Project

General

Profile

ipsec » History » Version 22

Tobias Brunner, 08.11.2012 09:13

1 12 Martin Willi
h1. ipsec
2 1 Martin Willi
3 1 Martin Willi
4 12 Martin Willi
*ipsec* is actually an umbrella command comprising a collection of individual sub commands of the form 
5 1 Martin Willi
6 13 Tobias Brunner
p((. *ipsec _<command>_ [ _<argument>_ ]  [ _<options>_ ]*
7 12 Martin Willi
8 1 Martin Willi
that can be used to control and monitor IPsec connections as well as the IKE daemons.
9 1 Martin Willi
10 1 Martin Willi
11 12 Martin Willi
h2. Control Commands
12 1 Martin Willi
13 1 Martin Willi
14 1 Martin Willi
*ipsec start [ _<starter options>_ ]*
15 15 Daniel Mentz
16 19 Tobias Brunner
p((. calls [[IpsecStarter|ipsec starter]] [ _<starter options>_ ] which in turn parses [[IpsecConf|ipsec.conf]] and starts the IKE daemon charon.
17 12 Martin Willi
18 12 Martin Willi
*ipsec stop*
19 15 Daniel Mentz
20 19 Tobias Brunner
p((. terminates all IPsec connection and stops the IKE daemon charon by sending a _TERM_ signal to [[IpsecStarter|ipsec starter]].
21 1 Martin Willi
22 12 Martin Willi
*ipsec restart [ _<starter options>_ ]*
23 15 Daniel Mentz
24 13 Tobias Brunner
p((. is equivalent to *ipsec stop* followed by *ipsec start [ _<starter options>_ ]* after a guard period of 2 seconds.
25 1 Martin Willi
   
26 1 Martin Willi
*ipsec update*
27 15 Daniel Mentz
28 19 Tobias Brunner
p((. sends a _HUP_ signal to [[IpsecStarter|ipsec starter]] which in turn determines any changes in [[IpsecConf|ipsec.conf]] and updates the configuration on the running IKE daemon charon. Currently established connections are not affected by configuration changes.
29 1 Martin Willi
30 12 Martin Willi
*ipsec reload*
31 15 Daniel Mentz
32 19 Tobias Brunner
p((. sends a _USR1_ signal to [[IpsecStarter|ipsec starter]] which in turn reloads the whole configuration on the running IKE daemon charon based on the actual [[IpsecConf|ipsec.conf]]. Currently established connections are not affected by configuration changes.
33 1 Martin Willi
34 13 Tobias Brunner
*ipsec up  _<name>_*
35 15 Daniel Mentz
36 19 Tobias Brunner
p((. tells the IKE daemon to start up connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] up _<name>_ command.
37 12 Martin Willi
38 13 Tobias Brunner
*ipsec down  _<name>_*
39 15 Daniel Mentz
40 19 Tobias Brunner
p((.  tells the IKE daemon to terminate connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] down _<name>_ command.
41 12 Martin Willi
42 16 Daniel Mentz
*ipsec down  _<name>{n}_*
43 16 Daniel Mentz
44 22 Tobias Brunner
p((. terminates CHILD_SA instance n of connection <name>. Since _{n}_ uniquely identifis a CHILD_SA the name is optional.
45 16 Daniel Mentz
46 16 Daniel Mentz
*ipsec down  _<name>{<notextile>*</notextile>}_*
47 16 Daniel Mentz
48 19 Tobias Brunner
p((. terminates all CHILD_SA instances of connection <name>.
49 16 Daniel Mentz
50 16 Daniel Mentz
*ipsec down _<name>[n]_*
51 1 Martin Willi
52 22 Tobias Brunner
p((. terminates IKE_SA instance n of connection <name> plus dependent CHILD_SAs.  Since _[n]_ uniquely identifis an IKE_SA the name is optional.
53 22 Tobias Brunner
54 16 Daniel Mentz
55 16 Daniel Mentz
*ipsec down _<name>[<notextile>*</notextile>]_*
56 16 Daniel Mentz
57 19 Tobias Brunner
p((. terminates all IKE_SA instances of connection <name>.
58 16 Daniel Mentz
59 13 Tobias Brunner
*ipsec route  _<name>_*
60 15 Daniel Mentz
61 19 Tobias Brunner
p((. tells the IKE daemon to insert [[IpsecPolicy|IPsec policies]] in the kernel for connection _<name>_. The first payload packet matching the [[IpsecPolicy|IPsec policies]] will automatically trigger an IKE connection setup. Implemented by calling the [[IpsecStroke|ipsec stroke]] route _<name>_ command.
62 1 Martin Willi
63 13 Tobias Brunner
*ipsec unroute  _<name>_*
64 15 Daniel Mentz
65 19 Tobias Brunner
p((. remove the [[IpsecPolicy|IPsec policies]] in the kernel for connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] unroute _<name>_ command.
66 5 Martin Willi
 
