Version 18 (Tobias Brunner, 29.05.2010 16:25) → Version 19/32 (Tobias Brunner, 22.10.2012 14:40)

h1. ipsec

*ipsec* is actually an umbrella command comprising a collection of individual subcommands of the form

p((. *ipsec _<command>_ [ _<argument>_ ] [ _<options>_ ]*

that can be used to control and monitor IPsec connections as well as the IKE daemons.

h2. Control Commands

*ipsec start [ _<starter options>_ ]*

p((. calls [[IpsecStarter|ipsec starter]] [ _<starter options>_ ] which in turn parses [[IpsecConf|ipsec.conf]] and starts the IKE daemon charon.

*ipsec stop*

p((. terminates all IPsec connections and stops the IKE daemon by sending a _TERM_ signal to [[IpsecStarter|ipsec starter]].

*ipsec restart [ _<starter options>_ ]*

p((. is equivalent to *ipsec stop* followed by *ipsec start [ _<starter options>_ ]* after a guard period of 2 seconds.

*ipsec update*

p((. sends a _HUP_ signal to [[IpsecStarter|ipsec starter]] which in turn determines any changes in [[IpsecConf|ipsec.conf]] and updates the configuration on the running IKE daemon charon. Currently established connections are not affected by configuration changes.

*ipsec reload*

p((. sends a _USR1_ signal to [[IpsecStarter|ipsec starter]] which in turn reloads the whole configuration on the running IKE daemon based on the current [[IpsecConf|ipsec.conf]]. Currently established connections are not affected by configuration changes.

*ipsec up _<name>_*

p((. tells the responsible IKE daemon to start up connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] up _<name>_ command.

*ipsec down _<name>_*

p((. tells the responsible IKE daemon to terminate connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] down _<name>_ command.

*ipsec down _<name>{n}_*

p((. terminates CHILD_SA instance n of connection _<name>_.

*ipsec down _<name>{<notextile>*</notextile>}_*

p((. terminates all CHILD_SA instances of connection _<name>_.

*ipsec down _<name>[n]_*

p((. terminates IKE_SA instance n of connection _<name>_ plus its dependent CHILD_SAs.

*ipsec down _<name>[<notextile>*</notextile>]_*

p((. terminates all IKE_SA instances of connection _<name>_.

*ipsec route _<name>_*

p((. tells the responsible IKE daemon to insert the [[IpsecPolicy|IPsec policies]] for connection _<name>_ into the kernel. The first payload packet matching the [[IpsecPolicy|IPsec policies]] will automatically trigger an IKE connection setup. Implemented by calling the [[IpsecStroke|ipsec stroke]] route _<name>_ command.

*ipsec unroute _<name>_*

p((. removes the [[IpsecPolicy|IPsec policies]] for connection _<name>_ from the kernel. Implemented by calling the [[IpsecStroke|ipsec stroke]] unroute _<name>_ command.

*ipsec status [ _<name>_ ]*

p((. returns concise status information either on connection _<name>_ or, if the argument is lacking, on all connections. Implemented by calling the [[IpsecStroke|ipsec stroke]] status [ _<name>_ ] command.

*ipsec statusall [ _<name>_ ]*

p((. returns detailed status information either on connection _<name>_ or, if the argument is lacking, on all connections. Implemented by calling the [[IpsecStroke|ipsec stroke]] statusall [ _<name>_ ] command.
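As an added example (not from the strongSwan wiki or the project's own code), a POSIX shell wrapper that applies an edited ipsec.conf to one connection: because *ipsec update* leaves established connections untouched, the connection is taken down and brought up again afterwards, and the _<name>{n}_ / _<name>[n]_ selector syntax is validated before it reaches the command line. The @IPSEC_CMD@ variable and the permitted connection-name characters are assumptions.

```sh
#!/bin/sh
# Added example, not part of the strongSwan wiki or project code.
# Apply an edited ipsec.conf to one running connection. "ipsec update"
# only pushes the new configuration to charon; SAs that are already
# established keep their old settings, so the connection is terminated
# and re-initiated afterwards to make the change effective.
#
# IPSEC_CMD (assumption) names the ipsec binary so a test can swap in a stub.
IPSEC_CMD="${IPSEC_CMD:-ipsec}"

# Accept exactly the connection references "ipsec down" understands:
#   name        the whole connection
#   name{n}     CHILD_SA instance n        name{*}  all CHILD_SAs
#   name[n]     IKE_SA instance n          name[*]  all IKE_SAs
# The permitted name characters are an assumption; anything else (spaces,
# shell metacharacters) is rejected before it reaches the command line.
valid_conn_ref() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9_.-]+([{]([0-9]+|[*])[}]|\[([0-9]+|[*])[]])?$'
}

# Strip a trailing {n} or [n] selector: "ipsec up" takes a bare name.
conn_name() {
    name="${1%%\{*}"
    printf '%s\n' "${name%%\[*}"
}

# update -> down <ref> -> up <name>; stop at the first failing step.
reapply_connection() {
    ref="$1"
    if ! valid_conn_ref "$ref"; then
        echo "invalid connection reference: $ref" >&2
        return 2
    fi
    "$IPSEC_CMD" update || return 1
    "$IPSEC_CMD" down "$ref" || return 1
    "$IPSEC_CMD" up "$(conn_name "$ref")"
}
```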

h2. Info Commands

*ipsec version*

p((. returns the ipsec version in the form of *Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

*ipsec copyright*

p((. returns the copyright information.

*ipsec --confdir*

p((. returns the _SYSCONFDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.

*ipsec --directory*

p((. returns the _LIBEXECDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.

*ipsec --help*

p((. returns the usage information for the ipsec command.

*ipsec --versioncode*

p((. returns the ipsec version number in the form of *U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

h2. List Commands

*ipsec listaacerts [ --utc ]*

p((. returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory. Implemented by calling the [[IpsecStroke|ipsec stroke]] listaacerts command.

*ipsec listacerts [ --utc ]*

p((. returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory. Implemented by calling the [[IpsecStroke|ipsec stroke]] listacerts command.

*ipsec listcacerts [ --utc ]*

p((. returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory or received in PKCS#7-wrapped certificate payloads via the IKE protocol. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcacerts command.

*ipsec listcainfos [ --utc ]*

p((. returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by [[CaSection|ca sections]] in [[IpsecConf|ipsec.conf]]. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcainfos and/or [[IpsecStroke|ipsec stroke]] listcainfos commands.

*ipsec listcrls [ --utc ]*

p((. returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon from the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory or fetched from an HTTP- or LDAP-based CRL distribution point. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcrls command.

*ipsec listcerts [ --utc ]*

p((. returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE daemon or received via the IKE protocol. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcerts command.

*ipsec listgroups [ --utc ]*

p((. returns a list of all groups that are used to define user authorization profiles. Currently not supported.

*ipsec listocsp [ --utc ]*

p((. returns cached revocation information fetched from OCSP servers. Implemented by calling the [[IpsecStroke|ipsec stroke]] listocsp command.

*ipsec listocspcerts [ --utc ]*

p((. returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE daemon from the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory or were sent by an OCSP server. Implemented by calling the [[IpsecStroke|ipsec stroke]] listocspcerts command.

*ipsec listpubkeys [ --utc ]*

p((. returns a list of RSA public keys that were loaded in raw key format. Implemented by calling the [[IpsecStroke|ipsec stroke]] listpubkeys command.

*ipsec listall [ --utc ]*

p((. returns all information generated by the list commands above. Each list command can be called with the @--utc@ option which displays all dates in UTC instead of local time. Implemented by calling the [[IpsecStroke|ipsec stroke]] listall command.

h2. Reread Commands

*ipsec rereadaacerts*

p((. reads all certificate files contained in the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory and adds them to the list of Authorization Authority (AA) certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadaacerts command.

*ipsec rereadacerts*

p((. reads all certificate files contained in the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory and adds them to the list of attribute certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadacerts command.

*ipsec rereadcacerts*

p((. reads all certificate files contained in the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory and adds them to the list of Certification Authority (CA) certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadcacerts command.

*ipsec rereadcrls*

p((. reads all Certificate Revocation Lists (CRLs) contained in the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory and adds them to the list of CRLs. Older CRLs are replaced by newer ones. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadcrls command.

*ipsec rereadocspcerts*

p((. reads all certificate files contained in the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory and adds them to the list of OCSP signer certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadocspcerts command.

*ipsec rereadsecrets*

p((. flushes and rereads all secrets defined in [[IpsecSecrets|ipsec.secrets]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadsecrets command.

*ipsec secrets*

p((. is equivalent to *ipsec rereadsecrets*.

*ipsec rereadall*

p((. executes all reread commands listed above. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadall command.

h2. Purge Commands

*ipsec purgeike*

p((. purges IKE_SAs that don't have a CHILD_SA.

*ipsec purgeocsp*

p((. purges all cached OCSP information records. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgeocsp command.

h2. Before 5.0.0

In releases before [[5.0.0]], IKEv1 connections were handled by the separate [[pluto]] keying daemon. The ipsec command then used the [[IpsecWhack|ipsec whack]] command in addition to [[IpsecStroke|ipsec stroke]] to communicate with pluto.

h3. List Commands

*ipsec listalgs*

p((. returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman groups, as well as all ESP encryption and authentication algorithms registered via the Linux kernel's Crypto API. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listalgs command.

*ipsec listcards [ --utc ]*

p((. lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcards command.

h3. PKCS11 Proxy Commands

*ipsec scencrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*

p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scencrypt command.

*ipsec scdecrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*

p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scdecrypt command.