Provided by: openiked_7.2-1_amd64 bug

NAME

     ikectl — control the IKEv2 daemon

SYNOPSIS

     ikectl [-q] [-s socket] command [arg ...]

DESCRIPTION

     The ikectl program controls the iked(8) daemon and provides commands to maintain a simple
     X.509 certificate authority (CA) for IKEv2 peers.

     The options are as follows:

     -q      Don't ask for confirmation of any default options.

     -s socket
             Use socket instead of the default /var/run/iked.sock to communicate with iked(8).

IKED CONTROL COMMANDS

     The following commands are available to control iked(8):

     active  Set iked(8) to active mode.

     passive
             Set iked(8) to passive mode.  In passive mode no packets are sent to peers and no
             connections are initiated by iked(8).

     couple  Load the negotiated security associations (SAs) and flows into the kernel.

     decouple
             Unload the negotiated SAs and flows from the kernel.  This mode is only useful for
             testing and debugging.

     load filename
             Reload the configuration from the specified file.

     log brief
             Disable verbose logging.

     log verbose
             Enable verbose logging.

     monitor
             Monitor internal messages of the iked(8) subsystems.

     reload  Reload the configuration from the default configuration file.

     reset all
             Reset the running state.

     reset ca
             Reset the X.509 CA and certificate state.

     reset policy
             Flush the configured policies.

     reset sa
             Flush the running SAs.

     reset user
             Flush the local user database.

     reset id ikeid
             Delete all IKE SAs with matching ID.

     show sa
             Show internal state of active IKE SAs, Child SAs and IPsec flows.

PKI AND CERTIFICATE AUTHORITY COMMANDS

     In order to use public key based authentication with IKEv2, a public key infrastructure
     (PKI) has to be set up to create and sign the peer certificates.  ikectl includes commands
     to simplify maintenance of the PKI and to set up a simple certificate authority (CA) for
     iked(8) and its peers.

     The following commands are available to control the CA:

     ca name create [password password]
             Create a new certificate authority with the specified name.  The command will prompt
             for a CA password unless it is specified with the optional password argument.  The
             password will be saved in a protected file ikeca.passwd in the CA directory and used
             for subsequent commands.

     ca name delete
             Delete the certificate authority with the specified name.

     ca name export [peer peer] [password password]
             Export the certificate authority with the specified name into the current directory
             for transport to other systems.  This command will create a compressed tarball
             called ca.tgz in the local directory and optionally ca.zip if the ‘zip’ tool is
             installed.  The optional peer argument can be used to specify the address or FQDN of
             the local gateway which will be written into a text file peer.txt and included in
             the archives.

     ca name install [path]
             Install the certificate and Certificate Revocation List (CRL) for CA name as the
             currently active CA or into the specified path.

     ca name certificate host create [server | client | ocsp]
             Create a private key and certificate for host and sign then with the key of
             certificate authority with the specified name.

             The certificate will be valid for client and server authentication by default by
             setting both flags as the extended key usage in the certificate; this can be
             restricted using the optional server or client argument.  If the ocsp argument is
             specified the extended key usage will be set for OCSP signing.

     ca name certificate host delete
             Deletes the private key and certificates associated with host.

     ca name certificate host export [peer peer] [password password]
             Export key files for host of the certificate authority with the specified name into
             the current directory for transport to other systems.  This command will create a
             compressed tarball host.tgz in the local directory and optionally host.zip if the
             ‘zip’ tool is installed.  The optional peer argument can be used to specify the
             address or FQDN of the local gateway which will be written into a text file peer.txt
             and included in the archives.

     ca name certificate host install [path]
             Install the private and public key for host into the active configuration or
             specified path.

     ca name certificate host revoke
             Revoke the certificate specified by host and generate a new Certificate Revocation
             List (CRL).

     show ca name certificates [host]
             Display a listing of certificates associated with CA name or display certificate
             details if host is specified.

     ca name key host create
             Create a private key for host if one does not already exist.

     ca name key host install [path]
             Install the private and public keys for host into the active configuration or
             specified path.

     ca name key host delete
             Delete the private key for host.

     ca name key host import file
             Source the private key for host from the named file.

FILES

     /etc/iked/            Active configuration.
     /etc/ssl/             Directory to store the CA files.
     /usr/share/iked/      If this optional directory exists, ikectl will include the contents
                           with the ca export commands.
     /var/run/iked.sock    Default UNIX-domain socket used for communication with iked(8).

EXAMPLES

     First create a new certificate authority:

           # ikectl ca vpn create

     Now create the certificates for the VPN peers.  The specified hostname, either IP address or
     FQDN, will be saved in the signed certificate and has to match the IKEv2 identity, or srcid,
     of the peers:

           # ikectl ca vpn certificate 10.1.2.3 create
           # ikectl ca vpn certificate 10.2.3.4 create
           # ikectl ca vpn certificate 10.3.4.5 create

     It is possible that the host that was used to create the CA is also one of the VPN peers.
     In this case you can install the peer and CA certificates locally:

           # ikectl ca vpn install
           # ikectl ca vpn certificate 10.1.2.3 install

     Now export the individual host key, the certificate and the CA certificate to each other
     peer.  First run the export command to create tarballs that include the required files:

           # ikectl ca vpn certificate 10.2.3.4 export
           # ikectl ca vpn certificate 10.3.4.5 export

     These commands will produce two tarballs 10.2.3.4.tgz and 10.3.4.5.tgz.  Copy these tarballs
     over to the appropriate peers and extract them to the /etc/iked/ directory:

           10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz
           10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz

     ikectl will also create ‘zip’ archives 10.2.3.4.zip and 10.3.4.5.zip in addition to the
     tarballs if the zip tool is found in /usr/local/bin/zip.  These archives can be exported to
     peers running Windows and will include the certificates in a format that is supported by the
     OS.  The zip tool can be installed from the OpenBSD packages or ports collection before
     running the export commands, see packages(7) for more information.  For example:

           # pkg_add zip

SEE ALSO

     packages(7), iked(8), ssl(8)

HISTORY

     The ikectl program first appeared in OpenBSD 4.8.

AUTHORS

     The ikectl program was written by Reyk Floeter <reyk@openbsd.org> and
     Jonathan Gray <jsg@openbsd.org>.

CAVEATS

     For ease of use, the ca commands maintain all peers' private keys on the CA machine.  In
     contrast to a ‘real’ CA, it does not support signing of public keys that have been imported
     from peers that do not want to expose their private keys to the CA.