67 13 Tobias Brunner
*ipsec status [ _<name>_ ]*
68 15 Daniel Mentz
69 19 Tobias Brunner
p((.  returns concise status information either on connection _<name>_ or if the argument is lacking, on all connections. Implemented by calling the [[IpsecStroke|ipsec stroke]] status [ _<name>_ ] command.
70 13 Tobias Brunner
71 12 Martin Willi
*ipsec statusall [ _<name>_ ]*
72 15 Daniel Mentz
73 19 Tobias Brunner
p((. returns detailed status information either on connection _<name>_ or if the argument is lacking, on all connections. Implemented by calling the [[IpsecStroke|ipsec stroke]] statusall [ _<name>_ ] command.
74 12 Martin Willi
75 1 Martin Willi
76 1 Martin Willi
h2. Info Commands
77 12 Martin Willi
78 1 Martin Willi
*ipsec version*
79 15 Daniel Mentz
80 1 Martin Willi
p((. returns the ipsec version in the form of *Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
81 1 Martin Willi
82 1 Martin Willi
*ipsec copyright*
83 15 Daniel Mentz
84 13 Tobias Brunner
p((. returns the copyright information.
85 1 Martin Willi
86 12 Martin Willi
*ipsec --confdir*
87 15 Daniel Mentz
88 13 Tobias Brunner
p((. returns the _SYSCONFDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.
89 1 Martin Willi
90 1 Martin Willi
*ipsec --directory*
91 15 Daniel Mentz
92 13 Tobias Brunner
p((. returns the _LIBEXECDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.
93 1 Martin Willi
94 1 Martin Willi
*ipsec --help*
95 15 Daniel Mentz
96 13 Tobias Brunner
p((. returns the usage information for the ipsec command.
97 1 Martin Willi
98 1 Martin Willi
*ipsec --versioncode*
99 10 Martin Willi
100 12 Martin Willi
p((. returns the ipsec version number in the form of *U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
101 1 Martin Willi
102 1 Martin Willi
103 10 Martin Willi
h2. List Commands
104 1 Martin Willi
105 13 Tobias Brunner
*ipsec listaacerts [ --utc ]*
106 1 Martin Willi
107 19 Tobias Brunner
p((. returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory. Implemented by calling the [[IpsecStroke|ipsec stroke]] listaacerts command.
108 15 Daniel Mentz
109 13 Tobias Brunner
*ipsec listacerts [ --utc ]*
110 1 Martin Willi
111 21 Tobias Brunner
p((. returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory. Implemented by calling the [[IpsecStroke|ipsec stroke]] listacerts command.
112 1 Martin Willi
113 21 Tobias Brunner
*ipsec listalgs*
114 21 Tobias Brunner
115 21 Tobias Brunner
p((. returns a list of all supported IKE encryption and hash algorithms, and the available Diffie-Hellman groups. Implemented by calling the [[IpsecStroke|ipsec stroke]] listalgs command.
116 21 Tobias Brunner
117 13 Tobias Brunner
*ipsec listcacerts [ --utc ]*
118 1 Martin Willi
119 19 Tobias Brunner
p((. returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory or received via the IKE protocol. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcacerts command.
120 15 Daniel Mentz
121 13 Tobias Brunner
*ipsec listcainfos [ --utc ]*
122 1 Martin Willi
123 19 Tobias Brunner
p((. returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by [[CaSection|ca sections]] in [[IpsecConf|ipsec.conf]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcainfos command.
124 13 Tobias Brunner
125 1 Martin Willi
*ipsec listcrls [ --utc ]*
126 8 Martin Willi
127 19 Tobias Brunner
p((. returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon from the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory or fetched from an HTTP- or LDAP-based CRL distribution point. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcrls command.
128 18 Tobias Brunner
129 1 Martin Willi
*ipsec listcerts [ --utc ]*
130 1 Martin Willi
131 19 Tobias Brunner
p((. returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE daemon or received via the IKE protocol. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcerts command.
132 15 Daniel Mentz
133 13 Tobias Brunner
*ipsec listgroups [ --utc ]*
134 1 Martin Willi
135 19 Tobias Brunner
p((. returns a list of all groups that are used to define user authorization profiles. Currently not supported.
136 15 Daniel Mentz
137 13 Tobias Brunner
*ipsec listocsp [ --utc ]*
138 1 Martin Willi
139 19 Tobias Brunner
p((. returns cached revocation information fetched from OCSP servers. Implemented by calling the [[IpsecStroke|ipsec stroke]] listocsp command.
140 15 Daniel Mentz
141 18 Tobias Brunner
*ipsec listocspcerts [ --utc ]*
142 1 Martin Willi
143 1 Martin Willi
p((. returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE daemon from the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory or were sent by an OCSP server. Implemented by calling the [[IpsecStroke|ipsec stroke]] listocspcerts command.
144 1 Martin Willi
145 21 Tobias Brunner
*ipsec listplugins*
146 21 Tobias Brunner
147 21 Tobias Brunner
p((. returns a list of all loaded plugin features. Implemented by calling the [[IpsecStroke|ipsec stroke]] listplugins command.
148 21 Tobias Brunner
149 13 Tobias Brunner
*ipsec listpubkeys [ --utc ]*
150 2 Martin Willi
151 19 Tobias Brunner
p((. returns a list of RSA public keys that were loaded in raw key format. Implemented by calling the [[IpsecStroke|ipsec stroke]] listpubkeys command.
152 13 Tobias Brunner
153 1 Martin Willi
*ipsec listall [ --utc ]*
154 12 Martin Willi
155 19 Tobias Brunner
p((. returns  all information generated by the list commands above. Each list command can be called with the @--utc@ option which displays all dates in UTC instead of local time. Implemented by calling the [[IpsecStroke|ipsec stroke]] listall command.
156 18 Tobias Brunner
157 12 Martin Willi
158 1 Martin Willi
h2. Reread Commands
159 1 Martin Willi
160 12 Martin Willi
161 1 Martin Willi
*ipsec rereadaacerts*
162 1 Martin Willi
163 19 Tobias Brunner
p((. reads all certificate files contained in the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory and adds them to the list of Authorization Authority (AA) certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadaacerts command.
164 1 Martin Willi
165 13 Tobias Brunner
*ipsec rereadacerts*
166 1 Martin Willi
167 19 Tobias Brunner
p((. reads all certificate files contained in the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory and adds them to the list of attribute certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadacerts command.
168 1 Martin Willi
169 1 Martin Willi
*ipsec rereadcacerts*
170 1 Martin Willi
171 19 Tobias Brunner
p((. reads all certificate files contained in  the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory  and adds them to the list of Certification Authority (CA) certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadcacerts command.
172 1 Martin Willi
173 1 Martin Willi
*ipsec rereadcrls*
174 1 Martin Willi
175 19 Tobias Brunner
p((. reads all Certificate Revocation Lists (CRLs) contained in the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory and adds them to the list of CRLs. Older CRLs are replaced by newer ones. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadcrls command.
176 1 Martin Willi
177 1 Martin Willi
*ipsec rereadocspcerts*
178 15 Daniel Mentz
179 19 Tobias Brunner
p((. reads all certificate files contained in the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory and adds them to the list of OCSP signer certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadocspcerts command.
180 1 Martin Willi
 
