Project

General

Profile

ipsec » History » Version 29

Tobias Brunner, 14.04.2016 18:38

1 12 Martin Willi
h1. ipsec
2 1 Martin Willi
3 24 Tobias Brunner
{{>toc}}
4 1 Martin Willi
5 12 Martin Willi
*ipsec* is actually an umbrella command comprising a collection of individual sub commands of the form 
6 1 Martin Willi
7 13 Tobias Brunner
p((. *ipsec _<command>_ [ _<argument>_ ]  [ _<options>_ ]*
8 12 Martin Willi
9 1 Martin Willi
that can be used to control and monitor IPsec connections as well as the IKE daemons.
10 1 Martin Willi
11 27 Tobias Brunner
> *Note*: Some distributions (e.g. Fedora and its offsprings) rename the @ipsec@ command to *@strongswan@*
12 1 Martin Willi
13 12 Martin Willi
h2. Control Commands
14 1 Martin Willi
15 1 Martin Willi
16 1 Martin Willi
*ipsec start [ _<starter options>_ ]*
17 15 Daniel Mentz
18 19 Tobias Brunner
p((. calls [[IpsecStarter|ipsec starter]] [ _<starter options>_ ] which in turn parses [[IpsecConf|ipsec.conf]] and starts the IKE daemon charon.
19 12 Martin Willi
20 12 Martin Willi
*ipsec stop*
21 15 Daniel Mentz
22 19 Tobias Brunner
p((. terminates all IPsec connection and stops the IKE daemon charon by sending a _TERM_ signal to [[IpsecStarter|ipsec starter]].
23 1 Martin Willi
24 12 Martin Willi
*ipsec restart [ _<starter options>_ ]*
25 15 Daniel Mentz
26 13 Tobias Brunner
p((. is equivalent to *ipsec stop* followed by *ipsec start [ _<starter options>_ ]* after a guard period of 2 seconds.
27 1 Martin Willi
   
28 1 Martin Willi
*ipsec update*
29 15 Daniel Mentz
30 19 Tobias Brunner
p((. sends a _HUP_ signal to [[IpsecStarter|ipsec starter]] which in turn determines any changes in [[IpsecConf|ipsec.conf]] and updates the configuration on the running IKE daemon charon. Currently established connections are not affected by configuration changes.
31 1 Martin Willi
32 12 Martin Willi
*ipsec reload*
33 15 Daniel Mentz
34 19 Tobias Brunner
p((. sends a _USR1_ signal to [[IpsecStarter|ipsec starter]] which in turn reloads the whole configuration on the running IKE daemon charon based on the actual [[IpsecConf|ipsec.conf]]. Currently established connections are not affected by configuration changes.
35 1 Martin Willi
36 13 Tobias Brunner
*ipsec up  _<name>_*
37 15 Daniel Mentz
38 19 Tobias Brunner
p((. tells the IKE daemon to start up connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] up _<name>_ command.
39 12 Martin Willi
40 13 Tobias Brunner
*ipsec down  _<name>_*
41 15 Daniel Mentz
42 19 Tobias Brunner
p((.  tells the IKE daemon to terminate connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] down _<name>_ command.
43 12 Martin Willi
44 16 Daniel Mentz
*ipsec down  _<name>{n}_*
45 16 Daniel Mentz
46 22 Tobias Brunner
p((. terminates CHILD_SA instance n of connection <name>. Since _{n}_ uniquely identifis a CHILD_SA the name is optional.
47 16 Daniel Mentz
48 16 Daniel Mentz
*ipsec down  _<name>{<notextile>*</notextile>}_*
49 16 Daniel Mentz
50 19 Tobias Brunner
p((. terminates all CHILD_SA instances of connection <name>.
51 16 Daniel Mentz
52 16 Daniel Mentz
*ipsec down _<name>[n]_*
53 1 Martin Willi
54 22 Tobias Brunner
p((. terminates IKE_SA instance n of connection <name> plus dependent CHILD_SAs.  Since _[n]_ uniquely identifis an IKE_SA the name is optional.
55 22 Tobias Brunner
56 16 Daniel Mentz
57 16 Daniel Mentz
*ipsec down _<name>[<notextile>*</notextile>]_*
58 16 Daniel Mentz
59 19 Tobias Brunner
p((. terminates all IKE_SA instances of connection <name>.
60 16 Daniel Mentz
61 13 Tobias Brunner
*ipsec route  _<name>_*
62 15 Daniel Mentz
63 19 Tobias Brunner
p((. tells the IKE daemon to insert [[IpsecPolicy|IPsec policies]] in the kernel for connection _<name>_. The first payload packet matching the [[IpsecPolicy|IPsec policies]] will automatically trigger an IKE connection setup. Implemented by calling the [[IpsecStroke|ipsec stroke]] route _<name>_ command.
64 1 Martin Willi
65 13 Tobias Brunner
*ipsec unroute  _<name>_*
66 15 Daniel Mentz
67 19 Tobias Brunner
p((. remove the [[IpsecPolicy|IPsec policies]] in the kernel for connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] unroute _<name>_ command.
68 5 Martin Willi
 
