1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
|
.TH CHARON\-CMD 8 "2013-06-21" "@PACKAGE_VERSION@" "strongSwan"
.SH "NAME"
charon\-cmd \- Simple IKE client (IPsec VPN client)
.SH SYNOPSIS
.B charon\-cmd
.B \-\-host
.I hostname
.B \-\-identity
.I identity
.B [ options ]
.PP
.SH "DESCRIPTION"
.B charon\-cmd
is a program for setting up IPsec VPN connections using the Internet Key
Exchange protocol (IKE) in version 1 and 2. It supports a number of different
road-warrior scenarios.
.PP
Like the IKE daemon
.BR charon ,
.B charon\-cmd
has to be run as
.B root
(or more specifically as a user with
.B CAP_NET_ADMIN
capability).
.PP
Of the following options at least
.I \-\-host
and
.I \-\-identity
are required. Depending on the selected authentication
.I profile
credentials also have to be provided with their respective options.
.PP
Many of the
.BR charon -specific
configuration options in
.I strongswan.conf
also apply to
.BR charon\-cmd .
For instance, to configure customized logging to
.B stdout
the following snippet can be used:
.PP
.EX
charon-cmd {
filelog {
stdout {
default = 1
ike = 2
cfg = 2
}
}
}
.EE
.PP
.SH "OPTIONS"
.TP
.B "\-\-help"
Prints usage information and a short summary of the available options.
.TP
.B "\-\-version"
Prints the strongSwan version.
.TP
.BI "\-\-debug " level
Sets the default log level (defaults to 1).
.I level
is a number between -1 and 4.
Refer to
.I strongswan.conf
for options that allow a more fine-grained configuration of the logging
output.
.TP
.BI "\-\-host " hostname
DNS name or IP address to connect to.
.TP
.BI "\-\-identity " identity
Identity the client uses for the IKE exchange.
.TP
.BI "\-\-eap\-identity " identity
Identity the client uses for EAP authentication.
.TP
.BI "\-\-xauth\-username " username
Username the client uses for XAuth authentication.
.TP
.BI "\-\-remote\-identity " identity
Server identity to expect, defaults to
.IR hostname .
.TP
.BI "\-\-cert " path
Trusted certificate, either for authentication or trust chain validation.
To provide more than one certificate multiple
.B \-\-cert
options can be used.
.TP
.BI "\-\-rsa " path
RSA private key to use for authentication (if a password is required, it will
be requested on demand).
.TP
.BI "\-\-p12 " path
PKCS#12 file with private key and certificates to use for authentication and
trust chain validation (if a password is required it will be requested on
demand).
.TP
.RI "\fB\-\-agent\fR[=" socket ]
Use SSH agent for authentication. If
.I socket
is not specified it is read from the
.B SSH_AUTH_SOCK
environment variable.
.TP
.BI "\-\-local\-ts " subnet
Additional traffic selector to propose for our side, the requested virtual IP
address will always be proposed.
.TP
.BI "\-\-remote\-ts " subnet
Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
.TP
.BI "\-\-ike\-proposal " proposal
IKE proposal to offer instead of default. For IKEv1, a single proposal consists
of one encryption algorithm, an integrity/PRF algorithm and a DH group. IKEv2
can propose multiple algorithms of the same kind. To specify multiple proposals,
repeat the option.
.TP
.BI "\-\-esp\-proposal " proposal
ESP proposal to offer instead of default. For IKEv1, a single proposal consists
of one encryption algorithm, an integrity algorithm and an optional DH group for
Perfect Forward Secrecy rekeying. IKEv2 can propose multiple algorithms of the
same kind. To specify multiple proposals, repeat the option.
.TP
.BI "\-\-ah\-proposal " proposal
AH proposal to offer instead of ESP. For IKEv1, a single proposal consists
of an integrity algorithm and an optional DH group for Perfect Forward Secrecy
rekeying. IKEv2 can propose multiple algorithms of the same kind. To specify
multiple proposals, repeat the option.
.TP
.BI "\-\-profile " name
Authentication profile to use, the list of supported profiles can be found
in the
.B Authentication Profiles
sections below. Defaults to
.B ikev2\-pub
if a private key was supplied, and to
.B ikev2\-eap
otherwise.
.PP
.SS "IKEv2 Authentication Profiles"
.TP
.B "ikev2\-pub"
IKEv2 with public key client and server authentication
.TP
.B "ikev2\-eap"
IKEv2 with EAP client authentication and public key server authentication
.TP
.B "ikev2\-pub\-eap"
IKEv2 with public key and EAP client authentication (RFC 4739) and public key
server authentication
.PP
.SS "IKEv1 Authentication Profiles"
The following authentication profiles use either Main Mode or Aggressive Mode,
the latter is denoted with a \fB\-am\fR suffix.
.TP
.BR "ikev1\-pub" ", " "ikev1\-pub\-am"
IKEv1 with public key client and server authentication
.TP
.BR "ikev1\-xauth" ", " "ikev1\-xauth\-am"
IKEv1 with public key client and server authentication, followed by client XAuth
authentication
.TP
.BR "ikev1\-xauth\-psk" ", " "ikev1\-xauth\-psk\-am"
IKEv1 with pre-shared key (PSK) client and server authentication, followed by
client XAuth authentication (INSECURE!)
.TP
.BR "ikev1\-hybrid" ", " "ikev1\-hybrid\-am"
IKEv1 with public key server authentication only, followed by client XAuth
authentication
.PP
.SH "SEE ALSO"
\fBstrongswan.conf\fR(5), \fBipsec\fR(8)
|