.TH IPSEC 8 "2013-10-29" "5.7.2dr1" "strongSwan"
.
.SH NAME
.
ipsec \- invoke IPsec utilities
.
.SH SYNOPSIS
.
.SY ipsec
.I command
.RI [ arguments ]
.RI [ options ]
.YS
.
.SH DESCRIPTION
.
The
.B ipsec
utility invokes any of several utilities involved in controlling and monitoring
the IPsec encryption/authentication system, running the specified \fIcommand\fP
with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
directly. This largely eliminates possible name collisions with other software,
and also permits some centralized services.
.P
All the commands described in this manual page are built-in and are used to
control and monitor IPsec connections as well as the IKE daemon.
.P
For other commands
.I ipsec
supplies the invoked
.I command
with a suitable PATH environment variable,
and also provides the environment variables listed under
.IR ENVIRONMENT .
.
.SS CONTROL COMMANDS
.
.TP
.BI "start [" "starter options" ]
calls
.B "starter"
which in turn parses \fIipsec.conf\fR and starts the IKE daemon \fIcharon\fR.
.
.TP
.B "update"
sends a \fIHUP\fR signal to
.BR "starter"
which in turn determines any changes in \fIipsec.conf\fR
and updates the configuration on the running IKE daemon \fIcharon\fR.
.
.TP
.B "reload"
sends a \fIUSR1\fR signal to
.BR "starter"
which in turn reloads the whole configuration of the running IKE daemon
\fIcharon\fR based on the actual \fIipsec.conf\fR.
.
.TP
.B "restart"
is equivalent to
.B "stop"
followed by
.B "start"
after a guard of 2 seconds.
.
.TP
.B "stop"
terminates all IPsec connections and stops the IKE daemon \fIcharon\fR
by sending a \fITERM\fR signal to
.BR "starter".
.
.TP
.BI "up " name
tells the IKE daemon to start up connection \fIname\fP.
.
.TP
.BI "down " name
tells the IKE daemon to terminate connection \fIname\fP.
.
.TP
.BI "down " name{n}
terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance \fIn\fP of
connection \fIname\fP.
.
.TP
.BI "down " name{*}
terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of connection
\fIname\fP.
.
.TP
.BI "down " name[n]
terminates IKE SA instance \fIn\fP of connection \fIname\fP.
.
.TP
.BI "down " name[*]
terminates all IKE SA instances of connection \fIname\fP.
.
.TP
.BI "down-srcip <" start "> [<" end ">]"
terminates all IKE SA instances with clients having virtual IPs in the range
.IR start - end .
.
.TP
.BI "route " name
tells the IKE daemon to insert an IPsec policy in the kernel
for connection \fIname\fP. The first payload packet matching the IPsec policy
will automatically trigger an IKE connection setup.
.
.TP
.BI "unroute " name
removes the IPsec policy in the kernel for connection \fIname\fP.
.
.TP
.BI "status [" name ]
returns concise status information either on connection
\fIname\fP or if the argument is lacking, on all connections.
.
.TP
.BI "statusall [" name ]
returns detailed status information either on connection
\fIname\fP or if the argument is lacking, on all connections.
.
.SS LIST COMMANDS
.
.TP
.BI "leases [<" poolname "> [<" address ">]]"
returns the status of all or the selected IP address pool (or even a single
virtual IP address).
.
.TP
.B "listalgs"
returns a list of supported cryptographic algorithms usable for IKE, and their
corresponding plugin.
.
.TP
.BI "listpubkeys [" --utc ]
returns a list of RSA public keys that were either loaded in raw key format
or extracted from X.509 and|or OpenPGP certificates.
.
.TP
.BI "listcerts [" --utc ]
returns a list of X.509 and|or OpenPGP certificates that were either loaded
locally by the IKE daemon or received via the IKE protocol.
.
.TP
.BI "listcacerts [" --utc ]
returns a list of X.509 Certification Authority (CA) certificates that were
loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
directory or received via the IKE protocol.
.
.TP
.BI "listaacerts [" --utc ]
returns a list of X.509 Authorization Authority (AA) certificates that were
loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
directory.
.
.TP
.BI "listocspcerts [" --utc ]
returns a list of X.509 OCSP Signer certificates that were either loaded
locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
directory or were sent by an OCSP server.
.
.TP
.BI "listacerts [" --utc ]
returns a list of X.509 Attribute certificates that were loaded locally by
the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
.
.TP
.BI "listgroups [" --utc ]
returns a list of groups that are used to define user authorization profiles.
.
.TP
.BI "listcainfos [" --utc ]
returns certification authority information (CRL distribution points, OCSP URIs,
LDAP servers) that were defined by
.BR ca
sections in \fIipsec.conf\fP.
.
.TP
.BI "listcrls [" --utc ]
returns a list of Certificate Revocation Lists (CRLs) that were either loaded
by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
an HTTP- or LDAP-based CRL distribution point.
.
.TP
.BI "listocsp [" --utc ]
returns revocation information fetched from OCSP servers.
.
.TP
.BI "listplugins"
returns a list of all loaded plugin features.
.
.TP
.BI "listcounters [" name ]
returns a list of global or connection-specific IKE counter values
collected since daemon startup.
.
.TP
.BI "listall [" --utc ]
returns all information generated by the list commands above. Each list command
can be called with the
\fB\-\-utc\fP
option which displays all dates in UTC instead of local time.
.
.SS REREAD COMMANDS
.
.TP
.B "rereadsecrets"
flushes and rereads all secrets defined in \fIipsec.secrets\fP.
.
.TP
.B "rereadcacerts"
removes previously loaded CA certificates, reads all certificate files
contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
of Certification Authority (CA) certificates. This does not affect certificates
explicitly defined in a
.BR ipsec.conf (5)
ca section, which may be separately updated using the \fBupdate\fP command.
.
.TP
.B "rereadaacerts"
removes previously loaded AA certificates, reads all certificate files
contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
of Authorization Authority (AA) certificates.
.
.TP
.B "rereadocspcerts"
reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
directory and adds them to the list of OCSP signer certificates.
.
.TP
.B "rereadacerts"
reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP
directory and adds them to the list of attribute certificates.
.
.TP
.B "rereadcrls"
reads all Certificate Revocation Lists (CRLs) contained in the
\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
.
.TP
.B "rereadall"
executes all reread commands listed above.
.
.SS RESET COMMANDS
.
.TP
.BI "resetcounters [" name ]
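.P
Added example (not part of this manual page or of strongSwan): a POSIX shell
function that installs a new CA certificate into the \fIcacerts\fP directory
and then uses \fBrereadcacerts\fP and \fBlistcacerts \-\-utc\fP so the running
daemon drops its loaded CA certificates, reloads the directory and confirms the
result. It assumes \fIIPSEC_CONFDIR\fP names the configuration directory
(defaulting to /etc, as the \fBipsec\fP command itself exports it) and that a
variable \fIIPSEC\fP names the ipsec command, so that a stub can be substituted
when testing the script.

```shell
#!/bin/sh
# Added example, not code from the strongSwan man page or project.
# Assumptions: IPSEC names the ipsec command (overridable so a stub can
# stand in for it); IPSEC_CONFDIR is the configuration directory that the
# ipsec command exports to invoked programs (defaults to /etc here).

IPSEC="${IPSEC:-ipsec}"

# install_cacert <pem-file>
# Copies the certificate into ipsec.d/cacerts and asks charon to reload the
# directory. Returns non-zero if the source is unreadable or any step fails.
install_cacert() {
    src="$1"
    confdir="${IPSEC_CONFDIR:-/etc}"
    dest_dir="$confdir/ipsec.d/cacerts"

    [ -r "$src" ] || { echo "install_cacert: cannot read $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    # CA certificates are public material; 0644 keeps them readable by charon
    # without granting write access to anyone but the owner.
    cp "$src" "$dest_dir/" || return 1
    chmod 0644 "$dest_dir/$(basename "$src")" || return 1

    # rereadcacerts covers only the cacerts directory: a CA certificate named
    # in an ipsec.conf "ca" section has to be refreshed with "ipsec update".
    "$IPSEC" rereadcacerts || return 1
    # Show what the daemon now holds, with validity dates in UTC.
    "$IPSEC" listcacerts --utc
}

# Run directly: install_cacert.sh /path/to/new-ca.pem
if [ "$#" -gt 0 ]; then
    install_cacert "$1"
fi
```

Because the daemon re-reads the whole directory, a certificate that was removed
from \fIcacerts\fP before the call disappears from the trusted set at the same
time, which is the intended way to retire a CA without restarting \fBcharon\fP.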
resets global or connection-specific counters.
.
.SS PURGE COMMANDS
.
.TP
.B "purgecerts"
purges all cached certificates.
.
.TP
.B "purgecrls"
purges all cached CRLs.
.
.TP
.B "purgeike"
purges IKE SAs that don't have a Quick Mode or CHILD SA.
.
.TP
.B "purgeocsp"
purges all cached OCSP information records.
.
.SS INFO COMMANDS
.
.TP
.B "\-\-help"
returns the usage information for the
.B ipsec
command.
.
.TP
.B "\-\-version"
returns the version in the form of
.B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
running on.
.
.TP
.B "\-\-versioncode"
returns the version number in the form of
.B U<strongSwan userland version>/K<Linux kernel version>
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
running on.
.
.TP
.B "\-\-copyright"
returns the copyright information.
.
.TP
.B "\-\-directory"
returns the \fILIBEXECDIR\fP directory as defined by the configure options.
.
.TP
.B "\-\-confdir"
returns the \fISYSCONFDIR\fP directory as defined by the configure options.
.
.TP
.B "\-\-piddir"
returns the \fIPIDDIR\fP directory as defined by the configure options.
.
.SH FILES
.
/usr/libexec/ipsec utilities directory
.
.SH ENVIRONMENT
.
When calling other commands the
.B ipsec
command supplies the following environment variables.
.nf
.na

IPSEC_DIR           directory containing ipsec programs and utilities
IPSEC_BINDIR        directory containing \fBpki\fP command
IPSEC_SBINDIR       directory containing \fBipsec\fP command
IPSEC_CONFDIR       directory containing configuration files
IPSEC_PIDDIR        directory containing PID/socket files
IPSEC_SCRIPT        name of the ipsec script
IPSEC_NAME          name of ipsec distribution
IPSEC_VERSION       version number of ipsec userland and kernel
IPSEC_STARTER_PID   PID file for ipsec starter
IPSEC_CHARON_PID    PID file for IKE keying daemon
.ad
.fi
.
.SH SEE ALSO
.
.BR ipsec.conf (5),
.BR ipsec.secrets (5)
.
.SH HISTORY
Originally written for the FreeS/WAN project by Henry Spencer.
Updated and extended for the strongSwan project <http://www.strongswan.org> by
Tobias Brunner and Andreas Steffen.
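.P
Added example (not part of this manual page or of strongSwan): a small helper
written to be invoked through the \fBipsec\fP command, so that it can rely on
the variables listed above. It refuses to run when those variables are absent
and uses \fIIPSEC_CHARON_PID\fP to check whether the IKE daemon is actually
alive, treating a stale PID file left behind by a crash as "not running". The
helper name \fIcharon-check\fP and the set of variables it requires are the
example's own choices.

```shell
#!/bin/sh
# Added example, not code from the strongSwan man page or project.
# Intended to be placed in the utilities directory and run as
# "ipsec charon-check" (hypothetical name), so that the ipsec command
# exports IPSEC_DIR, IPSEC_CONFDIR, IPSEC_PIDDIR and IPSEC_CHARON_PID.

# require_ipsec_env: returns 1 (with a message) if any variable this helper
# depends on is unset, i.e. if it was started directly instead of via ipsec.
require_ipsec_env() {
    for var in IPSEC_DIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_CHARON_PID; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "$var is not set; run this via 'ipsec <script>'" >&2
            return 1
        fi
    done
    return 0
}

# charon_running [pidfile]: returns 0 only if the PID file (default: the one
# named by IPSEC_CHARON_PID) exists, holds a numeric PID and that process can
# be signalled. A leftover file after a crash, or garbage content, yields 1.
# kill -0 needs permission to signal the daemon, so run as root like ipsec.
charon_running() {
    pidfile="${1:-${IPSEC_CHARON_PID:-}}"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric content
    esac
    kill -0 "$pid" 2>/dev/null
}

# When started through ipsec, report the daemon state; exit 2 if the
# environment is missing so the caller can tell misuse from "not running".
if [ -n "${IPSEC_CHARON_PID:-}" ]; then
    require_ipsec_env || exit 2
    if charon_running; then
        echo "charon is running (PID file: $IPSEC_CHARON_PID)"
    else
        echo "charon is not running" >&2
    fi
fi
```

Checking liveness with \fBkill \-0\fP rather than trusting the presence of the
PID file is what makes the result usable from monitoring: \fIIPSEC_CHARON_PID\fP
still points at a file after an unclean daemon exit.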