead of syslog.

       -p port
               Specify the default port number for IKE sockets.

       -v      Output the log to stdout in addition to syslog.

       -D level
               Set the debug flag.

       -F      Run in the foreground.  iked does not detach itself from the
               terminal and does not become a daemon.  Logs are output to
               stderr.

       -P outfile
               Record unencrypted IKE packets to the file.  This option is
               available only if iked was compiled with the --enable-pcap
               configuration option.

       -V      Show the version.

       Upon receiving SIGINT or SIGTERM, iked shuts down IKEv2 IKE_SAs with
       peer nodes by sending an Informational exchange with a Delete payload,
       deletes the relevant IPsec SAs, and then exits.  Upon receiving SIGHUP,
       iked similarly shuts down IKEv2 IKE_SAs and deletes the relevant IPsec
       SAs, then reloads the configuration file.

       IPsec policies are managed by spmd(8), so it must be started before
       iked.  When spmd(8) restarts, iked needs to be reloaded to reconnect
       with it.
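       As an added example (not part of the racoon2 manual or project), the
       POSIX sh helpers below drive iked through the interfaces described
       above: the PID file, SIGHUP to reload the configuration (also the
       step needed after an spmd(8) restart), and SIGTERM for a clean
       shutdown.  IKED_PIDFILE is an assumed variable; the PID-file
       validation before signalling is the check an operator wants so that a
       stale or malformed file never sends a signal to an unrelated process.

```shell
#!/bin/sh
# Added helpers for operating iked; IKED_PIDFILE is an assumed override so the
# functions can be pointed at another PID file (e.g. in a test).
IKED_PIDFILE="${IKED_PIDFILE:-/var/run/iked.pid}"

# Print the PID of the running iked.  Fails if the PID file is missing,
# malformed, or stale (no process with that PID), so callers never signal
# an unrelated process that may have reused the number.
iked_pid() {
    pidfile="${1:-$IKED_PIDFILE}"
    [ -r "$pidfile" ] || { echo "no PID file: $pidfile" >&2; return 1; }
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "malformed PID file: $pidfile" >&2; return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "stale PID file: $pidfile" >&2; return 1; }
    echo "$pid"
}

# SIGHUP: iked tears down its IKEv2 IKE_SAs and IPsec SAs, then re-reads
# racoon2.conf.  This is also how iked reconnects after spmd(8) restarted.
iked_reload() {
    pid=$(iked_pid "$1") || return 1
    kill -HUP "$pid"
}

# SIGTERM: iked sends Informational/Delete to its peers, removes the IPsec
# SAs and exits.  Waits up to $2 seconds (default 10) for the process to go.
iked_stop() {
    pid=$(iked_pid "$1") || return 1
    kill -TERM "$pid"
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        i=$((i + 1))
        [ "$i" -lt "${2:-10}" ] || { echo "iked $pid did not exit" >&2; return 1; }
        sleep 1
    done
}
```

       Because SIGHUP drops every SA before the reload, schedule reloads like
       a short outage for the tunnels, not as a free operation.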

FILES
       ${prefix}/etc/racoon2/racoon2.conf
                          The default configuration file for racoon2.
       /var/run/iked.pid  The PID file of the current instance of the daemon.

SEE ALSO
       racoon2(7), racoon2.conf(5), spmd(8), kinkd(8), ipsec(4)

       The Internet Key Exchange (IKE), RFC2409, November 1998.

       Internet Key Exchange (IKEv2) Protocol, RFC4306, December 2005.

HISTORY
       The iked command was developed for racoon2 in 2004-2005.

AUTHORS
       iked was written and is maintained by the WIDE/racoon2 project
       <http://www.racoon2.wide.ad.jp/>

ACKNOWLEDGEMENTS
       Part of the code is derived from the ipsec-tools racoon daemon, which
       was derived from the KAME racoon daemon.

BUGS
       The "default" clause of the configuration file is used for two purposes:
       to provide default values for individual fields of other sections of the
       configuration, and to specify the default kmp configuration when the
       responder receives a message from an unknown peer.  In the latter case,
       when the "default" clause lacks some necessary fields, the error message
       may be cryptic, since it is not checked by the configuration check
       routine of iked.  (Probably it will result in "no proposal chosen".)

       On FreeBSD/NetBSD, when an IPsec SA expires by its IPsec SA lifetime,
       the kernel does not notify iked about the SA expiration.  To remedy
       this, iked maintains its own expiration timer for each IPsec SA.  Since
       iked cannot know how many bytes have been used for the SA,
       lifetime_bytes in the configuration is ignored for now.

       SA bundles (e.g. AH+ESP) do not conform to the protocol spec.

       After rekeying an IKE_SA, iked may emit some warning messages if the
       rekey negotiation or delete request was started from both ends at once.

RACOON2				August 18, 2006			       IKED(8)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=iked&sektion=8&manpath=FreeBSD+Ports+14.3.quarterly>