diff options
Diffstat (limited to 'keyexchange/isakmpd-20041012/isakmpd.8')
-rw-r--r-- | keyexchange/isakmpd-20041012/isakmpd.8 | 603 |
1 files changed, 603 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/isakmpd.8 b/keyexchange/isakmpd-20041012/isakmpd.8 new file mode 100644 index 0000000..e7f6987 --- /dev/null +++ b/keyexchange/isakmpd-20041012/isakmpd.8 @@ -0,0 +1,603 @@ +.\" $OpenBSD: isakmpd.8,v 1.65 2004/07/08 10:37:12 jmc Exp $ +.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $ +.\" +.\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. +.\" All rights reserved. +.\" Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. +.\" Copyright (c) 2001, 2002 Håkan Olsson. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" This code was written under funding by Ericsson Radio Systems. +.\" +.\" Manual page, using -mandoc macros +.\" +.Dd August 07, 2002 +.Dt ISAKMPD 8 +.Os +.Sh NAME +.Nm isakmpd +.Nd ISAKMP/Oakley a.k.a. IKE key management daemon +.Sh SYNOPSIS +.Nm isakmpd +.Bk -words +.Op Fl 4 +.Op Fl 6 +.Op Fl c Ar config-file +.Op Fl a +.Op Fl d +.Op Fl D Ar class=level +.Op Fl f Ar fifo +.Op Fl i Ar pid-file +.Op Fl n +.Op Fl p Ar listen-port +.Op Fl P Ar local-port +.Op Fl K +.Op Fl L +.Op Fl l Ar packetlog-file +.Op Fl r Ar seed +.Op Fl R Ar report-file +.Op Fl v +.Ek +.Sh DESCRIPTION +The +.Nm +daemon establishes security associations for encrypted +and/or authenticated network traffic. +At this moment, and probably forever, this means +.Xr ipsec 4 +traffic. +.Pp +The way +.Nm +goes about its work is by maintaining an internal configuration +as well as a policy database which describes what kinds of SAs to negotiate, +and by listening for different events that trigger these negotiations. +The events that control +.Nm +consist of negotiation initiations from a remote party, user input via +a FIFO or by signals, upcalls from the kernel via a +.Dv PF_KEY +socket, and lastly by scheduled events triggered by timers running out. +.Pp +Most uses of +.Nm +will be to implement so called "virtual private +networks" or VPNs for short. +The +.Xr vpn 8 +manual page describes how to set up +.Nm +for a simple VPN. +For other uses, some more knowledge of IKE as a protocol is required. +One source of information are the RFCs mentioned below. +.Pp +On startup +.Nm +forks into two processes for privilege separation. +The unprivileged child jails itself with +.Xr chroot 8 +to +.Pa /var/empty . +The privileged process communicates with the child, reads configuration files +and PKI information and binds to privileged ports on its behalf. +See +.Sx CAVEATS +section below. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl 4 | Fl 6 +These options control what address family +.Pf ( Dv AF_INET +and/or +.Dv AF_INET6 ) +.Nm +will use. +The default is to use both IPv4 and IPv6. +.It Fl a +If given, +.Nm +does not set up flows automatically. +This is useful when flows are configured with +.Xr ipsecadm 4 +or by other programs like +.Xr bgpd 8 . +Thus +.Nm +only takes care of the SA establishment. +.It Fl c Ar config-file +If given, the +.Fl c +option specifies an alternate configuration file instead of +.Pa /etc/isakmpd/isakmpd.conf . +As this file may contain sensitive information, it must be readable +only by the user running the daemon. +.Nm +will reread the configuration file when sent a +.Dv SIGHUP +signal. +.It Fl d +The +.Fl d +option is used to make the daemon run in the foreground, logging to stderr. +.It Xo Fl D +.Ar class Ns = Ns Ar level +.Xc +Debugging class. +It's possible to specify this argument many times. +It takes a parameter of the form +.Ar class Ns = Ns Ar level , +where both +.Ar class +and +.Ar level +are numbers. +.Ar class +denotes a debugging class, and +.Ar level +the level you want that debugging class to +limit debug printouts at (i.e., all debug printouts above the level specified +will not output anything). +If +.Ar class +is set to +.Sq A , +then all debugging classes are set to the