Version 12 (Martin Willi, 01.10.2007 15:26) → Version 13/32 (Tobias Brunner, 05.05.2009 18:37)
h1. ipsec
*ipsec* is actually an umbrella command comprising a collection of individual sub commands of the form
p((. *ipsec _<command>_ [ _<argument>_ ] [ _<options>_ ]*
that can be used to control and monitor IPsec connections as well as the IKE daemons.
h2. Control Commands
*ipsec start [ _<starter options>_ ]*
p((. calls [[IpsecStarter|ipsec starter]] [ _<starter options>_ ] which in turn parses [[IpsecConf|ipsec.conf]] and starts the IKEv1 pluto and IKEv2 charon daemons.
*ipsec stop*
p((. terminates all IPsec connections and stops the IKEv1 pluto and IKEv2 charon daemons by sending a _TERM_ signal to [[IpsecStarter|ipsec starter]].
*ipsec restart [ _<starter options>_ ]*
p((. is equivalent to *ipsec stop* followed by *ipsec start [ _<starter options>_ ]* after a guard period of 2 seconds.
*ipsec update*
p((. sends a _HUP_ signal to [[IpsecStarter|ipsec starter]] which in turn determines any changes in [[IpsecConf|ipsec.conf]] and updates the configuration on the running IKEv1 pluto and IKEv2 charon daemons, correspondingly.
*ipsec reload*
p((. sends a _USR1_ signal to [[IpsecStarter|ipsec starter]] which in turn reloads the whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the actual [[IpsecConf|ipsec.conf]].
*ipsec up _<name>_*
p((. tells the responsible IKE daemon to start up connection _<name>_. Implemented by calling the [[IpsecWhack|ipsec whack]] --name _<name>_ --initiate and/or [[IpsecStroke|ipsec stroke]] up _<name>_ commands.
*ipsec down _<name>_*
p((. tells the responsible IKE daemon to terminate connection _<name>_. Implemented by calling the [[IpsecWhack|ipsec whack]] --name _<name>_ --terminate and/or [[IpsecStroke|ipsec stroke]] down _<name>_ commands.
*ipsec route _<name>_*
p((. tells the responsible IKE daemon to insert an [[IpsecPolicy|IPsec policy]] in the kernel for connection _<name>_. The first payload packet matching the [[IpsecPolicy|IPsec policy]] will automatically trigger an IKE connection setup. Implemented by calling the [[IpsecWhack|ipsec whack]] --name _<name>_ --route and/or [[IpsecStroke|ipsec stroke]] route _<name>_ commands.
*ipsec unroute _<name>_*
p((. removes the [[IpsecPolicy|IPsec policy]] in the kernel for connection _<name>_. Implemented by calling the [[IpsecWhack|ipsec whack]] --name _<name>_ --unroute and/or [[IpsecStroke|ipsec stroke]] unroute _<name>_ commands.
*ipsec status [ _<name>_ ]*
p((. returns concise status information either on connection _<name>_ or, if the argument is lacking, on all connections. Implemented by calling the [[IpsecWhack|ipsec whack]] [ --name _<name>_ ] --status and/or [[IpsecStroke|ipsec stroke]] status [ _<name>_ ] commands.
*ipsec statusall [ _<name>_ ]*
p((. returns detailed status information either on connection _<name>_ or, if the argument is lacking, on all connections. Implemented by calling the [[IpsecWhack|ipsec whack]] [ --name _<name>_ ] --statusall and/or [[IpsecStroke|ipsec stroke]] statusall [ _<name>_ ] commands.
h2. Info Commands
*ipsec version*
p((. returns the ipsec version in the form of *Linux strongSwan U_<strongSwan userland version>_/K_<Linux kernel version>_* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
*ipsec copyright*
p((. returns the copyright information.
*ipsec --confdir*
p((. returns the _SYSCONFDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.
*ipsec --directory*
p((. returns the _LIBEXECDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.
*ipsec --help*
p((. returns the usage information for the ipsec command.
*ipsec --versioncode*
p((. returns the ipsec version number in the form of *U_<strongSwan userland version>_/K_<Linux kernel version>_* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
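The two version strings above are handy for a patch-level check from a monitoring job. The following POSIX shell script is an added example, not part of the strongSwan project: it parses either the *ipsec version* or the *ipsec --versioncode* form, splits out the userland and kernel versions, and compares the userland version against a minimum. The sample strings are constructed, not captured from a real host, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not strongSwan's own code): parse the NETKEY-form version
# strings "Linux strongSwan U<userland>/K<kernel>" (ipsec version) and
# "U<userland>/K<kernel>" (ipsec --versioncode).

# Print "<userland> <kernel>" for a version string, or return 1 if the
# string is not in one of the two documented forms.
parse_ipsec_version() {
    out=$(printf '%s\n' "$1" |
        sed -n 's#^\(Linux strongSwan \)\{0,1\}U\([^/]*\)/K\(.*\)$#\2 \3#p')
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# The U<...> part only.
userland_version() {
    v=$(parse_ipsec_version "$1") || return 1
    printf '%s\n' "${v%% *}"
}

# The K<...> part only.
kernel_version() {
    v=$(parse_ipsec_version "$1") || return 1
    printf '%s\n' "${v#* }"
}

# Return 0 if dotted version $1 is >= $2, comparing field by field as
# integers (a trailing suffix such as "-gentoo" is ignored by awk's +0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0;
            bi = (i <= nb) ? y[i] + 0 : 0;
            if (ai > bi) exit 0;
            if (ai < bi) exit 1;
        }
        exit 0
    }'
}

# Given the output of "ipsec version" ($1) and a minimum userland
# version ($2): 0 if recent enough, 1 if too old, 2 if unparsable.
check_userland_at_least() {
    u=$(userland_version "$1") || {
        echo "unrecognised version string: $1" >&2
        return 2
    }
    if version_ge "$u" "$2"; then
        echo "strongSwan userland $u >= $2: OK"
    else
        echo "strongSwan userland $u < $2: upgrade needed" >&2
        return 1
    fi
}

# Constructed sample output (not captured from a real host):
SAMPLE_VERSION='Linux strongSwan U4.3.0/K2.6.29'
echo "userland: $(userland_version "$SAMPLE_VERSION")  kernel: $(kernel_version "$SAMPLE_VERSION")"
check_userland_at_least "$SAMPLE_VERSION" 4.2.0
# On a real host you would pass the live string instead:
#   check_userland_at_least "$(ipsec version)" 4.3.0
```

The sed pattern makes the *Linux strongSwan* prefix optional so the same parser covers both commands; anything else (for example output from a non-NETKEY build) is reported as unrecognised rather than silently compared.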
h2. List Commands
*ipsec listaacerts [ --utc ]*
p((. returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory. Implemented by calling the [[IpsecWhack|ipsec whack]] --listaacerts and/or [[IpsecStroke|ipsec stroke]] listaacerts commands.
*ipsec listacerts [ --utc ]*
p((. returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory. Implemented by calling the [[IpsecWhack|ipsec whack]] --listacerts and/or [[IpsecStroke|ipsec stroke]] listacerts commands.
*ipsec listalgs*
p((. returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman groups, as well as all ESP encryption and authentication algorithms registered via the Linux kernel's Crypto API. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listalgs command.
*ipsec listcacerts [ --utc ]*
p((. returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory or received in PKCS#7-wrapped certificate payloads via the IKE protocol. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcacerts and/or [[IpsecStroke|ipsec stroke]] listcacerts commands.
*ipsec listcainfos [ --utc ]*
p((. returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by [[CaSection|ca sections]] in [[IpsecConf|ipsec.conf]]. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcainfos and/or [[IpsecStroke|ipsec stroke]] listcainfos commands.
*ipsec listcards [ --utc ]*
p((. lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcards command.
*ipsec listcrls [ --utc ]*
p((. returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon from the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory or fetched from an HTTP- or LDAP-based CRL distribution point. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcrls and/or [[IpsecStroke|ipsec stroke]] listcrls commands.
*ipsec listcerts [ --utc ]*
p((. returns a list of X.509 and/or [[OpenPGP]] certificates that were either loaded locally by the IKE daemon or received via the IKEv2 protocol. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcerts and/or [[IpsecStroke|ipsec stroke]] listcerts commands.
*ipsec listgroups [ --utc ]*
p((. returns a list of all groups that are used to define user authorization profiles. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listgroups command.
*ipsec listocsp [ --utc ]*
p((. returns cached revocation information fetched from OCSP servers. Implemented by calling the [[IpsecWhack|ipsec whack]] --listocsp and/or [[IpsecStroke|ipsec stroke]] listocsp commands.
*ipsec listocspcerts [ --utc ]*
p((. returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE daemon from the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory or were sent by an OCSP server. Implemented by calling the [[IpsecWhack|ipsec whack]] --listocspcerts and/or [[IpsecStroke|ipsec stroke]] listocspcerts commands.
*ipsec listpubkeys [ --utc ]*
p((. returns a list of RSA public keys that were either loaded in raw key format or extracted from X.509 and/or [[OpenPGP]] certificates. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listpubkeys command.
*ipsec listall [ --utc ]*
p((. returns all information generated by the list commands above. Each list command can be called with the _--utc_ option which displays all dates in UTC instead of local time. Implemented by calling the [[IpsecWhack|ipsec whack]] --listall and/or [[IpsecStroke|ipsec stroke]] listall commands.
h2. Reread Commands
*ipsec rereadaacerts*
p((. reads all certificate files contained in the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory and adds them to the list of Authorization Authority (AA) certificates. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadaacerts and/or [[IpsecStroke|ipsec stroke]] rereadaacerts commands.
*ipsec rereadacerts*
p((. reads all certificate files contained in the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory and adds them to the list of attribute certificates. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadacerts and/or [[IpsecStroke|ipsec stroke]] rereadacerts commands.
*ipsec rereadcacerts*
p((. reads all certificate files contained in the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory and adds them to the list of Certification Authority (CA) certificates. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadcacerts and/or [[IpsecStroke|ipsec stroke]] rereadcacerts commands.
*ipsec rereadcrls*
p((. reads all Certificate Revocation Lists (CRLs) contained in the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory and adds them to the list of CRLs. Older CRLs are replaced by newer ones. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadcrls and/or [[IpsecStroke|ipsec stroke]] rereadcrls commands.
*ipsec rereadocspcerts*
p((. reads all certificate files contained in the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory and adds them to the list of OCSP signer certificates. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadocspcerts and/or [[IpsecStroke|ipsec stroke]] rereadocspcerts commands.
*ipsec rereadsecrets*
p((. flushes and rereads all secrets defined in [[IpsecSecrets|ipsec.secrets]]. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadsecrets and/or [[IpsecStroke|ipsec stroke]] rereadsecrets commands.
*ipsec secrets*
p((. is equivalent to *ipsec rereadsecrets*.
*ipsec rereadall*
p((. executes all reread commands listed above. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadall and/or [[IpsecStroke|ipsec stroke]] rereadall commands.
h2. Purge Commands
*ipsec purgeocsp*
p((. purges all cached OCSP information records. Implemented by calling the [[IpsecWhack|ipsec whack]] --purgeocsp and/or [[IpsecStroke|ipsec stroke]] purgeocsp commands.
h2. PKCS11 Proxy Commands
*ipsec scencrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scencrypt command.
*ipsec scdecrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scdecrypt command.