summaryrefslogtreecommitdiff
path: root/src/ipsec/_ipsec.8
blob: 1ae6375c8b28e9125c86fabd60e48608ffa20715 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
.TH IPSEC 8 "2013-10-29" "5.5.2dr4" "strongSwan"
.
.SH NAME
.
ipsec \- invoke IPsec utilities
.
.SH SYNOPSIS
.
.SY ipsec
.I command
.RI [ arguments ]
.RI [ options ]
.YS
.
.SH DESCRIPTION
.
The
.B ipsec
utility invokes any of several utilities involved in controlling and monitoring
the IPsec encryption/authentication system, running the specified \fIcommand\fP
with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
directly. This largely eliminates possible name collisions with other software,
and also permits some centralized services.
.P
All the commands described in this manual page are built-in and are used to
control and monitor IPsec connections as well as the IKE daemon.
.P
For other commands
.I ipsec
supplies the invoked
.I command
with a suitable PATH environment variable,
and also provides the environment variables listed under
.IR ENVIRONMENT .
.
.SS CONTROL COMMANDS
.
.TP
.BI "start [" "starter options" ]
calls
.B "starter"
which in turn parses \fIipsec.conf\fR and starts the IKE daemon \fIcharon\fR.
.
.TP
.B "update"
sends a \fIHUP\fR signal to
.BR "starter"
which in turn determines any changes in \fIipsec.conf\fR
and updates the configuration on the running IKE daemon \fIcharon\fR.
.
.TP
.B "reload"
sends a \fIUSR1\fR signal to
.BR "starter"
which in turn reloads the whole configuration of the running IKE daemon
\fIcharon\fR based on the actual \fIipsec.conf\fR.
.
.TP
.B "restart"
is equivalent to
.B "stop"
followed by
.B "start"
after a guard of 2 seconds.
.
.TP
.B "stop"
terminates all IPsec connections and stops the IKE daemon \fIcharon\fR
by sending a \fITERM\fR signal to
.BR "starter".
.
.TP
.BI "up " name
tells the IKE daemon to start up connection \fIname\fP.
.
.TP
.BI "down " name
tells the IKE daemon to terminate connection \fIname\fP.
.
.TP
.BI "down " name{n}
terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance \fIn\fP of
connection \fIname\fP.
.
.TP
.BI "down " name{*}
terminates all IKEv1 Quick Mode and  IKEv2 CHILD SA instances of connection
\fIname\fP.
.
.TP
.BI "down " name[n]
terminates IKE SA instance \fIn\fP of connection \fIname\fP.
.
.TP
.BI "down " name[*]
terminates all IKE SA instances of connection \fIname\fP.
.
.TP
.BI "down-srcip <" start "> [<" end ">]"
terminates all IKE SA instances with clients having virtual IPs in the range
.IR start - end .
.
.TP
.BI "route " name
tells the IKE daemon to insert an IPsec policy in the kernel
for connection \fIname\fP. The first payload packet matching the IPsec policy
will automatically trigger an IKE connection setup.
.
.TP
.BI "unroute " name
remove the IPsec policy in the kernel for connection \fIname\fP.
.
.TP
.BI "status [" name ]
returns concise status information either on connection
\fIname\fP or if the argument is lacking, on all connections.
.
.TP
.BI "statusall [" name ]
returns detailed status information either on connection
\fIname\fP or if the argument is lacking, on all connections.
.
.SS LIST COMMANDS
.
.TP
.BI "leases [<" poolname "> [<" address ">]]"
returns the status of all or the selected IP address pool (or even a single
virtual IP address).
.
.TP
.B "listalgs"
returns a list supported cryptographic algorithms usable for IKE, and their
corresponding plugin.
.
.TP
.BI "listpubkeys [" --utc ]
returns a list of RSA public keys that were either loaded in raw key format
or extracted from X.509 and|or OpenPGP certificates.
.
.TP
.BI "listcerts [" --utc ]
returns a list of X.509 and|or OpenPGP certificates that were either loaded
locally by the IKE daemon or received via the IKE protocol.
.
.TP
.BI "listcacerts [" --utc ]
returns a list of X.509 Certification Authority (CA) certificates that were
loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
directory or received via the IKE protocol.
.
.TP
.BI "listaacerts [" --utc ]
returns a list of X.509 Authorization Authority (AA) certificates that were
loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
directory.
.
.TP
.BI "listocspcerts [" --utc ]
returns a list of X.509 OCSP Signer certificates that were either loaded
locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
directory or were sent by an OCSP server.