specified level. +.Pp +Valid values for +.Ar class +are as follows: +.Pp +.Bl -tag -width 2n -compact -offset indent +.It 0 +Misc +.It 1 +Transport +.It 2 +Message +.It 3 +Crypto +.It 4 +Timer +.It 5 +Sysdep +.It 6 +SA +.It 7 +Exchange +.It 8 +Negotiation +.It 9 +Policy +.It 10 +FIFO user interface +.It A +All +.El +.Pp +Currently used values for +.Ar level +are 0 to 99. +.It Fl f Ar fifo +The +.Fl f +option specifies the +.Tn FIFO +(a.k.a. named pipe) where the daemon listens for +user requests. +If the path given is a dash +.Pq Sq \&- , +.Nm +will listen to stdin instead. +.It Fl i Ar pid-file +By default the PID of the daemon process will be written to +.Pa /var/run/isakmpd.pid . +This path can be overridden by specifying another one as the argument to the +.Fl i +option. +.It Fl n +When the +.Fl n +option is given, the kernel will not take part in the negotiations. +This is a non-destructive mode, so to speak, in that it won't alter any +SAs in the IPsec stack. +.It Fl p Ar listen-port +The +.Fl p +option specifies the listen port the daemon will bind to. +.It Fl P Ar local-port +On the other hand, the port specified to capital +.Fl P +will be what the daemon binds its local end to when acting as +initiator. +.It Fl K +When this option is given, +.Nm +does not read the policy configuration file and no +.Xr keynote 4 +policy check is accomplished. +This option can be used when policies for flows and SA establishment are +arranged by other programs like +.Xr ipsecadm 8 +or +.Xr bgpd 8 . +.It Fl L +Enable IKE packet capture. +When this option is given, +.Nm +will capture to file an unencrypted copy of the negotiation packets it +is sending and receiving. +This file can later be read by +.Xr tcpdump 8 +and other utilities using +.Xr pcap 3 . +.It Fl l Ar packetlog-file +As option +.Fl L +above, but capture to a specified file. +.It Fl r Ar seed +If given, a deterministic random number sequence will be used internally. +This is useful for setting up regression tests. +.It Fl R Ar report-file +When you signal +.Nm +a +.Dv SIGUSR1 , +it will report its internal state to a report file, normally +.Pa /var/run/isakmpd.report , +but this can be changed by feeding +the file name as an argument to the +.Fl R +flag. +.It Fl v +Enables verbose logging. +Normally, +.Nm +is silent and outputs only messages when a warning or an error occurs. +With verbose logging +.Nm +reports successful completion of phase 1 (Main and Aggressive) and phase 2 +(Quick) exchanges (Information and Transaction exchanges do not generate any +additional status information). +.El +.Ss Setting up an IKE public key infrastructure (a.k.a. PKI) +In order to use public key based authentication, there has to be an +infrastructure managing the key signing. +Either there is an already existing PKI +.Nm +should take part in, or there will be a need to set one up. +In the former case, what is needed to be done varies depending on the +actual Certificate Authority used, and is therefore not covered here, +other than mentioning that +.Xr openssl 1 +needs to be used to create a certificate signing request that the +CA understands. +The latter case, however, is described here: +.Bl -enum +.It +Create your own CA as root. +.Bd -literal +# openssl genrsa -out /etc/ssl/private/ca.key 1024 +# openssl req -new -key /etc/ssl/private/ca.key \e + -out /etc/ssl/private/ca.csr +.Ed +.Pp +You are then asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name (DN). +There are quite a few fields but you can leave some blank. +For some fields there will be a default value; if you enter +.Sq \&. , +the field will be left blank. +.Bd -literal +# openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \e + -signkey /etc/ssl/private/ca.key \e + -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA \e + -out /etc/ssl/ca.crt +.Ed +.Pp +.It +Create keys and certificates for your IKE peers. +This step as well as the next one, needs to be done for every peer. +Furthermore the