logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

ikectl — control the IKEv2 daemon

Contents

Authors

       The ikectl program was written by Reyk Floeter <reyk@openbsd.org> and
       Jonathan Gray <jsg@openbsd.org>.

Caveats

       For  ease  of  use, the ca commands maintain all peers' private keys on the CA machine.  In contrast to a
       ‘real’ CA, it does not support signing of public keys that have been imported from peers that do not want
       to expose their private keys to the CA.

Debian                                           April 25, 2020                                        IKECTL(8)

Description

       The  ikectl  program  controls  the  iked(8)  daemon  and  provides  commands  to maintain a simple X.509
       certificate authority (CA) for IKEv2 peers.

       The options are as follows:

       -q      Don't ask for confirmation of any default options.

       -ssocket
               Use socket instead of the default /var/run/iked.sock to communicate with iked(8).

Examples

       First create a new certificate authority:

             # ikectl ca vpn create

       Now create the certificates for the VPN peers.  The specified hostname, either IP address or  FQDN,  will
       be saved in the signed certificate and has to match the IKEv2 identity, or srcid, of the peers:

             # ikectl ca vpn certificate 10.1.2.3 create
             # ikectl ca vpn certificate 10.2.3.4 create
             # ikectl ca vpn certificate 10.3.4.5 create

       It  is  possible that the host that was used to create the CA is also one of the VPN peers.  In this case
       you can install the peer and CA certificates locally:

             # ikectl ca vpn install
             # ikectl ca vpn certificate 10.1.2.3 install

       Now export the individual host key, the certificate and the CA certificate to each other peer.  First run
       the export command to create tarballs that include the required files:

             # ikectl ca vpn certificate 10.2.3.4 export
             # ikectl ca vpn certificate 10.3.4.5 export

       These commands will produce two tarballs 10.2.3.4.tgz and 10.3.4.5.tgz.  Copy these tarballs over to  the
       appropriate peers and extract them to the /etc/iked/ directory:

             10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz
             10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz

       ikectl  will  also create ‘zip’ archives 10.2.3.4.zip and 10.3.4.5.zip in addition to the tarballs if the
       zip tool is found in /usr/local/bin/zip.  These archives can be exported to  peers  running  Windows  and
       will  include  the  certificates  in a format that is supported by the OS.  The zip tool can be installed
       from the OpenBSD packages or ports collection before running the export  commands,  see  packages(7)  for
       more information.  For example:

             # pkg_add zip

Files

/etc/iked/            Active configuration.
       /etc/ssl/             Directory to store the CA files.
       /usr/share/iked/      If  this  optional  directory  exists, ikectl will include the contents with the caexport commands.
       /var/run/iked.sock    Default Unix-domain socket used for communication with iked(8).

History

       The ikectl program first appeared in OpenBSD 4.8.

Iked Control Commands

       The following commands are available to control iked(8):

       active  Set iked(8) to active mode.

       passive
               Set iked(8) to passive mode.  In passive mode no packets are sent to peers and no connections are
               initiated by iked(8).

       couple  Load the negotiated security associations (SAs) and flows into the kernel.

       decouple
               Unload the negotiated SAs and flows from the kernel.  This mode is only useful  for  testing  and
               debugging.

       loadfilename
               Reload the configuration from the specified file.

       logbrief
               Disable verbose logging.

       logverbose
               Enable verbose logging.

       monitor
               Monitor internal messages of the iked(8) subsystems.

       reload  Reload the configuration from the default configuration file.

       resetall
               Reset the running state.

       resetca
               Reset the X.509 CA and certificate state.

       resetpolicy
               Flush the configured policies.

       resetsa
               Flush the running SAs.

       resetuser
               Flush the local user database.

       resetidikeid
               Delete all IKE SAs with matching ID.

       showsa
               Show internal state of active IKE SAs, Child SAs and IPsec flows.

Name

       ikectl — control the IKEv2 daemon

Pki And Certificate Authority Commands

       In  order  to use public key based authentication with IKEv2, a public key infrastructure (PKI) has to be
       set up to create and sign the peer certificates.  ikectl includes commands to simplify maintenance of the
       PKI and to set up a simple certificate authority (CA) for iked(8) and its peers.

       The following commands are available to control the CA:

       canamecreate [passwordpassword]
               Create a new certificate authority with the specified name.  The command will  prompt  for  a  CA
               password  unless it is specified with the optional password argument.  The password will be saved
               in a protected file ikeca.passwd in the CA directory and used for subsequent commands.

       canamedelete
               Delete the certificate authority with the specified name.

       canameexport [peerpeer] [passwordpassword]
               Export the certificate authority with the specified name into the current directory for transport
               to other systems.  This command will create a compressed  tarball  called  ca.tgz  in  the  local
               directory  and  optionally ca.zip if the ‘zip’ tool is installed.  The optional peer argument can
               be used to specify the address or FQDN of the local gateway which will be  written  into  a  text
               file peer.txt and included in the archives.

       canameinstall [path]
               Install the certificate and Certificate Revocation List (CRL) for CA name as the currently active
               CA or into the specified path.

       canamecertificatehostcreate [server | client | ocsp]
               Create a private key and certificate for host and sign then with the key of certificate authority
               with the specified name.

               The  certificate  will  be  valid for client and server authentication by default by setting both
               flags as the extended key usage in the certificate; this can be  restricted  using  the  optional
               server  or client argument.  If the ocsp argument is specified the extended key usage will be set
               for OCSP signing.

       canamecertificatehostdelete
               Deletes the private key and certificates associated with host.

       canamecertificatehostexport [peerpeer] [passwordpassword]
               Export key files for host of the certificate authority with the specified name into  the  current
               directory for transport to other systems.  This command will create a compressed tarball host.tgz
               in the local directory and optionally host.zip if the ‘zip’ tool is installed.  The optional peer
               argument  can  be  used to specify the address or FQDN of the local gateway which will be written
               into a text file peer.txt and included in the archives.

       canamecertificatehostinstall [path]
               Install the private and public key for host into the active configuration or specified path.

       canamecertificatehostrevoke
               Revoke the certificate specified by host and generate a new Certificate Revocation List (CRL).

       showcanamecertificates [host]
               Display a listing of certificates associated with CA name or display certificate details if  host
               is specified.

       canamekeyhostcreate
               Create a private key for host if one does not already exist.

       canamekeyhostinstall [path]
               Install the private and public keys for host into the active configuration or specified path.

       canamekeyhostdelete
               Delete the private key for host.

       canamekeyhostimportfile
               Source the private key for host from the named file.

See Also

packages(7), iked(8), ssl(8)

Synopsis

ikectl [-q] [-ssocket] command [arg...]

See Also

Certificate
Certificate PNG Icons
Man Pages
iked Man Pages
Host
Host PNG Icons
Headphones Icomoon
Headphones Icomoon SVG Icons
Man Pages
CURLOPT_PREQUOTE Man Pages
Installerpedia
peers/peerjs Installerpedia
Man Pages
authoritydbus Man Pages
Installerpedia
arc53/DocsGPT Installerpedia
← View System admin Category← Back to Security and firewalls🙏  Credits & Acknowledgments