Project

General

Profile

ipsec » History » Version 15

Daniel Mentz, 19.05.2010 08:57
fixed paragraph formatting

1 12 Martin Willi
h1. ipsec
2 1 Martin Willi
3 1 Martin Willi
4 12 Martin Willi
*ipsec* is actually an umbrella command comprising a collection of individual sub commands of the form 
5 1 Martin Willi
6 13 Tobias Brunner
p((. *ipsec _<command>_ [ _<argument>_ ]  [ _<options>_ ]*
7 12 Martin Willi
8 1 Martin Willi
that can be used to control and monitor IPsec connections as well as the IKE daemons.
9 1 Martin Willi
10 1 Martin Willi
11 12 Martin Willi
h2. Control Commands
12 1 Martin Willi
13 1 Martin Willi
14 1 Martin Willi
*ipsec start [ _<starter options>_ ]*
15 15 Daniel Mentz
16 13 Tobias Brunner
p((. calls [[IpsecStarter|ipsec starter]] [ _<starter options>_ ]] which in turn parses [[IpsecConf|ipsec.conf]] and starts the IKEv1 pluto and IKEv2 charon daemons.
17 12 Martin Willi
18 12 Martin Willi
*ipsec stop*
19 15 Daniel Mentz
20 13 Tobias Brunner
p((. terminates all IPsec connection and stops the IKEv1 pluto and IKEv2 charon daemons by sending a _TERM_ signal to [[IpsecStarter|ipsec starter]].
21 1 Martin Willi
22 12 Martin Willi
*ipsec restart [ _<starter options>_ ]*
23 15 Daniel Mentz
24 13 Tobias Brunner
p((. is equivalent to *ipsec stop* followed by *ipsec start [ _<starter options>_ ]* after a guard period of 2 seconds.
25 1 Martin Willi
   
26 1 Martin Willi
*ipsec update*
27 15 Daniel Mentz
28 13 Tobias Brunner
p((. sends a _HUP_ signal to [[IpsecStarter|ipsec starter]] which in turn determines any changes in [[IpsecConf|ipsec.conf]] and updates the configuration on the running IKEv1 pluto and IKEv2 charon daemons, correspondingly.
29 1 Martin Willi
30 12 Martin Willi
*ipsec reload*
31 15 Daniel Mentz
32 13 Tobias Brunner
p((. sends a _USR1_ signal to [[IpsecStarter|ipsec starter]] which in turn reloads the whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the actual [[IpsecConf|ipsec.conf]].
33 1 Martin Willi
34 13 Tobias Brunner
*ipsec up  _<name>_*
35 15 Daniel Mentz
36 13 Tobias Brunner
p((. tells the responsible IKE daemon to start up connection _<name>_. Implemented by calling the [[IpsecWhack|ipsec whack]] --name _<name>_ --initiate and/or [[IpsecStroke|ipsec stroke]] up _<name>_ commands.
37 12 Martin Willi
38 13 Tobias Brunner
*ipsec down  _<name>_*
39 15 Daniel Mentz
40 13 Tobias Brunner
p((.  tells the responsible IKE daemon to terminate connection _<name>_. Implemented by calling the [[IpsecWhack|ipsec whack]] --name _<name>_ --terminate and/or [[IpsecStroke|ipsec stroke]] down _<name>_ commands.
41 12 Martin Willi
42 13 Tobias Brunner
*ipsec route  _<name>_*
43 15 Daniel Mentz
44 13 Tobias Brunner
p((. tells the responsible IKE daemon to insert an [[IpsecPolicy|IPsec policy]] in the kernel for connection _<name>_. The first payload packet matching the [[IpsecPolicy|IPsec policy]] will automatically trigger an IKE connection setup. Implemented by calling the [[IpsecWhack|ipsec whack]] --name _<name>_ --route and/or [[IpsecStroke|ipsec stroke]] route _<name>_ commands.
45 1 Martin Willi
46 13 Tobias Brunner
*ipsec unroute  _<name>_*
47 15 Daniel Mentz
48 13 Tobias Brunner
p((. remove the [[IpsecPolicy|IPsec policy]] in the kernel for connection _<name>_. Implemented by calling the [[IpsecWhack|ipsec whack]] --name _<name>_ --unroute and/or [[IpsecStroke|ipsec stroke]] unroute _<name>_ commands.
49 5 Martin Willi
 
