IKED(8)			FreeBSD	System Manager's Manual		       IKED(8)

NAME
     iked -- Internet Key Exchange protocol daemon

SYNOPSIS
     iked [-46hvFV] [-f configfile] [-l logfile] [-p port] [-I peer-address]
          [-S selector-index] [-d] [-D level] [-P outfile]

DESCRIPTION
     iked is a key management daemon, which supports the Internet Key Exchange
     (IKE) protocol version 1 (RFC2409) and version 2 (RFC4306).  It is driven
     by upcalls from the kernel via the PF_KEYv2 interface or by negotiation
     requests from remote peers, and manages IPsec SAs according to

     The following options are available:

     -4      Use IPv4 addresses only for local sockets.

     -6      Use IPv6 addresses only for local sockets.

     -d      Increase the debugging level.  This flag may occur multiple

     -f configfile
             Read configurations from the specified file.

     -I peer-address
             Immediately initiate to the peer specified.

     -S selector_index
             Immediately initiate using the selector specified.

     -h      Show simple help messages.

     -l logfile
             Output log to logfile instead of syslog.

     -p portnum
             Specify the default port number for IKE sockets.

     -v      Output log to stdout in addition to syslog.

     -D num  Set debug flag.

     -F      Run in the foreground.  iked does not detach itself from the
             terminal and does not become a daemon.  Logs are output to the

     -P outfile
             Record unencrypted IKE communication packets to the file.  This
             option is available only if iked was compiled with the
             --enable-pcap configuration option.

     -V      Show the version.

     Upon receiving SIGINT or SIGTERM, iked shuts down IKEv2 IKE_SAs with peer
     nodes by sending an Informational exchange with a Delete payload, deletes
     the relevant IPsec SAs, and then exits.  Upon receiving SIGHUP, iked
     similarly shuts down IKEv2 IKE_SAs and deletes the relevant IPsec SAs,
     then reloads the configuration file.

     IPsec policies are managed by spmd(8), so it must be started before
     iked.  When spmd(8) restarts, iked needs to be reloaded to reconnect with

FILES
                The default configuration file for racoon2.
     /var/run/  The PID file of the current instance of the daemon.

SEE ALSO
     racoon2(7), racoon2.conf(5), spmd(8), kinkd(8), ipsec(4)

STANDARDS
     The Internet Key Exchange (IKE), RFC2409, November 1998.

     Internet Key Exchange (IKEv2) Protocol, RFC4306, December 2005.

HISTORY
     The iked command was developed for racoon2 in 2004-2005.

AUTHORS
     iked was written and is maintained by the WIDE/racoon2 project.

     Part of the code is derived from the ipsec-tools racoon daemon, which was
     derived from the KAME racoon daemon.

BUGS
     The "default" clause of the configuration file is used for two purposes:
     to provide default values for individual fields in other sections of the
     configuration, and to specify the default kmp configuration when the
     responder receives a message from an unknown peer.  In the latter case,
     when the "default" clause lacks some necessary fields, the error message
     may be cryptic, since the clause is not checked by the configuration
     check routine of iked.  (Probably it will result in "no proposal
     chosen".)

     On FreeBSD/NetBSD, when an IPsec SA expires by its IPsec SA lifetime,
     the kernel does not notify iked about the SA expiration.  To remedy
     this, iked maintains its own expiration timer for each IPsec SA.  Since
     iked cannot know how many bytes have been used for the SA,
     lifetime_bytes in the configuration is ignored for now.

     SA bundles (e.g. AH+ESP) do not conform to the protocol spec.

     After rekeying an IKE_SA, iked may emit some warning messages if the
     rekey negotiation or delete request was started from both ends at once.

RACOON2				August 18, 2006			       RACOON2
