IKECTL(8)		  BSD System Manager's Manual		     IKECTL(8)

NAME
     ikectl -- control the IKEv2 daemon

SYNOPSIS
     ikectl [-q] [-s socket] command [arg ...]

DESCRIPTION
     The ikectl program controls the iked(8) daemon and provides commands to
     maintain a simple X.509 certificate authority (CA) for IKEv2 peers.

     The options are as follows:

     -q      Don't ask for confirmation of any default options.

     -s socket
             Use socket instead of the default /var/run/iked.sock to
             communicate with iked(8).

IKED CONTROL COMMANDS
     The following commands are available to control iked(8):

     active  Set iked(8) to active mode.

     passive
             Set iked(8) to passive mode.  In passive mode no packets are sent
             to peers and no connections are initiated by iked(8).

     couple  Load the negotiated security associations (SAs) and flows into
             the kernel.

     decouple
             Unload the negotiated SAs and flows from the kernel.  This mode
             is only useful for testing and debugging.

     load filename
             Reload the configuration from the specified file.

     log brief
             Disable verbose logging.

     log verbose
             Enable verbose logging.

     monitor
             Monitor internal messages of the iked(8) subsystems.

     reload  Reload the configuration from the default configuration file.

     reset all
             Reset the running state.

     reset ca
             Reset the X.509 CA and certificate state.

     reset policy
             Flush the configured policies.

     reset sa
             Flush the running SAs.

     reset user
             Flush the local user database.

     reset id ikeid
             Delete all IKE SAs with matching ID.

     show sa
             Show internal state of active IKE SAs, Child SAs and IPsec flows.

PKI AND CERTIFICATE AUTHORITY COMMANDS
     In order to use public key based authentication with IKEv2, a public key
     infrastructure (PKI) has to be set up to create and sign the peer
     certificates.  ikectl includes commands to simplify maintenance of the
     PKI and to set up a simple certificate authority (CA) for iked(8) and
     its peers.

     The following commands are available to control the CA:

     ca name create [password password]
             Create a new certificate authority with the specified name.  The
             command will prompt for a CA password unless it is specified with
             the optional password argument.  The password will be saved in a
             protected file ikeca.passwd in the CA directory and used for
             subsequent commands.

     ca name delete
             Delete the certificate authority with the specified name.

     ca name export [peer peer] [password password]
             Export the certificate authority with the specified name into the
             current directory for transport to other systems.  This command
             will create a compressed tarball called ca.tgz in the local
             directory and optionally ca.zip if the `zip' tool is installed.
             The optional peer argument can be used to specify the address or
             FQDN of the local gateway which will be written into a text file
             peer.txt and included in the archives.

     ca name install [path]
             Install the certificate and Certificate Revocation List (CRL) for
             CA name as the currently active CA or into the specified path.

     ca name certificate host create [server | client | ocsp]
             Create a private key and certificate for host and sign them with
             the key of the certificate authority with the specified name.

             The certificate will be valid for client and server
             authentication by default by setting both flags as the extended
             key usage in the certificate; this can be restricted using the
             optional server or client argument.  If the ocsp argument is
             specified the extended key usage will be set for OCSP signing.

     ca name certificate host delete
             Delete the private key and certificates associated with host.

     ca name certificate host export [peer peer] [password password]
             Export key files for host of the certificate authority with the
             specified name into the current directory for transport to other
             systems.  This command will create a compressed tarball host.tgz
             in the local directory and optionally host.zip if the `zip' tool
             is installed.  The optional peer argument can be used to specify
             the address or FQDN of the local gateway which will be written
             into a text file peer.txt and included in the archives.

     ca name certificate host install [path]
             Install the private and public key for host into the active
             configuration or specified path.

     ca name certificate host revoke
             Revoke the certificate specified by host and generate a new
             Certificate Revocation List (CRL).

     show ca name certificates [host]
             Display a listing of certificates associated with CA name or
             display certificate details if host is specified.

     ca name key host create
             Create a private key for host if one does not already exist.

     ca name key host install [path]
             Install the private and public keys for host into the active
             configuration or specified path.

     ca name key host delete
             Delete the private key for host.

     ca name key host import file
             Source the private key for host from the named file.

FILES
     /etc/iked/            Active configuration.
     /etc/ssl/             Directory to store the CA files.
     /usr/share/iked/      If this optional directory exists, ikectl will
                           include the contents with the ca export commands.
     /var/run/iked.sock    Default UNIX-domain socket used for communication
                           with iked(8).

EXAMPLES
     First create a new certificate authority:

           # ikectl ca vpn create

     Now create the certificates for the VPN peers.  The specified hostname,
     either IP address or FQDN, will be saved in the signed certificate and
     has to match the IKEv2 identity, or srcid, of the peers:

           # ikectl ca vpn certificate 10.1.2.3 create
           # ikectl ca vpn certificate 10.2.3.4 create
           # ikectl ca vpn certificate 10.3.4.5 create

     It is possible that the host that was used to create the CA is also one
     of the VPN peers.  In this case you can install the peer and CA
     certificates locally:

           # ikectl ca vpn install
           # ikectl ca vpn certificate 10.1.2.3 install

     Now export the individual host key, the certificate and the CA
     certificate to each other peer.  First run the export command to create
     tarballs that include the required files:

           # ikectl ca vpn certificate 10.2.3.4 export
           # ikectl ca vpn certificate 10.3.4.5 export

     These commands will produce two tarballs 10.2.3.4.tgz and 10.3.4.5.tgz.
     Copy these tarballs over to the appropriate peers and extract them to the
     /etc/iked/ directory:

           10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz
           10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz

     ikectl will also create `zip' archives 10.2.3.4.zip and 10.3.4.5.zip in
     addition to the tarballs if the zip tool is found in /usr/local/bin/zip.
     These archives can be exported to peers running Windows and will include
     the certificates in a format that is supported by the OS.  The zip tool
     can be installed from the OpenBSD packages or ports collection before
     running the export commands, see packages(7) for more information.  For
     example:

           # pkg_add zip
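     The following script is an added example and is not part of ikectl,
     iked or the OpenBSD project.  It checks a peer's exported key material
     before it is trusted and extracted into /etc/iked, covering the points
     made above: the peer certificate chains to the CA certificate, the
     private key (which the CAVEATS section notes is generated on the CA
     machine) matches the certificate, the extended key usage carries both
     server and client authentication as `ca name certificate host create'
     sets by default, and the certificate identity equals the peer's IKEv2
     srcid.  It assumes openssl(1) is available, that the four file paths are
     passed explicitly (this page does not document the tarball layout), and
     that the identity is carried in the subject CN or a subjectAltName
     entry.  The `demo' mode builds a throwaway CA and peer certificate with
     openssl as a constructed stand-in for the output of `ikectl ca vpn
     certificate host export'.

```shell
#!/bin/sh
# Added example, not ikectl's own code.  Assumptions: openssl(1) is present,
# file locations are given on the command line, and the peer identity sits
# in the certificate's CN or subjectAltName (as the demo bundle constructs).
set -u

# check_peer_bundle CA_CERT PEER_CERT PEER_KEY PEER_ID
# Exit status 0 only if all four checks pass:
#   1. PEER_CERT chains to CA_CERT
#   2. PEER_KEY is the private half of the public key in PEER_CERT
#   3. extended key usage allows both server and client authentication
#   4. the subject CN or a SAN entry equals PEER_ID (the iked srcid)
check_peer_bundle() {
    ca=$1 crt=$2 key=$3 id=$4
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "$crt: does not chain to $ca"; return 1; }
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "$key: does not match $crt"; return 1; }
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null)
    # The EKU names are printed on the line after the extension header.
    eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | tail -n 1)
    case $eku in
        *"TLS Web Server Authentication"*"TLS Web Client Authentication"*|\
        *"TLS Web Client Authentication"*"TLS Web Server Authentication"*) ;;
        *) echo "$crt: EKU does not cover server and client auth"; return 1 ;;
    esac
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 2>/dev/null)
    cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1)
    [ "$cn" = "$id" ] && return 0
    # SAN entries are comma separated; the trailing comma stops prefix matches.
    case "$san," in *"IP Address:$id,"*|*"DNS:$id,"*) return 0 ;; esac
    echo "$crt: identity '$cn' / '$san' does not match $id"
    return 1
}

# make_demo_bundle DIR HOST: constructed throwaway CA plus a peer key and
# certificate for HOST (an IP address) in DIR, built with openssl only.
make_demo_bundle() {
    dir=$1 host=$2
    mkdir -p "$dir"
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n[dn]\nCN = demo-vpn-ca\n[ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n[ext]\nextendedKeyUsage = serverAuth,clientAuth\nsubjectAltName = IP:%s\n' \
        "$host" "$host" > "$dir/$host.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/$host.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/$host.cnf" -extensions ext \
        -out "$dir/$host.crt" >/dev/null 2>&1
}

# Usage: sh check-peer-bundle.sh demo
#        sh check-peer-bundle.sh CA_CERT PEER_CERT PEER_KEY PEER_ID
case ${1:-} in
    demo)
        d=$(mktemp -d)
        make_demo_bundle "$d" 10.2.3.4
        check_peer_bundle "$d/ca.crt" "$d/10.2.3.4.crt" "$d/10.2.3.4.key" 10.2.3.4 \
            && echo "10.2.3.4: bundle OK"
        rm -rf "$d" ;;
    "") ;;
    *)
        [ $# -eq 4 ] || { echo "usage: $0 CA_CERT PEER_CERT PEER_KEY PEER_ID" >&2; exit 2; }
        check_peer_bundle "$@" ;;
esac
```

     Run with the four files from an extracted bundle to check it in place;
     a non-zero exit with one diagnostic line names the first failed check.
     The EKU check is deliberately strict about both authentication flags
     because a certificate created with the optional server or client
     argument will only serve one side of the IKEv2 exchange.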

SEE ALSO
     packages(7), iked(8), ssl(8)

HISTORY
     The ikectl program first appeared in OpenBSD 4.8.

AUTHORS
     The ikectl program was written by Reyk Floeter <reyk@openbsd.org> and
     Jonathan Gray <jsg@openbsd.org>.

CAVEATS
     For ease of use, the ca commands maintain all peers' private keys on the
     CA machine.  In contrast to a `real' CA, it does not support signing of
     public keys that have been imported from peers that do not want to expose
     their private keys to the CA.

BSD				April 25, 2020				   BSD
