Manual Reference Pages  -  IKED (8)

NAME

iked - Internet Key Exchange protocol daemon

CONTENTS

Synopsis
Description
Files
See Also
History
Authors
Acknowledgements
Bugs

SYNOPSIS

iked [-46hvFV] [-f configfile] [-l logfile] [-p port] [-I peer-address] [-S selector-index] [-d] [-D level] [-P outfile]

DESCRIPTION

iked is a key management daemon, which supports the Internet Key Exchange (IKE) protocol version 1 (RFC2409) and version 2 (RFC4306). It is driven by upcalls from the kernel via the PF_KEYv2 interface or by negotiation requests from remote peers, and manages IPsec SAs according to racoon2.conf.

The following options are available:
-4 Use IPv4 addresses only for local sockets.
-6 Use IPv6 addresses only for local sockets.
-d Increase the debugging level. This flag may occur multiple times.
-f configfile
  Read configurations from the specified file.
-I peer-address
  Immediately initiate negotiation with the specified peer.
-S selector-index
  Immediately initiate negotiation using the specified selector.
-h Show simple help messages.
-l logfile
  Output log to logfile instead of syslog.
-p portnum
  Specify default port number for IKE sockets.
-v Output log to stdout in addition to syslog.
-D level Set the debug flag.
-F Run in the foreground. iked does not detach itself from the terminal and does not become a daemon. Logs are output to stderr.
-P outfile
  Record unencrypted IKE communication packets to the file. This option is available only if iked was compiled with --enable-pcap configuration option.
-V Show the version.

Upon receiving SIGINT or SIGTERM, iked shuts down its IKEv2 IKE_SAs with peer nodes by sending an Informational exchange with a Delete payload, deletes the relevant IPsec SAs, and then exits. Upon receiving SIGHUP, iked similarly shuts down its IKEv2 IKE_SAs and deletes the relevant IPsec SAs, then reloads the configuration file.

IPsec policies are managed by spmd(8), so it must be started before iked. When spmd(8) restarts, iked must be reloaded to reconnect to it.
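The signal semantics above (TERM/INT for a clean shutdown, HUP for shutdown plus configuration reload) and the spmd(8) start-order dependency can be wrapped in small operator helpers. The following is an added example, not part of the racoon2 project; it assumes the PID file path from the FILES section, that pgrep(1) is available, and an IKED_PIDFILE environment override of its own invention.

```shell
#!/bin/sh
# Added example (not racoon2 code): drive iked(8) through its documented
# signals.  TERM/INT = delete IKE_SAs and IPsec SAs, then exit.
# HUP = the same teardown followed by a configuration reload.
# Default PID file path is the one documented under FILES.

IKED_PIDFILE="${IKED_PIDFILE:-/var/run/iked.pid}"   # override is an assumption

# iked_signal SIG [PIDFILE]
# Exit status: 0 signal delivered, 1 PID file missing or unreadable,
# 2 PID file is stale (the recorded process no longer exists).
iked_signal() {
    sig=$1
    pidfile=${2:-$IKED_PIDFILE}
    [ -r "$pidfile" ] || return 1
    # Keep only digits so a corrupted PID file cannot smuggle extra args to kill.
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    # Signal 0 only checks that the process exists and that we may signal it.
    kill -s 0 "$pid" 2>/dev/null || return 2
    kill -s "$sig" "$pid"
}

# iked only reconnects to spmd on reload, and spmd must already be running.
spmd_running() {
    pgrep -x spmd >/dev/null 2>&1
}

# Reload iked (SIGHUP), but refuse when spmd is down so iked is not left
# without a policy manager after the reload.  Exit status 3 = spmd not running.
iked_reload() {
    spmd_running || { echo "spmd(8) is not running; start it before reloading iked" >&2; return 3; }
    iked_signal HUP "$1"
}

# Clean shutdown: iked deletes IKE_SAs and IPsec SAs before exiting.
iked_stop() {
    iked_signal TERM "$1"
}
```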

FILES

/usr/local/etc/racoon2/racoon2.conf
  The default configuration file for racoon2.
/var/run/iked.pid
  The PID file of the current instance of the daemon.

SEE ALSO

racoon2(7), racoon2.conf(5), spmd(8), kinkd(8), ipsec(4)

The Internet Key Exchange (IKE)

Internet Key Exchange (IKEv2) Protocol

HISTORY

The iked command was developed for racoon2 in 2004-2005.

AUTHORS

iked was written and is maintained by the WIDE/racoon2 project <http://www.racoon2.wide.ad.jp/>.

ACKNOWLEDGEMENTS

Part of the code is derived from the ipsec-tools racoon daemon, which was in turn derived from the KAME racoon daemon.

BUGS

The "default" clause of the configuration file is used for two purposes: to provide default values for individual fields in the other sections of the configuration, and to specify the default kmp configuration used when the responder receives a message from an unknown peer. In the latter case, when the "default" clause lacks some necessary fields, the error message may be cryptic, since the clause is not checked by iked's configuration check routine. (It will probably result in "no proposal chosen".)

On FreeBSD/NetBSD, when an IPsec SA expires because its lifetime has elapsed, the kernel does not notify iked of the SA expiration. To remedy this, iked maintains its own expiration timer for each IPsec SA. Since iked cannot know how many bytes have been carried by an SA, lifetime_bytes in the configuration is ignored for now.

SA bundles (e.g. AH+ESP) do not conform to the protocol specification.

After rekeying an IKE_SA, iked may emit some warning messages if the rekey negotiation or delete request was started from both ends at once.
