charon-cmd
Synopsis
charon-cmd --host hostname --identity identity [options]
Description
charon-cmd is a command-line program for setting up IPsec VPN connections using the Internet Key Exchange protocol (IKE) in versions 1 and 2. It supports a number of different road-warrior scenarios.
It is available since 5.1.0.
Like the IKE daemon charon, charon-cmd has to be run as root (or more specifically as a user with CAP_NET_ADMIN capability).
Of the options below, at least --host and --identity are required. Depending on the selected authentication profile, credentials also have to be provided with their respective options.
Many of the charon-specific configuration options in strongswan.conf also apply to charon-cmd. For instance, to configure customized logging to stdout the following snippet can be used:
charon-cmd {
    filelog {
        stdout {
            default = 1
            ike = 2
            cfg = 2
        }
    }
}
Options
--help
Prints usage information and a short summary of the available options.
--version
Prints the strongSwan version.
--debug level
Sets the default log level (defaults to 1). level is a number between -1 and 4. Refer to LoggerConfiguration for options that allow more fine-grained configuration of the logging output.
--host hostname
DNS name or IP address to connect to.
--identity identity
Identity the client uses for the IKE exchange.
--remote-identity identity
Server identity to expect, defaults to hostname.
--cert path
Trusted certificate, either for authentication or trust chain validation. To provide more than one certificate multiple --cert options can be used.
--rsa path
RSA private key to use for authentication (if a password is required, it will be requested on demand).
--p12 path
PKCS#12 file with private key and certificates to use for authentication and trust chain validation (if a password is required it will be requested on demand).
--agent[=socket]
Use SSH agent for authentication. If socket is not specified it is read from the SSH_AUTH_SOCK environment variable.
--local-ts subnet
Additional traffic selector to propose for our side; the requested virtual IP address will always be proposed.
--remote-ts subnet
Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
--profile name
Authentication profile to use; the list of supported profiles can be found in the Authentication Profiles section below. Defaults to ikev2-pub if a private key was supplied, and to ikev2-eap otherwise.
Authentication Profiles
Name | Description |
---|---|
IKEv2 | |
ikev2-pub | IKEv2 with public key client and server authentication |
ikev2-eap | IKEv2 with EAP client authentication and public key server authentication |
ikev2-pub-eap | IKEv2 with public key and EAP client authentication (RFC 4739) and public key server authentication |
IKEv1 | |
The following authentication profiles use either Main Mode or Aggressive Mode; the latter is denoted with a -am suffix. | |
ikev1-pub, ikev1-pub-am | IKEv1 with public key client and server authentication |
ikev1-xauth, ikev1-xauth-am | IKEv1 with public key client and server authentication, followed by client XAuth authentication |
ikev1-xauth-psk, ikev1-xauth-psk-am | IKEv1 with pre-shared key (PSK) client and server authentication, followed by client XAuth authentication (INSECURE!) |
ikev1-hybrid, ikev1-hybrid-am | IKEv1 with public key server authentication only, followed by client XAuth authentication |
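The following POSIX sh wrapper is an added example and not part of the strongSwan project. It ties together the rules stated above (--host and --identity are required, --debug is an integer from -1 to 4, --profile defaults to ikev2-pub when a private key was supplied and to ikev2-eap otherwise, charon-cmd must run as root) and the profile table: it assembles a charon-cmd command line, validates it before anything is executed, flags the profiles the table marks INSECURE, and can also emit the stdout logging snippet from the Description. Assumed names: the binary path comes from the CHARON_CMD environment variable (default charon-cmd), a single --rsa key path stands in for "a private key was supplied", and the sample host, identity and key path in the demo are constructed values.

```shell
#!/bin/sh
# Added example, not strongSwan code: builds and checks a charon-cmd
# invocation from the options documented on this page. Only
# charon_cmd_run executes anything; the other functions print or test.

CHARON_CMD="${CHARON_CMD:-charon-cmd}"   # assumed binary location

# True if NAME is one of the authentication profiles listed in the table.
charon_profile_known() {
    case "$1" in
        ikev2-pub|ikev2-eap|ikev2-pub-eap) return 0 ;;
        ikev1-pub|ikev1-pub-am|ikev1-xauth|ikev1-xauth-am) return 0 ;;
        ikev1-xauth-psk|ikev1-xauth-psk-am|ikev1-hybrid|ikev1-hybrid-am) return 0 ;;
        *) return 1 ;;
    esac
}

# True if LEVEL is an integer in the documented --debug range -1..4.
charon_debug_level_ok() {
    case "$1" in
        -1|0|1|2|3|4) return 0 ;;
        *) return 1 ;;
    esac
}

# Documented default for --profile: ikev2-pub with a private key,
# ikev2-eap without. $1 is the key path, possibly empty.
charon_default_profile() {
    if [ -n "$1" ]; then echo ikev2-pub; else echo ikev2-eap; fi
}

# charon_cmd_argv HOST IDENTITY [PROFILE] [RSA_KEY] [DEBUG]
# Prints the assembled command line on one line. Returns 1 with a reason
# on stderr when a documented rule is violated.
charon_cmd_argv() {
    host=$1; identity=$2; profile=$3; key=$4; debug=$5
    if [ -z "$host" ] || [ -z "$identity" ]; then
        echo "charon-cmd: --host and --identity are required" >&2
        return 1
    fi
    [ -n "$profile" ] || profile=$(charon_default_profile "$key")
    if ! charon_profile_known "$profile"; then
        echo "charon-cmd: unknown profile '$profile'" >&2
        return 1
    fi
    if [ -n "$debug" ] && ! charon_debug_level_ok "$debug"; then
        echo "charon-cmd: --debug must be between -1 and 4" >&2
        return 1
    fi
    case "$profile" in
        ikev1-xauth-psk|ikev1-xauth-psk-am)
            # The profile table marks PSK+XAuth as INSECURE; make it visible.
            echo "charon-cmd: warning: profile $profile is marked INSECURE" >&2 ;;
    esac
    cmd="$CHARON_CMD --host $host --identity $identity --profile $profile"
    [ -z "$key" ]   || cmd="$cmd --rsa $key"
    [ -z "$debug" ] || cmd="$cmd --debug $debug"
    echo "$cmd"
}

# charon_cmd_logging_conf DEFAULT IKE CFG
# Prints the strongswan.conf snippet from the Description that sends
# charon-cmd log output to stdout with the given per-group levels.
charon_cmd_logging_conf() {
    for lvl in "$1" "$2" "$3"; do
        charon_debug_level_ok "$lvl" || { echo "bad log level '$lvl'" >&2; return 1; }
    done
    printf 'charon-cmd {\n    filelog {\n        stdout {\n            default = %s\n            ike = %s\n            cfg = %s\n        }\n    }\n}\n' "$1" "$2" "$3"
}

# Run for real: charon-cmd needs root (CAP_NET_ADMIN), so refuse early
# with a clear message instead of letting the daemon fail later.
charon_cmd_run() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "charon-cmd: must be run as root (CAP_NET_ADMIN)" >&2
        return 1
    fi
    cmd=$(charon_cmd_argv "$@") || return 1
    # shellcheck disable=SC2086  (word splitting of $cmd is intended)
    exec $cmd
}

# Demo with constructed values: print the planned command line only.
charon_cmd_argv vpn.example.org alice "" /etc/ipsec.d/private/alice.pem 2
```

Calling charon_cmd_argv with an empty profile argument shows the documented default being applied; passing a PSK profile prints the warning on stderr while still returning the command line, so a caller can decide whether to proceed.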