strongSwan

= ipsec =

'''ipsec''' is actually an umbrella command comprising a collection of individual sub commands of the form 

  '''ipsec ''<command>'' [ ''<argument>'' ]  [ ''<options>'' ]'''

that can be used to control and monitor IPsec connections as well as the IKE daemons.

== Control Commands ==

'''ipsec start [ ''<starter options>'' ]'''

   calls [wiki:IpsecStarter ipsec starter] [ ''<starter options>'' ] which in turn parses

   [wiki:IpsecConf ipsec.conf] and starts the IKEv1 pluto and IKEv2 charon daemons.

'''ipsec stop'''

   terminates all IPsec connection and stops the IKEv1 pluto and IKEv2 charon daemons by sending

   a ''TERM'' signal to [wiki:IpsecStarter ipsec starter].

'''ipsec restart [ ''<starter options>'' ]'''

   is equivalent to '''ipsec stop''' followed by '''ipsec start [ ''<starter options>'' ]''' after a

   guard period of 2 seconds.

'''ipsec update'''

   sends a ''HUP'' signal to [wiki:IpsecStarter ipsec starter] which in turn determines any changes

   in [wiki:IpsecConf ipsec.conf] and updates the configuration on the running IKEv1 pluto and IKEv2 

   charon daemons, correspondingly.

'''ipsec reload'''

   sends a ''USR1'' signal to [wiki:IpsecStarter ipsec starter] which in turn reloads the

   whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the actual

   [wiki:IpsecConf ipsec.conf].

'''ipsec up  ''<name>'' '''

   tells the responsible IKE daemon to start up connection ''<name>''. Implemented by calling the 

   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --initiate and/or [wiki:IpsecStroke ipsec stroke]

   up ''<name>'' commands.

'''ipsec down  ''<name>'' '''

   tells the responsible IKE daemon to terminate connection ''<name>''. Implemented by calling the 

   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --terminate and/or [wiki:IpsecStroke ipsec stroke]

   down ''<name>'' commands.

'''ipsec route  ''<name>'' '''

   tells the responsible IKE daemon to insert an [wiki:IpsecPolicy IPsec policy] in the kernel for 

   connection ''<name>''. The first payload packet matching the [wiki:IpsecPolicy IPsec policy]

   will automatically trigger an IKE connection setup. Implemented by calling the

   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --route and/or

   [wiki:IpsecStroke ipsec stroke] route ''<name>'' commands.

'''ipsec unroute  ''<name>'' '''

   remove the [wiki:IpsecPolicy IPsec policy] in the kernel for connection ''<name>''. Implemented

   by calling the [wiki:IpsecWhack ipsec whack] --name ''<name>'' --unroute and/or

   [wiki:IpsecStroke ipsec stroke] unroute ''<name>'' commands.

'''ipsec status [ ''<name>'' ] '''

   returns concise status information either on connection ''<name>'' or if the argument is lacking,

   on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]

   --status and/or [wiki:IpsecStroke ipsec stroke] status [ ''<name>'' ] commands.

'''ipsec statusall [ ''<name>'' ] '''

   returns detailed status information either on connection ''<name>'' or if the argument is lacking,

   on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]

   statusall and/or [wiki:IpsecStroke ipsec stroke] statusall [ ''<name>'' ] commands.

== Info Commands ==

'''ipsec version'''

   returns the ipsec version in the form of '''Linux strongSwan

   U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''

   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

'''ipsec copyright'''

   returns the copyright information.

'''ipsec --confdir'''

   returns the ''SYSCONFDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]

   options.

'''ipsec --directory'''

   returns the ''LIBEXECDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]

   options.

'''ipsec --help'''

   returns the usage information for the ipsec command.

'''ipsec --versioncode'''

   returns the ipsec version number in the form of

   ''''U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''

   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

== List Commands ==

'''ipsec listaacerts [ --utc ]'''

   returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by

   the IKE daemon from the [wiki:IpsecDirectoryAacerts /etc/ipsec.d/aacerts/] directory.

   Implemented by calling the [wiki:IpsecWhack ipsec whack] --listaacerts and/or

   [wiki:IpsecStroke ipsec stroke] listaacerts commands.

'''ipsec listacerts [ --utc ]'''

   returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the

   [wiki:IpsecDirectoryAcerts /etc/ipsec.d/acerts/] directory. Implemented by calling the

   [wiki:IpsecWhack ipsec whack] --listacerts and/or [wiki:IpsecStroke ipsec stroke] listacerts

   commands.

'''ipsec listalgs'''

   returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman

   groups, as well as all ESP encryption and authentication algorithms registered via the Linux

   kernel's Crypto API. Supported by the IKEv1 pluto daemon only. Implemented by calling the

   [wiki:IpsecWhack ipsec whack] --listalgs command.

'''ipsec listcacerts [ --utc ]'''

   returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by

   the IKE daemon from the [wiki:IpsecDirectoryCacerts /etc/ipsec.d/cacerts/] directory or received

   in PKCS#7-wrapped certificate payloads via the IKE protocol. Implemented by calling the

   [wiki:IpsecWhack ipsec whack] --listcacerts and/or [wiki:IpsecStroke ipsec stroke] listcacerts

   commands.

'''ipsec listcainfos [ --utc ]'''

   returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers)

   that were defined by [wiki:CaSection ca sections] in [wiki:IpsecConf ipsec.conf]. Implemented

   by calling the [wiki:IpsecWhack ipsec whack] --listcainfos and/or [wiki:IpsecStroke ipsec stroke]

   listcainfos commands.

'''ipsec listcards [ --utc ]'''

   lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only.

