racoon2-iked man page
iked — Internet Key Exchange protocol daemon
iked is a key management daemon, which supports the Internet Key Exchange (IKE) protocol version 1 (RFC2409) and version 2 (RFC4306). It is driven by upcalls from the kernel via the PF_KEYv2 interface or by negotiation requests from remote peers, and manages IPsec SAs according to
The following options are available:
Use IPv4 addresses only for local sockets.
Use IPv6 addresses only for local sockets.
Increase the debugging level. This flag may occur multiple times.
- -f configfile
Read configurations from the specified file.
- -I peer-address
Immediately initiate to the peer specified.
- -S selector_index
Immediately initiate using the selector specified.
Show simple help messages.
- -l logfile
Output log to logfile instead of syslog.
- -p portnum
Specify default port number for IKE sockets.
Output log to stdout in addition to syslog.
- -D num
Set debug flag.
Run in the foreground. iked does not detach itself from the terminal and does not become a daemon. Logs are output to the stderr.
- -P outfile
Record unencrypted IKE communication packets to the file. This option is available only if iked was compiled with --enable-pcap configuration option.
Show the version.
Upon receiving SIGINT or SIGTERM, iked shuts down IKEv2 IKE_SAs with peer nodes by sending Informational exchange with Delete payload, deletes relevant IPsec SAs, and then exits. Upon receiving SIGHUP, iked similarly shuts down IKEv2 IKE_SAs and deletes relevant IPsec SAs, then reloads the configuration file.
IPsec policies are managed by spmd(8), thus it must be started before iked. When spmd(8) restarts, iked needs to be reloaded to reconnect with it.
The default configuration file for racoon2.
The PID file of the current instance of the daemon.
racoon2(7), racoon2.conf(5), spmd(8), kinkd(8), ipsec(4)
The Internet Key Exchange (IKE), RFC2409, November 1998.
Internet Key Exchange (IKEv2) Protocol, RFC4306, December 2005.
The iked command was developed for racoon2 in 2004-2005.
iked was written and is maintained by WIDE/racoon2 project ⟨http://www.racoon2.wide.ad.jp/⟩
Part of the codes are derived from ipsec-tools racoon daemon, which was derived from KAME racoon daemon.
"default" clause of configuration file is used for two purposes: to provide default values for individual field for other sections of configuration, and to specify default kmp configuration when the responder received a message from unknown peer. In latter case, when "default" clause lacks some necessary fields, error message may be cryptic, since it is not checked by configuration check routine of iked. (Probably it will result in "no proposal chosen".)
On FreeBSD/NetBSD, when IPsec SA expires by IPsec SA lifetime, kernel does not notify iked about the sa expiration. To remedy this, iked maintains its own expiration timer for each IPsec SA. Since the iked can't know how much bytes used for the SA, lifetime_bytes in the configuration are ignored for now.
SA bundles (e.g. AH+ESP) does not conform to protocol spec.
After rekeying IKE_SA, iked may spit some warning messages, if the rekey negotiation or delete request was started from both ends at once.