Project

General

Profile

ipsec » History » Version 12

« Previous - Version 12/30 (diff) - Next » - Current version
Martin Willi, 01.10.2007 15:26
completed reread and purge command descriptions


ipsec

ipsec is actually an umbrella command comprising a collection of individual sub commands of the form

ipsec <command> [ <argument> ] [ <options> ]

that can be used to control and monitor IPsec connections as well as the IKE daemons.

Control Commands

ipsec start [ <starter options> ]
calls [[IpsecStarter|ipsec starter] [ <starter options> ]] which in turn parses
ipsecconf and starts the IKEv1 pluto and IKEv2 charon daemons.

ipsec stop
terminates all IPsec connection and stops the IKEv1 pluto and IKEv2 charon daemons by sending
a TERM signal to ipsec starter.

ipsec restart [ <starter options> ]
is equivalent to ipsec stop followed by ipsec start [ <starter options> ] after a
guard period of 2 seconds.

ipsec update
sends a HUP signal to ipsec starter which in turn determines any changes
in ipsecconf and updates the configuration on the running IKEv1 pluto and IKEv2
charon daemons, correspondingly.

ipsec reload
sends a USR1 signal to ipsec starter which in turn reloads the
whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the actual
ipsecconf.

*ipsec up <name> *
tells the responsible IKE daemon to start up connection <name>. Implemented by calling the
[[IpsecWhack|ipsec whack] --name <name> --initiate andor [wikiIpsecStroke ipsec stroke]]
up <name> commands.

*ipsec down <name> *
tells the responsible IKE daemon to terminate connection <name>. Implemented by calling the
[[IpsecWhack|ipsec whack] --name <name> --terminate andor [wikiIpsecStroke ipsec stroke]]
down <name> commands.

*ipsec route <name> *
tells the responsible IKE daemon to insert an IPsec policy in the kernel for
connection <name>. The first payload packet matching the IPsec policy
will automatically trigger an IKE connection setup. Implemented by calling the
ipsec whack --name <name> --route and/or
ipsec stroke route <name> commands.

*ipsec unroute <name> *
remove the IPsec policy in the kernel for connection <name>. Implemented
by calling the ipsec whack --name <name> --unroute and/or
ipsec stroke unroute <name> commands.

*ipsec status [ <name> ] *
returns concise status information either on connection <name> or if the argument is lacking,
on all connections. Implemented by calling the [[IpsecWhack|ipsec whack] [ --name <name> ]]
--status and/or [[IpsecStroke|ipsec stroke] status [ <name> ]] commands.

*ipsec statusall [ <name> ] *
returns detailed status information either on connection <name> or if the argument is lacking,
on all connections. Implemented by calling the [[IpsecWhack|ipsec whack] [ --name <name> ]]
statusall and/or [[IpsecStroke|ipsec stroke] statusall [ <name> ]] commands.

Info Commands

ipsec version
returns the ipsec version in the form of Linux strongSwan
U_
<strongSwan userland version>_*/K_*<Linux kernel version>_
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

ipsec copyright
returns the copyright information.

ipsec --confdir
returns the SYSCONFDIR directory as defined by the configure
options.

ipsec --directory
returns the LIBEXECDIR directory as defined by the configure
options.

ipsec --help
returns the usage information for the ipsec command.

ipsec --versioncode
returns the ipsec version number in the form of
'U_<strongSwan userland version>_*/K_*<Linux kernel version>_
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

List Commands

ipsec listaacerts [ --utc ]
returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by
the IKE daemon from the etcipsecdaacerts directory.
Implemented by calling the ipsec whack --listaacerts and/or
ipsec stroke listaacerts commands.

ipsec listacerts [ --utc ]
returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the
etcipsecdacerts directory. Implemented by calling the
[[IpsecWhack|ipsec whack] --listacerts andor [wikiIpsecStroke ipsec stroke]] listacerts
commands.

ipsec listalgs
returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman
groups, as well as all ESP encryption and authentication algorithms registered via the Linux
kernel's Crypto API. Supported by the IKEv1 pluto daemon only. Implemented by calling the
ipsec whack --listalgs command.

ipsec listcacerts [ --utc ]
returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by
the IKE daemon from the etcipsecdcacerts directory or received
in PKCS#7-wrapped certificate payloads via the IKE protocol. Implemented by calling the
[[IpsecWhack|ipsec whack] --listcacerts andor [wikiIpsecStroke ipsec stroke]] listcacerts
commands.

