strongSwan

h1. ipsec

*ipsec* is actually an umbrella command comprising a collection of individual sub commands of the form 

  *ipsec _<command>_ [ _<argument>_ ]  [ _<options>_ ]*

that can be used to control and monitor IPsec connections as well as the IKE daemons.

h2. Control Commands

*ipsec start [ _<starter options>_ ]*

   calls [[IpsecStarter|ipsec starter] [ _<starter options>_ ]] which in turn parses

   [[IpsecConf|ipsecconf]] and starts the IKEv1 pluto and IKEv2 charon daemons.

*ipsec stop*

   terminates all IPsec connection and stops the IKEv1 pluto and IKEv2 charon daemons by sending

   a _TERM_ signal to [[IpsecStarter|ipsec starter]].

*ipsec restart [ _<starter options>_ ]*

   is equivalent to *ipsec stop* followed by *ipsec start [ _<starter options>_ ]* after a

   guard period of 2 seconds.

*ipsec update*

   sends a _HUP_ signal to [[IpsecStarter|ipsec starter]] which in turn determines any changes

   in [[IpsecConf|ipsecconf]] and updates the configuration on the running IKEv1 pluto and IKEv2 

   charon daemons, correspondingly.

*ipsec reload*

   sends a _USR1_ signal to [[IpsecStarter|ipsec starter]] which in turn reloads the

   whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the actual

   [[IpsecConf|ipsecconf]].

*ipsec up  _<name>_ *

   tells the responsible IKE daemon to start up connection _<name>_. Implemented by calling the 

   [[IpsecWhack|ipsec whack] --name _<name>_ --initiate andor [wikiIpsecStroke ipsec stroke]]

   up _<name>_ commands.

*ipsec down  _<name>_ *

   tells the responsible IKE daemon to terminate connection _<name>_. Implemented by calling the 

   [[IpsecWhack|ipsec whack] --name _<name>_ --terminate andor [wikiIpsecStroke ipsec stroke]]

   down _<name>_ commands.

*ipsec route  _<name>_ *

   tells the responsible IKE daemon to insert an [[IpsecPolicy|IPsec policy]] in the kernel for 

   connection _<name>_. The first payload packet matching the [[IpsecPolicy|IPsec policy]]

   will automatically trigger an IKE connection setup. Implemented by calling the

   [[IpsecWhack|ipsec whack]] --name _<name>_ --route and/or

   [[IpsecStroke|ipsec stroke]] route _<name>_ commands.

*ipsec unroute  _<name>_ *

   remove the [[IpsecPolicy|IPsec policy]] in the kernel for connection _<name>_. Implemented

   by calling the [[IpsecWhack|ipsec whack]] --name _<name>_ --unroute and/or

   [[IpsecStroke|ipsec stroke]] unroute _<name>_ commands.

*ipsec status [ _<name>_ ] *

   returns concise status information either on connection _<name>_ or if the argument is lacking,

   on all connections. Implemented by calling the [[IpsecWhack|ipsec whack] [ --name _<name>_ ]]

   --status and/or [[IpsecStroke|ipsec stroke] status [ _<name>_ ]] commands.

*ipsec statusall [ _<name>_ ] *

   returns detailed status information either on connection _<name>_ or if the argument is lacking,

   on all connections. Implemented by calling the [[IpsecWhack|ipsec whack] [ --name _<name>_ ]]

   statusall and/or [[IpsecStroke|ipsec stroke] statusall [ _<name>_ ]] commands.

h2. Info Commands

*ipsec version*

   returns the ipsec version in the form of *Linux strongSwan

   U_*<strongSwan userland version>_*/K_*<Linux kernel version>_

   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

*ipsec copyright*

   returns the copyright information.

*ipsec --confdir*

   returns the _SYSCONFDIR_ directory as defined by the [[InstallationDocumentation|configure]]

   options.

*ipsec --directory*

   returns the _LIBEXECDIR_ directory as defined by the [[InstallationDocumentation|configure]]

   options.

*ipsec --help*

   returns the usage information for the ipsec command.

*ipsec --versioncode*

   returns the ipsec version number in the form of

   *'U_*<strongSwan userland version>_*/K_*<Linux kernel version>_

   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

h2. List Commands

*ipsec listaacerts [ --utc ]*

   returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by

   the IKE daemon from the [[IpsecDirectoryAacerts|etcipsecdaacerts]] directory.

   Implemented by calling the [[IpsecWhack|ipsec whack]] --listaacerts and/or

   [[IpsecStroke|ipsec stroke]] listaacerts commands.

*ipsec listacerts [ --utc ]*

   returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the

   [[IpsecDirectoryAcerts|etcipsecdacerts]] directory. Implemented by calling the

   [[IpsecWhack|ipsec whack] --listacerts andor [wikiIpsecStroke ipsec stroke]] listacerts

   commands.

*ipsec listalgs*

   returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman

   groups, as well as all ESP encryption and authentication algorithms registered via the Linux

   kernel's Crypto API. Supported by the IKEv1 pluto daemon only. Implemented by calling the

   [[IpsecWhack|ipsec whack]] --listalgs command.

*ipsec listcacerts [ --utc ]*

   returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by

   the IKE daemon from the [[IpsecDirectoryCacerts|etcipsecdcacerts]] directory or received

   in PKCS#7-wrapped certificate payloads via the IKE protocol. Implemented by calling the

   [[IpsecWhack|ipsec whack] --listcacerts andor [wikiIpsecStroke ipsec stroke]] listcacerts

   commands.