69 13 Tobias Brunner
*ipsec status [ _<name>_ ]*
70 15 Daniel Mentz
71 19 Tobias Brunner
p((.  returns concise status information either on connection _<name>_ or if the argument is lacking, on all connections. Implemented by calling the [[IpsecStroke|ipsec stroke]] status [ _<name>_ ] command.
72 13 Tobias Brunner
73 12 Martin Willi
*ipsec statusall [ _<name>_ ]*
74 15 Daniel Mentz
75 19 Tobias Brunner
p((. returns detailed status information either on connection _<name>_ or if the argument is lacking, on all connections. Implemented by calling the [[IpsecStroke|ipsec stroke]] statusall [ _<name>_ ] command.
76 12 Martin Willi
77 1 Martin Willi
78 1 Martin Willi
h2. Info Commands
79 12 Martin Willi
80 1 Martin Willi
*ipsec version*
81 15 Daniel Mentz
82 1 Martin Willi
p((. returns the ipsec version in the form of *Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
83 1 Martin Willi
84 1 Martin Willi
*ipsec copyright*
85 15 Daniel Mentz
86 13 Tobias Brunner
p((. returns the copyright information.
87 1 Martin Willi
88 12 Martin Willi
*ipsec --confdir*
89 15 Daniel Mentz
90 13 Tobias Brunner
p((. returns the _SYSCONFDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.
91 1 Martin Willi
92 1 Martin Willi
*ipsec --directory*
93 15 Daniel Mentz
94 13 Tobias Brunner
p((. returns the _LIBEXECDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.
95 1 Martin Willi
96 1 Martin Willi
*ipsec --help*
97 15 Daniel Mentz
98 13 Tobias Brunner
p((. returns the usage information for the ipsec command.
99 1 Martin Willi
100 1 Martin Willi
*ipsec --versioncode*
101 10 Martin Willi
102 12 Martin Willi
p((. returns the ipsec version number in the form of *U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
103 1 Martin Willi
104 10 Martin Willi
h2. List Commands
105 1 Martin Willi
106 26 Tobias Brunner
*ipsec leases [ [ <poolname> [ <address> ] ]*
107 26 Tobias Brunner
108 26 Tobias Brunner
p((. returns the status of all or the selected IP address pools (or even a single virtual IP address).
109 26 Tobias Brunner
110 13 Tobias Brunner
*ipsec listaacerts [ --utc ]*
111 1 Martin Willi
112 19 Tobias Brunner
p((. returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory. Implemented by calling the [[IpsecStroke|ipsec stroke]] listaacerts command.
113 15 Daniel Mentz
114 13 Tobias Brunner
*ipsec listacerts [ --utc ]*
115 1 Martin Willi
116 21 Tobias Brunner
p((. returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory. Implemented by calling the [[IpsecStroke|ipsec stroke]] listacerts command.
117 1 Martin Willi
118 21 Tobias Brunner
*ipsec listalgs*
119 21 Tobias Brunner
120 21 Tobias Brunner
p((. returns a list of all supported IKE encryption and hash algorithms, and the available Diffie-Hellman groups. Implemented by calling the [[IpsecStroke|ipsec stroke]] listalgs command.
121 21 Tobias Brunner
122 13 Tobias Brunner
*ipsec listcacerts [ --utc ]*
123 1 Martin Willi
124 19 Tobias Brunner
p((. returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory or received via the IKE protocol. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcacerts command.
125 15 Daniel Mentz
126 13 Tobias Brunner
*ipsec listcainfos [ --utc ]*
127 1 Martin Willi
128 19 Tobias Brunner
p((. returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by [[CaSection|ca sections]] in [[IpsecConf|ipsec.conf]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcainfos command.
129 13 Tobias Brunner
130 1 Martin Willi
*ipsec listcerts [ --utc ]*
131 1 Martin Willi
132 1 Martin Willi
p((. returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE daemon or received via the IKE protocol. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcerts command.
133 1 Martin Willi
134 25 Tobias Brunner
*ipsec listcounters [ <name> ]*
135 25 Tobias Brunner
136 25 Tobias Brunner
p((. returns a list of global or connection specific counter values about received and sent IKE messages and rekeyings.  Connection specific ounters are available since [[5.0.3]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcounters command.
