From c1343b3278cdf99533b7902744d15969f9d6fdc1 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez
Date: Wed, 2 Jan 2013 14:18:20 +0100
Subject: Imported Upstream version 5.0.1
---
 src/ipsec/Makefile.am | 25 +++-
 src/ipsec/Makefile.in | 66 +++++---
 src/ipsec/_ipsec.8 | 291 +++++++++++++++++++++++++++++++++++
 src/ipsec/_ipsec.8.in | 291 +++++++++++++++++++++++++++++++++++
 src/ipsec/_ipsec.in | 335 +++++++++++++++++++++++++++++++++++++++++
 src/ipsec/ipsec.8 | 302 -------------------------------------
 src/ipsec/ipsec.8.in | 302 -------------------------------------
 src/ipsec/ipsec.in | 408 --------------------------------------------------
 8 files changed, 981 insertions(+), 1039 deletions(-)
 create mode 100644 src/ipsec/_ipsec.8
 create mode 100644 src/ipsec/_ipsec.8.in
 create mode 100644 src/ipsec/_ipsec.in
 delete mode 100644 src/ipsec/ipsec.8
 delete mode 100644 src/ipsec/ipsec.8.in
 delete mode 100755 src/ipsec/ipsec.in
(limited to 'src/ipsec')
diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
index bbf009721..8be28eff8 100644
--- a/src/ipsec/Makefile.am
+++ b/src/ipsec/Makefile.am
@@ -1,22 +1,35 @@
-sbin_SCRIPTS = ipsec
-CLEANFILES = ipsec ipsec.8
-dist_man8_MANS = ipsec.8
-EXTRA_DIST = ipsec.in ipsec.8.in Android.mk
+sbin_SCRIPTS = _ipsec
+CLEANFILES = _ipsec _ipsec.8
+dist_man8_MANS = _ipsec.8
+EXTRA_DIST = _ipsec.in _ipsec.8.in Android.mk
 
-ipsec.8 : ipsec.8.in
+_ipsec.8 : _ipsec.8.in
 sed \
 -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+ -e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
+ -e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \
 $(srcdir)/$@.in > $@
 
-ipsec : ipsec.in
+_ipsec : _ipsec.in
 sed \
 -e "s:@IPSEC_SHELL@:/bin/sh:" \
 -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
 -e "s:@IPSEC_NAME@:$(PACKAGE_NAME):" \
 -e "s:@IPSEC_DISTRO@::" \
 -e "s:@IPSEC_DIR@:$(ipsecdir):" \
+ -e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \
 -e "s:@IPSEC_SBINDIR@:$(sbindir):" \
 -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
 -e "s:@IPSEC_PIDDIR@:$(piddir):" \
 $(srcdir)/$@.in > $@
 chmod +x $@
+
+install-exec-hook:
+ mv $(DESTDIR)$(sbindir)/_ipsec $(DESTDIR)$(sbindir)/$(ipsec_script)
+
+install-data-hook:
+ mv $(DESTDIR)$(man8dir)/_ipsec.8 $(DESTDIR)$(man8dir)/$(ipsec_script).8
+
+uninstall-hook:
+ rm -f $(DESTDIR)$(sbindir)/$(ipsec_script)
+ rm -f $(DESTDIR)$(man8dir)/$(ipsec_script).8
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index b0474159d..dbb163f42 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -50,6 +50,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 $(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -89,6 +90,7 @@ AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
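Review bot: The new `install-exec-hook` assumes the script landed verbatim as `$(DESTDIR)$(sbindir)/_ipsec`, but (unless I misremember automake's generated `install-sbinSCRIPTS`) `sbin_SCRIPTS` are installed under the `$(transform)`ed name, so a tree configured with `--program-prefix` or `--program-transform-name` has no `_ipsec` for the `mv` to find and `make install` aborts in the hook; applying the same `$(transform)` to the source name in the hook, or stating in a comment above the hooks that the installed name is governed solely by `ipsec_script` and program-name transforms are unsupported, would settle it. The hooks and the `_ipsec.8` rule also expand `$(ipsec_script)` unguarded: if it is empty the `mv` in `install-exec-hook` targets the directory itself and `install-data-hook` leaves a man page named `.8`; a parse-time check such as `$(if $(strip $(ipsec_script)),,$(error ipsec_script is empty))` near the top of the file makes that misconfiguration fail before anything is installed. Finally, `@IPSEC_SCRIPT@` is replaced with the `g` flag in the `_ipsec.8` rule but without it in the `_ipsec` rule, so the script template must never mention the placeholder twice on one line — a one-line comment on the `_ipsec` rule saying so would keep the next template edit from tripping over it.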
@@ -183,11 +185,14 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ -default_pkcs11 = @default_pkcs11@ +dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ @@ -204,11 +209,12 @@ imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ -libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ @@ -224,6 +230,7 @@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ @@ -233,7 +240,6 @@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ @@ -261,10 +267,10 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -sbin_SCRIPTS = ipsec -CLEANFILES = ipsec ipsec.8 -dist_man8_MANS = ipsec.8 -EXTRA_DIST = ipsec.in ipsec.8.in Android.mk +sbin_SCRIPTS = _ipsec +CLEANFILES = _ipsec _ipsec.8 +dist_man8_MANS = _ipsec.8 +EXTRA_DIST = _ipsec.in _ipsec.8.in Android.mk all: all-am .SUFFIXES: 
@@ -476,13 +482,15 @@ info: info-am info-am: install-data-am: install-man - + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-data-hook install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-sbinSCRIPTS - + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-exec-hook install-html: install-html-am install-html-am: 
@@ -520,43 +528,59 @@ ps: ps-am ps-am: uninstall-am: uninstall-man uninstall-sbinSCRIPTS - + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) uninstall-hook uninstall-man: uninstall-man8 -.MAKE: install-am install-strip +.MAKE: install-am install-data-am install-exec-am install-strip \ + uninstall-am .PHONY: all all-am check check-am clean clean-generic clean-libtool \ distclean distclean-generic distclean-libtool distdir dvi \ dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-sbinSCRIPTS install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ - ps ps-am uninstall uninstall-am uninstall-man uninstall-man8 \ + install-data install-data-am install-data-hook install-dvi \ + install-dvi-am install-exec install-exec-am install-exec-hook \ + install-html install-html-am install-info install-info-am \ + install-man install-man8 install-pdf install-pdf-am install-ps \ + install-ps-am install-sbinSCRIPTS install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am \ + uninstall-hook uninstall-man uninstall-man8 \ uninstall-sbinSCRIPTS -ipsec.8 : ipsec.8.in +_ipsec.8 : _ipsec.8.in sed \ -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + -e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \ + -e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \ $(srcdir)/$@.in > $@ -ipsec : ipsec.in +_ipsec : _ipsec.in sed \ -e "s:@IPSEC_SHELL@:/bin/sh:" \ -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ -e "s:@IPSEC_NAME@:$(PACKAGE_NAME):" \ -e "s:@IPSEC_DISTRO@::" \ -e "s:@IPSEC_DIR@:$(ipsecdir):" \ + -e 
"s:@IPSEC_SCRIPT@:$(ipsec_script):" \ -e "s:@IPSEC_SBINDIR@:$(sbindir):" \ -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \ -e "s:@IPSEC_PIDDIR@:$(piddir):" \ $(srcdir)/$@.in > $@ chmod +x $@ +install-exec-hook: + mv $(DESTDIR)$(sbindir)/_ipsec $(DESTDIR)$(sbindir)/$(ipsec_script) + +install-data-hook: + mv $(DESTDIR)$(man8dir)/_ipsec.8 $(DESTDIR)$(man8dir)/$(ipsec_script).8 + +uninstall-hook: + rm -f $(DESTDIR)$(sbindir)/$(ipsec_script) + rm -f $(DESTDIR)$(man8dir)/$(ipsec_script).8 + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 new file mode 100644 index 000000000..7802fc48f --- /dev/null +++ b/src/ipsec/_ipsec.8 
@@ -0,0 +1,291 @@ +.TH IPSEC 8 "2012-06-19" "5.0.1dr3" "strongSwan" +.SH NAME +ipsec \- invoke IPsec utilities +.SH SYNOPSIS +.B ipsec +\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ] +.PP +.SH DESCRIPTION +The +.B ipsec +utility invokes any of several utilities involved in controlling and monitoring +the IPsec encryption/authentication system, running the specified \fIcommand\fP +with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked +directly. This largely eliminates possible name collisions with other software, +and also permits some centralized services. +.PP +All the commands described in this manual page are built-in and are used to +control and monitor IPsec connections as well as the IKE daemons. +.PP +For other commands +.I ipsec +supplies the invoked +.I command +with a suitable PATH environment variable, +and also provides IPSEC_DIR, +IPSEC_CONFS, and IPSEC_VERSION environment variables, +containing respectively +the full pathname of the directory where the IPsec utilities are stored, +the full pathname of the directory where the configuration files live, +and the IPsec version number. +.PP +.SS CONTROL COMMANDS +.TP +.B "start [ starter options ]" +calls +.BR "starter" +which in turn parses \fIipsec.conf\fR and starts the IKEv1/IKEv2 daemon +\fIcharon\fR. +.PP +.TP +.B "update" +sends a \fIHUP\fR signal to +.BR "starter" +which in turn determines any changes in \fIipsec.conf\fR +and updates the configuration on the running IKE daemon \fIcharon\fR. +.PP +.TP +.B "reload" +sends a \fIUSR1\fR signal to +.BR "starter" +which in turn reloads the whole configuration on the running IKE daemon +\fIcharon\fR based on the actual \fIipsec.conf\fR. +.PP +.TP +.B "restart" +is equivalent to +.B "stop" +followed by +.B "start" +after a guard of 2 seconds. +.PP +.TP +.B "stop" +terminates all IPsec connections and stops the IKE daemon \fIcharon\fR +by sending a \fITERM\fR signal to +.BR "starter". 
+.PP +.TP +.B "up \fIname\fP" +tells the IKE daemon to start up connection \fIname\fP. +.PP +.TP +.B "down \fIname\fP" +tells the IKE daemon to terminate connection \fIname\fP. +.PP +.TP +.B "down \fIname{n}\fP" +terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance \fIn\fP of +connection \fIname\fP. +.PP +.TP +.B "down \fIname{*}\fP" +terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of connection +\fIname\fP. +.PP +.TP +.B "down \fIname[n]\fP" +terminates IKE SA instance \fIn\fP of connection \fIname\fP. +.PP +.TP +.B "down \fIname[*]\fP" +terminates all IKE SA instances of connection \fIname\fP. +.PP +.TP +.B "route \fIname\fP" +tells the IKE daemon to insert an IPsec policy in the kernel +for connection \fIname\fP. The first payload packet matching the IPsec policy +will automatically trigger an IKE connection setup. +.PP +.TP +.B "unroute \fIname\fP" +remove the IPsec policy in the kernel for connection \fIname\fP. +.PP +.TP +.B "status [ \fIname\fP ]" +returns concise status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.TP +.B "statusall [ \fIname\fP ]" +returns detailed status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.SS LIST COMMANDS +.TP +.B "listalgs" +returns a list supported cryptographic algorithms usable for IKE, and their +corresponding plugin. +.PP +.TP +.B "listpubkeys [ --utc ]" +returns a list of RSA public keys that were either loaded in raw key format +or extracted from X.509 and|or OpenPGP certificates. +.PP +.TP +.B "listcerts [ --utc ]" +returns a list of X.509 and|or OpenPGP certificates that were either loaded +locally by the IKE daemon or received via the IKE protocol. +.PP +.TP +.B "listcacerts [ --utc ]" +returns a list of X.509 Certification Authority (CA) certificates that were +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP +directory or received via the IKE protocol. 
+.PP +.TP +.B "listaacerts [ --utc ]" +returns a list of X.509 Authorization Authority (AA) certificates that were +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP +directory. +.PP +.TP +.B "listocspcerts [ --utc ]" +returns a list of X.509 OCSP Signer certificates that were either loaded +locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP +directory or were sent by an OCSP server. +.PP +.TP +.B "listacerts [ --utc ]" +returns a list of X.509 Attribute certificates that were loaded locally by +the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory. +.PP +.TP +.B "listgroups [ --utc ]" +returns a list of groups that are used to define user authorization profiles. +.PP +.TP +.B "listcainfos [ --utc ]" +returns certification authority information (CRL distribution points, OCSP URIs, +LDAP servers) that were defined by +.BR ca +sections in \fIipsec.conf\fP. +.PP +.TP +.B "listcrls [ --utc ]" +returns a list of Certificate Revocation Lists (CRLs) that were either loaded +by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from +an HTTP- or LDAP-based CRL distribution point. +.PP +.TP +.B "listocsp [ --utc ]" +returns revocation information fetched from OCSP servers. +.PP +.TP +.B "listall [ --utc ]" +returns all information generated by the list commands above. Each list command +can be called with the +\fB\-\-utc\fP +option which displays all dates in UTC instead of local time. +.PP +.SS REREAD COMMANDS +.TP +.B "rereadsecrets" +flushes and rereads all secrets defined in \fIipsec.secrets\fP. +.PP +.TP +.B "rereadcacerts" +reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP +directory and adds them to the list of Certification Authority (CA) +certificates. +.PP +.TP +.B "rereadaacerts" +reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP +directory and adds them to the list of Authorization Authority (AA) +certificates. 
+.PP +.TP +.B "rereadocspcerts" +reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP +directory and adds them to the list of OCSP signer certificates. +.PP +.TP +.B "rereadacerts" +reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP +directory and adds them to the list of attribute certificates. +.PP +.TP +.B "rereadcrls" +reads all Certificate Revocation Lists (CRLs) contained in the +\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs. +.PP +.TP +.B "rereadall" +executes all reread commands listed above. +.PP +.SS PURGE COMMANDS +.TP +.B "purgeike" +purges IKE SAs that don't have a Quick Mode or CHILD SA. +.PP +.TP +.B "purgeocsp" +purges all cached OCSP information records. +.PP +.SS INFO COMMANDS +.TP +.B "\-\-help" +returns the usage information for the +.B ipsec +command. +.PP +.TP +.B "\-\-version" +returns the version in the form of +.B Linux strongSwan U/K +if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is +running on. +.PP +.TP +.B "\-\-versioncode" +returns the version number in the form of +.B U/K +if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is +running on. +.PP +.TP +.B "\-\-copyright" +returns the copyright information. +.PP +.TP +.B "\-\-directory" +returns the \fILIBEXECDIR\fP directory as defined by the configure options. +.PP +.TP +.B "\-\-confdir" +returns the \fISYSCONFDIR\fP directory as defined by the configure options. +.SH FILES +/usr/local/lib/ipsec usual utilities directory +.SH ENVIRONMENT +.PP +The following environment variables control where strongSwan finds its +components. +The +.B ipsec +command sets them if they are not already set. 
+.nf +.na + +IPSEC_DIR directory containing ipsec programs and utilities +IPSEC_SBINDIR directory containing \fBipsec\fP command +IPSEC_CONFDIR directory containing configuration files +IPSEC_PIDDIR directory containing PID files +IPSEC_SCRIPT name of the ipsec script +IPSEC_NAME name of ipsec distribution +IPSEC_VERSION version numer of ipsec userland and kernel +IPSEC_STARTER_PID PID file for ipsec starter +IPSEC_CHARON_PID PID file for IKE keying daemon +.ad +.fi +.SH SEE ALSO +.hy 0 +.na +ipsec.conf(5), ipsec.secrets(5) +.ad +.hy +.PP +.SH HISTORY +Originally written for the FreeS/WAN project by Henry Spencer. +Updated and extended for the strongSwan project by +Tobias Brunner and Andreas Steffen. diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in new file mode 100644 index 000000000..41c6ff8d2 --- /dev/null +++ b/src/ipsec/_ipsec.8.in 
@@ -0,0 +1,291 @@ +.TH @IPSEC_SCRIPT_UPPER@ 8 "2012-06-19" "@IPSEC_VERSION@" "strongSwan" +.SH NAME +@IPSEC_SCRIPT@ \- invoke IPsec utilities +.SH SYNOPSIS +.B @IPSEC_SCRIPT@ +\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ] +.PP +.SH DESCRIPTION +The +.B @IPSEC_SCRIPT@ +utility invokes any of several utilities involved in controlling and monitoring +the IPsec encryption/authentication system, running the specified \fIcommand\fP +with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked +directly. This largely eliminates possible name collisions with other software, +and also permits some centralized services. +.PP +All the commands described in this manual page are built-in and are used to +control and monitor IPsec connections as well as the IKE daemons. +.PP +For other commands +.I @IPSEC_SCRIPT@ +supplies the invoked +.I command +with a suitable PATH environment variable, +and also provides IPSEC_DIR, +IPSEC_CONFS, and IPSEC_VERSION environment variables, +containing respectively +the full pathname of the directory where the IPsec utilities are stored, +the full pathname of the directory where the configuration files live, +and the IPsec version number. +.PP +.SS CONTROL COMMANDS +.TP +.B "start [ starter options ]" +calls +.BR "starter" +which in turn parses \fIipsec.conf\fR and starts the IKEv1/IKEv2 daemon +\fIcharon\fR. +.PP +.TP +.B "update" +sends a \fIHUP\fR signal to +.BR "starter" +which in turn determines any changes in \fIipsec.conf\fR +and updates the configuration on the running IKE daemon \fIcharon\fR. +.PP +.TP +.B "reload" +sends a \fIUSR1\fR signal to +.BR "starter" +which in turn reloads the whole configuration on the running IKE daemon +\fIcharon\fR based on the actual \fIipsec.conf\fR. +.PP +.TP +.B "restart" +is equivalent to +.B "stop" +followed by +.B "start" +after a guard of 2 seconds. 
+.PP +.TP +.B "stop" +terminates all IPsec connections and stops the IKE daemon \fIcharon\fR +by sending a \fITERM\fR signal to +.BR "starter". +.PP +.TP +.B "up \fIname\fP" +tells the IKE daemon to start up connection \fIname\fP. +.PP +.TP +.B "down \fIname\fP" +tells the IKE daemon to terminate connection \fIname\fP. +.PP +.TP +.B "down \fIname{n}\fP" +terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance \fIn\fP of +connection \fIname\fP. +.PP +.TP +.B "down \fIname{*}\fP" +terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of connection +\fIname\fP. +.PP +.TP +.B "down \fIname[n]\fP" +terminates IKE SA instance \fIn\fP of connection \fIname\fP. +.PP +.TP +.B "down \fIname[*]\fP" +terminates all IKE SA instances of connection \fIname\fP. +.PP +.TP +.B "route \fIname\fP" +tells the IKE daemon to insert an IPsec policy in the kernel +for connection \fIname\fP. The first payload packet matching the IPsec policy +will automatically trigger an IKE connection setup. +.PP +.TP +.B "unroute \fIname\fP" +remove the IPsec policy in the kernel for connection \fIname\fP. +.PP +.TP +.B "status [ \fIname\fP ]" +returns concise status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.TP +.B "statusall [ \fIname\fP ]" +returns detailed status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.SS LIST COMMANDS +.TP +.B "listalgs" +returns a list supported cryptographic algorithms usable for IKE, and their +corresponding plugin. +.PP +.TP +.B "listpubkeys [ --utc ]" +returns a list of RSA public keys that were either loaded in raw key format +or extracted from X.509 and|or OpenPGP certificates. +.PP +.TP +.B "listcerts [ --utc ]" +returns a list of X.509 and|or OpenPGP certificates that were either loaded +locally by the IKE daemon or received via the IKE protocol. 
+.PP +.TP +.B "listcacerts [ --utc ]" +returns a list of X.509 Certification Authority (CA) certificates that were +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP +directory or received via the IKE protocol. +.PP +.TP +.B "listaacerts [ --utc ]" +returns a list of X.509 Authorization Authority (AA) certificates that were +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP +directory. +.PP +.TP +.B "listocspcerts [ --utc ]" +returns a list of X.509 OCSP Signer certificates that were either loaded +locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP +directory or were sent by an OCSP server. +.PP +.TP +.B "listacerts [ --utc ]" +returns a list of X.509 Attribute certificates that were loaded locally by +the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory. +.PP +.TP +.B "listgroups [ --utc ]" +returns a list of groups that are used to define user authorization profiles. +.PP +.TP +.B "listcainfos [ --utc ]" +returns certification authority information (CRL distribution points, OCSP URIs, +LDAP servers) that were defined by +.BR ca +sections in \fIipsec.conf\fP. +.PP +.TP +.B "listcrls [ --utc ]" +returns a list of Certificate Revocation Lists (CRLs) that were either loaded +by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from +an HTTP- or LDAP-based CRL distribution point. +.PP +.TP +.B "listocsp [ --utc ]" +returns revocation information fetched from OCSP servers. +.PP +.TP +.B "listall [ --utc ]" +returns all information generated by the list commands above. Each list command +can be called with the +\fB\-\-utc\fP +option which displays all dates in UTC instead of local time. +.PP +.SS REREAD COMMANDS +.TP +.B "rereadsecrets" +flushes and rereads all secrets defined in \fIipsec.secrets\fP. +.PP +.TP +.B "rereadcacerts" +reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP +directory and adds them to the list of Certification Authority (CA) +certificates. 
+.PP +.TP +.B "rereadaacerts" +reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP +directory and adds them to the list of Authorization Authority (AA) +certificates. +.PP +.TP +.B "rereadocspcerts" +reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP +directory and adds them to the list of OCSP signer certificates. +.PP +.TP +.B "rereadacerts" +reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP +directory and adds them to the list of attribute certificates. +.PP +.TP +.B "rereadcrls" +reads all Certificate Revocation Lists (CRLs) contained in the +\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs. +.PP +.TP +.B "rereadall" +executes all reread commands listed above. +.PP +.SS PURGE COMMANDS +.TP +.B "purgeike" +purges IKE SAs that don't have a Quick Mode or CHILD SA. +.PP +.TP +.B "purgeocsp" +purges all cached OCSP information records. +.PP +.SS INFO COMMANDS +.TP +.B "\-\-help" +returns the usage information for the +.B @IPSEC_SCRIPT@ +command. +.PP +.TP +.B "\-\-version" +returns the version in the form of +.B Linux strongSwan U/K +if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is +running on. +.PP +.TP +.B "\-\-versioncode" +returns the version number in the form of +.B U/K +if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is +running on. +.PP +.TP +.B "\-\-copyright" +returns the copyright information. +.PP +.TP +.B "\-\-directory" +returns the \fILIBEXECDIR\fP directory as defined by the configure options. +.PP +.TP +.B "\-\-confdir" +returns the \fISYSCONFDIR\fP directory as defined by the configure options. +.SH FILES +/usr/local/lib/ipsec usual utilities directory +.SH ENVIRONMENT +.PP +The following environment variables control where strongSwan finds its +components. +The +.B @IPSEC_SCRIPT@ +command sets them if they are not already set. 
+.nf +.na + +IPSEC_DIR directory containing ipsec programs and utilities +IPSEC_SBINDIR directory containing \fBipsec\fP command +IPSEC_CONFDIR directory containing configuration files +IPSEC_PIDDIR directory containing PID files +IPSEC_SCRIPT name of the ipsec script +IPSEC_NAME name of ipsec distribution +IPSEC_VERSION version numer of ipsec userland and kernel +IPSEC_STARTER_PID PID file for ipsec starter +IPSEC_CHARON_PID PID file for IKE keying daemon +.ad +.fi +.SH SEE ALSO +.hy 0 +.na +ipsec.conf(5), ipsec.secrets(5) +.ad +.hy +.PP +.SH HISTORY +Originally written for the FreeS/WAN project by Henry Spencer. +Updated and extended for the strongSwan project by +Tobias Brunner and Andreas Steffen. diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in new file mode 100644 index 000000000..2acf5a3f6 --- /dev/null +++ b/src/ipsec/_ipsec.in 
@@ -0,0 +1,335 @@
+#! @IPSEC_SHELL@
+# prefix command to run stuff from our programs directory
+# Copyright (C) 1998-2002 Henry Spencer.
+# Copyright (C) 2006 Andreas Steffen
+# Copyright (C) 2006 Martin Willi
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
+export PATH
+
+# name and version of the ipsec implementation
+OS_NAME=`uname -s`
+IPSEC_NAME="@IPSEC_NAME@"
+IPSEC_VERSION="U@IPSEC_VERSION@/K`uname -r`"
+
+# where the private directory and the config files are
+IPSEC_DIR="@IPSEC_DIR@"
+IPSEC_SBINDIR="@IPSEC_SBINDIR@"
+IPSEC_CONFDIR="@IPSEC_CONFDIR@"
+IPSEC_PIDDIR="@IPSEC_PIDDIR@"
+IPSEC_SCRIPT="@IPSEC_SCRIPT@"
+
+IPSEC_STARTER_PID="${IPSEC_PIDDIR}/starter.pid"
+IPSEC_CHARON_PID="${IPSEC_PIDDIR}/charon.pid"
+
+IPSEC_STROKE="${IPSEC_DIR}/stroke"
+IPSEC_STARTER="${IPSEC_DIR}/starter"
+
+export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCRIPT IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_CHARON_PID
+
+IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
+
+case "$1" in
+'')
+ echo "Usage: $IPSEC_SCRIPT command argument ..."
+ echo "Use --help for list of commands, or see $IPSEC_SCRIPT(8) manual "
+ echo "page or the $IPSEC_NAME documentation for names of the common "
+ echo "ones."
+ echo "See for more general info."
+ exit 0
+ ;;
+--help)
+ echo "Usage: $IPSEC_SCRIPT command argument ..."
+ echo "where command is one of:"
+ echo " start|restart arguments..."
+ echo " update|reload|stop"
+ echo " up|down|route|unroute "
+ echo " status|statusall []"
+ echo " listalgs|listpubkeys|listcerts [--utc]"
+ echo " listcacerts|listaacerts|listocspcerts [--utc]"
+ echo " listacerts|listgroups|listcainfos [--utc]"
+ echo " listcrls|listocsp|listcards|listplugins|listall [--utc]"
+ echo " leases [ [
]]"
+ echo " rereadsecrets|rereadgroups"
+ echo " rereadcacerts|rereadaacerts|rereadocspcerts"
+ echo " rereadacerts|rereadcrls|rereadall"
+ echo " purgeocsp|purgecrls|purgecerts|purgeike"
+ echo " openac"
+ echo " scepclient"
+ echo " secrets"
+ echo " starter"
+ echo " version"
+ echo " stroke"
+ echo
+ echo "Some of these functions have their own manual pages, e.g. ipsec_scepclient(8)."
+ exit 0
+ ;;
+--versioncode)
+ echo "$IPSEC_VERSION"
+ exit 0
+ ;;
+--directory)
+ echo "$IPSEC_DIR"
+ exit 0
+ ;;
+--confdir)
+ echo "$IPSEC_CONFDIR"
+ exit 0
+ ;;
+copyright|--copyright)
+ set _copyright
+ # and fall through, invoking "ipsec _copyright"
+ ;;
+down)
+ shift
+ if [ "$#" -ne 1 ]
+ then
+ echo "Usage: $IPSEC_SCRIPT down "
+ exit 2
+ fi
+ rc=7
+ if [ -e $IPSEC_CHARON_PID ]
+ then
+ $IPSEC_STROKE down "$1"
+ rc="$?"
+ fi
+ exit "$rc"
+ ;;
+down-srcip)
+ shift
+ if [ "$#" -lt 1 ]
+ then
+ echo "Usage: $IPSEC_SCRIPT down-srcip []"
+ exit 2
+ fi
+ rc=7
+ if [ -e $IPSEC_CHARON_PID ]
+ then
+ $IPSEC_STROKE down-srcip $*
+ rc="$?"
+ fi
+ exit "$rc"
+ ;;
+listcards|rereadgroups)
+ op="$1"
+ shift
+ if [ -e $IPSEC_CHARON_PID ]
+ then
+ exit 3
+ else
+ exit 7
+ fi
+ ;;
+leases)
+ op="$1"
+ rc=7
+ shift
+ if [ -e $IPSEC_CHARON_PID ]
+ then
+ case "$#" in
+ 0) $IPSEC_STROKE "$op" ;;
+ 1) $IPSEC_STROKE "$op" "$1" ;;
+ *) $IPSEC_STROKE "$op" "$1" "$2" ;;
+ esac
+ rc="$?"
+ fi
+ exit "$rc"
+ ;;
+listalgs|listpubkeys|listplugins|\
+listcerts|listcacerts|listaacerts|\
+listacerts|listgroups|listocspcerts|\
+listcainfos|listcrls|listocsp|listall|\
+rereadsecrets|rereadcacerts|rereadaacerts|\
+rereadacerts|rereadocspcerts|rereadcrls|\
+rereadall|purgeocsp)
+ op="$1"
+ rc=7
+ shift
+ if [ -e $IPSEC_CHARON_PID ]
+ then
+ $IPSEC_STROKE "$op" "$@"
+ rc="$?"
+ fi
+ exit "$rc"
+ ;;
+purgeike|purgecrls|purgecerts)
+ rc=7
+ if [ -e $IPSEC_CHARON_PID ]
+ then
+ $IPSEC_STROKE "$1"
+ rc="$?"
+ fi
+ exit "$rc"
+ ;;
+reload)
+ rc=7
+ if [ -e $IPSEC_STARTER_PID ]
+ then
+ echo "Reloading strongSwan IPsec configuration..." >&2
+ kill -USR1 `cat $IPSEC_STARTER_PID` 2>/dev/null && rc=0
+ else
+ echo "Reloading strongSwan IPsec failed: starter is not running" >&2
+ fi
+ exit "$rc"
+ ;;
+restart)
+ $IPSEC_SBINDIR/$IPSEC_SCRIPT stop
+ sleep 2
+ shift
+ exec $IPSEC_SBINDIR/$IPSEC_SCRIPT start "$@"
+ ;;
+route|unroute)
+ op="$1"
+ rc=7
+ shift
+ if [ "$#" -ne 1 ]
+ then
+ echo "Usage: $IPSEC_SCRIPT $op "
+ exit 2
+ fi
+ if [ -e $IPSEC_CHARON_PID ]
+ then
+ $IPSEC_STROKE "$op" "$1"
+ rc="$?"
+ fi
+ exit "$rc"
+ ;;
+secrets)
+ rc=7
+ if [ -e $IPSEC_CHARON_PID ]
+ then
+ $IPSEC_STROKE rereadsecrets
+ rc="$?"
+ fi
+ exit "$rc"
+ ;;
+start)
+ shift
+ if [ -d /var/lock/subsys ]; then
+ touch /var/lock/subsys/ipsec
+ fi
+ exec $IPSEC_STARTER "$@"
+ ;;
+status|statusall)
+ op="$1"
+ # Return value is slightly different for the status command:
+ # 0 - service up and running
+ # 1 - service dead, but /var/run/ pid file exists
+ # 2 - service dead, but /var/lock/ lock file exists
+ # 3 - service not running (unused)
+ # 4 - service status unknown :-(
+ # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
+ shift
+ if [ $# -eq 0 ]
+ then
+ if [ -e $IPSEC_CHARON_PID ]
+ then
+ $IPSEC_STROKE "$op"
+ fi
+ else
+ if [ -e $IPSEC_CHARON_PID ]
+ then
+ $IPSEC_STROKE "$op" "$1"
+ fi
+ fi
+ if [ -e $IPSEC_STARTER_PID ]
+ then
+ kill -0 `cat $IPSEC_STARTER_PID` 2>/dev/null
+ exit $?
+ fi
+ exit 3
+ ;;
+stop)
+ # stopping a not-running service is considered as success
+ if [ -e $IPSEC_STARTER_PID ]
+ then
+ echo "Stopping strongSwan IPsec..." 
>&2
+ spid=`cat $IPSEC_STARTER_PID`
+ if [ -n "$spid" ]
+ then
+ kill $spid 2>/dev/null
+ loop=11
+ while [ $loop -gt 0 ] ; do
+ kill -0 $spid 2>/dev/null || break
+ sleep 1
+ loop=$(($loop - 1))
+ done
+ if [ $loop -eq 0 ]
+ then
+ kill -KILL $spid 2>/dev/null
+ rm -f $IPSEC_STARTER_PID
+ fi
+ fi
+ else
+ echo "Stopping strongSwan IPsec failed: starter is not running" >&2
+ fi
+ if [ -d /var/lock/subsys ]; then
+ rm -f /var/lock/subsys/ipsec
+ fi
+ exit 0
+ ;;
+up)
+ shift
+ if [ "$#" -ne 1 ]
+ then
+ echo "Usage: $IPSEC_SCRIPT up "
+ exit 2
+ fi
+ rc=7
+ if [ -e $IPSEC_CHARON_PID ]
+ then
+ $IPSEC_STROKE up "$1"
+ rc="$?"
+ fi
+ exit "$rc"
+ ;;
+update)
+ if [ -e $IPSEC_STARTER_PID ]
+ then
+ echo "Updating strongSwan IPsec configuration..." >&2
+ kill -HUP `cat $IPSEC_STARTER_PID`
+ exit 0
+ else
+ echo "Updating strongSwan IPsec failed: starter is not running" >&2
+ exit 7
+ fi
+ ;;
+version|--version)
+ printf "$OS_NAME $IPSEC_NAME $IPSEC_VERSION\n"
+ printf "$IPSEC_DISTRO\n"
+ printf "See '$IPSEC_SCRIPT --copyright' for copyright information.\n"
+ exit 0
+ ;;
+--*)
+ echo "$0: unknown option \`$1' (perhaps command name was omitted?)" >&2
+ exit 2
+ ;;
+esac
+
+cmd="$1"
+shift
+
+path="$IPSEC_DIR/$cmd"
+
+if [ ! -x "$path" ]
+then
+ path="$IPSEC_DIR/$cmd"
+ if [ ! -x "$path" ]
+ then
+ echo "$0: unknown IPsec command \`$cmd' (\`$IPSEC_SCRIPT --help' for list)" >&2
+ exit 2
+ fi
+fi
+
+exec $path "$@"
diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8
deleted file mode 100644
index 66e43b481..000000000
--- a/src/ipsec/ipsec.8
+++ /dev/null
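Review bot: The `update` branch exits 0 even when the HUP could not be delivered, whereas the sibling `reload` branch reports success only through `kill ... 2>/dev/null && rc=0`; with a stale or empty starter PID file, `update` therefore prints "Updating ..." and returns success for a daemon that was never signalled. Replace the `kill -HUP` line and the `exit 0` after it with `kill -HUP $(cat $IPSEC_STARTER_PID) 2>/dev/null && exit 0` followed by `exit 7`, so both branches report the same way. In the `stop` branch `$spid` is read straight from the PID file and handed to `kill` and `kill -KILL` unvalidated; inserting `case "$spid" in ''|*[!0-9]*) spid= ;; esac` before the `if [ -n "$spid" ]` keeps a corrupted or stale file from signalling an arbitrary process. The command lookup at the end assigns `path="$IPSEC_DIR/$cmd"` twice, so the inner `[ ! -x "$path" ]` can never succeed where the outer one failed — presumably a second search directory was intended; either drop the duplicate or point it at that directory. Note too that `$IPSEC_CHARON_PID` and `$IPSEC_STARTER_PID` are unquoted in every `[ -e ... ]` test, which only holds up while `@IPSEC_PIDDIR@` contains no whitespace.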
@@ -1,302 +0,0 @@
-.TH IPSEC 8 "2010-05-30" "4.5.3dr3" "strongSwan"
-.SH NAME
-ipsec \- invoke IPsec utilities
-.SH SYNOPSIS
-.B ipsec
-\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ]
-.PP
-.SH DESCRIPTION
-The
-.B ipsec
-utility invokes any of several utilities involved in controlling and monitoring
-the IPsec encryption/authentication system, running the specified \fIcommand\fP
-with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
-directly. This largely eliminates possible name collisions with other software,
-and also permits some centralized services.
-.PP
-All the commands described in this manual page are built-in and are used to
-control and monitor IPsec connections as well as the IKE daemons.
-.PP
-For other commands
-.I ipsec
-supplies the invoked
-.I command
-with a suitable PATH environment variable,
-and also provides IPSEC_DIR,
-IPSEC_CONFS, and IPSEC_VERSION environment variables,
-containing respectively
-the full pathname of the directory where the IPsec utilities are stored,
-the full pathname of the directory where the configuration files live,
-and the IPsec version number.
-.PP
-.SS CONTROL COMMANDS
-.TP
-.B "ipsec start [ starter options ]"
-calls
-.BR "ipsec starter"
-which in turn parses \fIipsec.conf\fR and starts the IKEv1 \fIpluto\fR and
-IKEv2 \fIcharon\fR daemons.
-.PP
-.TP
-.B "ipsec update"
-sends a \fIHUP\fR signal to
-.BR "ipsec starter"
-which in turn determines any changes in \fIipsec.conf\fR
-and updates the configuration on the running IKEv1 \fIpluto\fR and IKEv2
-\fIcharon\fR daemons, correspondingly.
-.PP
-.TP
-.B "ipsec reload"
-sends a \fIUSR1\fR signal to
-.BR "ipsec starter"
-which in turn reloads the whole configuration on the running IKEv1 \fIpluto\fR
-and IKEv2 \fIcharon\fR daemons based on the actual \fIipsec.conf\fR.
-.PP
-.TP
-.B "ipsec restart"
-is equivalent to
-.B "ipsec stop"
-followed by
-.B "ipsec start"
-after a guard of 2 seconds.
-.PP
-.TP
-.B "ipsec stop"
-terminates all IPsec connections and stops the IKEv1 \fIpluto\fR and IKEv2
-\fIcharon\fR daemons by sending a \fITERM\fR signal to
-.BR "ipsec starter".
-.PP
-.TP
-.B "ipsec up \fIname\fP"
-tells the responsible IKE daemon to start up connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname\fP"
-tells the responsible IKE daemon to terminate connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname{n}\fP"
-terminates IKEv2 CHILD SA instance \fIn\fP of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname{*}\fP"
-terminates all IKEv2 CHILD SA instances of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname[n]\fP"
-terminates all IKEv2 IKE SA instance \fIn\fP of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname[*]\fP"
-terminates all IKEv2 IKE SA instances of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec route \fIname\fP"
-tells the responsible IKE daemon to insert an IPsec policy in the kernel
-for connection \fIname\fP. The first payload packet matching the IPsec policy
-will automatically trigger an IKE connection setup.
-.PP
-.TP
-.B "ipsec unroute \fIname\fP"
-remove the IPsec policy in the kernel for connection \fIname\fP.
-.PP
-.TP
-.B "ipsec status [ \fIname\fP ]"
-returns concise status information either on connection
-\fIname\fP or if the argument is lacking, on all connections.
-.PP
-.TP
-.B "ipsec statusall [ \fIname\fP ]"
-returns detailed status information either on connection
-\fIname\fP or if the argument is lacking, on all connections.
-.PP
-.SS LIST COMMANDS
-.TP
-.B "ipsec listalgs"
-returns a list all supported IKE encryption and hash algorithms, the available
-Diffie-Hellman groups, as well as all supported ESP encryption and
-authentication algorithms registered via the Linux kernel's Crypto API.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listpubkeys [ --utc ]"
-returns a list of RSA public keys that were either loaded in raw key format
-or extracted from X.509 and|or OpenPGP certificates.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listcerts [ --utc ]"
-returns a list of X.509 and|or OpenPGP certificates that were either loaded
-locally by the IKE daemon or received via the IKEv2 protocol.
-.PP
-.TP
-.B "ipsec listcacerts [ --utc ]"
-returns a list of X.509 Certification Authority (CA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
-directory or received in PKCS#7-wrapped certificate payloads via the IKE
-protocol.
-.PP
-.TP
-.B "ipsec listaacerts [ --utc ]"
-returns a list of X.509 Authorization Authority (AA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
-directory.
-.PP
-.TP
-.B "ipsec listocspcerts [ --utc ]"
-returns a list of X.509 OCSP Signer certificates that were either loaded
-locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
-directory or were sent by an OCSP server.
-.PP
-.TP
-.B "ipsec listacerts [ --utc ]"
-returns a list of X.509 Attribute certificates that were loaded locally by
-the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
-.PP
-.TP
-.B "ipsec listgroups [ --utc ]"
-returns a list of groups that are used to define user authorization profiles.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listcainfos [ --utc ]"
-returns certification authority information (CRL distribution points, OCSP URIs,
-LDAP servers) that were defined by
-.BR ca
-sections in \fIipsec.conf\fP.
-.PP
-.TP
-.B "ipsec listcrls [ --utc ]"
-returns a list of Certificate Revocation Lists (CRLs) that were either loaded
-by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
-an HTTP- or LDAP-based CRL distribution point.
-.PP
-.TP
-.B "ipsec listocsp [ --utc ]"
-returns revocation information fetched from OCSP servers.
-.PP
-.TP
-.B "ipsec listcards [ --utc ]"
-list all certificates found on attached smart cards.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listall [ --utc ]"
-returns all information generated by the list commands above. Each list command
-can be called with the
-\fB\-\-utc\fP
-option which displays all dates in UTC instead of local time.
-.PP
-.SS REREAD COMMANDS
-.TP
-.B "ipsec rereadsecrets"
-flushes and rereads all secrets defined in \fIipsec.secrets\fP.
-.PP
-.TP
-.B "ipsec rereadcacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
-directory and adds them to the list of Certification Authority (CA)
-certificates.
-.PP
-.TP
-.B "ipsec rereadaacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
-directory and adds them to the list of Authorization Authority (AA)
-certificates.
-.PP
-.TP
-.B "ipsec rereadocspcerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
-directory and adds them to the list of OCSP signer certificates.
-.PP
-.TP
-.B "ipsec rereadacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP
-directory and adds them to the list of attribute certificates.
-.PP
-.TP
-.B "ipsec rereadcrls"
-reads all Certificate Revocation Lists (CRLs) contained in the
-\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
-.PP
-.TP
-.B "ipsec rereadall"
-executes all reread commands listed above.
-.PP
-.SS PURGE COMMANDS
-.TP
-.B "ipsec purgeike"
-purges IKEv2 SAs that don't have a CHILD SA.
-.PP
-.TP
-.B "ipsec purgeocsp"
-purges all cached OCSP information records.
-.PP
-.SS INFO COMMANDS
-.TP
-.B "ipsec \-\-help"
-returns the usage information for the ipsec command.
-.PP
-.TP
-.B "ipsec \-\-version"
-returns the version in the form of
-.B Linux strongSwan U/K
-if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
-running on.
-.PP
-.TP
-.B "ipsec \-\-versioncode"
-returns the version number in the form of
-.B U/K
-if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
-running on.
-.PP
-.TP
-.B "ipsec \-\-copyright"
-returns the copyright information.
-.PP
-.TP
-.B "ipsec \-\-directory"
-returns the \fILIBEXECDIR\fP directory as defined by the configure options.
-.PP
-.TP
-.B "ipsec \-\-confdir"
-returns the \fISYSCONFDIR\fP directory as defined by the configure options.
-.SH FILES
-/usr/local/lib/ipsec usual utilities directory
-.SH ENVIRONMENT
-.PP
-The following environment variables control where strongSwan finds its
-components.
-The
-.B ipsec
-command sets them if they are not already set.
-.nf
-.na
-
-IPSEC_DIR directory containing ipsec programs and utilities
-IPSEC_SBINDIR directory containing \fBipsec\fP command
-IPSEC_CONFDIR directory containing configuration files
-IPSEC_PIDDIR directory containing PID files
-IPSEC_NAME name of ipsec distribution
-IPSEC_VERSION version numer of ipsec userland and kernel
-IPSEC_STARTER_PID PID file for ipsec starter
-IPSEC_PLUTO_PID PID file for IKEv1 keying daemon
-IPSEC_CHARON_PID PID file for IKEv2 keying daemon
-.ad
-.fi
-.SH SEE ALSO
-.hy 0
-.na
-ipsec.conf(5), ipsec.secrets(5)
-.ad
-.hy
-.PP
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project by
-Tobias Brunner and Andreas Steffen.
diff --git a/src/ipsec/ipsec.8.in b/src/ipsec/ipsec.8.in
deleted file mode 100644
index 24a796392..000000000
--- a/src/ipsec/ipsec.8.in
+++ /dev/null
@@ -1,302 +0,0 @@
-.TH IPSEC 8 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
-.SH NAME
-ipsec \- invoke IPsec utilities
-.SH SYNOPSIS
-.B ipsec
-\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ]
-.PP
-.SH DESCRIPTION
-The
-.B ipsec
-utility invokes any of several utilities involved in controlling and monitoring
-the IPsec encryption/authentication system, running the specified \fIcommand\fP
-with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
-directly. This largely eliminates possible name collisions with other software,
-and also permits some centralized services.
-.PP
-All the commands described in this manual page are built-in and are used to
-control and monitor IPsec connections as well as the IKE daemons.
-.PP
-For other commands
-.I ipsec
-supplies the invoked
-.I command
-with a suitable PATH environment variable,
-and also provides IPSEC_DIR,
-IPSEC_CONFS, and IPSEC_VERSION environment variables,
-containing respectively
-the full pathname of the directory where the IPsec utilities are stored,
-the full pathname of the directory where the configuration files live,
-and the IPsec version number.
-.PP
-.SS CONTROL COMMANDS
-.TP
-.B "ipsec start [ starter options ]"
-calls
-.BR "ipsec starter"
-which in turn parses \fIipsec.conf\fR and starts the IKEv1 \fIpluto\fR and
-IKEv2 \fIcharon\fR daemons.
-.PP
-.TP
-.B "ipsec update"
-sends a \fIHUP\fR signal to
-.BR "ipsec starter"
-which in turn determines any changes in \fIipsec.conf\fR
-and updates the configuration on the running IKEv1 \fIpluto\fR and IKEv2
-\fIcharon\fR daemons, correspondingly.
-.PP
-.TP
-.B "ipsec reload"
-sends a \fIUSR1\fR signal to
-.BR "ipsec starter"
-which in turn reloads the whole configuration on the running IKEv1 \fIpluto\fR
-and IKEv2 \fIcharon\fR daemons based on the actual \fIipsec.conf\fR.
-.PP
-.TP
-.B "ipsec restart"
-is equivalent to
-.B "ipsec stop"
-followed by
-.B "ipsec start"
-after a guard of 2 seconds.
-.PP
-.TP
-.B "ipsec stop"
-terminates all IPsec connections and stops the IKEv1 \fIpluto\fR and IKEv2
-\fIcharon\fR daemons by sending a \fITERM\fR signal to
-.BR "ipsec starter".
-.PP
-.TP
-.B "ipsec up \fIname\fP"
-tells the responsible IKE daemon to start up connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname\fP"
-tells the responsible IKE daemon to terminate connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname{n}\fP"
-terminates IKEv2 CHILD SA instance \fIn\fP of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname{*}\fP"
-terminates all IKEv2 CHILD SA instances of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname[n]\fP"
-terminates all IKEv2 IKE SA instance \fIn\fP of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname[*]\fP"
-terminates all IKEv2 IKE SA instances of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec route \fIname\fP"
-tells the responsible IKE daemon to insert an IPsec policy in the kernel
-for connection \fIname\fP. The first payload packet matching the IPsec policy
-will automatically trigger an IKE connection setup.
-.PP
-.TP
-.B "ipsec unroute \fIname\fP"
-remove the IPsec policy in the kernel for connection \fIname\fP.
-.PP
-.TP
-.B "ipsec status [ \fIname\fP ]"
-returns concise status information either on connection
-\fIname\fP or if the argument is lacking, on all connections.
-.PP
-.TP
-.B "ipsec statusall [ \fIname\fP ]"
-returns detailed status information either on connection
-\fIname\fP or if the argument is lacking, on all connections.
-.PP
-.SS LIST COMMANDS
-.TP
-.B "ipsec listalgs"
-returns a list all supported IKE encryption and hash algorithms, the available
-Diffie-Hellman groups, as well as all supported ESP encryption and
-authentication algorithms registered via the Linux kernel's Crypto API.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listpubkeys [ --utc ]"
-returns a list of RSA public keys that were either loaded in raw key format
-or extracted from X.509 and|or OpenPGP certificates.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listcerts [ --utc ]"
-returns a list of X.509 and|or OpenPGP certificates that were either loaded
-locally by the IKE daemon or received via the IKEv2 protocol.
-.PP
-.TP
-.B "ipsec listcacerts [ --utc ]"
-returns a list of X.509 Certification Authority (CA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
-directory or received in PKCS#7-wrapped certificate payloads via the IKE
-protocol.
-.PP
-.TP
-.B "ipsec listaacerts [ --utc ]"
-returns a list of X.509 Authorization Authority (AA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
-directory.
-.PP
-.TP
-.B "ipsec listocspcerts [ --utc ]"
-returns a list of X.509 OCSP Signer certificates that were either loaded
-locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
-directory or were sent by an OCSP server.
-.PP
-.TP
-.B "ipsec listacerts [ --utc ]"
-returns a list of X.509 Attribute certificates that were loaded locally by
-the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
-.PP
-.TP
-.B "ipsec listgroups [ --utc ]"
-returns a list of groups that are used to define user authorization profiles.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listcainfos [ --utc ]"
-returns certification authority information (CRL distribution points, OCSP URIs,
-LDAP servers) that were defined by
-.BR ca
-sections in \fIipsec.conf\fP.
-.PP
-.TP
-.B "ipsec listcrls [ --utc ]"
-returns a list of Certificate Revocation Lists (CRLs) that were either loaded
-by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
-an HTTP- or LDAP-based CRL distribution point.
-.PP
-.TP
-.B "ipsec listocsp [ --utc ]"
-returns revocation information fetched from OCSP servers.
-.PP
-.TP
-.B "ipsec listcards [ --utc ]"
-list all certificates found on attached smart cards.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listall [ --utc ]"
-returns all information generated by the list commands above. Each list command
-can be called with the
-\fB\-\-utc\fP
-option which displays all dates in UTC instead of local time.
-.PP
-.SS REREAD COMMANDS
-.TP
-.B "ipsec rereadsecrets"
-flushes and rereads all secrets defined in \fIipsec.secrets\fP.
-.PP
-.TP
-.B "ipsec rereadcacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
-directory and adds them to the list of Certification Authority (CA)
-certificates.
-.PP
-.TP
-.B "ipsec rereadaacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
-directory and adds them to the list of Authorization Authority (AA)
-certificates.
-.PP
-.TP
-.B "ipsec rereadocspcerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
-directory and adds them to the list of OCSP signer certificates.
-.PP
-.TP
-.B "ipsec rereadacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP
-directory and adds them to the list of attribute certificates.
-.PP
-.TP
-.B "ipsec rereadcrls"
-reads all Certificate Revocation Lists (CRLs) contained in the
-\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
-.PP
-.TP
-.B "ipsec rereadall"
-executes all reread commands listed above.
-.PP
-.SS PURGE COMMANDS
-.TP
-.B "ipsec purgeike"
-purges IKEv2 SAs that don't have a CHILD SA.
-.PP
-.TP
-.B "ipsec purgeocsp"
-purges all cached OCSP information records.
-.PP
-.SS INFO COMMANDS
-.TP
-.B "ipsec \-\-help"
-returns the usage information for the ipsec command.
-.PP
-.TP
-.B "ipsec \-\-version"
-returns the version in the form of
-.B Linux strongSwan U/K
-if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
-running on.
-.PP
-.TP
-.B "ipsec \-\-versioncode"
-returns the version number in the form of
-.B U/K
-if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
-running on.
-.PP
-.TP
-.B "ipsec \-\-copyright"
-returns the copyright information.
-.PP
-.TP
-.B "ipsec \-\-directory"
-returns the \fILIBEXECDIR\fP directory as defined by the configure options.
-.PP
-.TP
-.B "ipsec \-\-confdir"
-returns the \fISYSCONFDIR\fP directory as defined by the configure options.
-.SH FILES
-/usr/local/lib/ipsec usual utilities directory
-.SH ENVIRONMENT
-.PP
-The following environment variables control where strongSwan finds its
-components.
-The
-.B ipsec
-command sets them if they are not already set.
-.nf
-.na
-
-IPSEC_DIR directory containing ipsec programs and utilities
-IPSEC_SBINDIR directory containing \fBipsec\fP command
-IPSEC_CONFDIR directory containing configuration files
-IPSEC_PIDDIR directory containing PID files
-IPSEC_NAME name of ipsec distribution
-IPSEC_VERSION version numer of ipsec userland and kernel
-IPSEC_STARTER_PID PID file for ipsec starter
-IPSEC_PLUTO_PID PID file for IKEv1 keying daemon
-IPSEC_CHARON_PID PID file for IKEv2 keying daemon
-.ad
-.fi
-.SH SEE ALSO
-.hy 0
-.na
-ipsec.conf(5), ipsec.secrets(5)
-.ad
-.hy
-.PP
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project by
-Tobias Brunner and Andreas Steffen.
diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in
deleted file mode 100755
index 479974a0e..000000000
--- a/src/ipsec/ipsec.in
+++ /dev/null
@@ -1,408 +0,0 @@
-#! @IPSEC_SHELL@
-# prefix command to run stuff from our programs directory
-# Copyright (C) 1998-2002 Henry Spencer.
-# Copyright (C) 2006 Andreas Steffen
-# Copyright (C) 2006 Martin Willi
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
-export PATH
-
-# name and version of the ipsec implementation
-OS_NAME=`uname -s`
-IPSEC_NAME="@IPSEC_NAME@"
-IPSEC_VERSION="U@IPSEC_VERSION@/K`uname -r`"
-
-# where the private directory and the config files are
-IPSEC_DIR="@IPSEC_DIR@"
-IPSEC_SBINDIR="@IPSEC_SBINDIR@"
-IPSEC_CONFDIR="@IPSEC_CONFDIR@"
-IPSEC_PIDDIR="@IPSEC_PIDDIR@"
-
-IPSEC_STARTER_PID="${IPSEC_PIDDIR}/starter.pid"
-IPSEC_PLUTO_PID="${IPSEC_PIDDIR}/pluto.pid"
-IPSEC_CHARON_PID="${IPSEC_PIDDIR}/charon.pid"
-
-IPSEC_WHACK="${IPSEC_DIR}/whack"
-IPSEC_STROKE="${IPSEC_DIR}/stroke"
-IPSEC_STARTER="${IPSEC_DIR}/starter"
-
-export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_PLUTO_PID IPSEC_CHARON_PID
-
-IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
-
-case "$1" in
-'')
- echo "Usage: ipsec command argument ..."
- echo "Use --help for list of commands, or see ipsec(8) manual page"
- echo "or the $IPSEC_NAME documentation for names of the common ones."
- echo "Most have their own manual pages, e.g. ipsec_auto(8)."
- echo "See for more general info."
- exit 0
- ;;
---help)
- echo "Usage: ipsec command argument ..."
- echo "where command is one of:"
- echo " start|restart arguments..."
- echo " update|reload|stop"
- echo " up|down|route|unroute "
- echo " status|statusall []"
- echo " ready"
- echo " listalgs|listpubkeys|listcerts [--utc]"
- echo " listcacerts|listaacerts|listocspcerts [--utc]"
- echo " listacerts|listgroups|listcainfos [--utc]"
- echo " listcrls|listocsp|listcards|listplugins|listall [--utc]"
- echo " leases [ [ ]]"
- echo " rereadsecrets|rereadgroups"
- echo " rereadcacerts|rereadaacerts|rereadocspcerts"
- echo " rereadacerts|rereadcrls|rereadall"
- echo " purgeocsp|purgecrls|purgecerts|purgeike"
- echo " scencrypt|scdecrypt [--inbase ] [--outbase ] [--keyid ]"
- echo " openac"
- echo " pluto"
- echo " scepclient"
- echo " secrets"
- echo " starter"
- echo " version"
- echo " whack"
- echo " stroke"
- echo
- echo "Some of these functions have their own manual pages, e.g. ipsec_scepclient(8)."
- exit 0
- ;;
---versioncode)
- echo "$IPSEC_VERSION"
- exit 0
- ;;
---directory)
- echo "$IPSEC_DIR"
- exit 0
- ;;
---confdir)
- echo "$IPSEC_CONFDIR"
- exit 0
- ;;
-copyright|--copyright)
- set _copyright
- # and fall through, invoking "ipsec _copyright"
- ;;
-down)
- shift
- if [ "$#" -ne 1 ]
- then
- echo "Usage: ipsec down "
- exit 2
- fi
- rc=7
- if [ -e $IPSEC_PLUTO_PID ]
- then
- $IPSEC_WHACK --name "$1" --terminate
- rc="$?"
- fi
- if [ -e $IPSEC_CHARON_PID ]
- then
- $IPSEC_STROKE down "$1"
- rc="$?"
- fi
- exit "$rc"
- ;;
-down-srcip)
- shift
- if [ "$#" -lt 1 ]
- then
- echo "Usage: ipsec down-srcip []"
- exit 2
- fi
- rc=7
- if [ -e $IPSEC_CHARON_PID ]
- then
- $IPSEC_STROKE down-srcip $*
- rc="$?"
- fi
- exit "$rc"
- ;;
-listcards|rereadgroups)
- op="$1"
- shift
- if [ -e $IPSEC_PLUTO_PID ]
- then
- $IPSEC_WHACK "$@" "--$op"
- rc="$?"
- fi
- if [ -e $IPSEC_CHARON_PID ]
- then
- exit 3
- else
- exit 7
- fi
- ;;
-leases)
- op="$1"
- rc=7
- shift
- if [ -e $IPSEC_PLUTO_PID ]
- then
- case "$#" in
- 0) $IPSEC_WHACK "--$op" ;;
- 1) $IPSEC_WHACK "--$op" --name "$1" ;;
- *) $IPSEC_WHACK "--$op" --name "$1" --lease-addr "$2" ;;
- esac
- rc="$?"
- fi
- if [ -e $IPSEC_CHARON_PID ]
- then
- case "$#" in
- 0) $IPSEC_STROKE "$op" ;;
- 1) $IPSEC_STROKE "$op" "$1" ;;
- *) $IPSEC_STROKE "$op" "$1" "$2" ;;
- esac
- rc="$?"
- fi
- exit "$rc"
- ;;
-listalgs|listpubkeys|listplugins|\
-listcerts|listcacerts|listaacerts|\
-listacerts|listgroups|listocspcerts|\
-listcainfos|listcrls|listocsp|listall|\
-rereadsecrets|rereadcacerts|rereadaacerts|\
-rereadacerts|rereadocspcerts|rereadcrls|\
-rereadall|purgeocsp)
- op="$1"
- rc=7
- shift
- if [ -e $IPSEC_PLUTO_PID ]
- then
- $IPSEC_WHACK "$@" "--$op"
- rc="$?"
- fi
- if [ -e $IPSEC_CHARON_PID ]
- then
- $IPSEC_STROKE "$op" "$@"
- rc="$?"
- fi
- exit "$rc"
- ;;
-purgeike|purgecrls|purgecerts)
- rc=7
- if [ -e $IPSEC_CHARON_PID ]
- then
- $IPSEC_STROKE "$1"
- rc="$?"
- fi
- exit "$rc"
- ;;
-ready)
- shift
- if [ -e $IPSEC_PLUTO_PID ]
- then
- $IPSEC_WHACK --listen
- exit 0
- else
- exit 7
- fi
- ;;
-reload)
- rc=7
- if [ -e $IPSEC_STARTER_PID ]
- then
- echo "Reloading strongSwan IPsec configuration..." >&2
- kill -USR1 `cat $IPSEC_STARTER_PID` 2>/dev/null && rc=0
- else
- echo "Reloading strongSwan IPsec failed: starter is not running" >&2
- fi
- exit "$rc"
- ;;
-restart)
- $IPSEC_SBINDIR/ipsec stop
- sleep 2
- shift
- exec $IPSEC_SBINDIR/ipsec start "$@"
- ;;
-route|unroute)
- op="$1"
- rc=7
- shift
- if [ "$#" -ne 1 ]
- then
- echo "Usage: ipsec $op "
- exit 2
- fi
- if [ -e $IPSEC_PLUTO_PID ]
- then
- $IPSEC_WHACK --name "$1" "--$op"
- rc="$?"
- fi
- if [ -e $IPSEC_CHARON_PID ]
- then
- $IPSEC_STROKE "$op" "$1"
- rc="$?"
- fi
- exit "$rc"
- ;;
-scencrypt|scdecrypt)
- op="$1"
- shift
- if [ -e $IPSEC_PLUTO_PID ]
- then
- $IPSEC_WHACK "--$op" "$@"
- exit "$?"
- else
- exit 7
- fi
- ;;
-secrets)
- rc=7
- if [ -e $IPSEC_PLUTO_PID ]
- then
- $IPSEC_WHACK --rereadsecrets
- rc="$?"
- fi
- if [ -e $IPSEC_CHARON_PID ]
- then
- $IPSEC_STROKE rereadsecrets
- rc="$?"
- fi
- exit "$rc"
- ;;
-start)
- shift
- if [ -d /var/lock/subsys ]; then
- touch /var/lock/subsys/ipsec
- fi
- exec $IPSEC_STARTER "$@"
- ;;
-status|statusall)
- op="$1"
- # Return value is slightly different for the status command:
- # 0 - service up and running
- # 1 - service dead, but /var/run/ pid file exists
- # 2 - service dead, but /var/lock/ lock file exists
- # 3 - service not running (unused)
- # 4 - service status unknown :-(
- # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
- shift
- if [ $# -eq 0 ]
- then
- if [ -e $IPSEC_PLUTO_PID ]
- then
- $IPSEC_WHACK "--$op"
- fi
- if [ -e $IPSEC_CHARON_PID ]
- then
- $IPSEC_STROKE "$op"
- fi
- else
- if [ -e $IPSEC_PLUTO_PID ]
- then
- $IPSEC_WHACK --name "$1" "--$op"
- fi
- if [ -e $IPSEC_CHARON_PID ]
- then
- $IPSEC_STROKE "$op" "$1"
- fi
- fi
- if [ -e $IPSEC_STARTER_PID ]
- then
- kill -0 `cat $IPSEC_STARTER_PID` 2>/dev/null
- exit $?
- fi
- exit 3
- ;;
-stop)
- # stopping a not-running service is considered as success
- if [ -e $IPSEC_STARTER_PID ]
- then
- echo "Stopping strongSwan IPsec..." >&2
- spid=`cat $IPSEC_STARTER_PID`
- if [ -n "$spid" ]
- then
- kill $spid 2>/dev/null
- loop=11
- while [ $loop -gt 0 ] ; do
- kill -0 $spid 2>/dev/null || break
- sleep 1
- loop=$(($loop - 1))
- done
- if [ $loop -eq 0 ]
- then
- kill -KILL $spid 2>/dev/null
- rm -f $IPSEC_STARTER_PID
- fi
- fi
- else
- echo "Stopping strongSwan IPsec failed: starter is not running" >&2
- fi
- if [ -d /var/lock/subsys ]; then
- rm -f /var/lock/subsys/ipsec
- fi
- exit 0
- ;;
-up)
- shift
- if [ "$#" -ne 1 ]
- then
- echo "Usage: ipsec up "
- exit 2
- fi
- rc=7
- if [ -e $IPSEC_PLUTO_PID ]
- then
- $IPSEC_WHACK --name "$1" --initiate
- rc="$?"
- fi
- if [ -e $IPSEC_CHARON_PID ]
- then
- $IPSEC_STROKE up "$1"
- rc="$?"
- fi
- exit "$rc"
- ;;
-update)
- if [ -e $IPSEC_STARTER_PID ]
- then
- echo "Updating strongSwan IPsec configuration..." >&2
- kill -HUP `cat $IPSEC_STARTER_PID`
- exit 0
- else
- echo "Updating strongSwan IPsec failed: starter is not running" >&2
- exit 7
- fi
- ;;
-version|--version)
- printf "$OS_NAME $IPSEC_NAME $IPSEC_VERSION\n"
- printf "$IPSEC_DISTRO\n"
- printf "See 'ipsec --copyright' for copyright information.\n"
- exit 0
- ;;
---*)
- echo "$0: unknown option \`$1' (perhaps command name was omitted?)" >&2
- exit 2
- ;;
-esac
-
-cmd="$1"
-shift
-
-path="$IPSEC_DIR/$cmd"
-
-if [ ! -x "$path" ]
-then
- path="$IPSEC_DIR/$cmd"
- if [ ! -x "$path" ]
- then
- echo "$0: unknown IPsec command \`$cmd' (\`ipsec --help' for list)" >&2
- exit 2
- fi
-fi
-
-exec $path "$@"
-- cgit v1.2.3