IKECTL(8) OpenBSD System Manager's Manual IKECTL(8)NAMEikectl - control the IKEv2 daemon
SYNOPSISikectl [-q] [-s socket] command [arg ...]
DESCRIPTION
The ikectl program controls the iked(8) daemon and provides commands to
maintain a simple X.509 certificate authority (CA) for IKEv2 peers.
The options are as follows:
-q Don't ask for confirmation of any default options.
-s socket
Use socket instead of the default /var/run/iked.sock to
communicate with iked(8).
IKED CONTROL COMMANDS
The following commands are available to control iked(8):
active Set iked(8) to active mode.
passive
Set iked(8) to passive mode. In passive mode no packets are sent
to peers and no connections are initiated by iked(8).
couple Load the negotiated security associations (SAs) and flows into
the kernel.
decouple
Unload the negotiated SAs and flows from the kernel. This mode
is only useful for testing and debugging.
load filename
Reload the configuration from the specified file.
log brief
Disable verbose logging.
log verbose
Enable verbose logging.
monitor
Monitor internal messages of the iked(8) subsystems.
reload Reload the configuration from the default configuration file.
reset all
Reset the running state.
reset ca
Reset the X.509 CA and certificate state.
reset policy
Flush the configured policies.
reset sa
Flush the running SAs.
reset user
Flush the local user database.
PKI AND CERTIFICATE AUTHORITY COMMANDS
In order to use public key based authentication with IKEv2, a public key
infrastructure (PKI) has to be set up to create and sign the peer
certificates. ikectl includes commands to simplify maintenance of the
PKI and to set up a simple certificate authority (CA) for iked(8) and its
peers.
The following commands are available to control the CA:
ca name create [password password]
Create a new certificate authority with the specified name. The
command will prompt for a CA password unless it is specified with
the optional password argument. The password will be saved in a
protected file ikeca.passwd in the CA directory and used for
subsequent commands.
ca name delete
Delete the certificate authority with the specified name.
ca name export [peer peer] [password password]
Export the certificate authority with the specified name into the
current directory for transport to other systems. This command
will create a compressed tarball called ca.tgz in the local
directory and optionally ca.zip if the `zip' tool is installed.
The optional peer argument can be used to specify the address or
FQDN of the local gateway which will be written into a text file
peer.txt and included in the archives.
ca name install [path]
Install the certificate and Certificate Revocation List (CRL) for
CA name as the currently active CA or into the specified path.
ca name certificate host create [server | client]
Create a private key and certificate for host and sign then with
the key of certificate authority with the specified name.
The certificate will be valid for client and server
authentication by default by setting both flags as the extended
key usage in the certificate; this can be restricted using the
optional server or client argument.
ca name certificate host delete
Deletes the private key and certificates associated with host.
ca name certificate host export [peer peer] [password password]
Export key files for host of the certificate authority with the
specified name into the current directory for transport to other
systems. This command will create a compressed tarball host.tgz
in the local directory and optionally host.zip if the `zip' tool
is installed. The optional peer argument can be used to specify
the address or FQDN of the local gateway which will be written
into a text file peer.txt and included in the archives.
ca name certificate host install [path]
Install the private and public key for host into the active
configuration or specified path.
ca name certificate host revoke
Revoke the certificate specified by host and generate a new
Certificate Revocation List (CRL).
show ca name certificates [host]
Display a listing of certificates associated with CA name or
display certificate details if host is specified.
ca name key host create
Create a private key for host if one does not already exist.
ca name key host install [path]
Install the private and public keys for host into the active
configuration or specified path.
ca name key host delete
Delete the private key for host.
ca name key host import file
Source the private key for host from the named file.
FILES
/etc/iked/ Active configuration.
/etc/ssl/ Directory to store the CA files.
/usr/share/iked If this optional directory exists, ikectl will
include the contents with the ca export commands.
/var/run/iked.sock default UNIX-domain socket used for communication
with iked(8)EXAMPLES
First create a new certificate authority:
# ikectl ca vpn create
Now create the certificates for the VPN peers. The specified hostname,
either IP address or FQDN, will be saved in the signed certificate and
has to match the IKEv2 identity, or srcid, of the peers:
# ikectl ca vpn certificate 10.1.2.3 create
# ikectl ca vpn certificate 10.2.3.4 create
# ikectl ca vpn certificate 10.3.4.5 create
It is possible that the host that was used to create the CA is also one
of the VPN peers. In this case you can install the peer and CA
certificates locally:
# ikectl ca vpn install
# ikectl ca vpn certificate 10.1.2.3 install
Now export the individual host key, the certificate and the CA
certificate to each other peer. First run the export command to create
tarballs that include the required files:
# ikectl ca vpn certificate 10.2.3.4 export
# ikectl ca vpn certificate 10.3.4.5 export
These commands will produce two tarballs 10.2.3.4.tgz and 10.3.4.5.tgz.
Copy these tarballs over to the appropriate peers and extract them to the
/etc/iked/ directory:
10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz
10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz
ikectl will also create `zip' archives 10.2.3.4.zip and 10.3.4.5.zip in
addition to the tarballs if the zip tool is found in /usr/local/bin/zip.
These archives can be exported to peers running Windows and will include
the certificates in a format that is supported by the OS. The zip tool
can be installed from the OpenBSD packages or ports collection before
running the export commands, see packages(7) for more information. For
example:
# pkg_add zip
SEE ALSOpackages(7), iked(8), ssl(8)HISTORY
The ikectl program first appeared in OpenBSD 4.8.
AUTHORS
The ikectl program was written by Reyk Floeter <reyk@vantronix.net> and
Jonathan Gray <jsg@vantronix.net>.
CAVEATS
For ease of use, the ca commands maintain all peers' private keys on the
CA machine. In contrast to a `real' CA, it does not support signing of
public keys that have been imported from peers that do not want to expose
their private keys to the CA.
OpenBSD 4.9 January 20, 2011 OpenBSD 4.9