.
.TP
.BI "listacerts [" --utc ]
returns a list of X.509 Attribute certificates that were loaded locally by
the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
.
.TP
.BI "listgroups [" --utc ]
returns a list of groups that are used to define user authorization profiles.
.
.TP
.BI "listcainfos [" --utc ]
returns certification authority information (CRL distribution points, OCSP URIs,
LDAP servers) that were defined by
.BR ca
sections in \fIipsec.conf\fP.
.
.TP
.BI "listcrls [" --utc ]
returns a list of Certificate Revocation Lists (CRLs) that were either loaded
by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
an HTTP- or LDAP-based CRL distribution point.
.
.TP
.BI "listocsp [" --utc ]
returns revocation information fetched from OCSP servers.
.
.TP
.BI "listplugins"
returns a list of all loaded plugin features.
.
.TP
.BI "listcounters [" name ]
returns a list of global or connection specific IKE counter values
collected since daemon startup.
.
.TP
.BI "listall [" --utc ]
returns all information generated by the list commands above. Each list command
can be called with the
\fB\-\-utc\fP
option which displays all dates in UTC instead of local time.
.
.SS REREAD COMMANDS
.
.TP
.B "rereadsecrets"
flushes and rereads all secrets defined in \fIipsec.secrets\fP.
.
.TP
.B "rereadcacerts"
removes previously loaded CA certificates, reads all certificate files
contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
of Certification Authority (CA) certificates. This does not affect certificates
explicitly defined in a
.BR ipsec.conf (5)
ca section, which may be separately updated using the \fBupdate\fP command.
.
.TP
.B "rereadaacerts"
removes previously loaded AA certificates, reads all certificate files
contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
of Authorization Authority (AA) certificates.
.
.TP
.B "rereadocspcerts"
reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
directory and adds them to the list of OCSP signer certificates.
.
.TP
.B "rereadacerts"
reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
directory and adds them to the list of attribute certificates.
.
.TP
.B "rereadcrls"
reads  all Certificate  Revocation Lists (CRLs) contained in the
\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
.
.TP
.B "rereadall"
executes all reread commands listed above.
.
.SS RESET COMMANDS
.
.TP
.BI "resetcounters [" name ]
resets global or connection specific counters.
.
.SS PURGE COMMANDS
.
.TP
.B "purgecerts"
purges all cached certificates.
.
.TP
.B "purgecrls"
purges all cached CRLs.
.
.TP
.B "purgeike"
purges IKE SAs that don't have a Quick Mode or CHILD SA.
.
.TP
.B "purgeocsp"
purges all cached OCSP information records.
.
.SS INFO COMMANDS
.
.TP
.B "\-\-help"
returns the usage information for the
.B ipsec
command.
.
.TP
.B "\-\-version"
returns the version in the form of
.B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
running on.
.
.TP
.B "\-\-versioncode"
returns the version number in the form of
.B U<strongSwan userland version>/K<Linux kernel version>
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
running on.
.
.TP
.B "\-\-copyright"
returns the copyright information.
.
.TP
.B "\-\-directory"
returns the \fILIBEXECDIR\fP directory as defined by the configure options.
.
.TP
.B "\-\-confdir"
returns the \fISYSCONFDIR\fP directory as defined by the configure options.
.
.TP
.B "\-\-piddir"
returns the \fIPIDDIR\fP directory as defined by the configure options.
.
.SH FILES
.
/usr/libexec/ipsec		utilities directory
.
.SH ENVIRONMENT
.
When calling other commands the
.B ipsec
command supplies the following environment variables.
.nf
.na

IPSEC_DIR               directory containing ipsec programs and utilities
IPSEC_BINDIR            directory containing \fBpki\fP command
IPSEC_SBINDIR           directory containing \fBipsec\fP command
IPSEC_CONFDIR           directory containing configuration files
IPSEC_PIDDIR            directory containing PID/socket files
IPSEC_SCRIPT            name of the ipsec script
IPSEC_NAME              name of ipsec distribution
IPSEC_VERSION           version numer of ipsec userland and kernel
IPSEC_STARTER_PID       PID file for ipsec starter
IPSEC_CHARON_PID        PID file for IKE keying daemon
.ad
.fi
.
.SH SEE ALSO
.
.BR ipsec.conf (5),
.BR ipsec.secrets (5)
.
.SH HISTORY
Originally written for the FreeS/WAN project by Henry Spencer.
Updated and extended for the strongSwan project <http://www.strongswan.org> by
Tobias Brunner and Andreas Steffen.