50 13 Tobias Brunner
*ipsec status [ _<name>_ ]*
51 15 Daniel Mentz
52 13 Tobias Brunner
p((.  returns concise status information either on connection _<name>_ or if the argument is lacking, on all connections. Implemented by calling the [[IpsecWhack|ipsec whack]] [ --name _<name>_ ] --status and/or [[IpsecStroke|ipsec stroke]] status [ _<name>_ ] commands.
53 13 Tobias Brunner
54 12 Martin Willi
*ipsec statusall [ _<name>_ ]*
55 15 Daniel Mentz
56 1 Martin Willi
p((. returns detailed status information either on connection _<name>_ or if the argument is lacking, on all connections. Implemented by calling the [[IpsecWhack|ipsec whack]] [ --name _<name>_ ] statusall and/or [[IpsecStroke|ipsec stroke]] statusall [ _<name>_ ] commands.
57 12 Martin Willi
58 1 Martin Willi
59 1 Martin Willi
h2. Info Commands
60 12 Martin Willi
61 1 Martin Willi
*ipsec version*
62 15 Daniel Mentz
63 1 Martin Willi
p((. returns the ipsec version in the form of *Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
64 1 Martin Willi
65 1 Martin Willi
*ipsec copyright*
66 15 Daniel Mentz
67 13 Tobias Brunner
p((. returns the copyright information.
68 1 Martin Willi
69 12 Martin Willi
*ipsec --confdir*
70 15 Daniel Mentz
71 13 Tobias Brunner
p((. returns the _SYSCONFDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.
72 1 Martin Willi
73 1 Martin Willi
*ipsec --directory*
74 15 Daniel Mentz
75 13 Tobias Brunner
p((. returns the _LIBEXECDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.
76 1 Martin Willi
77 1 Martin Willi
*ipsec --help*
78 15 Daniel Mentz
79 13 Tobias Brunner
p((. returns the usage information for the ipsec command.
80 1 Martin Willi
81 12 Martin Willi
*ipsec --versioncode*
82 15 Daniel Mentz
83 13 Tobias Brunner
p((. returns the ipsec version number in the form of *U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
84 1 Martin Willi
85 10 Martin Willi
86 12 Martin Willi
h2. List Commands
87 1 Martin Willi
88 1 Martin Willi
89 10 Martin Willi
*ipsec listaacerts [ --utc ]*
90 15 Daniel Mentz
91 13 Tobias Brunner
p((. returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory. Implemented by calling the [[IpsecWhack|ipsec whack]] --listaacerts and/or [[IpsecStroke|ipsec stroke]] listaacerts commands.
92 1 Martin Willi
93 1 Martin Willi
*ipsec listacerts [ --utc ]*
94 15 Daniel Mentz
95 13 Tobias Brunner
p((. returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory. Implemented by calling the [[IpsecWhack|ipsec whack] --listacerts andor [wikiIpsecStroke ipsec stroke]] listacerts commands.
96 1 Martin Willi
97 12 Martin Willi
*ipsec listalgs*
98 15 Daniel Mentz
99 13 Tobias Brunner
p((. returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman groups, as well as all ESP encryption and authentication algorithms registered via the Linux kernel's Crypto API. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listalgs command.
100 1 Martin Willi
101 10 Martin Willi
*ipsec listcacerts [ --utc ]*
102 15 Daniel Mentz
103 13 Tobias Brunner
p((. returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory or received in PKCS#7-wrapped certificate payloads via the IKE protocol. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcacerts and/or [[IpsecStroke|ipsec stroke]] listcacerts commands.
104 1 Martin Willi
105 8 Martin Willi
*ipsec listcainfos [ --utc ]*
106 15 Daniel Mentz
107 13 Tobias Brunner
p((. returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by [[CaSection|ca sections]] in [[IpsecConf|ipsec.conf]]. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcainfos and/or [[IpsecStroke|ipsec stroke]] listcainfos commands.
108 1 Martin Willi
109 11 Martin Willi
*ipsec listcards [ --utc ]*
110 15 Daniel Mentz
111 13 Tobias Brunner
p((. lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcards command.
112 1 Martin Willi
113 8 Martin Willi
*ipsec listcrls [ --utc ]*
114 15 Daniel Mentz
115 13 Tobias Brunner
p((. returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon from the [[IpsecDirectoryCrls|etcipsecdcrls]] directory or fetched from an HTTP- or LDAP-based CRL distribution point. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcrls and/or [[IpsecStroke|ipsec stroke]] listcrls commands.
116 1 Martin Willi
117 12 Martin Willi
*ipsec listcerts [ --utc ]*
118 15 Daniel Mentz
119 13 Tobias Brunner
p((. returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE daemon or received via the IKEv2 protocol. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcerts and/or [[IpsecStroke|ipsec stroke]] listcerts commands.
120 1 Martin Willi
121 11 Martin Willi
*ipsec listgroups [ --utc ]*
122 15 Daniel Mentz
123 13 Tobias Brunner
p((. returns a list of all groups that are used to define user authorization profiles. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listgroups command.
124 1 Martin Willi
125 12 Martin Willi
*ipsec listocsp [ --utc ]*
126 15 Daniel Mentz
127 13 Tobias Brunner
p((. returns cached revocation information fetched from OCSP servers. Implemented by calling the [[IpsecWhack|ipsec whack] --listocps and/or [[IpsecStroke|ipsec stroke]] listocsp commands.
128 1 Martin Willi
129 1 Martin Willi
*ipsec listocspcerts [ --utc ]*
130 15 Daniel Mentz
131 13 Tobias Brunner
p((. returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE daemon from the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory or were sent by an OCSP server. Implemented by calling the [[IpsecWhack|ipsec whack]] --listocspcerts and/or [[IpsecStroke|ipsec stroke]] listocspcerts commands.
132 1 Martin Willi
133 2 Martin Willi
*ipsec listpubkeys [ --utc ]*
134 15 Daniel Mentz
135 13 Tobias Brunner
p((. returns a list of RSA public keys that were either loaded in raw key format or extracted from X.509 and/or OpenPGP certificates. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listpubkeys command.
136 1 Martin Willi
137 12 Martin Willi
*ipsec listall [ --utc ]*
138 15 Daniel Mentz
139 13 Tobias Brunner
p((. returns  all information generated by the list commands above. Each list command can be called with the _--utc_ option which displays all dates in UTC instead of local time. Implemented by calling the [[IpsecWhack|ipsec whack]] --listall and/or [[IpsecStroke|ipsec stroke]] listall commands.
140 12 Martin Willi
141 1 Martin Willi
142 12 Martin Willi
h2. Reread Commands
143 12 Martin Willi
144 1 Martin Willi
145 12 Martin Willi
*ipsec rereadaacerts*
146 15 Daniel Mentz
147 13 Tobias Brunner
p((. reads all certificate files contained in the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory and adds them to the list of Authorization Authority (AA) certificates. Implemented by calling the [[IpsecWhack|ipsec whack]] --readaacerts and/or [[IpsecStroke|ipsec stroke]] rereadaacerts commands.
148 1 Martin Willi
149 1 Martin Willi
*ipsec rereadacerts*
150 15 Daniel Mentz
151 13 Tobias Brunner
p((. reads all certificate files contained in the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory and adds them to the list of attribute certificates. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadacerts and/or [[IpsecStroke|ipsec stroke]] rereadacerts commands.
152 1 Martin Willi
153 12 Martin Willi
*ipsec rereadcacerts*
154 15 Daniel Mentz
155 13 Tobias Brunner
p((. reads all certificate files contained in  the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory  and adds them to the list of Certification Authority (CA) certificates. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadcacerts and/or [[IpsecStroke|ipsec stroke]] rereadcacerts commands.
156 1 Martin Willi
157 12 Martin Willi
*ipsec rereadcrls*
158 15 Daniel Mentz
159 13 Tobias Brunner
p((. reads all Certificate Revocation Lists (CRLs) contained in the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory and adds them to the list of CRLs. Older CRLs are replaced by newer ones. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadcrls and/or [[IpsecStroke|ipsec stroke]] rereadcrls commands.
160 1 Martin Willi
161 1 Martin Willi
*ipsec rereadocspcerts*
162 15 Daniel Mentz
163 13 Tobias Brunner
p((. reads all certificate files contained in the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory and adds them to the list of OCSP signer certificates. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadocspcerts and/or [[IpsecStroke|ipsec stroke]] rereadocspcerts commands.
164 1 Martin Willi
 