137 25 Tobias Brunner
138 25 Tobias Brunner
*ipsec listcrls [ --utc ]*
139 25 Tobias Brunner
140 28 Lauri Võsandi
p((. returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon from the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory or fetched from an HTTP- or LDAP-based CRL distribution point. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcrls command. Note that X.509 Authority Key Identifier extension is used to associate CRL with a particular CA, otherwise CRL is listed but not applied.
141 25 Tobias Brunner
142 13 Tobias Brunner
*ipsec listgroups [ --utc ]*
143 1 Martin Willi
144 19 Tobias Brunner
p((. returns a list of all groups that are used to define user authorization profiles. Currently not supported.
145 15 Daniel Mentz
146 13 Tobias Brunner
*ipsec listocsp [ --utc ]*
147 1 Martin Willi
148 19 Tobias Brunner
p((. returns cached revocation information fetched from OCSP servers. Implemented by calling the [[IpsecStroke|ipsec stroke]] listocsp command.
149 15 Daniel Mentz
150 18 Tobias Brunner
*ipsec listocspcerts [ --utc ]*
151 1 Martin Willi
152 1 Martin Willi
p((. returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE daemon from the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory or were sent by an OCSP server. Implemented by calling the [[IpsecStroke|ipsec stroke]] listocspcerts command.
153 1 Martin Willi
154 21 Tobias Brunner
*ipsec listplugins*
155 21 Tobias Brunner
156 21 Tobias Brunner
p((. returns a list of all loaded plugin features. Implemented by calling the [[IpsecStroke|ipsec stroke]] listplugins command.
157 21 Tobias Brunner
158 13 Tobias Brunner
*ipsec listpubkeys [ --utc ]*
159 2 Martin Willi
160 25 Tobias Brunner
p((. returns a list of public keys that were loaded in raw key format. Implemented by calling the [[IpsecStroke|ipsec stroke]] listpubkeys command.
161 1 Martin Willi
162 12 Martin Willi
*ipsec listall [ --utc ]*
163 19 Tobias Brunner
164 18 Tobias Brunner
p((. returns  all information generated by the list commands above. Each list command can be called with the @--utc@ option which displays all dates in UTC instead of local time. Implemented by calling the [[IpsecStroke|ipsec stroke]] listall command.
165 1 Martin Willi
166 1 Martin Willi
h2. Reread Commands
167 12 Martin Willi
168 1 Martin Willi
*ipsec rereadaacerts*
169 1 Martin Willi
170 19 Tobias Brunner
p((. reads all certificate files contained in the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory and adds them to the list of Authorization Authority (AA) certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadaacerts command.
171 1 Martin Willi
172 13 Tobias Brunner
*ipsec rereadacerts*
173 1 Martin Willi
174 19 Tobias Brunner
p((. reads all certificate files contained in the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory and adds them to the list of attribute certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadacerts command.
175 1 Martin Willi
176 1 Martin Willi
*ipsec rereadcacerts*
177 1 Martin Willi
178 19 Tobias Brunner
p((. reads all certificate files contained in  the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory  and adds them to the list of Certification Authority (CA) certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadcacerts command.
179 1 Martin Willi
180 1 Martin Willi
*ipsec rereadcrls*
181 1 Martin Willi
182 19 Tobias Brunner
p((. reads all Certificate Revocation Lists (CRLs) contained in the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory and adds them to the list of CRLs. Older CRLs are replaced by newer ones. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadcrls command.
183 1 Martin Willi
184 1 Martin Willi
*ipsec rereadocspcerts*
185 15 Daniel Mentz
186 19 Tobias Brunner
p((. reads all certificate files contained in the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory and adds them to the list of OCSP signer certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadocspcerts command.
187 1 Martin Willi
 