   Implemented by calling the [wiki:IpsecWhack ipsec whack] --listcards command.

'''ipsec listcrls [ --utc ]'''

   returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon

   from the [wiki:IpsecDirectoryCrls /etc/ipsec.d/crls/] directory or fetched from an HTTP- or

   LDAP-based CRL distribution point. Implemented by calling the [wiki:IpsecWhack ipsec whack] 

   --listcrls and/or wiki:IpsecStroke ipsec stroke] listcrls commands.

'''ipsec listcerts [ --utc ]'''

   returns a list of X.509 and|or OpenPGP certificates that were either loaded locally by the IKE

   daemon or received via the IKEv2 protocol. Implemented by calling the [wiki:IpsecWhack ipsec whack]

   --listcerts and/or [wiki:IpsecStroke ipsec stroke] listcerts commands.

'''ipsec listgroups [ --utc ]'''

   returns a list of all groups that are used to define user authorization profiles. Supported by

   the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack] --listgroups

   command.

'''ipsec listocsp [ --utc ]'''

   returns cached revocation information fetched from OCSP servers. Implemented by calling the

   [wiki:IpsecWhack ipsec whack] --listocps and/or [wiki:IpsecStroke ipsec stroke] listocsp commands.

'''ipsec listocspcerts [ --utc ]'''

   returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE

   daemon from the [wiki:IpsecDirectoryOcspcerts /etc/ipsec.d/ocspcerts/] directory or were sent

   by an OCSP server. Implemented by calling the [wiki:IpsecWhack ipsec whack] --listocspcerts

   and/or [wiki:IpsecStroke ipsec stroke] listocspcerts commands.

'''ipsec listpubkeys [ --utc ]'''

   returns  a  list  of  RSA  public keys that were either loaded in raw key format or extracted

   from X.509 and|or OpenPGP certificates. Supported by the IKEv1 pluto daemon only. Implemented

   by calling the [wiki:IpsecWhack ipsec whack] --listpubkeys command.

'''ipsec listall [ --utc ]'''

   returns  all information generated by the list commands above. Each list command can be called

   with the ''--url'' option which displays all dates in UTC instead of local time. Implemented by

   calling the [wiki:IpsecWhack ipsec whack] --listall and/or [wiki:IpsecStroke ipsec stroke]

   listall commands.

== Reread Commands ==

'''ipsec rereadaacerts'''

   reads all certificate files contained in the [wiki:IpsecDirectoryAacerts /etc/ipsec.d/aacerts/]

   directory and adds them to the list of Authorization Authority (AA) certificates. Implemented

   by calling the [wiki:IpsecWhack ipsec whack] --readaacerts and/or

   [wiki:IpsecStroke ipsec stroke] rereadaacerts commands.

'''ipsec rereadacerts'''

   reads all certificate files contained in the [wiki:IpsecDirectoryAcerts /etc/ipsec.d/acerts/]

   directory and adds them to the list of attribute certificates. Implemented by calling the

   [wiki:IpsecWhack ipsec whack] --rereadacerts and/or [wiki:IpsecStroke ipsec stroke]

   rereadacerts commands.

'''ipsec rereadcacerts'''

   reads all certificate files contained in  the [wiki:IpsecDirectoryCacerts /etc/ipsec.d/cacerts/]

   directory  and adds them to the list of Certification Authority (CA) certificates. Implemented

   by calling the [wiki:IpsecWhack ipsec whack] --rereadcacerts and/or

   [wiki:IpsecStroke ipsec stroke] rereadcacerts commands.

'''ipsec rereadcrls'''

   reads all Certificate Revocation Lists (CRLs) contained in the

   [wiki:IpsecDirectoryCrls /etc/ipsec.d/crls/] directory and adds them to the list of CRLs.

   Older CRLs are replaced by newer ones. Implemented by calling the [wiki:IpsecWhack ipsec whack]

   --rereadcrls and/or [wiki:IpsecStroke ipsec stroke] rereadcrls commands.

'''ipsec rereadocspcerts'''

   reads all certificate files contained in the

   [wiki:IpsecDirectoryOcspcerts /etc/ipsec.d/ocspcerts/] directory and adds them to the list

   of OCSP signer certificates. Implemented by calling the [wiki:IpsecWhack ipsec whack]

   --rereadocspcerts and/or [wiki:IpsecStroke ipsec stroke] rereadocspcerts commands.

'''ipsec rereadsecrets'''

   flushes and rereads all secrets defined in [wiki:IpsecSecrets ipsec.secrets].

   Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadsecrets and/or

   [wiki:IpsecStroke ipsec stroke] rereadsecrets commands.

'''ipsec secrets'''

   is equivalent to '''ipsec rereadsecrets'''.

'''ipsec rereadall'''

   executes all reread commands listed above. Implemented by calling the

   [wiki:IpsecWhack ipsec whack] --rereadall and/or

   [wiki:IpsecStroke ipsec stroke] rereadall commands.

== Purge Commands ==

'''ipsec purgeocsp'''

   purges all cached OCSP information records. Implemented by calling the

   [wiki:IpsecWhack ipsec whack] --purgeocsp and/or

   [wiki:IpsecStroke ipsec stroke] purgeocsp commands.

== PKCS11 Proxy Commands ==

'''ipsec scencrypt ''<value>'' [ --inbase ''<base>'' ] [ --outbase ''<base>'' ] [ --keyid ''<id>'' ]'''

   Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]

   --scencrypt command.

'''ipsec scdecrypt ''<value>'' [ --inbase <base> ] [ --outbase ''<base>'' ] [ --keyid ''<id>'' ]'''

   Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]

   --scdecrypt command.