summaryrefslogtreecommitdiff
path: root/usr.sbin/ikectl/ikectl.8
blob: 78a057232dab8dd821ef004395145c19c0228483 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
.\" $OpenBSD: ikectl.8,v 1.26 2020/03/18 22:12:43 tobhe Exp $
.\"
.\" Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: March 18 2020 $
.Dt IKECTL 8
.Os
.Sh NAME
.Nm ikectl
.Nd control the IKEv2 daemon
.Sh SYNOPSIS
.Nm
.Op Fl q
.Op Fl s Ar socket
.Ar command
.Op Ar arg ...
.Sh DESCRIPTION
The
.Nm
program controls the
.Xr iked 8
daemon and provides commands to maintain a simple X.509 certificate
authority (CA) for IKEv2 peers.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl q
Don't ask for confirmation of any default options.
.It Fl s Ar socket
Use
.Ar socket
instead of the default
.Pa /var/run/iked.sock
to communicate with
.Xr iked 8 .
.El
.Sh IKED CONTROL COMMANDS
The following commands are available to control
.Xr iked 8 :
.Bl -tag -width Ds
.It Cm active
Set
.Xr iked 8
to active mode.
.It Cm passive
Set
.Xr iked 8
to passive mode.
In passive mode no packets are sent to peers and no connections
are initiated by
.Xr iked 8 .
.It Cm couple
Load the negotiated security associations (SAs) and flows into the kernel.
.It Cm decouple
Unload the negotiated SAs and flows from the kernel.
This mode is only useful for testing and debugging.
.It Cm load Ar filename
Reload the configuration from the specified file.
.It Cm log brief
Disable verbose logging.
.It Cm log verbose
Enable verbose logging.
.It Cm monitor
Monitor internal messages of the
.Xr iked 8
subsystems.
.It Cm reload
Reload the configuration from the default configuration file.
.It Cm reset all
Reset the running state.
.It Cm reset ca
Reset the X.509 CA and certificate state.
.It Cm reset policy
Flush the configured policies.
.It Cm reset sa
Flush the running SAs.
.It Cm reset user
Flush the local user database.
.It Cm reset id Ar ikeid
Delete all IKE SAs with matching ID.
.El
.Sh PKI AND CERTIFICATE AUTHORITY COMMANDS
In order to use public key based authentication with IKEv2,
a public key infrastructure (PKI) has to be set up to create and sign
the peer certificates.
.Nm
includes commands to simplify maintenance of the PKI
and to set up a simple certificate authority (CA) for
.Xr iked 8
and its peers.
.Pp
The following commands are available to control the CA:
.Bl -tag -width Ds
.It Xo
.Cm ca Ar name Cm create
.Op Cm password Ar password
.Xc
Create a new certificate authority with the specified
.Ar name .
The command will prompt for a CA password unless it is specified with
the optional
.Ar password
argument.
The password will be saved in a protected file
.Pa ikeca.passwd
in the CA directory and used for subsequent commands.
.It Cm ca Ar name Cm delete
Delete the certificate authority with the specified
.Ar name .
.It Xo
.Cm ca Ar name Cm export
.Op Cm peer Ar peer
.Op Cm password Ar password
.Xc
Export the certificate authority with the specified
.Ar name
into the current directory for transport to other systems.
This command will create a compressed tarball called
.Pa ca.tgz
in the local directory and optionally
.Pa ca.zip
if the
.Sq zip
tool is installed.
The optional
.Ar peer
argument can be used to specify the address or FQDN of the local gateway
which will be written into a text file
.Pa peer.txt
and included in the archives.
.It Xo
.Cm ca Ar name
.Cm install Op Ar path
.Xc
Install the certificate and Certificate Revocation List (CRL) for CA
.Ar name
as the currently active CA or into the specified
.Ar path .
.It Xo
.Cm ca Ar name Cm certificate Ar host
.Cm create
.Op Ic server | client | ocsp
.Xc
Create a private key and certificate for
.Ar host
and sign then with the key of certificate authority with the specified
.Ar name .
.Pp
The certificate will be valid for client and server authentication by
default by setting both flags as the extended key usage in the certificate;
this can be restricted using the optional
.Ic server
or
.Ic client
argument.
If the
.Ic ocsp
argument is specified the extended key usage will be set for OCSP signing.
.It Xo
.Cm ca Ar name Cm certificate Ar host
.Cm delete
.Xc
Deletes the private key and certificates associated with
.Ar host .
.It Xo
.Cm ca Ar name Cm certificate Ar host
.Cm export
.Op Cm peer Ar peer
.Op Cm password Ar password
.Xc
Export key files for
.Ar host
of the certificate authority with the specified
.Ar name
into the current directory for transport to other systems.
