|-4||Use IPv4 addresses only for local sockets.|
|-6||Use IPv6 addresses only for local sockets.|
|-d||Increase the debugging level. This flag may occur multiple times.|
|Read configurations from the specified file.|
|Immediately initiate to the peer specified.|
|Immediately initiate using the selector specified.|
|-h||Show simple help messages.|
|Output log to logfile instead of syslog.|
|Specify default port number for IKE sockets.|
|-v||Output log to stdout in addition to syslog.|
|-D num||Set debug flag.|
|-F||Run in the foreground. iked does not detach itself from the terminal and does not become a daemon. Logs are output to the stderr.|
|Record unencrypted IKE communication packets to the file. This option is available only if iked was compiled with --enable-pcap configuration option.|
|-V||Show the version.|
Upon receiving SIGINT or SIGTERM, iked shuts down IKEv2 IKE_SAs with peer nodes by sending Informational exchange with Delete payload, deletes relevant IPsec SAs, and then exits. Upon receiving SIGHUP, iked similarly shuts down IKEv2 IKE_SAs and deletes relevant IPsec SAs, then reloads the configuration file.
/usr/local/etc/racoon2/racoon2.conf The default configuration file for racoon2. /var/run/iked.pid The PID file of the current instance of the daemon.
racoon2(7), racoon2.conf(5), spmd(8), kinkd(8), ipsec(4)
.Rs The Internet Key Exchange (IKE)
.Rs Internet Key Exchange (IKEv2) Protocol
The iked command was developed for racoon2 in 2004-2005.
iked was written and is maintained by
.An WIDE/racoon2 project <http://www.racoon2.wide.ad.jp/>
Part of the codes are derived from ipsec-tools racoon daemon, which was derived from KAME racoon daemon.
"default" clause of configuration file is used for two purposes: to provide default values for individual field for other sections of configuration, and to specify default kmp configuration when the responder received a message from unknown peer. In latter case, when "default" clause lacks some necessary fields, error message may be cryptic, since it is not checked by configuration check routine of iked. (Probably it will result in "no proposal chosen".)
On FreeBSD/NetBSD, when IPsec SA expires by IPsec SA lifetime, kernel does not notify iked about the sa expiration. To remedy this, iked maintains its own expiration timer for each IPsec SA. Since the iked cant know how much bytes used for the SA, lifetime_bytes in the configuration are ignored for now.
SA bundles (e.g. AH+ESP) does not conform to protocol spec.
After rekeying IKE_SA, iked may spit some warning messages, if the rekey negotiation or delete request was started from both ends at once.