ipsec » History » Version 12

Martin Willi, 01.10.2007 15:26
completed reread and purge command descriptions

h1. ipsec

*ipsec* is an umbrella command comprising a collection of individual sub commands of the form

  *ipsec _<command>_ [ _<argument>_ ] [ _<options>_ ]*

that can be used to control and monitor IPsec connections as well as the IKE daemons. Commands that
address the daemons are passed on to the IKEv1 daemon pluto via [[IpsecWhack|ipsec whack]] and/or to the
IKEv2 daemon charon via [[IpsecStroke|ipsec stroke]], depending on which daemon is responsible for the
connection in question.


h2. Control Commands

*ipsec start [ _<starter options>_ ]*
   calls [[IpsecStarter|ipsec starter]] [ _<starter options>_ ] which in turn parses
   [[IpsecConf|ipsec.conf]] and starts the IKEv1 pluto and IKEv2 charon daemons.

*ipsec stop*
   terminates all IPsec connections and stops the IKEv1 pluto and IKEv2 charon daemons by sending
   a _TERM_ signal to [[IpsecStarter|ipsec starter]].

*ipsec restart [ _<starter options>_ ]*
   is equivalent to *ipsec stop* followed by *ipsec start [ _<starter options>_ ]* after a
   guard period of 2 seconds.

*ipsec update*
   sends a _HUP_ signal to [[IpsecStarter|ipsec starter]] which in turn determines any changes
   in [[IpsecConf|ipsec.conf]] and updates the configuration of the running IKEv1 pluto and IKEv2
   charon daemons accordingly, i.e. in contrast to *ipsec reload* only the changes are applied.

*ipsec reload*
   sends a _USR1_ signal to [[IpsecStarter|ipsec starter]] which in turn reloads the
   whole configuration of the running IKEv1 pluto and IKEv2 charon daemons from the current
   [[IpsecConf|ipsec.conf]].

*ipsec up _<name>_*
   tells the responsible IKE daemon to initiate connection _<name>_. Implemented by calling the
   [[IpsecWhack|ipsec whack]] --name _<name>_ --initiate and/or [[IpsecStroke|ipsec stroke]]
   up _<name>_ commands.

*ipsec down _<name>_*
   tells the responsible IKE daemon to terminate connection _<name>_. Implemented by calling the
   [[IpsecWhack|ipsec whack]] --name _<name>_ --terminate and/or [[IpsecStroke|ipsec stroke]]
   down _<name>_ commands.

*ipsec route _<name>_*
   tells the responsible IKE daemon to insert an [[IpsecPolicy|IPsec policy]] in the kernel for
   connection _<name>_. The first payload packet matching the [[IpsecPolicy|IPsec policy]]
   automatically triggers an IKE connection setup; until the SA is established, matching traffic
   is not sent in the clear. Implemented by calling the
   [[IpsecWhack|ipsec whack]] --name _<name>_ --route and/or
   [[IpsecStroke|ipsec stroke]] route _<name>_ commands.

*ipsec unroute _<name>_*
   removes the [[IpsecPolicy|IPsec policy]] in the kernel for connection _<name>_. Implemented
   by calling the [[IpsecWhack|ipsec whack]] --name _<name>_ --unroute and/or
   [[IpsecStroke|ipsec stroke]] unroute _<name>_ commands.

*ipsec status [ _<name>_ ]*
   returns concise status information either on connection _<name>_ or, if the argument is omitted,
   on all connections. Implemented by calling the [[IpsecWhack|ipsec whack]] [ --name _<name>_ ]
   --status and/or [[IpsecStroke|ipsec stroke]] status [ _<name>_ ] commands.

*ipsec statusall [ _<name>_ ]*
   returns detailed status information either on connection _<name>_ or, if the argument is omitted,
   on all connections. Implemented by calling the [[IpsecWhack|ipsec whack]] [ --name _<name>_ ]
   --statusall and/or [[IpsecStroke|ipsec stroke]] statusall [ _<name>_ ] commands.


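The control commands above hand a request to the daemon; *ipsec up* returning does not by itself mean the connection is established. The following POSIX shell script is an added example (not part of strongSwan and not taken from this page) that wraps *ipsec up*, *ipsec down* and *ipsec status* so that each step is verified. It assumes, beyond what the page states, that the status line of an established IKEv2 (charon) connection contains the word ESTABLISHED and that of an IKEv1 (pluto) connection contains "IPsec SA established"; the ipsec binary is taken from the hypothetical *$IPSEC* variable so a stub can be substituted for testing.

```shell
#!/bin/sh
# Verified wrapper around "ipsec up", "ipsec down" and "ipsec status".
# Added example, not part of strongSwan. "ipsec up" only hands the request to
# the daemon, so this script polls "ipsec status" to confirm the result.
#
# Assumptions (not stated on the page): the status line of an established
# IKEv2 (charon) connection contains "ESTABLISHED" and that of an IKEv1
# (pluto) connection contains "IPsec SA established"; adjust the pattern for
# your release. The binary is taken from $IPSEC so tests can substitute a stub.

IPSEC=${IPSEC:-ipsec}

# Accept only names that could come from ipsec.conf (letters, digits, '.',
# '_' and '-') so nothing unexpected is passed on to whack or stroke.
valid_conn_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 if "ipsec status <name>" reports an established SA for the connection.
conn_established() {
    valid_conn_name "$1" || return 2
    "$IPSEC" status "$1" 2>/dev/null \
        | grep -q -E 'ESTABLISHED|IPsec SA established'
}

# Initiate <name> and wait up to <timeout> seconds (default 30) for it to be
# established. Returns 0 on success, 1 on timeout, 2 on an invalid name.
conn_up() {
    name=$1; timeout=${2:-30}; waited=0
    valid_conn_name "$name" || return 2
    "$IPSEC" up "$name" >/dev/null 2>&1
    while [ "$waited" -lt "$timeout" ]; do
        conn_established "$name" && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Terminate <name> and confirm it no longer shows as established.
conn_down() {
    valid_conn_name "$1" || return 2
    "$IPSEC" down "$1" >/dev/null 2>&1
    if conn_established "$1"; then return 1; fi
    return 0
}

# Command-line use: ./ipsec-conn.sh up|down <name> [timeout]
case "${1:-}" in
    up)   conn_up "$2" "${3:-30}" ;;
    down) conn_down "$2" ;;
esac
```

The name check matters because the argument ends up on a whack or stroke command line; restricting it to the character set a connection name in ipsec.conf can have keeps a script that reads names from an external source from passing anything else along.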

h2. Info Commands

*ipsec version*
   returns the ipsec version in the form of *Linux strongSwan U_<strongSwan userland version>_/K_<Linux kernel version>_*
   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

*ipsec copyright*
   returns the copyright information.

*ipsec --confdir*
   returns the _SYSCONFDIR_ directory as defined by the [[InstallationDocumentation|configure]]
   options.

*ipsec --directory*
   returns the _LIBEXECDIR_ directory as defined by the [[InstallationDocumentation|configure]]
   options.

*ipsec --help*
   returns the usage information for the ipsec command.

*ipsec --versioncode*
   returns the ipsec version number in the form of
   *U_<strongSwan userland version>_/K_<Linux kernel version>_*, i.e. without the leading *Linux strongSwan*,
   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.


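The *U.../K...* string is what a fleet check would parse to make sure every gateway runs a strongSwan release you have vetted. The following POSIX shell script is an added example (not part of strongSwan and not from this page) that parses the output of *ipsec --versioncode* (or *ipsec version*) and compares the userland part against a minimum. It assumes, beyond the page, that version components are dot-separated integers and ignores any non-numeric suffix on a component; the minimum version and the *$IPSEC* variable are the caller's choice.

```shell
#!/bin/sh
# Parse the output of "ipsec --versioncode" (or "ipsec version") and enforce
# a minimum strongSwan userland version, e.g. as a fleet check that every
# gateway runs a release you have vetted. Added example, not part of strongSwan.
# Assumption beyond the page: version components are dot-separated integers;
# any non-numeric suffix on a component (e.g. "rc1") is ignored.

# parse_versioncode "U4.1.8/K2.6.22"  ->  prints "4.1.8 2.6.22"
# Also accepts the "Linux strongSwan U.../K..." form printed by "ipsec version".
# Returns 1 if the string is not of that form.
parse_versioncode() {
    s=${1#"Linux strongSwan "}
    case "$s" in
        U*/K*) ;;
        *) return 1 ;;
    esac
    u=${s#U}; u=${u%%/K*}
    k=${s##*/K}
    [ -n "$u" ] && [ -n "$k" ] || return 1
    printf '%s %s\n' "$u" "$k"
}

# version_ge A B: return 0 if dotted version A >= B (numeric, field by field;
# missing fields count as 0, so 4.1 == 4.1.0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# require_min_userland <versioncode string> <minimum>: 0 if the userland part
# is at least <minimum>, 1 if it is older, 2 if the string cannot be parsed.
require_min_userland() {
    parsed=$(parse_versioncode "$1") || return 2
    version_ge "${parsed%% *}" "$2"
}

# Command-line use: ./check-version.sh 4.1.4   (queries the local "ipsec")
if [ -n "${1:-}" ]; then
    code=$("${IPSEC:-ipsec}" --versioncode 2>/dev/null)
    case "$(require_min_userland "$code" "$1"; echo $?)" in
        0) echo "ok: $code" ;;
        1) echo "too old: $code"; exit 1 ;;
        *) echo "unparsable: $code"; exit 2 ;;
    esac
fi
```

A string comparison would rank 4.10.0 below 4.9.9, which is why the fields are compared numerically one at a time; an unparsable string is reported separately from an old one so that a host with a broken or missing ipsec binary is not silently counted as compliant.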

h2. List Commands

Each list command accepts the _--utc_ option, which displays all dates in UTC instead of local time.

*ipsec listaacerts [ --utc ]*
   returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by
   the IKE daemon from the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory.
   Implemented by calling the [[IpsecWhack|ipsec whack]] --listaacerts and/or
   [[IpsecStroke|ipsec stroke]] listaacerts commands.

*ipsec listacerts [ --utc ]*
   returns a list of X.509 attribute certificates that were loaded locally by the IKE daemon from the
   [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory. Implemented by calling the
   [[IpsecWhack|ipsec whack]] --listacerts and/or [[IpsecStroke|ipsec stroke]] listacerts
   commands.

*ipsec listalgs*
   returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman
   groups, as well as all ESP encryption and authentication algorithms registered via the Linux
   kernel's Crypto API. Supported by the IKEv1 pluto daemon only. Implemented by calling the
   [[IpsecWhack|ipsec whack]] --listalgs command.

*ipsec listcacerts [ --utc ]*
   returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by
   the IKE daemon from the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory or received
   in PKCS#7-wrapped certificate payloads via the IKE protocol. Implemented by calling the
   [[IpsecWhack|ipsec whack]] --listcacerts and/or [[IpsecStroke|ipsec stroke]] listcacerts
   commands.

*ipsec listcainfos [ --utc ]*
   returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers)
   that was defined by [[CaSection|ca sections]] in [[IpsecConf|ipsec.conf]]. Implemented
   by calling the [[IpsecWhack|ipsec whack]] --listcainfos and/or [[IpsecStroke|ipsec stroke]]
   listcainfos commands.

*ipsec listcards [ --utc ]*
   lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only.
   Implemented by calling the [[IpsecWhack|ipsec whack]] --listcards command.

*ipsec listcrls [ --utc ]*
   returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon
   from the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory or fetched from an HTTP- or
   LDAP-based CRL distribution point. Implemented by calling the [[IpsecWhack|ipsec whack]]
   --listcrls and/or [[IpsecStroke|ipsec stroke]] listcrls commands.

*ipsec listcerts [ --utc ]*
   returns a list of X.509 and/or [[OpenPGP]] certificates that were either loaded locally by the IKE
   daemon or received via the IKEv2 protocol. Implemented by calling the [[IpsecWhack|ipsec whack]]
   --listcerts and/or [[IpsecStroke|ipsec stroke]] listcerts commands.

*ipsec listgroups [ --utc ]*
   returns a list of all groups that are used to define user authorization profiles. Supported by
   the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listgroups
   command.

*ipsec listocsp [ --utc ]*
   returns cached revocation information fetched from OCSP servers. Implemented by calling the
   [[IpsecWhack|ipsec whack]] --listocsp and/or [[IpsecStroke|ipsec stroke]] listocsp commands.

*ipsec listocspcerts [ --utc ]*
   returns a list of X.509 OCSP signer certificates that were either loaded locally by the IKE
   daemon from the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory or were sent
   by an OCSP server. Implemented by calling the [[IpsecWhack|ipsec whack]] --listocspcerts
   and/or [[IpsecStroke|ipsec stroke]] listocspcerts commands.

*ipsec listpubkeys [ --utc ]*
   returns a list of RSA public keys that were either loaded in raw key format or extracted
   from X.509 and/or [[OpenPGP]] certificates. Supported by the IKEv1 pluto daemon only. Implemented
   by calling the [[IpsecWhack|ipsec whack]] --listpubkeys command.

*ipsec listall [ --utc ]*
   returns all information generated by the list commands above. Implemented by
   calling the [[IpsecWhack|ipsec whack]] --listall and/or [[IpsecStroke|ipsec stroke]]
   listall commands.



h2. Reread Commands

*ipsec rereadaacerts*
   reads all certificate files contained in the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]]
   directory and adds them to the list of Authorization Authority (AA) certificates. Implemented
   by calling the [[IpsecWhack|ipsec whack]] --rereadaacerts and/or
   [[IpsecStroke|ipsec stroke]] rereadaacerts commands.

*ipsec rereadacerts*
   reads all certificate files contained in the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]]
   directory and adds them to the list of attribute certificates. Implemented by calling the
   [[IpsecWhack|ipsec whack]] --rereadacerts and/or [[IpsecStroke|ipsec stroke]]
   rereadacerts commands.

*ipsec rereadcacerts*
   reads all certificate files contained in the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]]
   directory and adds them to the list of Certification Authority (CA) certificates. Implemented
   by calling the [[IpsecWhack|ipsec whack]] --rereadcacerts and/or
   [[IpsecStroke|ipsec stroke]] rereadcacerts commands.

*ipsec rereadcrls*
   reads all Certificate Revocation Lists (CRLs) contained in the
   [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory and adds them to the list of CRLs.
   Older CRLs are replaced by newer ones. Implemented by calling the [[IpsecWhack|ipsec whack]]
   --rereadcrls and/or [[IpsecStroke|ipsec stroke]] rereadcrls commands.

*ipsec rereadocspcerts*
   reads all certificate files contained in the
   [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory and adds them to the list
   of OCSP signer certificates. Implemented by calling the [[IpsecWhack|ipsec whack]]
   --rereadocspcerts and/or [[IpsecStroke|ipsec stroke]] rereadocspcerts commands.

*ipsec rereadsecrets*
   flushes and rereads all secrets defined in [[IpsecSecrets|ipsec.secrets]].
   Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadsecrets and/or
   [[IpsecStroke|ipsec stroke]] rereadsecrets commands.

*ipsec secrets*
   is equivalent to *ipsec rereadsecrets*.

*ipsec rereadall*
   executes all reread commands listed above. Implemented by calling the
   [[IpsecWhack|ipsec whack]] --rereadall and/or
   [[IpsecStroke|ipsec stroke]] rereadall commands.


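The reread commands add whatever they find in the corresponding directory, so the usual workflow for a new CA certificate or CRL is: drop the file into the right directory under /etc/ipsec.d, then run the matching reread command. Because every file in those directories becomes a trust anchor or revocation source, the copy step is where a practitioner wants checks. The following POSIX shell script is an added example (not part of strongSwan and not from this page) of that procedure. Beyond what the page states it assumes the directory layout /etc/ipsec.d/cacerts, aacerts, acerts, ocspcerts and crls (overridable through the hypothetical *$IPSEC_D* variable for testing), an ipsec binary named by *$IPSEC*, and PEM- or DER-encoded input files.

```shell
#!/bin/sh
# Install a certificate or CRL into a strongSwan trust directory and make the
# running daemons load it with the matching reread command. Added example, not
# part of strongSwan. Assumptions beyond the page: the directories live under
# /etc/ipsec.d (override with $IPSEC_D, e.g. for tests), the binary is named
# by $IPSEC, and objects are PEM or DER encoded.

IPSEC=${IPSEC:-ipsec}
IPSEC_D=${IPSEC_D:-/etc/ipsec.d}

# Map a trust directory to the reread command that (re)loads it.
reread_cmd_for() {
    case "$1" in
        cacerts)   echo rereadcacerts ;;
        aacerts)   echo rereadaacerts ;;
        acerts)    echo rereadacerts ;;
        ocspcerts) echo rereadocspcerts ;;
        crls)      echo rereadcrls ;;
        *)         return 1 ;;
    esac
}

# Cheap plausibility check before anything lands in a directory whose
# contents become trusted: a PEM header of the right type, or a DER
# SEQUENCE (first byte 0x30). Not a parser, just a guard against stray files.
looks_like_object() {
    file=$1; kind=$2
    case "$kind" in
        crls) pem='X509 CRL' ;;
        *)    pem='CERTIFICATE' ;;   # also matches ATTRIBUTE CERTIFICATE
    esac
    first=$(head -c 1 "$file" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ] && return 0
    head -n 1 "$file" 2>/dev/null | grep -q "^-----BEGIN .*$pem-----"
}

# install_trust_object <file> <cacerts|aacerts|acerts|ocspcerts|crls>
# Returns 0 on success; 2 unknown directory, 3 file does not look like the
# expected object, 4 copy failed, 5 target directory is world-writable.
install_trust_object() {
    src=$1; kind=$2
    cmd=$(reread_cmd_for "$kind") || return 2
    looks_like_object "$src" "$kind" || return 3
    dir="$IPSEC_D/$kind"
    mkdir -p -m 0755 "$dir" || return 4
    # Any local user able to write here could add a trust anchor or CRL.
    if find "$dir" -prune -perm -0002 | grep -q .; then return 5; fi
    dest="$dir/$(basename "$src")"
    cp "$src" "$dest" && chmod 0644 "$dest" || return 4
    "$IPSEC" "$cmd"
}

# Command-line use: ./install-trust.sh /tmp/new-ca.crl crls
if [ -n "${2:-}" ]; then
    install_trust_object "$1" "$2"
fi
```

The same pattern applies to ipsec.secrets: edit the file, then run *ipsec rereadsecrets* (or its alias *ipsec secrets*) so the daemons flush the old entries and pick up the new ones without a restart.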

h2. Purge Commands

*ipsec purgeocsp*
   purges all cached OCSP information records. Implemented by calling the
   [[IpsecWhack|ipsec whack]] --purgeocsp and/or
   [[IpsecStroke|ipsec stroke]] purgeocsp commands.



h2. PKCS11 Proxy Commands

*ipsec scencrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
   Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]]
   --scencrypt command.

*ipsec scdecrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
   Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]]
   --scdecrypt command.