Version 10 (Martin Willi, 01.10.2007 11:48) → Version 11/31 (Martin Willi, 01.10.2007 15:26)
= ipsec =
'''ipsec''' is an umbrella command comprising a collection of individual subcommands of the form
'''ipsec ''<command>'' [ ''<argument>'' ] [ ''<options>'' ]'''
that can be used to control and monitor IPsec connections as well as the IKE daemons.
== Control Commands ==
'''ipsec start [ ''<starter options>'' ]'''
calls [wiki:IpsecStarter ipsec starter] [ ''<starter options>'' ] which in turn parses
[wiki:IpsecConf ipsec.conf] and starts the IKEv1 pluto and IKEv2 charon daemons.
'''ipsec stop'''
terminates all IPsec connections and stops the IKEv1 pluto and IKEv2 charon daemons by sending
a ''TERM'' signal to [wiki:IpsecStarter ipsec starter].
'''ipsec restart [ ''<starter options>'' ]'''
is equivalent to '''ipsec stop''' followed by '''ipsec start [ ''<starter options>'' ]''' after a
guard period of 2 seconds.
'''ipsec update'''
sends a ''HUP'' signal to [wiki:IpsecStarter ipsec starter] which in turn determines any changes
in [wiki:IpsecConf ipsec.conf] and updates the configuration on the running IKEv1 pluto and IKEv2
charon daemons, correspondingly.
'''ipsec reload'''
sends a ''USR1'' signal to [wiki:IpsecStarter ipsec starter] which in turn reloads the
whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the current
[wiki:IpsecConf ipsec.conf].
'''ipsec up ''<name>'' '''
tells the responsible IKE daemon to start up connection ''<name>''. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --name ''<name>'' --initiate and/or [wiki:IpsecStroke ipsec stroke]
up ''<name>'' commands.
'''ipsec down ''<name>'' '''
tells the responsible IKE daemon to terminate connection ''<name>''. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --name ''<name>'' --terminate and/or [wiki:IpsecStroke ipsec stroke]
down ''<name>'' commands.
'''ipsec route ''<name>'' '''
tells the responsible IKE daemon to insert an [wiki:IpsecPolicy IPsec policy] in the kernel for
connection ''<name>''. The first payload packet matching the [wiki:IpsecPolicy IPsec policy]
will automatically trigger an IKE connection setup. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --name ''<name>'' --route and/or
[wiki:IpsecStroke ipsec stroke] route ''<name>'' commands.
'''ipsec unroute ''<name>'' '''
removes the [wiki:IpsecPolicy IPsec policy] in the kernel for connection ''<name>''. Implemented
by calling the [wiki:IpsecWhack ipsec whack] --name ''<name>'' --unroute and/or
[wiki:IpsecStroke ipsec stroke] unroute ''<name>'' commands.
'''ipsec status [ ''<name>'' ] '''
returns concise status information either on connection ''<name>'' or, if the argument is lacking,
on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]
--status and/or [wiki:IpsecStroke ipsec stroke] status [ ''<name>'' ] commands.
'''ipsec statusall [ ''<name>'' ] '''
returns detailed status information either on connection ''<name>'' or, if the argument is lacking,
on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]
--statusall and/or [wiki:IpsecStroke ipsec stroke] statusall [ ''<name>'' ] commands.
== Info Commands ==
'''ipsec version'''
returns the ipsec version in the form of '''Linux strongSwan
U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
'''ipsec copyright'''
returns the copyright information.
'''ipsec --confdir'''
returns the ''SYSCONFDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]
options.
'''ipsec --directory'''
returns the ''LIBEXECDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]
options.
'''ipsec --help'''
returns the usage information for the ipsec command.
'''ipsec --versioncode'''
returns the ipsec version number in the form of
'''U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
== List Commands ==
'''ipsec listaacerts [ --utc ]'''
returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by
the IKE daemon from the [wiki:IpsecDirectoryAacerts /etc/ipsec.d/aacerts/] directory.
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listaacerts and/or
[wiki:IpsecStroke ipsec stroke] listaacerts commands.
'''ipsec listacerts [ --utc ]'''
returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the
[wiki:IpsecDirectoryAcerts /etc/ipsec.d/acerts/] directory. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --listacerts and/or [wiki:IpsecStroke ipsec stroke] listacerts
commands.
'''ipsec listalgs'''
returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman
groups, as well as all ESP encryption and authentication algorithms registered via the Linux
kernel's Crypto API. Supported by the IKEv1 pluto daemon only. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --listalgs command.
'''ipsec listcacerts [ --utc ]'''
returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by
the IKE daemon from the [wiki:IpsecDirectoryCacerts /etc/ipsec.d/cacerts/] directory or received
in PKCS#7-wrapped certificate payloads via the IKE protocol. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --listcacerts and/or [wiki:IpsecStroke ipsec stroke] listcacerts
commands.
'''ipsec listcainfos [ --utc ]'''
returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers)
that were defined by [wiki:CaSection ca sections] in [wiki:IpsecConf ipsec.conf]. Implemented
by calling the [wiki:IpsecWhack ipsec whack] --listcainfos and/or [wiki:IpsecStroke ipsec stroke]
listcainfos commands.
'''ipsec listcards [ --utc ]'''
lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only.
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listcards command.
'''ipsec listcrls [ --utc ]'''
returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon
from the [wiki:IpsecDirectoryCrls /etc/ipsec.d/crls/] directory or fetched from an HTTP- or
LDAP-based CRL distribution point. Implemented by calling the [wiki:IpsecWhack ipsec whack]
--listcrls and/or [wiki:IpsecStroke ipsec stroke] listcrls commands.
'''ipsec listcerts [ --utc ]'''
returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE
daemon or received via the IKEv2 protocol. Implemented by calling the [wiki:IpsecWhack ipsec whack]
--listcerts and/or [wiki:IpsecStroke ipsec stroke] listcerts commands.
'''ipsec listgroups [ --utc ]'''
returns a list of all groups that are used to define user authorization profiles. Supported by
the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack] --listgroups
command.
'''ipsec listocsp [ --utc ]'''
returns cached revocation information fetched from OCSP servers. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --listocsp and/or [wiki:IpsecStroke ipsec stroke] listocsp commands.
'''ipsec listocspcerts [ --utc ]'''
returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE
daemon from the [wiki:IpsecDirectoryOcspcerts /etc/ipsec.d/ocspcerts/] directory or were sent
by an OCSP server. Implemented by calling the [wiki:IpsecWhack ipsec whack] --listocspcerts
and/or [wiki:IpsecStroke ipsec stroke] listocspcerts commands.
'''ipsec listpubkeys [ --utc ]'''
returns a list of RSA public keys that were either loaded in raw key format or extracted
from X.509 and/or OpenPGP certificates. Supported by the IKEv1 pluto daemon only. Implemented
by calling the [wiki:IpsecWhack ipsec whack] --listpubkeys command.
'''ipsec listall [ --utc ]'''
returns all information generated by the list commands above. Each list command can be called
with the ''--utc'' option which displays all dates in UTC instead of local time. Implemented by
calling the [wiki:IpsecWhack ipsec whack] --listall and/or [wiki:IpsecStroke ipsec stroke]
listall commands.
== Reread Commands ==
'''ipsec rereadaacerts'''
reads all certificate files contained in the [wiki:IpsecDirectoryAacerts /etc/ipsec.d/aacerts/]
directory and adds them to the list of Authorization Authority (AA) certificates. Implemented
by calling the [wiki:IpsecWhack ipsec whack] --rereadaacerts and/or
[wiki:IpsecStroke ipsec stroke] rereadaacerts commands.
'''ipsec rereadacerts'''
reads all certificate files contained in the [wiki:IpsecDirectoryAcerts /etc/ipsec.d/acerts/]
directory and adds them to the list of attribute certificates. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --rereadacerts and/or [wiki:IpsecStroke ipsec stroke]
rereadacerts commands.
'''ipsec rereadcacerts'''
reads all certificate files contained in the [wiki:IpsecDirectoryCacerts /etc/ipsec.d/cacerts/]
directory and adds them to the list of Certification Authority (CA) certificates. Implemented
by calling the [wiki:IpsecWhack ipsec whack] --rereadcacerts and/or
[wiki:IpsecStroke ipsec stroke] rereadcacerts commands.
'''ipsec rereadcrls'''
reads all Certificate Revocation Lists (CRLs) contained in the
[wiki:IpsecDirectoryCrls /etc/ipsec.d/crls/] directory and adds them to the list of CRLs.
Older CRLs are replaced by newer ones. Implemented by calling the [wiki:IpsecWhack ipsec whack]
--rereadcrls and/or
[wiki:IpsecStroke ipsec stroke] rereadcrls commands.
'''ipsec rereadocspcerts'''
reads all certificate files contained in the
[wiki:IpsecDirectoryOcspcerts /etc/ipsec.d/ocspcerts/] directory and adds them to the list
of OCSP signer certificates. Implemented by calling the [wiki:IpsecWhack ipsec whack]
--rereadocspcerts and/or
[wiki:IpsecStroke ipsec stroke] rereadocspcerts commands.
'''ipsec rereadsecrets'''
flushes and rereads all secrets defined in [wiki:IpsecSecrets ipsec.secrets].
Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadsecrets and/or
[wiki:IpsecStroke ipsec stroke] rereadsecrets commands.
'''ipsec secrets'''
is equivalent to '''ipsec rereadsecrets'''.
'''ipsec rereadall'''
executes all reread commands listed above. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --rereadall and/or
[wiki:IpsecStroke ipsec stroke] rereadall commands.
== Purge Commands ==
'''ipsec purgeocsp'''
purges all cached OCSP information records. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --purgeocsp and/or
[wiki:IpsecStroke ipsec stroke] purgeocsp commands.
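The reread, purge and list commands above combine into a revocation refresh after a CA publishes a new CRL. The following is an added example, not part of the original page or the strongSwan sources; the function name ''refresh_revocation'' and the overridable ''IPSEC'' and ''CRL_DIR'' variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: install a new CRL and make the running IKE daemons use it.
# IPSEC and CRL_DIR are hypothetical overrides so the function can be tried
# against a stub; the defaults match the directory named on this page.
IPSEC="${IPSEC:-ipsec}"
CRL_DIR="${CRL_DIR:-/etc/ipsec.d/crls}"

# usage: refresh_revocation /path/to/new.crl
refresh_revocation() {
    new_crl="$1"

    # Refuse a missing or empty file before touching the daemon's directory.
    if [ ! -s "$new_crl" ]; then
        echo "CRL file missing or empty: $new_crl" >&2
        return 2
    fi

    # Copy under a temporary name, then rename: a rename within one
    # filesystem is atomic, so a reread never sees a half-written CRL.
    name=$(basename "$new_crl")
    tmp="$CRL_DIR/.$name.tmp.$$"
    cp "$new_crl" "$tmp" || return 1
    mv "$tmp" "$CRL_DIR/$name" || { rm -f "$tmp"; return 1; }

    # Load the CRLs from the directory; older CRLs are replaced by newer ones.
    "$IPSEC" rereadcrls || return 1

    # Drop cached OCSP records so stale answers are not reused.
    "$IPSEC" purgeocsp || return 1

    # Show what the daemon now holds, with dates in UTC for comparison
    # against the CA's published update times.
    "$IPSEC" listcrls --utc
}
```

The function returns non-zero as soon as any step fails, so it can gate a deployment script.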
== PKCS11 Proxy Commands ==
'''ipsec scencrypt ''<value>'' [ --inbase ''<base>'' ] [ --outbase ''<base>'' ] [ --keyid ''<id>'' ]'''
Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
--scencrypt command.
'''ipsec scdecrypt ''<value>'' [ --inbase ''<base>'' ] [ --outbase ''<base>'' ] [ --keyid ''<id>'' ]'''
Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
--scdecrypt command.