*ipsec listcainfos [ --utc ]*

   returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers)

   that were defined by [[CaSection|ca sections] in [wikiIpsecConf ipsecconf]]. Implemented

   by calling the [[IpsecWhack|ipsec whack] --listcainfos andor [wikiIpsecStroke ipsec stroke]]

   listcainfos commands.

*ipsec listcards [ --utc ]*

   lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only.

   Implemented by calling the [[IpsecWhack|ipsec whack]] --listcards command.

*ipsec listcrls [ --utc ]*

   returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon

   from the [[IpsecDirectoryCrls|etcipsecdcrls]] directory or fetched from an HTTP- or

   LDAP-based CRL distribution point. Implemented by calling the [[IpsecWhack|ipsec whack]] 

   --listcrls and/or wiki:IpsecStroke ipsec stroke] listcrls commands.

*ipsec listcerts [ --utc ]*

   returns a list of X.509 and|or [[OpenPGP]] certificates that were either loaded locally by the IKE

   daemon or received via the IKEv2 protocol. Implemented by calling the [[IpsecWhack|ipsec whack]]

   --listcerts and/or [[IpsecStroke|ipsec stroke]] listcerts commands.

*ipsec listgroups [ --utc ]*

   returns a list of all groups that are used to define user authorization profiles. Supported by

   the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listgroups

   command.

*ipsec listocsp [ --utc ]*

   returns cached revocation information fetched from OCSP servers. Implemented by calling the

   [[IpsecWhack|ipsec whack] --listocps andor [wikiIpsecStroke ipsec stroke]] listocsp commands.

*ipsec listocspcerts [ --utc ]*

   returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE

   daemon from the [[IpsecDirectoryOcspcerts|etcipsecdocspcerts]] directory or were sent

   by an OCSP server. Implemented by calling the [[IpsecWhack|ipsec whack]] --listocspcerts

   and/or [[IpsecStroke|ipsec stroke]] listocspcerts commands.

*ipsec listpubkeys [ --utc ]*

   returns  a  list  of  RSA  public keys that were either loaded in raw key format or extracted

   from X.509 and|or [[OpenPGP]] certificates. Supported by the IKEv1 pluto daemon only. Implemented

   by calling the [[IpsecWhack|ipsec whack]] --listpubkeys command.

*ipsec listall [ --utc ]*

   returns  all information generated by the list commands above. Each list command can be called

   with the _--url_ option which displays all dates in UTC instead of local time. Implemented by

   calling the [[IpsecWhack|ipsec whack] --listall andor [wikiIpsecStroke ipsec stroke]]

   listall commands.

h2. Reread Commands

*ipsec rereadaacerts*

   reads all certificate files contained in the [[IpsecDirectoryAacerts|etcipsecdaacerts]]

   directory and adds them to the list of Authorization Authority (AA) certificates. Implemented

   by calling the [[IpsecWhack|ipsec whack]] --readaacerts and/or

   [[IpsecStroke|ipsec stroke]] rereadaacerts commands.

*ipsec rereadacerts*

   reads all certificate files contained in the [[IpsecDirectoryAcerts|etcipsecdacerts]]

   directory and adds them to the list of attribute certificates. Implemented by calling the

   [[IpsecWhack|ipsec whack] --rereadacerts andor [wikiIpsecStroke ipsec stroke]]

   rereadacerts commands.

*ipsec rereadcacerts*

   reads all certificate files contained in  the [[IpsecDirectoryCacerts|etcipsecdcacerts]]

   directory  and adds them to the list of Certification Authority (CA) certificates. Implemented

   by calling the [[IpsecWhack|ipsec whack]] --rereadcacerts and/or

   [[IpsecStroke|ipsec stroke]] rereadcacerts commands.

*ipsec rereadcrls*

   reads all Certificate Revocation Lists (CRLs) contained in the

   [[IpsecDirectoryCrls|etcipsecdcrls]] directory and adds them to the list of CRLs.

   Older CRLs are replaced by newer ones. Implemented by calling the [[IpsecWhack|ipsec whack]]

   --rereadcrls and/or [[IpsecStroke|ipsec stroke]] rereadcrls commands.

*ipsec rereadocspcerts*

   reads all certificate files contained in the

   [[IpsecDirectoryOcspcerts|etcipsecdocspcerts]] directory and adds them to the list

   of OCSP signer certificates. Implemented by calling the [[IpsecWhack|ipsec whack]]

   --rereadocspcerts and/or [[IpsecStroke|ipsec stroke]] rereadocspcerts commands.

*ipsec rereadsecrets*

   flushes and rereads all secrets defined in [[IpsecSecrets|ipsecsecrets]].

   Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadsecrets and/or

   [[IpsecStroke|ipsec stroke]] rereadsecrets commands.

*ipsec secrets*

   is equivalent to *ipsec rereadsecrets*.

*ipsec rereadall*

   executes all reread commands listed above. Implemented by calling the

   [[IpsecWhack|ipsec whack]] --rereadall and/or

   [[IpsecStroke|ipsec stroke]] rereadall commands.

h2. Purge Commands

*ipsec purgeocsp*

   purges all cached OCSP information records. Implemented by calling the

   [[IpsecWhack|ipsec whack]] --purgeocsp and/or

   [[IpsecStroke|ipsec stroke]] purgeocsp commands.

h2. PKCS11 Proxy Commands

*ipsec scencrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*

   Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]]

   --scencrypt command.

*ipsec scdecrypt _<value>_ [ --inbase <base> ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*

   Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]]

   --scdecrypt command.