last step will need to be done once for each ID you +want the peer to have. +The 10.0.0.1 below symbolizes that ID, in this case an IPv4 ID, +and should be changed for each invocation. +You will be asked for a DN for each run. +Encoding the ID in the common name is recommended, as it should be unique. +.Bd -literal +# openssl genrsa -out /etc/isakmpd/private/local.key 1024 +# openssl req -new -key /etc/isakmpd/private/local.key \e + -out /etc/isakmpd/private/10.0.0.1.csr +.Ed +.Pp +Now take these certificate signing requests to your CA and process +them like below. +You have to add a subjectAltName extension field +to the certificate in order to make it usable by +.Nm isakmpd . +There are two possible ways to add the extensions to the certificate. +Either you have to run +.Xr certpatch 8 +or you have to make use of an OpenSSL configuration file, for example +.Pa /etc/ssl/x509v3.cnf . +Replace 10.0.0.1 with the IP-address which +.Nm +will use as the certificate identity. +.Pp +To use +.Xr certpatch 8 , +do the following +.Bd -literal +# openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \e + -CAkey /etc/ssl/private/ca.key -CAcreateserial \e + -out 10.0.0.1.crt +# certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \e + 10.0.0.1.crt 10.0.0.1.crt +.Ed +.Pp +Otherwise do +.Bd -literal +# setenv CERTIP 10.0.0.1 +# openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \e + -CAkey /etc/ssl/private/ca.key -CAcreateserial \e + -extfile /etc/ssl/x509v3.cnf -extensions x509v3_IPAddr \e + -out 10.0.0.1.crt +.Ed +.Pp +For a FQDN certificate, do +.Bd -literal +# setenv CERTFQDN somehost.somedomain +# openssl x509 -req -days 365 -in somehost.somedomain.csr \e + -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \e + -CAcreateserial \e + -extfile /etc/ssl/x509v3.cnf -extensions x509v3_FQDN \e + -out somehost.somedomain.crt +.Ed +.Pp +or with +.Xr certpatch 8 +.Bd -literal +# certpatch -t fqdn -i somehost.somedomain \e + -k /etc/ssl/private/ca.key \e + somehost.somedomain.crt somehost.somedomain.crt +.Ed +.Pp +(This assumes the previous steps were used to create a request for +somehost.somedomain instead of 10.0.0.1) +.Pp +Put the certificate (the file ending in .crt) in +.Pa /etc/isakmpd/certs/ +on your local system. +Also carry over the CA cert +.Pa /etc/ssl/ca.crt +and put it in +.Pa /etc/isakmpd/ca/ . +.El +.Pp +To revoke certificates, create a Certificate Revocation List (CRL) file +and install it in the +.Pa /etc/isakmpd/crls/ +directory. +See +.Xr openssl 1 +and the +.Sq crl +subcommand for more info. +.Pp +It is also possible to store trusted public keys to make them directly +usable by +.Nm isakmpd . +The keys should be saved in PEM format (see +.Xr openssl 1 ) +and named and stored after this easy formula: +.Bl -tag -width for_ufqdn_identities +.It For IPv4 identities +/etc/isakmpd/pubkeys/ipv4/A.B.C.D +.It For IPv6 identities +/etc/isakmpd/pubkeys/ipv6/abcd:abcd::ab:bc +.It For FQDN identities +/etc/isakmpd/pubkeys/fqdn/foo.bar.org +.It For UFQDN identities +/etc/isakmpd/pubkeys/ufqdn/user@foo.bar.org +.El +.Ss The FIFO user interface +When +.Nm +starts, it creates a FIFO (named pipe) where it listens for user +requests. +All commands start with a single letter, followed by command-specific options. +Available commands are: +.Bl -tag -width Ds -compact +.Pp +.It Ic "c <name>" +Start the named connection, if stopped or inactive. +.Pp +.It Ic "C set [section]:tag=value" +.It Ic "C set [section]:tag=value force" +.It Ic "C add [section]:tag=value" +.It Ic "C rm [section]:tag" +.It Ic "C rms [section]" +Update the running +.Nm +configuration atomically. +.Sq set +sets a configuration value consisting of a section, tag and value triplet. +.Sq set +will fail if the configuration already contains a section with the named tag; +use the +.Sq force +option to change this behaviour. +.Sq add +appends a configuration value to the named configuration list tag. +.Sq rm +removes a tag in a section. +.Sq rms +removes