188 12 Martin Willi
*ipsec rereadsecrets*
189 15 Daniel Mentz
190 19 Tobias Brunner
p((. flushes and rereads all secrets defined in [[IpsecSecrets|ipsec.secrets]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadsecrets command.
191 1 Martin Willi
192 12 Martin Willi
*ipsec secrets*
193 15 Daniel Mentz
194 13 Tobias Brunner
p((. is equivalent to *ipsec rereadsecrets*.
195 1 Martin Willi
196 1 Martin Willi
*ipsec rereadall*
197 1 Martin Willi
198 1 Martin Willi
p((. executes all reread commands listed above. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadall command.
199 1 Martin Willi
200 24 Tobias Brunner
h2. Reset Commands
201 24 Tobias Brunner
202 24 Tobias Brunner
*ipsec resetcounters [ <name> ]*
203 24 Tobias Brunner
204 24 Tobias Brunner
p((. resets global or connection specific counters. Since [[5.0.3]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] resetcounters command.
205 1 Martin Willi
206 15 Daniel Mentz
h2. Purge Commands
207 13 Tobias Brunner
208 20 Tobias Brunner
*ipsec purgecerts*
209 20 Tobias Brunner
210 20 Tobias Brunner
p((. purges all cached certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgecerts command.
211 20 Tobias Brunner
212 29 Tobias Brunner
*ipsec purgecrls*
213 20 Tobias Brunner
214 29 Tobias Brunner
p((. purges all cached CRLs. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgecrls command.
215 20 Tobias Brunner
216 12 Martin Willi
*ipsec purgeike*
217 1 Martin Willi
218 20 Tobias Brunner
p((. purges IKE_SAs that don't have a CHILD_SA. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgeike command.
219 13 Tobias Brunner
220 1 Martin Willi
*ipsec purgeocsp*
221 1 Martin Willi
222 19 Tobias Brunner
p((. purges all cached OCSP information records. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgeocsp command.
223 19 Tobias Brunner
224 19 Tobias Brunner
h2. Before 5.0.0
225 19 Tobias Brunner
226 19 Tobias Brunner
In releases before [[5.0.0]] IKEv1 connections were handled by the separate [[pluto]] keying daemon. The ipsec command then used the [[IpsecWhack|ipsec whack]] in addition to the [[IpsecStroke|ipsec stroke]] command to communicate with pluto.
227 19 Tobias Brunner
228 19 Tobias Brunner
h3. List Commands
229 19 Tobias Brunner
230 19 Tobias Brunner
*ipsec listcards [ --utc ]*
231 19 Tobias Brunner
232 19 Tobias Brunner
p((. lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcards command.
233 19 Tobias Brunner
234 19 Tobias Brunner
h3. PKCS11 Proxy Commands
235 1 Martin Willi
236 12 Martin Willi
*ipsec scencrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
237 15 Daniel Mentz
238 13 Tobias Brunner
p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scencrypt command.
239 1 Martin Willi
240 12 Martin Willi
*ipsec scdecrypt _<value>_ [ --inbase <base> ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
241 15 Daniel Mentz
242 13 Tobias Brunner
p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scdecrypt command.