DragonFly On-Line Manual Pages
IKED(8) DragonFly System Manager's Manual IKED(8)
NAME
iked - Internet Key Exchange protocol daemon
SYNOPSIS
iked [-46hvFV] [-f configfile] [-l logfile] [-p port] [-I peer-address]
[-S selector-index] [-d] [-D level] [-P outfile]
DESCRIPTION
iked is a key management daemon that supports the Internet Key Exchange
(IKE) protocol version 1 (RFC2409) and version 2 (RFC4306). It is driven
by upcalls from the kernel via the PF_KEYv2 interface or by negotiation
requests from remote peers, and manages IPsec SAs according to
racoon2.conf.
The following options are available:
-4 Use IPv4 addresses only for local sockets.
-6 Use IPv6 addresses only for local sockets.
-d Increase the debugging level. This flag may occur multiple
times.
-f configfile
Read configurations from the specified file.
-I peer-address
Immediately initiate negotiation with the specified peer.
-S selector_index
Immediately initiate negotiation using the specified selector.
-h Show simple help messages.
-l logfile
Output log to logfile instead of syslog.
-p portnum
Specify default port number for IKE sockets.
-v Output log to stdout in addition to syslog.
-D num Set the debug flag.
-F Run in the foreground. iked does not detach itself from the
terminal and does not become a daemon. Logs are output to
stderr.
-P outfile
Record unencrypted IKE communication packets to outfile. This
option is available only if iked was compiled with the
--enable-pcap configure option.
-V Show the version.
Upon receiving SIGINT or SIGTERM, iked shuts down IKEv2 IKE_SAs with peer
nodes by sending an Informational exchange with a Delete payload, deletes
the relevant IPsec SAs, and then exits. Upon receiving SIGHUP, iked
similarly shuts down IKEv2 IKE_SAs and deletes the relevant IPsec SAs,
then reloads the configuration file.
IPsec policies are managed by spmd(8), so it must be started before
iked. When spmd(8) restarts, iked needs to be reloaded to reconnect with
it.
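The startup ordering and SIGHUP reload described above, as an added shell helper that is not part of racoon2 or this manual page. /var/run/iked.pid is the PID file named in FILES; the spmd PID file path is an assumption, and the PID-file validation is a defensive habit so a stale or malformed file never causes a signal to be sent to an unrelated process.

```sh
#!/bin/sh
# Added helper for the iked(8) lifecycle: spmd(8) must be running before
# iked starts, and iked must be reloaded (SIGHUP) after spmd restarts.
# /var/run/iked.pid is from the manual page; the spmd path is an assumption.

IKED_PIDFILE=${IKED_PIDFILE:-/var/run/iked.pid}
SPMD_PIDFILE=${SPMD_PIDFILE:-/var/run/spmd.pid}   # assumed path

# read_pidfile FILE: print the PID stored in FILE if the first line is a
# single positive integer naming a live process; return 1 otherwise.
# Rejects empty, non-numeric and dead-process files (a live-process check
# reduces, but cannot fully rule out, PID reuse by another program).
read_pidfile() {
    pid=$(head -n 1 -- "$1" 2>/dev/null | tr -d '[:space:]') || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;          # empty or not purely numeric
    esac
    [ "$pid" -gt 0 ] || return 1          # PID 0 is never a daemon
    kill -0 "$pid" 2>/dev/null || return 1  # process must exist
    printf '%s\n' "$pid"
}

# iked_reload: SIGHUP makes iked tear down its IKE_SAs and IPsec SAs and
# re-read racoon2.conf, which is what is needed after spmd(8) restarts.
iked_reload() {
    pid=$(read_pidfile "$IKED_PIDFILE") || {
        echo "iked_reload: no valid PID in $IKED_PIDFILE" >&2
        return 1
    }
    kill -HUP "$pid"
}

# iked_start [iked options]: refuse to start iked unless spmd(8) is already
# up, mirroring the ordering requirement; -F keeps logs on stderr.
iked_start() {
    read_pidfile "$SPMD_PIDFILE" >/dev/null || {
        echo "iked_start: spmd(8) is not running; start it first" >&2
        return 1
    }
    exec iked -F "$@"
}
```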
FILES
/usr/local/etc/racoon2/racoon2.conf
The default configuration file for racoon2.
/var/run/iked.pid The PID file of the current instance of the daemon.
SEE ALSO
racoon2(7), racoon2.conf(5), spmd(8), kinkd(8), ipsec(4)
The Internet Key Exchange (IKE), RFC2409, November 1998.
Internet Key Exchange (IKEv2) Protocol, RFC4306, December 2005.
HISTORY
The iked command was developed for racoon2 in 2004-2005.
AUTHORS
iked was written and is maintained by the WIDE/racoon2 project
<http://www.racoon2.wide.ad.jp/>
ACKNOWLEDGEMENTS
Part of the code is derived from the ipsec-tools racoon daemon, which
was derived from the KAME racoon daemon.
BUGS
The "default" clause of the configuration file is used for two purposes:
to provide default values for individual fields in other sections of the
configuration, and to specify the default kmp configuration when the
responder receives a message from an unknown peer. In the latter case,
when the "default" clause lacks some necessary fields, the error message
may be cryptic, since the clause is not checked by the configuration
check routine of iked. (Probably it will result in "no proposal chosen".)
On FreeBSD/NetBSD, when an IPsec SA expires because its lifetime has
elapsed, the kernel does not notify iked about the SA expiration. To
remedy this, iked maintains its own expiration timer for each IPsec SA.
Since iked cannot know how many bytes have been used on the SA,
lifetime_bytes in the configuration is ignored for now.
SA bundles (e.g. AH+ESP) do not conform to the protocol specification.
After rekeying an IKE_SA, iked may emit some warning messages if the
rekey negotiation or delete request was started from both ends at once.
RACOON2 August 18, 2006 RACOON2