Diffstat (limited to 'src/charon-cmd/charon-cmd.8')
-rw-r--r-- src/charon-cmd/charon-cmd.8 | 161
1 files changed, 161 insertions, 0 deletions
diff --git a/src/charon-cmd/charon-cmd.8 b/src/charon-cmd/charon-cmd.8
new file mode 100644
index 000000000..e93cbcf6f
--- /dev/null
+++ b/src/charon-cmd/charon-cmd.8
@@ -0,0 +1,161 @@
+.TH CHARON\-CMD 8 "2013-06-21" "5.1.0" "strongSwan"
+.SH "NAME"
+charon\-cmd \- Simple IKE client (IPsec VPN client)
+.SH SYNOPSIS
+.B charon\-cmd
+.B \-\-host
+.I hostname
+.B \-\-identity
+.I identity
+.B [ options ]
+.PP
+.SH "DESCRIPTION"
+.B charon\-cmd
+is a program for setting up IPsec VPN connections using the Internet Key
+Exchange protocol (IKE) in version 1 and 2. It supports a number of different
+road-warrior scenarios.
+.PP
+Like the IKE daemon
+.BR charon ,
+.B charon\-cmd
+has to be run as
+.B root
+(or more specifically as a user with
+.B CAP_NET_ADMIN
+capability).
+.PP
+Of the following options at least
+.I \-\-host
+and
+.I \-\-identity
+are required. Depending on the selected authentication
+.I profile
+credentials also have to be provided with their respective options.
+.PP
+Many of the
+.BR charon -specific
+configuration options in
+.I strongswan.conf
+also apply to
+.BR charon\-cmd .
+For instance, to configure customized logging to
+.B stdout
+the following snippet can be used:
+.PP
+.EX
+ charon-cmd {
+ filelog {
+ stdout {
+ default = 1
+ ike = 2
+ cfg = 2
+ }
+ }
+ }
+.EE
+.PP
+.SH "OPTIONS"
+.TP
+.B "\-\-help"
+Prints usage information and a short summary of the available options.
+.TP
+.B "\-\-version"
+Prints the strongSwan version.
+.TP
+.BI "\-\-debug " level
+Sets the default log level (defaults to 1).
+.I level
+is a number between -1 and 4.
+Refer to
+.I strongswan.conf
+for options that allow a more fine-grained configuration of the logging
+output.
+.TP
+.BI "\-\-host " hostname
+DNS name or IP address to connect to.
+.TP
+.BI "\-\-identity " identity
+Identity the client uses for the IKE exchange.
+.TP
+.BI "\-\-eap\-identity " identity
+Identity the client uses for EAP authentication.
+.TP
+.BI "\-\-xauth\-username " username
+Username the client uses for XAuth authentication.
+.TP
+.BI "\-\-remote\-identity " identity
+Server identity to expect, defaults to
+.IR hostname .
+.TP
+.BI "\-\-cert " path
+Trusted certificate, either for authentication or trust chain validation.
+To provide more than one certificate multiple
+.B \-\-cert
+options can be used.
+.TP
+.BI "\-\-rsa " path
+RSA private key to use for authentication (if a password is required, it will
+be requested on demand).
+.TP
+.BI "\-\-p12 " path
+PKCS#12 file with private key and certificates to use for authentication and
+trust chain validation (if a password is required it will be requested on
+demand).
+.TP
+.RI "\fB\-\-agent\fR[=" socket ]
+Use SSH agent for authentication. If
+.I socket
+is not specified it is read from the
+.B SSH_AUTH_SOCK
+environment variable.
+.TP
+.BI "\-\-local\-ts " subnet
+Additional traffic selector to propose for our side, the requested virtual IP
+address will always be proposed.
+.TP
+.BI "\-\-remote\-ts " subnet
+Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
+.TP
+.BI "\-\-profile " name
+Authentication profile to use, the list of supported profiles can be found
+in the
+.B Authentication Profiles
+sections below. Defaults to
+.B ikev2\-pub
+if a private key was supplied, and to
+.B ikev2\-eap
+otherwise.
+.PP
+.SS "IKEv2 Authentication Profiles"
+.TP
+.B "ikev2\-pub"
+IKEv2 with public key client and server authentication
+.TP
+.B "ikev2\-eap"
+IKEv2 with EAP client authentication and public key server authentication
+.TP
+.B "ikev2\-pub\-eap"
+IKEv2 with public key and EAP client authentication (RFC 4739) and public key
+server authentication
+.PP
+.SS "IKEv1 Authentication Profiles"
+The following authentication profiles use either Main Mode or Aggressive Mode,
+the latter is denoted with a \fB\-am\fR suffix.
+.TP
+.BR "ikev1\-pub" ", " "ikev1\-pub\-am"
+IKEv1 with public key client and server authentication
+.TP
+.BR "ikev1\-xauth" ", " "ikev1\-xauth\-am"
+IKEv1 with public key client and server authentication, followed by client XAuth
+authentication
+.TP
+.BR "ikev1\-xauth\-psk" ", " "ikev1\-xauth\-psk\-am"
+IKEv1 with pre-shared key (PSK) client and server authentication, followed by
+client XAuth authentication (INSECURE!)
+.TP
+.BR "ikev1\-hybrid" ", " "ikev1\-hybrid\-am"
+IKEv1 with public key server authentication only, followed by client XAuth
+authentication
+.PP
+.SH "SEE ALSO"
+\fBstrongswan.conf\fR(5), \fBipsec\fR(8)
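Review bot: The OPTIONS section never says how the EAP password, the XAuth password or the pre-shared key is supplied, although DESCRIPTION states that credentials "have to be provided with their respective options" and the ikev2-eap, ikev1-xauth and ikev1-xauth-psk profiles each need a secret. Only --rsa and --p12 note that a password "will be requested on demand". If the same prompting applies to EAP, XAuth and PSK secrets, say so under --eap-identity and --xauth-username or in the profile descriptions, so users do not go looking for a command-line option that would leave the secret visible in the process list and shell history. Separately, the "(INSECURE!)" tag on ikev1-xauth-psk gives no reason; a one-line explanation of what makes that profile unsafe would let readers judge the other IKEv1 profiles, in particular the -am variants, against it.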