an entire section. +.Pp +NOTE: Sending isakmpd a SIGHUP or an "R" through the FIFO will +void any updates done to the configuration. +.Pp +.It Ic "C get [section]:tag" +Get the configuration value of the specified section and tag. +The result is stored in +.Pa /var/run/isakmpd.result . +.Pp +.It Ic "d <cookies> <msgid>" +Delete the specified SA from the system. +Specify <msgid> as "-" to match a Phase 1 SA. +.Pp +.It Ic "D <class> <level>" +.It Ic "D A <level>" +.It Ic "D T" +Set debug class <class> to level <level>. +If <class> is specified as "A", the level applies to all debug classes. +"D T" toggles all debug classes to level zero. +Another "D T" command will toggle them back to the earlier levels. +.Pp +.It Ic "p on[=<path>]" +.It Ic "p off" +Enable or disable cleartext IKE packet capture. +When enabling, optionally specify which file +.Nm +should capture the packets to. +.Pp +.It Ic "Q" +Cleanly shutdown the daemon, as when sent a +.Dv SIGTERM +signal. +.Pp +.It Ic "r" +Report +.Nm +internal state to a file. +See +.Fl R +option. +Same as when sent a +.Dv SIGUSR1 +signal. +.Pp +.It Ic "R" +Reinitialize +.Nm isakmpd , +as when sent a +.Dv SIGHUP +signal. +.Pp +.It Ic "S" +Report information on all known SAs to the +.Pa /var/run/isakmpd.result +file. +.Pp +.It Ic "t <name>" +Tear down the named connection, if active. +.Pp +.It Ic "T" +Tear down all active connections. +.El +.Sh FILES +.Bl -tag -width /etc/isakmpd/private/local. +.It Pa /etc/isakmpd/ca/ +The directory where CA certificates can be found. +.It Pa /etc/isakmpd/certs/ +The directory where IKE certificates can be found, both the local +certificate(s) and those of the peers, if a choice to have them kept +permanently has been made. +.It Pa /etc/isakmpd/crls/ +The directory where CRLs can be found. +.It Pa /etc/isakmpd/isakmpd.conf +The configuration file. +As this file can contain sensitive information +it must not be readable by anyone but the user running +.Nm isakmpd . +.It Pa /etc/isakmpd/isakmpd.policy +The keynote policy configuration file. +The same mode requirements as +.Nm isakmpd.conf . +.It Pa /etc/isakmpd/private/local.key +A local private key for certificate based authentication. +There has to be a certificate for this key in the certificate directory +mentioned above. +The same mode requirements as +.Nm isakmpd.conf . +.It Pa /etc/isakmpd/pubkeys/ +Directory in which trusted public keys can be kept. +The keys must be named in the fashion described above. +.It Pa /var/run/isakmpd.pid +The PID of the current daemon. +.It Pa /var/run/isakmpd.fifo +The FIFO used to manually control +.Nm isakmpd . +.It Pa /var/run/isakmpd.pcap +The default IKE packet capture file. +.It Pa /var/run/isakmpd.report +The report file written when +.Dv SIGUSR1 +is received. +.It Pa /var/run/isakmpd.result +The report file written when the +.Sq S +or +.Sq "C get" +command is issued in the command FIFO. +.It Pa /usr/share/ipsec/isakmpd/ +A directory containing some sample +.Nm +and keynote policy configuration files. +.El +.Sh SEE ALSO +.Xr openssl 1 , +.Xr getnameinfo 3 , +.Xr pcap 3 , +.Xr ipsec 4 , +.Xr isakmpd.conf 5 , +.Xr isakmpd.policy 5 , +.Xr ssl 8 , +.Xr tcpdump 8 , +.Xr vpn 8 +.Sh HISTORY +The ISAKMP/Oakley key management protocol is described in the RFCs +.%T RFC 2407 , +.%T RFC 2408 +and +.%T RFC 2409 . +This implementation was done 1998 by Niklas Hallqvist and Niels Provos, +sponsored by Ericsson Radio Systems. +.Sh CAVEATS +When storing a trusted public key for an IPv6 identity, the +.Em most efficient +form of address representation, i.e "::" instead of ":0:0:0:", +must be used or the matching will fail. +.Nm +uses the output from +.Xr getnameinfo 3 +for the address-to-name translation. +The privileged process only allows binding to the default port 500 or +unprivileged ports (>1024). +It is not possible to change the interfaces +.Nm +listens on without a restart. +.Sh BUGS +The +.Fl P +flag does not do what we document, rather it does nothing. |