ipsec - invoke IPsec utilities
ipsec |
command [arguments] [options] |
The ipsec utility invokes any of several utilities involved in
controlling and monitoring the IPsec encryption/authentication system, running
the specified command with the specified arguments and
options as if it had been invoked directly. This largely eliminates
possible name collisions with other software, and also permits some
centralized services.
All the commands described in this manual page are built-in and
are used to control and monitor IPsec connections as well as the IKE
daemon.
For other commands ipsec supplies the invoked
command with a suitable PATH environment variable, and also provides
the environment variables listed under ENVIRONMENT.
- start [starter options]
- calls starter which in turn parses ipsec.conf and starts the
IKE daemon charon.
- update
- sends a HUP signal to starter which in turn determines any
changes in ipsec.conf and updates the configuration on the running
IKE daemon charon.
- reload
- sends a USR1 signal to starter which in turn reloads the
whole configuration of the running IKE daemon charon based on the
actual ipsec.conf.
- restart
- is equivalent to stop followed by start after a guard of 2
seconds.
- stop
- terminates all IPsec connections and stops the IKE daemon charon by
sending a TERM signal to starter.
- up name
- tells the IKE daemon to start up connection name.
- down name
- tells the IKE daemon to terminate connection name.
- down name{n}
- terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance n of
connection name.
- down name{*}
- terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of connection
name.
- down name[n]
- terminates IKE SA instance n of connection name.
- down name[*]
- terminates all IKE SA instances of connection name.
- down-srcip <start>
[<end>]
- terminates all IKE SA instances with clients having virtual IPs in the
range start-end.
- route name
- tells the IKE daemon to insert an IPsec policy in the kernel for
connection name. The first payload packet matching the IPsec policy
will automatically trigger an IKE connection setup.
- unroute name
- remove the IPsec policy in the kernel for connection name.
- status [name]
- returns concise status information either on connection name or if
the argument is lacking, on all connections.
- statusall [name]
- returns detailed status information either on connection name or if
the argument is lacking, on all connections.
- leases [<poolname>
[<address>]]
- returns the status of all or the selected IP address pool (or even a
single virtual IP address).
- listalgs
- returns a list supported cryptographic algorithms usable for IKE, and
their corresponding plugin.
- listpubkeys [--utc]
- returns a list of RSA public keys that were either loaded in raw key
format or extracted from X.509 and|or OpenPGP certificates.
- listcerts [--utc]
- returns a list of X.509 and|or OpenPGP certificates that were either
loaded locally by the IKE daemon or received via the IKE protocol.
- listcacerts [--utc]
- returns a list of X.509 Certification Authority (CA) certificates that
were loaded locally by the IKE daemon from the
/etc/ipsec.d/cacerts/ directory or received via the IKE
protocol.
- listaacerts [--utc]
- returns a list of X.509 Authorization Authority (AA) certificates that
were loaded locally by the IKE daemon from the
/etc/ipsec.d/aacerts/ directory.
- listocspcerts [--utc]
- returns a list of X.509 OCSP Signer certificates that were either loaded
locally by the IKE daemon from the /etc/ipsec.d/ocspcerts/
directory or were sent by an OCSP server.
- listacerts [--utc]
- returns a list of X.509 Attribute certificates that were loaded locally by
the IKE daemon from the /etc/ipsec.d/acerts/ directory.
- listgroups [--utc]
- returns a list of groups that are used to define user authorization
profiles.
- listcainfos [--utc]
- returns certification authority information (CRL distribution points, OCSP
URIs, LDAP servers) that were defined by ca sections in
ipsec.conf.
- listcrls [--utc]
- returns a list of Certificate Revocation Lists (CRLs) that were either
loaded by the IKE daemon from the /etc/ipsec.d/crls directory or
fetched from an HTTP- or LDAP-based CRL distribution point.
- listocsp [--utc]
- returns revocation information fetched from OCSP servers.
- listplugins
- returns a list of all loaded plugin features.
- listcounters [name]
- returns a list of global or connection specific IKE counter values
collected since daemon startup.
- listall [--utc]
- returns all information generated by the list commands above. Each list
command can be called with the --utc option which displays all
dates in UTC instead of local time.
- rereadsecrets
- flushes and rereads all secrets defined in ipsec.secrets.
- rereadcacerts
- removes previously loaded CA certificates, reads all certificate files
contained in the /etc/ipsec.d/cacerts directory and adds them to
the list of Certification Authority (CA) certificates. This does not
affect certificates explicitly defined in a ipsec.conf(5) ca
section, which may be separately updated using the update
command.
- rereadaacerts
- removes previously loaded AA certificates, reads all certificate files
contained in the /etc/ipsec.d/aacerts directory and adds them to
the list of Authorization Authority (AA) certificates.
- rereadocspcerts
- reads all certificate files contained in the
/etc/ipsec.d/ocspcerts/ directory and adds them to the list of OCSP
signer certificates.
- rereadacerts
- reads all certificate files contained in the /etc/ipsec.d/acerts/
directory and adds them to the list of attribute certificates.
- rereadcrls
- reads all Certificate Revocation Lists (CRLs) contained in the
/etc/ipsec.d/crls/ directory and adds them to the list of
CRLs.
- rereadall
- executes all reread commands listed above.
- resetcounters [name]
- resets global or connection specific counters.
- purgecerts
- purges all cached certificates.
- purgecrls
- purges all cached CRLs.
- purgeike
- purges IKE SAs that don't have a Quick Mode or CHILD SA.
- purgeocsp
- purges all cached OCSP information records.
- --help
- returns the usage information for the ipsec command.
- --version
- returns the version in the form of Linux strongSwan U<strongSwan
userland version>/K<Linux kernel version> if strongSwan uses
the native NETKEY IPsec stack of the Linux kernel it is running on.
- --versioncode
- returns the version number in the form of U<strongSwan userland
version>/K<Linux kernel version> if strongSwan uses the
native NETKEY IPsec stack of the Linux kernel it is running on.
- --copyright
- returns the copyright information.
- --directory
- returns the LIBEXECDIR directory as defined by the configure
options.
- --confdir
- returns the SYSCONFDIR directory as defined by the configure
options.
- --piddir
- returns the PIDDIR directory as defined by the configure
options.
/usr/libexec/ipsec utilities directory
When calling other commands the ipsec command supplies the following
environment variables.
IPSEC_DIR directory containing ipsec programs and utilities
IPSEC_BINDIR directory containing pki command
IPSEC_SBINDIR directory containing ipsec command
IPSEC_CONFDIR directory containing configuration files
IPSEC_PIDDIR directory containing PID/socket files
IPSEC_SCRIPT name of the ipsec script
IPSEC_NAME name of ipsec distribution
IPSEC_VERSION version number of ipsec userland and kernel
IPSEC_STARTER_PID PID file for ipsec starter
IPSEC_CHARON_PID PID file for IKE keying daemon
ipsec.conf(5), ipsec.secrets(5)
Originally written for the FreeS/WAN project by Henry Spencer. Updated and
extended for the strongSwan project <http://www.strongswan.org> by
Tobias Brunner and Andreas Steffen.