This command will create a compressed tarball
.Pa host.tgz
in the local directory and optionally
.Pa host.zip
if the
.Sq zip
tool is installed.
The optional
.Ar peer
argument can be used to specify the address or FQDN of the local gateway
which will be written into a text file
.Pa peer.txt
and included in the archives.
.It Xo
.Cm ca Ar name Cm certificate Ar host
.Cm install Op Ar path
.Xc
Install the private and public key for
.Ar host
into the active configuration or specified
.Ar path .
.It Xo
.Cm ca Ar name Cm certificate Ar host
.Cm revoke
.Xc
Revoke the certificate specified by
.Ar host
and generate a new Certificate Revocation List (CRL).
.It Xo
.Cm show Cm ca Ar name Cm certificates
.Op Ar host
.Xc
Display a listing of certificates associated with CA
.Ar name
or display certificate details if
.Ar host
is specified.
.It Xo
.Cm ca Ar name Cm key Ar host
.Cm create
.Xc
Create a private key for
.Ar host
if one does not already exist.
.It Xo
.Cm ca Ar name Cm key Ar host
.Cm install Op Ar path
.Xc
Install the private and public keys for
.Ar host
into the active configuration or specified
.Ar path .
.It Xo
.Cm ca Ar name Cm key Ar host
.Cm delete
.Xc
Delete the private key for
.Ar host .
.It Xo
.Cm ca Ar name Cm key Ar host
.Cm import
.Ar file
.Xc
Source the private key for
.Ar host
from the named
.Ar file .
.El
.Sh FILES
.Bl -tag -width "/var/run/iked.sockXX" -compact
.It Pa /etc/iked/
Active configuration.
.It Pa /etc/ssl/
Directory to store the CA files.
.It Pa /usr/share/iked/
If this optional directory exists,
.Nm
will include the contents with the
.Cm ca export
commands.
.It Pa /var/run/iked.sock
Default
.Ux Ns -domain
socket used for communication with
.Xr iked 8 .
.El
.Sh EXAMPLES
First create a new certificate authority:
.Bd -literal -offset indent
# ikectl ca vpn create
.Ed
.Pp
Now create the certificates for the VPN peers.
The specified hostname, either IP address or FQDN, will be saved in
the signed certificate and has to match the IKEv2 identity, or
.Ar srcid ,
of the peers:
.Bd -literal -offset indent
# ikectl ca vpn certificate 10.1.2.3 create
# ikectl ca vpn certificate 10.2.3.4 create
# ikectl ca vpn certificate 10.3.4.5 create
.Ed
.Pp
It is possible that the host that was used to create the CA is also
one of the VPN peers.
In this case you can install the peer and CA certificates locally:
.Bd -literal -offset indent
# ikectl ca vpn install
# ikectl ca vpn certificate 10.1.2.3 install
.Ed
.Pp
Now export the individual host key, the certificate and the CA
certificate to each other peer.
First run the
.Ic export
command to create tarballs that include the required files:
.Bd -literal -offset indent
# ikectl ca vpn certificate 10.2.3.4 export
# ikectl ca vpn certificate 10.3.4.5 export
.Ed
.Pp
These commands will produce two tarballs
.Em 10.2.3.4.tgz
and
.Em 10.3.4.5.tgz .
Copy these tarballs over to the appropriate peers and extract them
to the
.Pa /etc/iked/
directory:
.Bd -literal -offset indent
10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz
10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz
.Ed
.Pp
.Nm
will also create
.Sq zip
archives 10.2.3.4.zip and 10.3.4.5.zip
in addition to the tarballs if the zip tool is found in
.Pa /usr/local/bin/zip .
These archives can be exported to peers running Windows and will
include the certificates in a format that is supported by the OS.
The zip tool can be installed from the
.Ox
packages or ports collection before running the
.Ic export
commands, see
.Xr packages 7
for more information.
For example:
.Bd -literal -offset indent
# pkg_add zip
.Ed
.Sh SEE ALSO
.Xr packages 7 ,
.Xr iked 8 ,
.Xr ssl 8
.Sh HISTORY
The
.Nm
program first appeared in
.Ox 4.8 .
.Sh AUTHORS
The
.Nm
program was written by
.An Reyk Floeter Aq Mt reyk@openbsd.org
and
.An Jonathan Gray Aq Mt jsg@openbsd.org .
.Sh CAVEATS
For ease of use, the
.Ic ca
commands maintain all peers' private keys on the CA machine.
In contrast to a
.Sq real
CA, it does not support signing of public keys that have been imported
from peers that do not want to expose their private keys to the CA.