File: [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / ipsec / _ipsec.8
Revision 1.1.1.1 (vendor branch)
Wed Jun 3 09:46:45 2020 UTC by misho
Branches: strongswan, MAIN
CVS tags: v5_9_2p0, v5_8_4p7, HEAD
Strongswan

.TH IPSEC 8 "2013-10-29" "5.7.2dr1" "strongSwan"
.
.SH NAME
.
ipsec \- invoke IPsec utilities
.
.SH SYNOPSIS
.
.SY ipsec
.I command
.RI [ arguments ]
.RI [ options ]
.YS
.
.SH DESCRIPTION
.
The
.B ipsec
utility invokes any of several utilities involved in controlling and monitoring
the IPsec encryption/authentication system, running the specified \fIcommand\fP
with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
directly. This largely eliminates possible name collisions with other software,
and also permits some centralized services.
.P
All the commands described in this manual page are built-in and are used to
control and monitor IPsec connections as well as the IKE daemon.
.P
For other commands
.I ipsec
supplies the invoked
.I command
with a suitable PATH environment variable,
and also provides the environment variables listed under
.IR ENVIRONMENT .
.
.SS CONTROL COMMANDS
.
.TP
.BI "start [" "starter options" ]
calls
.B "starter"
which in turn parses \fIipsec.conf\fR and starts the IKE daemon \fIcharon\fR.
.
.TP
.B "update"
sends a \fIHUP\fR signal to
.BR "starter"
which in turn determines any changes in \fIipsec.conf\fR
and updates the configuration on the running IKE daemon \fIcharon\fR.
.
.TP
.B "reload"
sends a \fIUSR1\fR signal to
.BR "starter"
which in turn reloads the whole configuration of the running IKE daemon
\fIcharon\fR based on the actual \fIipsec.conf\fR.
.
.TP
.B "restart"
is equivalent to
.B "stop"
followed by
.B "start"
after a guard of 2 seconds.
.
.TP
.B "stop"
terminates all IPsec connections and stops the IKE daemon \fIcharon\fR
by sending a \fITERM\fR signal to
.BR starter .
.
.TP
.BI "up " name
tells the IKE daemon to start up connection \fIname\fP.
.
.TP
.BI "down " name
tells the IKE daemon to terminate connection \fIname\fP.
.
.TP
.BI "down " name{n}
terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance \fIn\fP of
connection \fIname\fP.
.
.TP
.BI "down " name{*}
terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of connection
\fIname\fP.
.
.TP
.BI "down " name[n]
terminates IKE SA instance \fIn\fP of connection \fIname\fP.
.
.TP
.BI "down " name[*]
terminates all IKE SA instances of connection \fIname\fP.
.
.TP
.BI "down-srcip <" start "> [<" end ">]"
terminates all IKE SA instances with clients having virtual IPs in the range
.IR start - end .
.
.TP
.BI "route " name
tells the IKE daemon to insert an IPsec policy in the kernel
for connection \fIname\fP. The first payload packet matching the IPsec policy
will automatically trigger an IKE connection setup.
.
.TP
.BI "unroute " name
removes the IPsec policy in the kernel for connection \fIname\fP.
.
.TP
.BI "status [" name ]
returns concise status information either on connection
\fIname\fP or, if the argument is lacking, on all connections.
.
.TP
.BI "statusall [" name ]
returns detailed status information either on connection
\fIname\fP or, if the argument is lacking, on all connections.
.
.SS LIST COMMANDS
.
.TP
.BI "leases [<" poolname "> [<" address ">]]"
returns the status of all or the selected IP address pool (or even a single
virtual IP address).
.
.TP
.B "listalgs"
returns a list of supported cryptographic algorithms usable for IKE, and their
corresponding plugins.
.
.TP
.BI "listpubkeys [" --utc ]
returns a list of RSA public keys that were either loaded in raw key format
or extracted from X.509 and/or OpenPGP certificates.
.
.TP
.BI "listcerts [" --utc ]
returns a list of X.509 and/or OpenPGP certificates that were either loaded
locally by the IKE daemon or received via the IKE protocol.
.
.TP
.BI "listcacerts [" --utc ]
returns a list of X.509 Certification Authority (CA) certificates that were
loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
directory or received via the IKE protocol.
.
.TP
.BI "listaacerts [" --utc ]
returns a list of X.509 Authorization Authority (AA) certificates that were
loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
directory.
.
.TP
.BI "listocspcerts [" --utc ]
returns a list of X.509 OCSP Signer certificates that were either loaded
locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
directory or were sent by an OCSP server.
.
.TP
.BI "listacerts [" --utc ]
returns a list of X.509 Attribute certificates that were loaded locally by
the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
.
.TP
.BI "listgroups [" --utc ]
returns a list of groups that are used to define user authorization profiles.
.
.TP
.BI "listcainfos [" --utc ]
returns certification authority information (CRL distribution points, OCSP URIs,
LDAP servers) that were defined by
.BR ca
sections in \fIipsec.conf\fP.
.
.TP
.BI "listcrls [" --utc ]
returns a list of Certificate Revocation Lists (CRLs) that were either loaded
by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
an HTTP- or LDAP-based CRL distribution point.
.
.TP
.BI "listocsp [" --utc ]
returns revocation information fetched from OCSP servers.
.
.TP
.BI "listplugins"
returns a list of all loaded plugin features.
.
.TP
.BI "listcounters [" name ]
returns a list of global or connection-specific IKE counter values
collected since daemon startup.
.
.TP
.BI "listall [" --utc ]
returns all information generated by the list commands above. Each list command
can be called with the
\fB\-\-utc\fP
option which displays all dates in UTC instead of local time.
.
.SS REREAD COMMANDS
.
.TP
.B "rereadsecrets"
flushes and rereads all secrets defined in \fIipsec.secrets\fP.
.
.TP
.B "rereadcacerts"
removes previously loaded CA certificates, reads all certificate files
contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
of Certification Authority (CA) certificates. This does not affect certificates
explicitly defined in an
.BR ipsec.conf (5)
ca section, which may be separately updated using the \fBupdate\fP command.
.
.TP
.B "rereadaacerts"
removes previously loaded AA certificates, reads all certificate files
contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
of Authorization Authority (AA) certificates.
.
.TP
.B "rereadocspcerts"
reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
directory and adds them to the list of OCSP signer certificates.
.
.TP
.B "rereadacerts"
reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP
directory and adds them to the list of attribute certificates.
.
.TP
.B "rereadcrls"
reads all Certificate Revocation Lists (CRLs) contained in the
\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
.
.TP
.B "rereadall"
executes all reread commands listed above.
.
.SS RESET COMMANDS
.
.TP
.BI "resetcounters [" name ]
resets global or connection-specific counters.
.
.SS PURGE COMMANDS
.
.TP
.B "purgecerts"
purges all cached certificates.
.
.TP
.B "purgecrls"
purges all cached CRLs.
.
.TP
.B "purgeike"
purges IKE SAs that don't have a Quick Mode or CHILD SA.
.
.TP
.B "purgeocsp"
purges all cached OCSP information records.
.
.SS INFO COMMANDS
.
.TP
.B "\-\-help"
returns the usage information for the
.B ipsec
command.
.
.TP
.B "\-\-version"
returns the version in the form of
.B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
running on.
.
.TP
.B "\-\-versioncode"
returns the version number in the form of
.B U<strongSwan userland version>/K<Linux kernel version>
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
running on.
.
.TP
.B "\-\-copyright"
returns the copyright information.
.
.TP
.B "\-\-directory"
returns the \fILIBEXECDIR\fP directory as defined by the configure options.
.
.TP
.B "\-\-confdir"
returns the \fISYSCONFDIR\fP directory as defined by the configure options.
.
.TP
.B "\-\-piddir"
returns the \fIPIDDIR\fP directory as defined by the configure options.
.
.SH FILES
.
/usr/libexec/ipsec		utilities directory
.
.SH ENVIRONMENT
.
When calling other commands the
.B ipsec
command supplies the following environment variables.
.nf
.na

IPSEC_DIR               directory containing ipsec programs and utilities
IPSEC_BINDIR            directory containing \fBpki\fP command
IPSEC_SBINDIR           directory containing \fBipsec\fP command
IPSEC_CONFDIR           directory containing configuration files
IPSEC_PIDDIR            directory containing PID/socket files
IPSEC_SCRIPT            name of the ipsec script
IPSEC_NAME              name of ipsec distribution
IPSEC_VERSION           version number of ipsec userland and kernel
IPSEC_STARTER_PID       PID file for ipsec starter
IPSEC_CHARON_PID        PID file for IKE keying daemon
.ad
.fi
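.P
Added example (not strongSwan's own code): a POSIX sh health check written to
be installed in the utilities directory and run as \fBipsec checkenv\fP (a
hypothetical command name), so that the wrapper supplies the IPSEC_CONFDIR,
IPSEC_PIDDIR, IPSEC_CHARON_PID and IPSEC_NAME variables listed above. It checks
that \fIipsec.secrets\fP is readable only by its owner and that the charon PID
file names a live process; the fallbacks through \fBipsec \-\-confdir\fP and
\fB\-\-piddir\fP and the file names ipsec.secrets and charon.pid are assumptions.

```sh
#!/bin/sh
# Added example, not strongSwan code: health check meant to live in the
# utilities directory and be run as "ipsec checkenv", so the wrapper supplies
# IPSEC_CONFDIR, IPSEC_PIDDIR, IPSEC_CHARON_PID and IPSEC_NAME. The fallbacks
# through "ipsec --confdir"/"--piddir" and the names ipsec.secrets/charon.pid
# are assumptions for stand-alone use.
# 0 if $1 exists and is unreadable by group and others, 1 if either can read
# it, 2 if it is missing. ls(1) columns 5 and 8 are the g/o read bits; this
# works the same on GNU and BSD userlands, unlike stat(1).
secrets_perms_ok() {
    [ -f "$1" ] || return 2
    case "$(ls -ld "$1" | cut -c5,8)" in
        --) return 0 ;;
        *)  return 1 ;;
    esac
}

# 0 if the PID in file $1 is a live process, 1 if not, 2 if the file is
# missing, 3 if it holds no number. The /proc test covers kill -0 failing
# only because the caller is not charon's user (EPERM rather than ESRCH).
pidfile_alive() {
    [ -r "$1" ] || return 2
    pid=$(head -n 1 "$1" | tr -cd '0-9')
    [ -n "$pid" ] || return 3
    kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]
}

# Run both checks; the return value is the number of failed checks.
checkenv_report() {
    confdir=${IPSEC_CONFDIR:-$(ipsec --confdir 2>/dev/null || echo /etc)}
    piddir=${IPSEC_PIDDIR:-$(ipsec --piddir 2>/dev/null || echo /var/run)}
    pidfile=${IPSEC_CHARON_PID:-$piddir/charon.pid}
    failed=0
    if secrets_perms_ok "$confdir/ipsec.secrets"; then
        echo "ok:   $confdir/ipsec.secrets is readable only by its owner"
    else
        echo "FAIL: $confdir/ipsec.secrets missing or readable by group/others"
        failed=$((failed + 1))
    fi
    if pidfile_alive "$pidfile"; then
        echo "ok:   charon is running (PID file $pidfile)"
    else
        echo "FAIL: charon not running or stale PID file $pidfile"
        failed=$((failed + 1))
    fi
    return "$failed"
}
# The wrapper exports IPSEC_NAME; report only when invoked through it.
if [ -n "${IPSEC_NAME:-}" ]; then checkenv_report; fi
```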
.
.SH SEE ALSO
.
.BR ipsec.conf (5),
.BR ipsec.secrets (5)
.
.SH HISTORY
Originally written for the FreeS/WAN project by Henry Spencer.
Updated and extended for the strongSwan project <http://www.strongswan.org> by
Tobias Brunner and Andreas Steffen.
