ipsec » History » Version 10

Martin Willi, 01.10.2007 11:48
added details to reread commands

= ipsec =

'''ipsec''' is actually an umbrella command comprising a collection of individual sub commands of the form

  '''ipsec ''<command>'' [ ''<argument>'' ]  [ ''<options>'' ]'''

that can be used to control and monitor IPsec connections as well as the IKE daemons.

== Control Commands ==

'''ipsec start [ ''<starter options>'' ]'''
   calls [wiki:IpsecStarter ipsec starter] [ ''<starter options>'' ] which in turn parses
   [wiki:IpsecConf ipsec.conf] and starts the IKEv1 pluto and IKEv2 charon daemons.

'''ipsec stop'''
   terminates all IPsec connections and stops the IKEv1 pluto and IKEv2 charon daemons by sending
   a ''TERM'' signal to [wiki:IpsecStarter ipsec starter].

'''ipsec restart [ ''<starter options>'' ]'''
   is equivalent to '''ipsec stop''' followed by '''ipsec start [ ''<starter options>'' ]''' after a
   guard period of 2 seconds.

'''ipsec update'''
   sends a ''HUP'' signal to [wiki:IpsecStarter ipsec starter] which in turn determines any changes
   in [wiki:IpsecConf ipsec.conf] and updates the configuration on the running IKEv1 pluto and IKEv2
   charon daemons correspondingly.

'''ipsec reload'''
   sends a ''USR1'' signal to [wiki:IpsecStarter ipsec starter] which in turn reloads the
   whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the actual
   [wiki:IpsecConf ipsec.conf].

'''ipsec up ''<name>'' '''
   tells the responsible IKE daemon to start up connection ''<name>''. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --initiate and/or [wiki:IpsecStroke ipsec stroke]
   up ''<name>'' commands.

'''ipsec down ''<name>'' '''
   tells the responsible IKE daemon to terminate connection ''<name>''. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --terminate and/or [wiki:IpsecStroke ipsec stroke]
   down ''<name>'' commands.

'''ipsec route ''<name>'' '''
   tells the responsible IKE daemon to insert an [wiki:IpsecPolicy IPsec policy] in the kernel for
   connection ''<name>''. The first payload packet matching the [wiki:IpsecPolicy IPsec policy]
   will automatically trigger an IKE connection setup. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --route and/or
   [wiki:IpsecStroke ipsec stroke] route ''<name>'' commands.

'''ipsec unroute ''<name>'' '''
   removes the [wiki:IpsecPolicy IPsec policy] in the kernel for connection ''<name>''. Implemented
   by calling the [wiki:IpsecWhack ipsec whack] --name ''<name>'' --unroute and/or
   [wiki:IpsecStroke ipsec stroke] unroute ''<name>'' commands.

'''ipsec status [ ''<name>'' ] '''
   returns concise status information either on connection ''<name>'' or, if the argument is lacking,
   on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]
   --status and/or [wiki:IpsecStroke ipsec stroke] status [ ''<name>'' ] commands.

'''ipsec statusall [ ''<name>'' ] '''
   returns detailed status information either on connection ''<name>'' or, if the argument is lacking,
   on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]
   statusall and/or [wiki:IpsecStroke ipsec stroke] statusall [ ''<name>'' ] commands.

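A practical use of '''ipsec status''' is a periodic check that the tunnels an operator depends on are actually established, so that a silently dropped IKE SA is noticed. The POSIX shell script below is an added example and is not part of this wiki page or of strongSwan itself. The status output it parses is a constructed sample modelled on charon's listing (connection name, IKE SA id in brackets, then the state); the exact format is an assumption of this example, as are the connection names and the `IPSEC` override variable, which lets the check run against a stub without a daemon.

```shell
#!/bin/sh
# Added example: verify that required connections have an ESTABLISHED IKE SA,
# based on the output of `ipsec status`. Not strongSwan code.

# IPSEC names the command to run; it can be pointed at a stub for offline testing.
IPSEC="${IPSEC:-ipsec}"

# Constructed sample of an `ipsec status` dump (format assumed for this example):
# "home" has an established IKE SA and an installed CHILD SA, "backup" is only connecting.
SAMPLE_STATUS='Security Associations (1 up, 1 connecting):
      home[2]: ESTABLISHED 14 minutes ago, 192.0.2.10[moon.example.org]...198.51.100.5[sun.example.org]
      home{2}:  INSTALLED, TUNNEL, ESP SPIs: c2f9a1b3_i ce8d4410_o
      home{2}:   10.1.0.0/16 === 10.2.0.0/16
    backup[3]: CONNECTING, 192.0.2.10[%any]...203.0.113.9[%any]'

# established_conns: read a status dump on stdin and print the name of every
# connection whose IKE SA line reads "<name>[<id>]: ESTABLISHED", one per line.
# CHILD SA lines use braces ("<name>{<id>}") and are therefore not matched.
established_conns() {
    sed -n 's/^[[:space:]]*\([^[:space:]]*\)\[[0-9][0-9]*\]: ESTABLISHED.*/\1/p' | sort -u
}

# conn_is_up NAME: exit 0 if NAME is among the established connections on stdin.
conn_is_up() {
    established_conns | grep -qx -- "$1"
}

# check_required NAME...: run `ipsec status`, report each required connection that
# has no established IKE SA, and return 1 if any is missing (0 if all are up,
# 2 if the status command itself failed).
check_required() {
    status=$("$IPSEC" status) || { echo "ipsec status failed" >&2; return 2; }
    rc=0
    for name in "$@"; do
        if printf '%s\n' "$status" | conn_is_up "$name"; then
            echo "ok: $name is ESTABLISHED"
        else
            echo "missing: $name has no established IKE SA" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run as `check_required home backup` from cron or a monitoring agent and alert on a non-zero exit; the parser deliberately keys on the IKE SA line rather than the CHILD SA line, because a connection can keep an IKE SA while its CHILD SA has expired, and the two should be checked separately if that matters for the deployment.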
== Info Commands ==

'''ipsec version'''
   returns the ipsec version in the form of '''Linux strongSwan
   U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''
   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

'''ipsec copyright'''
   returns the copyright information.

'''ipsec --confdir'''
   returns the ''SYSCONFDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]
   options.

'''ipsec --directory'''
   returns the ''LIBEXECDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]
   options.

'''ipsec --help'''
   returns the usage information for the ipsec command.

'''ipsec --versioncode'''
   returns the ipsec version number in the form of
   '''U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''
   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

== List Commands ==

'''ipsec listaacerts [ --utc ]'''
   returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by
   the IKE daemon from the [wiki:IpsecDirectoryAacerts /etc/ipsec.d/aacerts/] directory.
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --listaacerts and/or
   [wiki:IpsecStroke ipsec stroke] listaacerts commands.

'''ipsec listacerts [ --utc ]'''
   returns a list of X.509 attribute certificates that were loaded locally by the IKE daemon from the
   [wiki:IpsecDirectoryAcerts /etc/ipsec.d/acerts/] directory. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --listacerts and/or [wiki:IpsecStroke ipsec stroke] listacerts
   commands.

'''ipsec listalgs'''
   returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman
   groups, as well as all ESP encryption and authentication algorithms registered via the Linux
   kernel's Crypto API. Supported by the IKEv1 pluto daemon only. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --listalgs command.

'''ipsec listcacerts [ --utc ]'''
   returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by
   the IKE daemon from the [wiki:IpsecDirectoryCacerts /etc/ipsec.d/cacerts/] directory or received
   in PKCS#7-wrapped certificate payloads via the IKE protocol. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --listcacerts and/or [wiki:IpsecStroke ipsec stroke] listcacerts
   commands.

'''ipsec listcainfos [ --utc ]'''
   returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers)
   that was defined by [wiki:CaSection ca sections] in [wiki:IpsecConf ipsec.conf]. Implemented
   by calling the [wiki:IpsecWhack ipsec whack] --listcainfos and/or [wiki:IpsecStroke ipsec stroke]
   listcainfos commands.

'''ipsec listcards [ --utc ]'''
   lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only.
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --listcards command.

'''ipsec listcrls [ --utc ]'''
   returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon
   from the [wiki:IpsecDirectoryCrls /etc/ipsec.d/crls/] directory or fetched from an HTTP- or
   LDAP-based CRL distribution point. Implemented by calling the [wiki:IpsecWhack ipsec whack]
   --listcrls and/or [wiki:IpsecStroke ipsec stroke] listcrls commands.

'''ipsec listcerts [ --utc ]'''
   returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE
   daemon or received via the IKEv2 protocol. Implemented by calling the [wiki:IpsecWhack ipsec whack]
   --listcerts and/or [wiki:IpsecStroke ipsec stroke] listcerts commands.

'''ipsec listgroups [ --utc ]'''
   returns a list of all groups that are used to define user authorization profiles. Supported by
   the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack] --listgroups
   command.

'''ipsec listocsp [ --utc ]'''
   returns cached revocation information fetched from OCSP servers. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --listocsp and/or [wiki:IpsecStroke ipsec stroke] listocsp commands.

'''ipsec listocspcerts [ --utc ]'''
   returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE
   daemon from the [wiki:IpsecDirectoryOcspcerts /etc/ipsec.d/ocspcerts/] directory or were sent
   by an OCSP server. Implemented by calling the [wiki:IpsecWhack ipsec whack] --listocspcerts
   and/or [wiki:IpsecStroke ipsec stroke] listocspcerts commands.

'''ipsec listpubkeys [ --utc ]'''
   returns a list of RSA public keys that were either loaded in raw key format or extracted
   from X.509 and/or OpenPGP certificates. Supported by the IKEv1 pluto daemon only. Implemented
   by calling the [wiki:IpsecWhack ipsec whack] --listpubkeys command.

'''ipsec listall [ --utc ]'''
   returns all information generated by the list commands above. Each list command can be called
   with the ''--utc'' option which displays all dates in UTC instead of local time. Implemented by
   calling the [wiki:IpsecWhack ipsec whack] --listall and/or [wiki:IpsecStroke ipsec stroke]
   listall commands.

== Reread Commands ==

'''ipsec rereadaacerts'''
   reads all certificate files contained in the [wiki:IpsecDirectoryAacerts /etc/ipsec.d/aacerts/]
   directory and adds them to the list of Authorization Authority (AA) certificates. Implemented
   by calling the [wiki:IpsecWhack ipsec whack] --rereadaacerts and/or
   [wiki:IpsecStroke ipsec stroke] rereadaacerts commands.

'''ipsec rereadacerts'''
   reads all certificate files contained in the [wiki:IpsecDirectoryAcerts /etc/ipsec.d/acerts/]
   directory and adds them to the list of attribute certificates. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --rereadacerts and/or [wiki:IpsecStroke ipsec stroke]
   rereadacerts commands.

'''ipsec rereadcacerts'''
   reads all certificate files contained in the [wiki:IpsecDirectoryCacerts /etc/ipsec.d/cacerts/]
   directory and adds them to the list of Certification Authority (CA) certificates. Implemented
   by calling the [wiki:IpsecWhack ipsec whack] --rereadcacerts and/or
   [wiki:IpsecStroke ipsec stroke] rereadcacerts commands.

'''ipsec rereadcrls'''
   reads all CRL files contained in the [wiki:IpsecDirectoryCrls /etc/ipsec.d/crls/] directory
   and adds them to the list of Certificate Revocation Lists (CRLs). Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --rereadcrls and/or [wiki:IpsecStroke ipsec stroke] rereadcrls
   commands.

'''ipsec rereadocspcerts'''
   reads all certificate files contained in the [wiki:IpsecDirectoryOcspcerts /etc/ipsec.d/ocspcerts/]
   directory and adds them to the list of OCSP Signer certificates. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --rereadocspcerts and/or [wiki:IpsecStroke ipsec stroke]
   rereadocspcerts commands.

'''ipsec rereadsecrets'''
   flushes and rereads all secrets defined in [wiki:IpsecSecrets ipsec.secrets].
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadsecrets and/or
   [wiki:IpsecStroke ipsec stroke] rereadsecrets commands.

'''ipsec secrets'''
   is equivalent to '''ipsec rereadsecrets'''.

'''ipsec rereadall'''
   performs all of the reread commands above at once. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --rereadall and/or [wiki:IpsecStroke ipsec stroke] rereadall
   commands.

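The control and reread commands above split into two families: edits to [wiki:IpsecConf ipsec.conf] are pushed with '''ipsec update''' (only the changed connections) or '''ipsec reload''' (the whole configuration), while edits to [wiki:IpsecSecrets ipsec.secrets] need '''ipsec rereadsecrets'''. A deployment script that issues the wrong one leaves the daemon running stale keys or stale connection definitions. The POSIX shell script below is an added example, not part of this page or of strongSwan: it records a digest of each file and issues only the command the changed file requires. The state file path, the `IPSEC` override (so the logic can be exercised against a stub) and the `FULL` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: after editing the configuration, run only the update/reread
# command the changed file needs. Not strongSwan code.

IPSEC="${IPSEC:-ipsec}"                          # command to run; may point at a stub
CONF="${CONF:-/etc/ipsec.conf}"
SECRETS="${SECRETS:-/etc/ipsec.secrets}"
STATE="${STATE:-/var/run/ipsec-example.state}"   # hypothetical path: "<key> <digest>" per line

# digest FILE: print a content digest. cksum is POSIX and serves only to detect
# edits; it is not a security boundary.
digest() { cksum < "$1" | cut -d' ' -f1; }

# changed FILE KEY: exit 0 if FILE's digest differs from the one recorded under KEY.
changed() {
    new=$(digest "$1")
    old=$(grep "^$2 " "$STATE" 2>/dev/null | cut -d' ' -f2)
    [ "$new" != "$old" ]
}

# record FILE KEY: store FILE's current digest under KEY, replacing any old entry.
record() {
    new=$(digest "$1")
    { grep -v "^$2 " "$STATE" 2>/dev/null || true; echo "$2 $new"; } > "$STATE.tmp" \
        && mv "$STATE.tmp" "$STATE"
}

# apply_changes: ipsec.secrets edits -> `ipsec rereadsecrets`; ipsec.conf edits ->
# `ipsec update` (changed conn sections only) or `ipsec reload` when FULL=1 (whole
# configuration). A digest is recorded only after the command succeeded, so a failed
# push is retried next time. Returns 0 if something was applied, 1 if nothing changed.
apply_changes() {
    did=0
    if changed "$SECRETS" secrets; then
        "$IPSEC" rereadsecrets && record "$SECRETS" secrets && did=1
    fi
    if changed "$CONF" conf; then
        if [ "${FULL:-0}" = 1 ]; then cmd=reload; else cmd=update; fi
        "$IPSEC" "$cmd" && record "$CONF" conf && did=1
    fi
    [ "$did" = 1 ]
}
```

Note that '''ipsec rereadall''' would also cover the secrets, but it rereads every certificate directory as well; issuing the narrower command keeps the daemon's change small and easy to correlate with the log when something breaks.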
== Purge Commands ==

'''ipsec purgeocsp'''
   flushes the cached revocation information fetched from OCSP servers (as shown by
   '''ipsec listocsp'''). Implemented by calling the [wiki:IpsecWhack ipsec whack] --purgeocsp
   and/or [wiki:IpsecStroke ipsec stroke] purgeocsp commands.

== PKCS11 Proxy Commands ==

'''ipsec scencrypt'''
   Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
   --scencrypt command.

'''ipsec scdecrypt'''
   Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
   --scdecrypt command.