File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / charon-cmd / charon-cmd.8.in
Revision 1.1.1.1 (vendor branch)
Wed Jun 3 09:46:45 2020 UTC (4 years, 4 months ago) by misho
Branches: strongswan, MAIN
CVS tags: v5_9_2p0, v5_8_4p7, HEAD
Strongswan

.TH CHARON\-CMD 8 "2013-06-21" "@PACKAGE_VERSION@" "strongSwan"
.SH "NAME"
charon\-cmd \- Simple IKE client (IPsec VPN client)
.SH SYNOPSIS
.B charon\-cmd
.B \-\-host
.I hostname
.B \-\-identity
.I identity
.B [ options ]
.PP
.SH "DESCRIPTION"
.B charon\-cmd
is a program for setting up IPsec VPN connections using the Internet Key
Exchange protocol (IKE) in version 1 and 2.  It supports a number of different
road-warrior scenarios.
.PP
Like the IKE daemon
.BR charon ,
.B charon\-cmd
has to be run as
.B root
(or more specifically as a user with
.B CAP_NET_ADMIN
capability).
.PP
Of the following options at least
.I \-\-host
and
.I \-\-identity
are required. Depending on the selected authentication
.I profile
credentials also have to be provided with their respective options.
.PP
Many of the
.BR charon -specific
configuration options in
.I strongswan.conf
also apply to
.BR charon\-cmd .
For instance, to configure customized logging to
.B stdout
the following snippet can be used:
.PP
.EX
	charon-cmd {
		filelog {
			stdout {
				default = 1
				ike = 2
				cfg = 2
			}
		}
	}
.EE
.PP
.SH "OPTIONS"
.TP
.B "\-\-help"
Prints usage information and a short summary of the available options.
.TP
.B "\-\-version"
Prints the strongSwan version.
.TP
.BI "\-\-debug " level
Sets the default log level (defaults to 1).
.I level
is a number between -1 and 4.
Refer to
.I strongswan.conf
for options that allow a more fine-grained configuration of the logging
output.
.TP
.BI "\-\-host " hostname
DNS name or IP address to connect to.
.TP
.BI "\-\-identity " identity
Identity the client uses for the IKE exchange.
.TP
.BI "\-\-eap\-identity " identity
Identity the client uses for EAP authentication.
.TP
.BI "\-\-xauth\-username " username
Username the client uses for XAuth authentication.
.TP
.BI "\-\-remote\-identity " identity
Server identity to expect, defaults to
.IR hostname .
.TP
.BI "\-\-cert " path
Trusted certificate, either for authentication or trust chain validation.
To provide more than one certificate multiple
.B \-\-cert
options can be used.
.TP
.BI "\-\-rsa " path
RSA private key to use for authentication (if a password is required, it will
be requested on demand).
.TP
.BI "\-\-p12 " path
PKCS#12 file with private key and certificates to use for authentication and
trust chain validation (if a password is required it will be requested on
demand).
.TP
.RI "\fB\-\-agent\fR[=" socket ]
Use SSH agent for authentication. If
.I socket
is not specified it is read from the
.B SSH_AUTH_SOCK
environment variable.
.TP
.BI "\-\-local\-ts " subnet
Additional traffic selector to propose for our side, the requested virtual IP
address will always be proposed.
.TP
.BI "\-\-remote\-ts " subnet
Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
.TP
.BI "\-\-ike\-proposal " proposal
IKE proposal to offer instead of default. For IKEv1, a single proposal consists
of one encryption algorithm, an integrity/PRF algorithm and a DH group. IKEv2
can propose multiple algorithms of the same kind. To specify multiple proposals,
repeat the option.
.TP
.BI "\-\-esp\-proposal " proposal
ESP proposal to offer instead of default. For IKEv1, a single proposal consists
of one encryption algorithm, an integrity algorithm and an optional DH group for
Perfect Forward Secrecy rekeying. IKEv2 can propose multiple algorithms of the
same kind. To specify multiple proposals, repeat the option.
.TP
.BI "\-\-ah\-proposal " proposal
AH proposal to offer instead of ESP. For IKEv1, a single proposal consists
of an integrity algorithm and an optional DH group for Perfect Forward Secrecy
rekeying. IKEv2 can propose multiple algorithms of the same kind. To specify
multiple proposals, repeat the option.
.TP
.BI "\-\-profile " name
Authentication profile to use, the list of supported profiles can be found
in the
.B Authentication Profiles
sections below. Defaults to
.B ikev2\-pub
if a private key was supplied, and to
.B ikev2\-eap
otherwise.
.PP
.SS "IKEv2 Authentication Profiles"
.TP
.B "ikev2\-pub"
IKEv2 with public key client and server authentication
.TP
.B "ikev2\-eap"
IKEv2 with EAP client authentication and public key server authentication
.TP
.B "ikev2\-pub\-eap"
IKEv2 with public key and EAP client authentication (RFC 4739) and public key
server authentication
.PP
.SS "IKEv1 Authentication Profiles"
The following authentication profiles use either Main Mode or Aggressive Mode,
the latter is denoted with a \fB\-am\fR suffix.
.TP
.BR "ikev1\-pub" ", " "ikev1\-pub\-am"
IKEv1 with public key client and server authentication
.TP
.BR "ikev1\-xauth" ", " "ikev1\-xauth\-am"
IKEv1 with public key client and server authentication, followed by client XAuth
authentication
.TP
.BR "ikev1\-xauth\-psk" ", " "ikev1\-xauth\-psk\-am"
IKEv1 with pre-shared key (PSK) client and server authentication, followed by
client XAuth authentication (INSECURE!)
.TP
.BR "ikev1\-hybrid" ", " "ikev1\-hybrid\-am"
IKEv1 with public key server authentication only, followed by client XAuth
authentication
.PP
.SH "SEE ALSO"
\fBstrongswan.conf\fR(5), \fBipsec\fR(8)
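
An added example, not part of the strongSwan sources: a POSIX shell helper that assembles a charon-cmd command line from the options documented above, applies the documented default for --profile, and refuses the two PSK profiles the page marks INSECURE. The host, identity, file paths and the CHARON_RUN switch are constructed for illustration.

```shell
#!/bin/sh
# Added example, not strongSwan code. Host, identity and paths are constructed.

# check_profile NAME: 0 = allowed, 1 = marked INSECURE in the man page, 2 = unknown
check_profile() {
    case "$1" in
        ikev1-xauth-psk|ikev1-xauth-psk-am) return 1 ;;
        ikev2-pub|ikev2-eap|ikev2-pub-eap) return 0 ;;
        ikev1-pub|ikev1-xauth|ikev1-hybrid) return 0 ;;
        ikev1-pub-am|ikev1-xauth-am|ikev1-hybrid-am) return 0 ;;
        *) return 2 ;;
    esac
}

# build_cmd HOST IDENTITY PROFILE RSA_KEY CERT  (empty string = not given)
# Prints the command line; runs it only if CHARON_RUN=1 (hypothetical switch).
build_cmd() {
    host=$1 id=$2 profile=$3 key=$4 cert=$5
    if [ -z "$host" ] || [ -z "$id" ]; then
        echo "--host and --identity are required" >&2
        return 2
    fi
    # Documented default: ikev2-pub with a private key, ikev2-eap otherwise.
    if [ -z "$profile" ]; then
        if [ -n "$key" ]; then profile=ikev2-pub; else profile=ikev2-eap; fi
    fi
    if ! check_profile "$profile"; then
        echo "refusing profile '$profile'" >&2
        return 1
    fi
    set -- charon-cmd --host "$host" --identity "$id" --profile "$profile"
    if [ -n "$cert" ]; then set -- "$@" --cert "$cert"; fi
    if [ -n "$key" ]; then set -- "$@" --rsa "$key"; fi
    printf '%s\n' "$*"    # display only; arguments are not re-quoted
    if [ "${CHARON_RUN:-0}" = 1 ]; then "$@"; fi
}

# Demo with constructed values (dry run).
build_cmd vpn.example.org alice@example.org "" /etc/vpn/alice.key /etc/vpn/ca.crt
build_cmd vpn.example.org alice@example.org ikev1-xauth-psk "" "" || echo "rejected"
```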
