Project

General

Profile

ipsec

ipsec is actually an umbrella command comprising a collection of individual sub commands of the form

ipsec <command> [ <argument> ] [ <options> ]

that can be used to control and monitor IPsec connections as well as the IKE daemons.

Note: Some distributions (e.g. Fedora and its offsprings) rename the ipsec command to strongswan

Control Commands

ipsec start [ <starter options> ]

calls ipsec starter [ <starter options> ] which in turn parses ipsec.conf and starts the IKE daemon charon.

ipsec stop

terminates all IPsec connection and stops the IKE daemon charon by sending a TERM signal to ipsec starter.

ipsec restart [ <starter options> ]

is equivalent to ipsec stop followed by ipsec start [ <starter options> ] after a guard period of 2 seconds.

ipsec update

sends a HUP signal to ipsec starter which in turn determines any changes in ipsec.conf and updates the configuration on the running IKE daemon charon. Currently established connections are not affected by configuration changes.

ipsec reload

sends a USR1 signal to ipsec starter which in turn reloads the whole configuration on the running IKE daemon charon based on the actual ipsec.conf. Currently established connections are not affected by configuration changes.

ipsec up <name>

tells the IKE daemon to start up connection <name>. Implemented by calling the ipsec stroke up <name> command.

ipsec down <name>

tells the IKE daemon to terminate connection <name>. Implemented by calling the ipsec stroke down <name> command.

ipsec down <name>{n}

terminates CHILD_SA instance n of connection <name>. Since {n} uniquely identifis a CHILD_SA the name is optional.

ipsec down <name>{*}

terminates all CHILD_SA instances of connection <name>.

ipsec down <name>[n]

terminates IKE_SA instance n of connection <name> plus dependent CHILD_SAs. Since [n] uniquely identifis an IKE_SA the name is optional.

ipsec down <name>[*]

terminates all IKE_SA instances of connection <name>.

ipsec route <name>

tells the IKE daemon to insert IPsec policies in the kernel for connection <name>. The first payload packet matching the IPsec policies will automatically trigger an IKE connection setup. Implemented by calling the ipsec stroke route <name> command.

ipsec unroute <name>

remove the IPsec policies in the kernel for connection <name>. Implemented by calling the ipsec stroke unroute <name> command.

ipsec status [ <name> ]

returns concise status information either on connection <name> or if the argument is lacking, on all connections. Implemented by calling the ipsec stroke status [ <name> ] command.

ipsec statusall [ <name> ]

returns detailed status information either on connection <name> or if the argument is lacking, on all connections. Implemented by calling the ipsec stroke statusall [ <name> ] command.

Info Commands

ipsec version

returns the ipsec version in the form of Linux strongSwan U<strongSwan userland version>/K<Linux kernel version> if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

ipsec copyright

returns the copyright information.

ipsec --confdir

returns the SYSCONFDIR directory as defined by the configure options.

ipsec --directory

returns the LIBEXECDIR directory as defined by the configure options.

ipsec --help

returns the usage information for the ipsec command.

ipsec --versioncode

returns the ipsec version number in the form of U<strongSwan userland version>/K<Linux kernel version> if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

List Commands

ipsec leases [ [ <poolname> [ <address> ] ]

returns the status of all or the selected IP address pools (or even a single virtual IP address).

ipsec listaacerts [ --utc ]

returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the IKE daemon from the /etc/ipsec.d/aacerts directory. Implemented by calling the ipsec stroke listaacerts command.

ipsec listacerts [ --utc ]

returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the /etc/ipsec.d/acerts directory. Implemented by calling the ipsec stroke listacerts command.

ipsec listalgs

returns a list of all supported IKE encryption and hash algorithms, and the available Diffie-Hellman groups. Implemented by calling the ipsec stroke listalgs command.

ipsec listcacerts [ --utc ]

returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the IKE daemon from the /etc/ipsec.d/cacerts directory or received via the IKE protocol. Implemented by calling the ipsec stroke listcacerts command.

ipsec listcainfos [ --utc ]

returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by ca sections in ipsec.conf. Implemented by calling the ipsec stroke listcainfos command.

ipsec listcerts [ --utc ]

returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE daemon or received via the IKE protocol. Implemented by calling the ipsec stroke listcerts command.