181 12 Martin Willi
*ipsec rereadsecrets*
182 15 Daniel Mentz
183 19 Tobias Brunner
p((. flushes and rereads all secrets defined in [[IpsecSecrets|ipsec.secrets]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadsecrets command.
184 1 Martin Willi
185 12 Martin Willi
*ipsec secrets*
186 15 Daniel Mentz
187 13 Tobias Brunner
p((. is equivalent to *ipsec rereadsecrets*.
188 1 Martin Willi
189 1 Martin Willi
*ipsec rereadall*
190 15 Daniel Mentz
191 19 Tobias Brunner
p((. executes all reread commands listed above. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadall command.
192 1 Martin Willi
193 1 Martin Willi
194 15 Daniel Mentz
h2. Purge Commands
195 13 Tobias Brunner
196 20 Tobias Brunner
*ipsec purgecerts*
197 20 Tobias Brunner
198 20 Tobias Brunner
p((. purges all cached certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgecerts command.
199 20 Tobias Brunner
200 20 Tobias Brunner
*ipsec purgecrl*
201 20 Tobias Brunner
202 20 Tobias Brunner
p((. purges all cached CRLs. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgecrl command.
203 20 Tobias Brunner
204 12 Martin Willi
*ipsec purgeike*
205 1 Martin Willi
206 20 Tobias Brunner
p((. purges IKE_SAs that don't have a CHILD_SA. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgeike command.
207 13 Tobias Brunner
208 1 Martin Willi
*ipsec purgeocsp*
209 1 Martin Willi
210 19 Tobias Brunner
p((. purges all cached OCSP information records. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgeocsp command.
211 1 Martin Willi
212 19 Tobias Brunner
213 19 Tobias Brunner
214 19 Tobias Brunner
h2. Before 5.0.0
215 19 Tobias Brunner
216 19 Tobias Brunner
In releases before [[5.0.0]] IKEv1 connections were handled by the separate [[pluto]] keying daemon. The ipsec command then used the [[IpsecWhack|ipsec whack]] in addition to the [[IpsecStroke|ipsec stroke]] command to communicate with pluto.
217 19 Tobias Brunner
218 19 Tobias Brunner
h3. List Commands
219 19 Tobias Brunner
220 19 Tobias Brunner
*ipsec listcards [ --utc ]*
221 19 Tobias Brunner
222 19 Tobias Brunner
p((. lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcards command.
223 19 Tobias Brunner
224 19 Tobias Brunner
h3. PKCS11 Proxy Commands
225 1 Martin Willi
226 12 Martin Willi
*ipsec scencrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
227 15 Daniel Mentz
228 13 Tobias Brunner
p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scencrypt command.
229 1 Martin Willi
230 12 Martin Willi
*ipsec scdecrypt _<value>_ [ --inbase <base> ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
231 15 Daniel Mentz
232 13 Tobias Brunner
p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scdecrypt command.