Scroll to navigation

IKECTL(8) System Manager's Manual IKECTL(8)

NAME

ikectlcontrol the IKEv2 daemon

SYNOPSIS

ikectl [-q][-ssocket]command[arg...]

DESCRIPTION

Theikectlprogram controls theiked(8)daemon and provides commands to maintain a simple X.509 certificateauthority (CA) for IKEv2 peers.

The options are as follows:

Don't ask for confirmation of any default options.
socket
Usesocketinstead of the default/var/run/iked.sockto communicate withiked(8).

IKED CONTROL COMMANDS

The following commands are available to controliked(8):

Setiked(8)to active mode.
Setiked(8)to passive mode.In passive mode no packets are sent to peers and no connectionsare initiated byiked(8).
Load the negotiated security associations (SAs) and flows into the kernel.
Unload the negotiated SAs and flows from the kernel.This mode is only useful for testing and debugging.
filename
Reload the configuration from the specified file.
Disable verbose logging.
Enable verbose logging.
Monitor internal messages of theiked(8)subsystems.
Reload the configuration from the default configuration file.
Reset the running state.
Reset the X.509 CA and certificate state.
Flush the configured policies.
Flush the running SAs.
Flush the local user database.
ikeid
Delete all IKE SAs with matching ID.
Show internal state of active IKE SAs, Child SAs and IPsec flows.

PKI AND CERTIFICATE AUTHORITY COMMANDS

In order to use public key based authentication with IKEv2,a public key infrastructure (PKI) has to be set up to create and signthe peer certificates.ikectlincludes commands to simplify maintenance of the PKIand to set up a simple certificate authority (CA) foriked(8)and its peers.

The following commands are available to control the CA:

namecreate[passwordpassword]
Create a new certificate authority with the specifiedname.The command will prompt for a CA password unless it is specified withthe optionalpasswordargument.The password will be saved in a protected fileikeca.passwdin the CA directory and used for subsequent commands.
namedelete
Delete the certificate authority with the specifiedname.
nameexport[peerpeer][passwordpassword]
Export the certificate authority with the specifiednameinto the current directory for transport to other systems.This command will create a compressed tarball calledca.tgzin the local directory and optionallyca.zipif the‘zip’tool is installed.The optionalpeerargument can be used to specify the address or FQDN of the local gatewaywhich will be written into a text filepeer.txtand included in the archives.
nameinstall[path]
Install the certificate and Certificate Revocation List (CRL) for CAnameas the currently active CA or into the specifiedpath.
namecertificatehostcreate[server|client|ocsp]
Create a private key and certificate forhostand sign then with the key of certificate authority with the specifiedname.

The certificate will be valid for client and server authentication bydefault by setting both flags as the extended key usage in the certificate;this can be restricted using the optionalserverorclientargument.If theocspargument is specified the extended key usage will be set for OCSP signing.

namecertificatehostdelete
Deletes the private key and certificates associated withhost.
namecertificatehostexport[peerpeer][passwordpassword]
Export key files forhostof the certificate authority with the specifiednameinto the current directory for transport to other systems.This command will create a compressed tarballhost.tgzin the local directory and optionallyhost.zipif the‘zip’tool is installed.The optionalpeerargument can be used to specify the address or FQDN of the local gatewaywhich will be written into a text filepeer.txtand included in the archives.
namecertificatehostinstall[path]
Install the private and public key forhostinto the active configuration or specifiedpath.
namecertificatehostrevoke
Revoke the certificate specified byhostand generate a new Certificate Revocation List (CRL).
canamecertificates[host]
Display a listing of certificates associated with CAnameor display certificate details ifhostis specified.
namekeyhostcreate
Create a private key forhostif one does not already exist.
namekeyhostinstall[path]
Install the private and public keys forhostinto the active configuration or specifiedpath.
namekeyhostdelete
Delete the private key forhost.
namekeyhostimportfile
Source the private key forhostfrom the namedfile.

FILES

/etc/iked/
Active configuration.
/etc/ssl/
Directory to store the CA files.
/usr/share/iked/
If this optional directory exists,ikectlwill include the contents with thecaexportcommands.
/var/run/iked.sock
DefaultUNIX-domainsocket used for communication withiked(8).

EXAMPLES

First create a new certificate authority:

# ikectl ca vpn create

Now create the certificates for the VPN peers.The specified hostname, either IP address or FQDN, will be saved inthe signed certificate and has to match the IKEv2 identity, orsrcid,of the peers:

# ikectl ca vpn certificate 10.1.2.3 create
# ikectl ca vpn certificate 10.2.3.4 create
# ikectl ca vpn certificate 10.3.4.5 create

It is possible that the host that was used to create the CA is alsoone of the VPN peers.In this case you can install the peer and CA certificates locally:

# ikectl ca vpn install
# ikectl ca vpn certificate 10.1.2.3 install

Now export the individual host key, the certificate and the CAcertificate to each other peer.First run theexportcommand to create tarballs that include the required files:

# ikectl ca vpn certificate 10.2.3.4 export
# ikectl ca vpn certificate 10.3.4.5 export

These commands will produce two tarballsand.Copy these tarballs over to the appropriate peers and extract themto the/etc/iked/directory:

10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz
10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz

ikectlwill also create‘zip’archives 10.2.3.4.zip and 10.3.4.5.zipin addition to the tarballs if the zip tool is found in/usr/local/bin/zip.These archives can be exported to peers running Windows and willinclude the certificates in a format that is supported by the OS.The zip tool can be installed from theOpenBSDpackages or ports collection before running theexportcommands, seepackages(7)for more information.For example:

# pkg_add zip

SEE ALSO

packages(7),iked(8),ssl(8)

HISTORY

Theikectlprogram first appeared inOpenBSD4.8.

AUTHORS

Theikectlprogram was written byReyk Floeter<reyk@openbsd.org>and
Jonathan Gray<jsg@openbsd.org>.

CAVEATS

For ease of use, thecacommands maintain all peers' private keys on the CA machine.In contrast to a‘real’CA, it does not support signing of public keys that have been importedfrom peers that do not want to expose their private keys to the CA.

April 25, 2020 Debian