Provided by: openiked_7.2-1_amd64 bug

NAME

     iked — Internet Key Exchange version 2 (IKEv2) daemon

SYNOPSIS

     iked [-dnSTtVv] [-D macro=value] [-f file] [-p udpencap_port] [-s socket]

DESCRIPTION

     iked is an Internet Key Exchange (IKEv2) daemon which performs mutual authentication and
     which establishes and maintains IPsec flows and security associations (SAs) between the two
     peers.

     The IKEv2 protocol is defined in RFC 7296, which combines and updates the previous
     standards: ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and the Internet DOI (RFC 2407).  iked
     only supports the IKEv2 protocol; support for ISAKMP/Oakley and IKEv1 is provided by
     isakmpd(8).

     iked supports mutual authentication using RSA or ECDSA public keys and X.509 certificates.
     See the PUBLIC KEY AUTHENTICATION section below and PKI AND CERTIFICATE AUTHORITY COMMANDS
     in ikectl(8) for more information about creating and maintaining the public key
     infrastructure.

     The options are as follows:

     -D macro=value
             Define macro to be set to value on the command line.  Overrides the definition of
             macro in the configuration file.

     -d      Do not daemonize and log to stderr.

     -f file
             Use file as the configuration file, instead of the default /etc/iked.conf.

     -n      Configtest mode.  Only check the configuration file for validity.

     -p udpencap_port
             Specify the listen port for encapsulated UDP that the daemon will bind to as well as
             the UDP encapsulation port set in resulting IPsec SAs.  In order to receive UDP
             encapsulated IPsec packets on ports other than 4500, the net.inet.esp.udpencap_port
             sysctl(2) variable has to be set accordingly.  Implies -t.

     -S      Start iked in passive mode.  See the set passive option in iked.conf(5) for more
             information.

     -s socket
             Use socket as the control socket, instead of the default /var/run/iked.sock.

     -T      Disable NAT-Traversal and do not propose NAT-Traversal support to the peers.

     -t      Enforce NAT-Traversal and only listen to NAT-Traversal messages.  This option is
             only recommended for testing; the default is to negotiate NAT-Traversal with the
             peers.

     -V      Show the version and exit.

     -v      Produce more verbose output.

PUBLIC KEY AUTHENTICATION

     It is possible to store trusted public keys to make them directly usable by iked, bypassing
     the need to use certificates.  The keys should be saved in PEM format (see openssl(1)) and
     named and stored as follows:

        For IPv4 identities:    /etc/iked/pubkeys/ipv4/A.B.C.D
        For IPv6 identities:    /etc/iked/pubkeys/ipv6/abcd:abcd::ab:bc
        For FQDN identities:    /etc/iked/pubkeys/fqdn/foo.bar.org
        For UFQDN identities:   /etc/iked/pubkeys/ufqdn/user@foo.bar.org

     Depending on the srcid and dstid specifications in iked.conf(5), keys may be named after
     their IPv4 address, IPv6 address, fully qualified domain name (FQDN) or user fully qualified
     domain name (UFQDN).

     For example, iked can authenticate using the pre-generated keys if the local public key, by
     default /etc/iked/local.pub, is copied to the remote gateway as
     /etc/iked/pubkeys/ipv4/local.gateway.ip.address and the remote gateway's public key is
     copied to the local gateway as /etc/iked/pubkeys/ipv4/remote.gateway.ip.address.  Of course,
     new keys may also be generated (the user is not required to use the pre-generated keys).  In
     this example, srcid and dstid would also have to be set to the specified addresses in
     iked.conf(5).

FILES

     /etc/iked.conf         The default iked configuration file.
     /etc/iked/ca/          The directory where CA certificates are kept.
     /etc/iked/certs/       The directory where IKE certificates are kept, both the local
                            certificate(s) and those of the peers, if a choice to have them kept
                            permanently has been made.
     /etc/iked/crls/        The directory where CRLs are kept.
     /etc/iked/private/     The directory where local private keys used for public key
                            authentication are kept.  The file local.key is used to store the
                            local private key.
     /etc/iked/pubkeys/     The directory in which trusted public keys are kept.  The keys must
                            be named in the fashion described above.
     /var/run/iked.sock     The default iked control socket.

SEE ALSO

     iked.conf(5), ikectl(8), isakmpd(8)

STANDARDS

     C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen, Internet Key Exchange Protocol
     Version 2 (IKEv2), RFC 7296, October 2014.

HISTORY

     The iked program first appeared in OpenBSD 4.8.

AUTHORS

     The iked program was written by Reyk Floeter <reyk@openbsd.org>.