ipsec listcainfos [ --utc ]
returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers)
that were defined by [[CaSection|ca sections] in [wikiIpsecConf ipsecconf]]. Implemented
by calling the [[IpsecWhack|ipsec whack] --listcainfos andor [wikiIpsecStroke ipsec stroke]]
listcainfos commands.

ipsec listcards [ --utc ]
lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only.
Implemented by calling the ipsec whack --listcards command.

ipsec listcrls [ --utc ]
returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon
from the etcipsecdcrls directory or fetched from an HTTP- or
LDAP-based CRL distribution point. Implemented by calling the ipsec whack
--listcrls and/or wiki:IpsecStroke ipsec stroke] listcrls commands.

ipsec listcerts [ --utc ]
returns a list of X.509 and|or OpenPGP certificates that were either loaded locally by the IKE
daemon or received via the IKEv2 protocol. Implemented by calling the ipsec whack
--listcerts and/or ipsec stroke listcerts commands.

ipsec listgroups [ --utc ]
returns a list of all groups that are used to define user authorization profiles. Supported by
the IKEv1 pluto daemon only. Implemented by calling the ipsec whack --listgroups
command.

ipsec listocsp [ --utc ]
returns cached revocation information fetched from OCSP servers. Implemented by calling the
[[IpsecWhack|ipsec whack] --listocps andor [wikiIpsecStroke ipsec stroke]] listocsp commands.

ipsec listocspcerts [ --utc ]
returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE
daemon from the etcipsecdocspcerts directory or were sent
by an OCSP server. Implemented by calling the ipsec whack --listocspcerts
and/or ipsec stroke listocspcerts commands.

ipsec listpubkeys [ --utc ]
returns a list of RSA public keys that were either loaded in raw key format or extracted
from X.509 and|or OpenPGP certificates. Supported by the IKEv1 pluto daemon only. Implemented
by calling the ipsec whack --listpubkeys command.

ipsec listall [ --utc ]
returns all information generated by the list commands above. Each list command can be called
with the --url option which displays all dates in UTC instead of local time. Implemented by
calling the [[IpsecWhack|ipsec whack] --listall andor [wikiIpsecStroke ipsec stroke]]
listall commands.

Reread Commands

ipsec rereadaacerts
reads all certificate files contained in the etcipsecdaacerts
directory and adds them to the list of Authorization Authority (AA) certificates. Implemented
by calling the ipsec whack --readaacerts and/or
ipsec stroke rereadaacerts commands.

ipsec rereadacerts
reads all certificate files contained in the etcipsecdacerts
directory and adds them to the list of attribute certificates. Implemented by calling the
[[IpsecWhack|ipsec whack] --rereadacerts andor [wikiIpsecStroke ipsec stroke]]
rereadacerts commands.

ipsec rereadcacerts
reads all certificate files contained in the etcipsecdcacerts
directory and adds them to the list of Certification Authority (CA) certificates. Implemented
by calling the ipsec whack --rereadcacerts and/or
ipsec stroke rereadcacerts commands.

ipsec rereadcrls
reads all Certificate Revocation Lists (CRLs) contained in the
etcipsecdcrls directory and adds them to the list of CRLs.
Older CRLs are replaced by newer ones. Implemented by calling the ipsec whack
--rereadcrls and/or ipsec stroke rereadcrls commands.

ipsec rereadocspcerts
reads all certificate files contained in the
etcipsecdocspcerts directory and adds them to the list
of OCSP signer certificates. Implemented by calling the ipsec whack
--rereadocspcerts and/or ipsec stroke rereadocspcerts commands.

ipsec rereadsecrets
flushes and rereads all secrets defined in ipsecsecrets.
Implemented by calling the ipsec whack --rereadsecrets and/or
ipsec stroke rereadsecrets commands.

ipsec secrets
is equivalent to ipsec rereadsecrets.

ipsec rereadall
executes all reread commands listed above. Implemented by calling the
ipsec whack --rereadall and/or
ipsec stroke rereadall commands.

Purge Commands

ipsec purgeocsp
purges all cached OCSP information records. Implemented by calling the
ipsec whack --purgeocsp and/or
ipsec stroke purgeocsp commands.

PKCS11 Proxy Commands

ipsec scencrypt <value> [ --inbase <base> ] [ --outbase <base> ] [ --keyid <id> ]
Supported by the IKEv1 pluto daemon only. Implemented by calling the ipsec whack
--scencrypt command.

ipsec scdecrypt <value> [ --inbase <base> ] [ --outbase <base> ] [ --keyid <id> ]
Supported by the IKEv1 pluto daemon only. Implemented by calling the ipsec whack
--scdecrypt command.