NAME
ikectl
—
control the IKEv2 daemon
SYNOPSIS
ikectl |
[-q ] [-s
socket] command
[arg ...] |
DESCRIPTION
The ikectl
program controls the
iked(8) daemon
and provides commands to maintain a simple X.509 certificate authority (CA)
for IKEv2 peers.
The options are as follows:
-q
- Don't ask for confirmation of any default options.
-s
socket- Use socket instead of the default /var/run/iked.sock to communicate with iked(8).
IKED CONTROL COMMANDS
The following commands are available to control iked(8):
active
- Set iked(8) to active mode.
passive
- Set iked(8) to passive mode. In passive mode no packets are sent to peers and no connections are initiated by iked(8).
couple
- Load the negotiated security associations (SAs) and flows into the kernel.
decouple
- Unload the negotiated SAs and flows from the kernel. This mode is only useful for testing and debugging.
load
filename- Reload the configuration from the specified file.
log brief
- Disable verbose logging.
log verbose
- Enable verbose logging.
monitor
- Monitor internal messages of the iked(8) subsystems.
reload
- Reload the configuration from the default configuration file.
reset all
- Reset the running state.
reset ca
- Reset the X.509 CA and certificate state.
reset policy
- Flush the configured policies.
reset sa
- Flush the running SAs.
reset user
- Flush the local user database.
reset id
ikeid- Delete all IKE SAs with matching ID.
show sa
- Show internal state of active IKE SAs, Child SAs and IPsec flows.
PKI AND CERTIFICATE AUTHORITY COMMANDS
In order to use public key based authentication with IKEv2, a
public key infrastructure (PKI) has to be set up to create and sign the peer
certificates. ikectl
includes commands to simplify
maintenance of the PKI and to set up a simple certificate authority (CA) for
iked(8) and
its peers.
The following commands are available to control the CA:
ca
namecreate
[password
password]- Create a new certificate authority with the specified name. The command will prompt for a CA password unless it is specified with the optional password argument. The password will be saved in a protected file ikeca.passwd in the CA directory and used for subsequent commands.
ca
namedelete
- Delete the certificate authority with the specified name.
ca
nameexport
[peer
peer] [password
password]- Export the certificate authority with the specified name into the current directory for transport to other systems. This command will create a compressed tarball called ca.tgz in the local directory and optionally ca.zip if the ‘zip’ tool is installed. The optional peer argument can be used to specify the address or FQDN of the local gateway which will be written into a text file peer.txt and included in the archives.
ca
nameinstall
[path]- Install the certificate and Certificate Revocation List (CRL) for CA name as the currently active CA or into the specified path.
ca
namecertificate
hostcreate
[server
|client
|ocsp
]- Create a private key and certificate for host and
sign then with the key of certificate authority with the specified
name.
The certificate will be valid for client and server authentication by default by setting both flags as the extended key usage in the certificate; this can be restricted using the optional
server
orclient
argument. If theocsp
argument is specified, the extended key usage will be set for OCSP signing. ca
namecertificate
hostdelete
- Deletes the private key and certificates associated with host.
ca
namecertificate
hostexport
[peer
peer] [password
password]- Export key files for host of the certificate authority with the specified name into the current directory for transport to other systems. This command will create a compressed tarball host.tgz in the local directory and optionally host.zip if the ‘zip’ tool is installed. The optional peer argument can be used to specify the address or FQDN of the local gateway which will be written into a text file peer.txt and included in the archives.
ca
namecertificate
hostinstall
[path]- Install the private and public key for host into the active configuration or specified path.
ca
namecertificate
hostrevoke
- Revoke the certificate specified by host and generate a new Certificate Revocation List (CRL).
show
ca
namecertificates
[host]- Display a listing of certificates associated with CA name or display certificate details if host is specified.
ca
namekey
hostcreate
- Create a private key for host if one does not already exist.
ca
namekey
hostinstall
[path]- Install the private and public keys for host into the active configuration or specified path.
ca
namekey
hostdelete
- Delete the private key for host.
ca
namekey
hostimport
file- Source the private key for host from the named file.
FILES
- /etc/iked/
- Active configuration.
- /etc/ssl/
- Directory to store the CA files.
- /usr/share/iked/
- If this optional directory exists,
ikectl
will include the contents with theca export
commands. - /var/run/iked.sock
- Default UNIX-domain socket used for communication with iked(8).
EXAMPLES
First create a new certificate authority:
# ikectl ca vpn create
Now create the certificates for the VPN peers. The specified hostname, either IP address or FQDN, will be saved in the signed certificate and has to match the IKEv2 identity, or srcid, of the peers:
# ikectl ca vpn certificate 10.1.2.3 create # ikectl ca vpn certificate 10.2.3.4 create # ikectl ca vpn certificate 10.3.4.5 create
It is possible that the host that was used to create the CA is also one of the VPN peers. In this case you can install the peer and CA certificates locally:
# ikectl ca vpn install # ikectl ca vpn certificate 10.1.2.3 install
Now export the individual host key, the certificate and the CA
certificate to each other peer. First run the export
command to create tarballs that include the required files:
# ikectl ca vpn certificate 10.2.3.4 export # ikectl ca vpn certificate 10.3.4.5 export
These commands will produce two tarballs 10.2.3.4.tgz and 10.3.4.5.tgz. Copy these tarballs over to the appropriate peers and extract them to the /etc/iked/ directory:
10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz 10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz
ikectl
will also create
‘zip’ archives 10.2.3.4.zip and 10.3.4.5.zip in addition to
the tarballs if the zip tool is found in
/usr/local/bin/zip. These archives can be exported
to peers running Windows and will include the certificates in a format that
is supported by the OS. The zip tool can be installed from the
OpenBSD packages or ports collection before running
the export
commands, see
packages(7) for more information. For example:
# pkg_add zip
SEE ALSO
HISTORY
The ikectl
program first appeared in
OpenBSD 4.8.
AUTHORS
The ikectl
program was written by
Reyk Floeter
<[email protected]>
and
Jonathan Gray
<[email protected]>.
CAVEATS
For ease of use, the ca
commands maintain
all peers' private keys on the CA machine. In contrast to a
‘real’ CA, it does not support signing of public keys that
have been imported from peers that do not want to expose their private keys
to the CA.