ipsec listcounters [ <name> ]

returns a list of global or connection specific counter values about received and sent IKE messages and rekeyings. Connection specific ounters are available since 5.0.3. Implemented by calling the ipsec stroke listcounters command.

ipsec listcrls [ --utc ]

returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon from the /etc/ipsec.d/crls directory or fetched from an HTTP- or LDAP-based CRL distribution point. Implemented by calling the ipsec stroke listcrls command. Note that X.509 Authority Key Identifier extension is used to associate CRL with a particular CA, otherwise CRL is listed but not applied.

ipsec listgroups [ --utc ]

returns a list of all groups that are used to define user authorization profiles. Currently not supported.

ipsec listocsp [ --utc ]

returns cached revocation information fetched from OCSP servers. Implemented by calling the ipsec stroke listocsp command.

ipsec listocspcerts [ --utc ]

returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE daemon from the /etc/ipsec.d/ocspcerts directory or were sent by an OCSP server. Implemented by calling the ipsec stroke listocspcerts command.

ipsec listplugins

returns a list of all loaded plugin features. Implemented by calling the ipsec stroke listplugins command.

ipsec listpubkeys [ --utc ]

returns a list of public keys that were loaded in raw key format. Implemented by calling the ipsec stroke listpubkeys command.

ipsec listall [ --utc ]

returns all information generated by the list commands above. Each list command can be called with the --utc option which displays all dates in UTC instead of local time. Implemented by calling the ipsec stroke listall command.

Reread Commands

ipsec rereadaacerts

reads all certificate files contained in the /etc/ipsec.d/aacerts directory and adds them to the list of Authorization Authority (AA) certificates. Implemented by calling the ipsec stroke rereadaacerts command.

ipsec rereadacerts

reads all certificate files contained in the /etc/ipsec.d/acerts directory and adds them to the list of attribute certificates. Implemented by calling the ipsec stroke rereadacerts command.

ipsec rereadcacerts

reads all certificate files contained in the /etc/ipsec.d/cacerts directory and adds them to the list of Certification Authority (CA) certificates. Implemented by calling the ipsec stroke rereadcacerts command.

ipsec rereadcrls

reads all Certificate Revocation Lists (CRLs) contained in the /etc/ipsec.d/crls directory and adds them to the list of CRLs. Older CRLs are replaced by newer ones. Implemented by calling the ipsec stroke rereadcrls command.

ipsec rereadocspcerts

reads all certificate files contained in the /etc/ipsec.d/ocspcerts directory and adds them to the list of OCSP signer certificates. Implemented by calling the ipsec stroke rereadocspcerts command.

ipsec rereadsecrets

flushes and rereads all secrets defined in ipsec.secrets. Implemented by calling the ipsec stroke rereadsecrets command.

ipsec secrets

is equivalent to ipsec rereadsecrets.

ipsec rereadall

executes all reread commands listed above. Implemented by calling the ipsec stroke rereadall command.

Reset Commands

ipsec resetcounters [ <name> ]

resets global or connection specific counters. Since 5.0.3. Implemented by calling the ipsec stroke resetcounters command.

Purge Commands

ipsec purgecerts

purges all cached certificates. Implemented by calling the ipsec stroke purgecerts command.

ipsec purgecrls

purges all cached CRLs. Implemented by calling the ipsec stroke purgecrls command.

ipsec purgeike

purges IKE_SAs that don't have a CHILD_SA. Implemented by calling the ipsec stroke purgeike command.

ipsec purgeocsp

purges all cached OCSP information records. Implemented by calling the ipsec stroke purgeocsp command.

Before 5.0.0

In releases before 5.0.0 IKEv1 connections were handled by the separate pluto keying daemon. The ipsec command then used the ipsec whack in addition to the ipsec stroke command to communicate with pluto.

List Commands

ipsec listcards [ --utc ]

lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only. Implemented by calling the ipsec whack --listcards command.

PKCS11 Proxy Commands

ipsec scencrypt <value> [ --inbase <base> ] [ --outbase <base> ] [ --keyid <id> ]

Supported by the IKEv1 pluto daemon only. Implemented by calling the ipsec whack --scencrypt command.

ipsec scdecrypt <value> [ --inbase <base> ] [ --outbase <base> ] [ --keyid <id> ]

Supported by the IKEv1 pluto daemon only. Implemented by calling the ipsec whack --scdecrypt command.