Annotation of embedaddon/strongswan/src/ipsec/_ipsec.8, revision 1.1

1.1     ! misho       1: .TH IPSEC 8 "2013-10-29" "5.7.2dr1" "strongSwan"
        !             2: .
        !             3: .SH NAME
        !             4: .
        !             5: ipsec \- invoke IPsec utilities
        !             6: .
        !             7: .SH SYNOPSIS
        !             8: .
        !             9: .SY ipsec
        !            10: .I command
        !            11: .RI [ arguments ]
        !            12: .RI [ options ]
        !            13: .YS
        !            14: .
        !            15: .SH DESCRIPTION
        !            16: .
        !            17: The
        !            18: .B ipsec
        !            19: utility invokes any of several utilities involved in controlling and monitoring
        !            20: the IPsec encryption/authentication system, running the specified \fIcommand\fP
        !            21: with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
        !            22: directly. This largely eliminates possible name collisions with other software,
        !            23: and also permits some centralized services.
        !            24: .P
        !            25: All the commands described in this manual page are built-in and are used to
        !            26: control and monitor IPsec connections as well as the IKE daemon.
        !            27: .P
        !            28: For other commands
        !            29: .I ipsec
        !            30: supplies the invoked
        !            31: .I command
        !            32: with a suitable PATH environment variable,
        !            33: and also provides the environment variables listed under
        !            34: .IR ENVIRONMENT .
        !            35: .
        !            36: .SS CONTROL COMMANDS
        !            37: .
        !            38: .TP
        !            39: .BI "start [" "starter options" ]
        !            40: calls
        !            41: .B "starter"
        !            42: which in turn parses \fIipsec.conf\fR and starts the IKE daemon \fIcharon\fR.
        !            43: .
        !            44: .TP
        !            45: .B "update"
        !            46: sends a \fIHUP\fR signal to
        !            47: .BR "starter"
        !            48: which in turn determines any changes in \fIipsec.conf\fR
        !            49: and updates the configuration on the running IKE daemon \fIcharon\fR.
        !            50: .
        !            51: .TP
        !            52: .B "reload"
        !            53: sends a \fIUSR1\fR signal to
        !            54: .BR "starter"
        !            55: which in turn reloads the whole configuration of the running IKE daemon
        !            56: \fIcharon\fR based on the actual \fIipsec.conf\fR.
        !            57: .
        !            58: .TP
        !            59: .B "restart"
        !            60: is equivalent to
        !            61: .B "stop"
        !            62: followed by
        !            63: .B "start"
        !            64: after a guard of 2 seconds.
        !            65: .
        !            66: .TP
        !            67: .B "stop"
        !            68: terminates all IPsec connections and stops the IKE daemon \fIcharon\fR
        !            69: by sending a \fITERM\fR signal to
        !            70: .BR starter .
        !            71: .
        !            72: .TP
        !            73: .BI "up " name
        !            74: tells the IKE daemon to start up connection \fIname\fP.
        !            75: .
        !            76: .TP
        !            77: .BI "down " name
        !            78: tells the IKE daemon to terminate connection \fIname\fP.
        !            79: .
        !            80: .TP
        !            81: .BI "down " name{n}
        !            82: terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance \fIn\fP of
        !            83: connection \fIname\fP.
        !            84: .
        !            85: .TP
        !            86: .BI "down " name{*}
        !            87: terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of connection
        !            88: \fIname\fP.
        !            89: .
        !            90: .TP
        !            91: .BI "down " name[n]
        !            92: terminates IKE SA instance \fIn\fP of connection \fIname\fP.
        !            93: .
        !            94: .TP
        !            95: .BI "down " name[*]
        !            96: terminates all IKE SA instances of connection \fIname\fP.
        !            97: .
        !            98: .TP
        !            99: .BI "down-srcip <" start "> [<" end ">]"
        !           100: terminates all IKE SA instances with clients having virtual IPs in the range
        !           101: .IR start - end .
        !           102: .
        !           103: .TP
        !           104: .BI "route " name
        !           105: tells the IKE daemon to insert an IPsec policy in the kernel
        !           106: for connection \fIname\fP. The first payload packet matching the IPsec policy
        !           107: will automatically trigger an IKE connection setup.
        !           108: .
        !           109: .TP
        !           110: .BI "unroute " name
        !           111: removes the IPsec policy in the kernel for connection \fIname\fP.
        !           112: .
        !           113: .TP
        !           114: .BI "status [" name ]
        !           115: returns concise status information either on connection
        !           116: \fIname\fP or if the argument is lacking, on all connections.
        !           117: .
        !           118: .TP
        !           119: .BI "statusall [" name ]
        !           120: returns detailed status information either on connection
        !           121: \fIname\fP or if the argument is lacking, on all connections.
        !           122: .
        !           123: .SS LIST COMMANDS
        !           124: .
        !           125: .TP
        !           126: .BI "leases [<" poolname "> [<" address ">]]"
        !           127: returns the status of all or the selected IP address pool (or even a single
        !           128: virtual IP address).
        !           129: .
        !           130: .TP
        !           131: .B "listalgs"
        !           132: returns a list of supported cryptographic algorithms usable for IKE, and their
        !           133: corresponding plugin.
        !           134: .
        !           135: .TP
        !           136: .BI "listpubkeys [" --utc ]
        !           137: returns a list of RSA public keys that were either loaded in raw key format
        !           138: or extracted from X.509 and/or OpenPGP certificates.
        !           139: .
        !           140: .TP
        !           141: .BI "listcerts [" --utc ]
        !           142: returns a list of X.509 and/or OpenPGP certificates that were either loaded
        !           143: locally by the IKE daemon or received via the IKE protocol.
        !           144: .
        !           145: .TP
        !           146: .BI "listcacerts [" --utc ]
        !           147: returns a list of X.509 Certification Authority (CA) certificates that were
        !           148: loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
        !           149: directory or received via the IKE protocol.
        !           150: .
        !           151: .TP
        !           152: .BI "listaacerts [" --utc ]
        !           153: returns a list of X.509 Authorization Authority (AA) certificates that were
        !           154: loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
        !           155: directory.
        !           156: .
        !           157: .TP
        !           158: .BI "listocspcerts [" --utc ]
        !           159: returns a list of X.509 OCSP Signer certificates that were either loaded
        !           160: locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
        !           161: directory or were sent by an OCSP server.
        !           162: .
        !           163: .TP
        !           164: .BI "listacerts [" --utc ]
        !           165: returns a list of X.509 Attribute certificates that were loaded locally by
        !           166: the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
        !           167: .
        !           168: .TP
        !           169: .BI "listgroups [" --utc ]
        !           170: returns a list of groups that are used to define user authorization profiles.
        !           171: .
        !           172: .TP
        !           173: .BI "listcainfos [" --utc ]
        !           174: returns certification authority information (CRL distribution points, OCSP URIs,
        !           175: LDAP servers) that was defined by
        !           176: .BR ca
        !           177: sections in \fIipsec.conf\fP.
        !           178: .
        !           179: .TP
        !           180: .BI "listcrls [" --utc ]
        !           181: returns a list of Certificate Revocation Lists (CRLs) that were either loaded
        !           182: by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
        !           183: an HTTP- or LDAP-based CRL distribution point.
        !           184: .
        !           185: .TP
        !           186: .BI "listocsp [" --utc ]
        !           187: returns revocation information fetched from OCSP servers.
        !           188: .
        !           189: .TP
        !           190: .BI "listplugins"
        !           191: returns a list of all loaded plugin features.
        !           192: .
        !           193: .TP
        !           194: .BI "listcounters [" name ]
        !           195: returns a list of global or connection specific IKE counter values
        !           196: collected since daemon startup.
        !           197: .
        !           198: .TP
        !           199: .BI "listall [" --utc ]
        !           200: returns all information generated by the list commands above. Each list command
        !           201: can be called with the
        !           202: \fB\-\-utc\fP
        !           203: option which displays all dates in UTC instead of local time.
        !           204: .
        !           205: .SS REREAD COMMANDS
        !           206: .
        !           207: .TP
        !           208: .B "rereadsecrets"
        !           209: flushes and rereads all secrets defined in \fIipsec.secrets\fP.
        !           210: .
        !           211: .TP
        !           212: .B "rereadcacerts"
        !           213: removes previously loaded CA certificates, reads all certificate files
        !           214: contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
        !           215: of Certification Authority (CA) certificates. This does not affect certificates
        !           216: explicitly defined in a
        !           217: .BR ipsec.conf (5)
        !           218: ca section, which may be separately updated using the \fBupdate\fP command.
        !           219: .
        !           220: .TP
        !           221: .B "rereadaacerts"
        !           222: removes previously loaded AA certificates, reads all certificate files
        !           223: contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
        !           224: of Authorization Authority (AA) certificates.
        !           225: .
        !           226: .TP
        !           227: .B "rereadocspcerts"
        !           228: reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
        !           229: directory and adds them to the list of OCSP signer certificates.
        !           230: .
        !           231: .TP
        !           232: .B "rereadacerts"
        !           233: reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP
        !           234: directory and adds them to the list of attribute certificates.
        !           235: .
        !           236: .TP
        !           237: .B "rereadcrls"
        !           238: reads all Certificate Revocation Lists (CRLs) contained in the
        !           239: \fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
        !           240: .
        !           241: .TP
        !           242: .B "rereadall"
        !           243: executes all reread commands listed above.
        !           244: .
        !           245: .SS RESET COMMANDS
        !           246: .
        !           247: .TP
        !           248: .BI "resetcounters [" name ]
        !           249: resets global or connection specific counters.
        !           250: .
        !           251: .SS PURGE COMMANDS
        !           252: .
        !           253: .TP
        !           254: .B "purgecerts"
        !           255: purges all cached certificates.
        !           256: .
        !           257: .TP
        !           258: .B "purgecrls"
        !           259: purges all cached CRLs.
        !           260: .
        !           261: .TP
        !           262: .B "purgeike"
        !           263: purges IKE SAs that don't have a Quick Mode or CHILD SA.
        !           264: .
        !           265: .TP
        !           266: .B "purgeocsp"
        !           267: purges all cached OCSP information records.
        !           268: .
        !           269: .SS INFO COMMANDS
        !           270: .
        !           271: .TP
        !           272: .B "\-\-help"
        !           273: returns the usage information for the
        !           274: .B ipsec
        !           275: command.
        !           276: .
        !           277: .TP
        !           278: .B "\-\-version"
        !           279: returns the version in the form of
        !           280: .B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>
        !           281: if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
        !           282: running on.
        !           283: .
        !           284: .TP
        !           285: .B "\-\-versioncode"
        !           286: returns the version number in the form of
        !           287: .B U<strongSwan userland version>/K<Linux kernel version>
        !           288: if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
        !           289: running on.
        !           290: .
        !           291: .TP
        !           292: .B "\-\-copyright"
        !           293: returns the copyright information.
        !           294: .
        !           295: .TP
        !           296: .B "\-\-directory"
        !           297: returns the \fILIBEXECDIR\fP directory as defined by the configure options.
        !           298: .
        !           299: .TP
        !           300: .B "\-\-confdir"
        !           301: returns the \fISYSCONFDIR\fP directory as defined by the configure options.
        !           302: .
        !           303: .TP
        !           304: .B "\-\-piddir"
        !           305: returns the \fIPIDDIR\fP directory as defined by the configure options.
        !           306: .
        !           307: .SH FILES
        !           308: .
        !           309: /usr/libexec/ipsec             utilities directory
        !           310: .
        !           311: .SH ENVIRONMENT
        !           312: .
        !           313: When calling other commands the
        !           314: .B ipsec
        !           315: command supplies the following environment variables.
        !           316: .nf
        !           317: .na
        !           318: 
        !           319: IPSEC_DIR               directory containing ipsec programs and utilities
        !           320: IPSEC_BINDIR            directory containing \fBpki\fP command
        !           321: IPSEC_SBINDIR           directory containing \fBipsec\fP command
        !           322: IPSEC_CONFDIR           directory containing configuration files
        !           323: IPSEC_PIDDIR            directory containing PID/socket files
        !           324: IPSEC_SCRIPT            name of the ipsec script
        !           325: IPSEC_NAME              name of ipsec distribution
        !           326: IPSEC_VERSION           version number of ipsec userland and kernel
        !           327: IPSEC_STARTER_PID       PID file for ipsec starter
        !           328: IPSEC_CHARON_PID        PID file for IKE keying daemon
        !           329: .ad
        !           330: .fi
        !           331: .
        !           332: .SH SEE ALSO
        !           333: .
        !           334: .BR ipsec.conf (5),
        !           335: .BR ipsec.secrets (5)
        !           336: .
        !           337: .SH HISTORY
        !           338: Originally written for the FreeS/WAN project by Henry Spencer.
        !           339: Updated and extended for the strongSwan project <http://www.strongswan.org> by
        !           340: Tobias Brunner and Andreas Steffen.
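
The five target forms of the `down` command documented under CONTROL COMMANDS differ in how much they tear down, so a restricted operator wrapper or an audit hook needs to tell them apart before passing the argument on. The following is an added example, not part of the man page or of strongSwan: the function name, the sample connection names and the allowed character set for names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not strongSwan code): classify the argument of "ipsec down"
# using the five forms listed in the man page above.
#   name     -> connection <name>
#   name{n}  -> child-sa <name> <n>     name{*} -> child-sa-all <name>
#   name[n]  -> ike-sa <name> <n>       name[*] -> ike-sa-all <name>
# Prints "invalid" and returns 1 for anything else.
# Assumption: names are limited to [A-Za-z0-9._-]; this is a wrapper policy,
# not a rule taken from strongSwan.
classify_down_target() {
    arg=$1 inst=
    case $arg in
        *'{*}')   kind=child-sa-all; name=${arg%'{*}'} ;;
        *'[*]')   kind=ike-sa-all;   name=${arg%'[*]'} ;;
        *'{'*'}') kind=child-sa; name=${arg%%'{'*}
                  inst=${arg#*'{'}; inst=${inst%'}'} ;;
        *'['*']') kind=ike-sa; name=${arg%%'['*}
                  inst=${arg#*'['}; inst=${inst%']'} ;;
        *)        kind=connection; name=$arg ;;
    esac
    # Reject empty names and anything outside the assumed character set.
    case $name in
        ''|*[!A-Za-z0-9._-]*) echo invalid; return 1 ;;
    esac
    case $kind in
        child-sa|ike-sa)
            # Instance numbers must be plain decimal digits.
            case $inst in
                ''|*[!0-9]*) echo invalid; return 1 ;;
            esac
            echo "$kind $name $inst" ;;
        *)  echo "$kind $name" ;;
    esac
}

# Constructed sample arguments; "rw" and "net-net" are made-up connection names.
for target in 'net-net' 'rw{3}' 'rw{*}' 'rw[12]' 'rw[*]' 'rw{x}' 'rw;id'; do
    printf '%-10s -> %s\n' "$target" "$(classify_down_target "$target")"
done
```

A wrapper can branch on the first word of the result, for example to permit `child-sa` teardown while requiring extra approval for `ike-sa-all`.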