165 1 Martin Willi
*ipsec rereadsecrets*
166 15 Daniel Mentz
167 13 Tobias Brunner
p((. flushes and rereads all secrets defined in [[IpsecSecrets|ipsec.secrets]]. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadsecrets and/or [[IpsecStroke|ipsec stroke]] rereadsecrets commands.
168 1 Martin Willi
169 12 Martin Willi
*ipsec secrets*
170 15 Daniel Mentz
171 13 Tobias Brunner
p((. is equivalent to *ipsec rereadsecrets*.
172 1 Martin Willi
173 1 Martin Willi
*ipsec rereadall*
174 15 Daniel Mentz
175 13 Tobias Brunner
p((. executes all reread commands listed above. Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadall and/or [[IpsecStroke|ipsec stroke]] rereadall commands.
176 12 Martin Willi
177 12 Martin Willi
178 1 Martin Willi
h2. Purge Commands
179 12 Martin Willi
180 1 Martin Willi
181 12 Martin Willi
*ipsec purgeike*
182 15 Daniel Mentz
183 14 Andreas Steffen
p((. purges IKEv2 SAs that don't have a CHILD SA.
184 1 Martin Willi
185 14 Andreas Steffen
*ipsec purgeocsp*
186 15 Daniel Mentz
187 13 Tobias Brunner
p((. purges all cached OCSP information records. Implemented by calling the [[IpsecWhack|ipsec whack]] --purgeocsp and/or [[IpsecStroke|ipsec stroke]] purgeocsp commands.
188 12 Martin Willi
189 12 Martin Willi
190 12 Martin Willi
h2. PKCS11 Proxy Commands
191 12 Martin Willi
192 1 Martin Willi
193 12 Martin Willi
*ipsec scencrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
194 15 Daniel Mentz
195 13 Tobias Brunner
p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scencrypt command.
196 1 Martin Willi
197 12 Martin Willi
*ipsec scdecrypt _<value>_ [ --inbase <base> ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
198 15 Daniel Mentz
199 13 Tobias Brunner
p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scdecrypt command.