Provided by: openiked_7.3-1build3_amd64

NAME

       iked — Internet Key Exchange version 2 (IKEv2) daemon

SYNOPSIS

       iked [-dnSTtVv] [-D macro=value] [-f file] [-p udpencap_port] [-s socket]

DESCRIPTION

       iked is an Internet Key Exchange (IKEv2) daemon which performs mutual authentication and which
       establishes and maintains IPsec flows and security associations (SAs) between the two peers.

       The IKEv2 protocol is defined in RFC 7296, which combines and updates the previous standards:
       ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and the Internet DOI (RFC 2407).  iked only supports the
       IKEv2 protocol; support for ISAKMP/Oakley and IKEv1 is provided by isakmpd(8).

       iked supports mutual authentication using RSA or ECDSA public keys and X.509 certificates.  See the
       “PUBLIC KEY AUTHENTICATION” section below and PKI AND CERTIFICATE AUTHORITY COMMANDS in ikectl(8)
       for more information about creating and maintaining the public key infrastructure.

       The options are as follows:

       -D macro=value
                Define macro to be set to value on the command line.  Overrides the definition of macro in
                the configuration file.

       -d      Do not daemonize and log to stderr.

       -f file
               Use file as the configuration file, instead of the default /etc/iked.conf.

       -n      Configtest mode.  Only check the configuration file for validity.

       -p udpencap_port
                Specify the listen port for encapsulated UDP that the daemon will bind to as well as the UDP
                encapsulation port set in resulting IPsec SAs.  In order to receive UDP encapsulated IPsec
                packets on ports other than 4500, the net.inet.esp.udpencap_port sysctl(2) variable has to
                be set accordingly.  Implies -t.

       -S      Start iked in passive mode.  See the set passive option in iked.conf(5) for more information.

       -s socket
               Use socket as the control socket, instead of the default /var/run/iked.sock.

       -T      Disable NAT-Traversal and do not propose NAT-Traversal support to the peers.

       -t      Enforce NAT-Traversal and only listen to NAT-Traversal messages.  This option is only recommended
               for testing; the default is to negotiate NAT-Traversal with the peers.

       -V      Show the version and exit.

       -v      Produce more verbose output.

PUBLIC KEY AUTHENTICATION

       It is possible to store trusted public keys to make them directly usable by iked, bypassing the need
       to use certificates.  The keys should be saved in PEM format (see openssl(1)) and named and stored
       as follows:

          For IPv4 identities:    /etc/iked/pubkeys/ipv4/A.B.C.D
          For IPv6 identities:    /etc/iked/pubkeys/ipv6/abcd:abcd::ab:bc
          For FQDN identities:    /etc/iked/pubkeys/fqdn/foo.bar.org
          For UFQDN identities:   /etc/iked/pubkeys/ufqdn/user@foo.bar.org

       Depending on the srcid and dstid specifications in iked.conf(5), keys may be named after their IPv4
       address, IPv6 address, fully qualified domain name (FQDN) or user fully qualified domain name (UFQDN).

       For example, iked can authenticate using the pre-generated keys if the local public key, by default
       /etc/iked/local.pub, is copied to the remote gateway as /etc/iked/pubkeys/ipv4/local.gateway.ip.address
       and the remote gateway's public key is copied to the local gateway as
       /etc/iked/pubkeys/ipv4/remote.gateway.ip.address.  Of course, new keys may also be generated (the user
       is not required to use the pre-generated keys).  In this example, srcid and dstid would also have to
       be set to the specified addresses in iked.conf(5).
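       The following helper is an added example, not part of iked or of this manual page: it maps a peer
       identity to the per-type pubkeys directory described above and copies a PEM public key into place.
       The names IKED_PUBKEYS_DIR, is_ipv4, iked_id_type, iked_pubkey_path and iked_install_pubkey are chosen
       here (assumptions), and the PEM header check is a local sanity check, not something iked performs.

```shell
#!/bin/sh
# Added example (not from the iked man page or the OpenIKED project).
# IKED_PUBKEYS_DIR defaults to the path documented in iked(8); override it
# when testing without root.

# True if $1 is a dotted quad with four octets in 0..255.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print the pubkeys subdirectory iked uses for an identity:
# ufqdn (user@host), ipv6 (contains ':'), fqdn (hostname) or ipv4.
# Returns 1 for a string that fits none of the four identity types.
iked_id_type() {
    case "$1" in
        *@*)        echo ufqdn ;;
        *:*)        echo ipv6 ;;
        *[!0-9.]*)  echo fqdn ;;
        *)          is_ipv4 "$1" && echo ipv4 ;;
    esac
}

# Print the full path where iked expects the trusted key for identity $1.
iked_pubkey_path() {
    t=$(iked_id_type "$1") || return 1
    printf '%s/%s/%s\n' "${IKED_PUBKEYS_DIR:-/etc/iked/pubkeys}" "$t" "$1"
}

# Usage: iked_install_pubkey <identity> <peer-public-key.pem>
# Refuses input that is not a PEM public key, then installs it world-readable
# (it is a public key) under the identity-specific directory.
iked_install_pubkey() {
    dest=$(iked_pubkey_path "$1") || { echo "unrecognised identity: $1" >&2; return 1; }
    grep -Eq -- '^-----BEGIN (RSA )?PUBLIC KEY-----' "$2" \
        || { echo "$2: not a PEM public key" >&2; return 1; }
    mkdir -p "$(dirname "$dest")" && cp "$2" "$dest" && chmod 0644 "$dest"
}
```

       Run as root with the default IKED_PUBKEYS_DIR, this places the remote gateway's key exactly where the
       example above says it must live; the matching srcid and dstid still have to be set in iked.conf(5).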

FILES

       /etc/iked.conf         The default iked configuration file.
       /etc/iked/ca/          The directory where CA certificates are kept.
       /etc/iked/certs/       The directory where IKE certificates are kept, both the local certificate(s) and
                              those of the peers, if a choice to have them kept permanently has been made.
       /etc/iked/crls/        The directory where CRLs are kept.
       /etc/iked/private/     The directory where local private keys used for public key authentication are
                              kept.  The file local.key is used to store the local private key.
       /etc/iked/pubkeys/     The directory in which trusted public keys are kept.  The keys must be named in
                              the fashion described above.
       /var/run/iked.sock     The default iked control socket.

SEE ALSO

       iked.conf(5), ikectl(8), isakmpd(8)

STANDARDS

       C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen, Internet Key Exchange Protocol Version 2
       (IKEv2), RFC 7296, October 2014.

HISTORY

       The iked program first appeared in OpenBSD 4.8.

AUTHORS

       The iked program was written by Reyk Floeter <reyk@openbsd.org>.

Debian                                          November 29, 2021                                        IKED(8)