ipsec » History » Version 3

Martin Willi, 29.09.2007 13:55
added explanations for the control commands


= ipsec =

'''ipsec''' is actually an umbrella command comprising a collection of individual subcommands of the form

'''ipsec ''<command>'' [ ''<argument>'' ]  [ ''<options>'' ]'''

that can be used to control and monitor IPsec connections as well as the IKE daemons.

== Control Commands ==

'''ipsec start [ ''<starter options>'' ]'''
calls [wiki:IpsecStarter ipsec starter] which in turn parses [wiki:IpsecConf ipsec.conf] and starts
the IKEv1 pluto and IKEv2 charon daemons.

'''ipsec stop'''
terminates all IPsec connections and stops the IKEv1 pluto and IKEv2 charon daemons by sending
a ''TERM'' signal to [wiki:IpsecStarter ipsec starter].

'''ipsec restart [ ''<starter options>'' ]'''
is equivalent to '''ipsec stop''' followed by '''ipsec start [ ''<starter options>'' ]''' after a
guard period of 2 seconds.

'''ipsec update'''
sends a ''HUP'' signal to [wiki:IpsecStarter ipsec starter] which in turn determines any changes
in [wiki:IpsecConf ipsec.conf] and updates the configuration on the running IKEv1 pluto and IKEv2
charon daemons accordingly.

'''ipsec reload'''
sends a ''USR1'' signal to [wiki:IpsecStarter ipsec starter] which in turn reloads the
whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the current
[wiki:IpsecConf ipsec.conf].

'''ipsec up ''<name>'' '''
tells the responsible IKE daemon to start up connection ''<name>''.

'''ipsec down ''<name>'' '''
tells the responsible IKE daemon to terminate connection ''<name>''.

'''ipsec route ''<name>'' '''
tells the responsible IKE daemon to insert an IPsec policy in the kernel for connection ''<name>''.
The first payload packet matching the IPsec policy will automatically trigger an IKE connection setup.

'''ipsec unroute ''<name>'' '''
removes the IPsec policy in the kernel for connection ''<name>''.

'''ipsec status [ ''<name>'' ] '''
returns concise status information either on connection ''<name>'' or, if the argument is omitted,
on all connections.

'''ipsec statusall [ ''<name>'' ] '''
returns detailed status information either on connection ''<name>'' or, if the argument is omitted,
on all connections.

== Info Commands ==

'''ipsec version'''

'''ipsec copyright'''

'''ipsec --versioncode'''

'''ipsec --directory'''

'''ipsec --confdir'''

== List Commands ==

'''ipsec listaacerts [ --utc ]'''

'''ipsec listacerts [ --utc ]'''

'''ipsec listalgs'''
lists all registered IKE and ESP encryption and authentication algorithms as well as the supported Diffie-Hellman groups.
Supported by the IKEv1 pluto daemon only.

'''ipsec listcacerts [ --utc ]'''

'''ipsec listcainfos [ --utc ]'''

'''ipsec listcards [ --utc ]'''
lists all certificates found on attached smart cards.
Supported by the IKEv1 pluto daemon only.

'''ipsec listcrls [ --utc ]'''

'''ipsec listcerts [ --utc ]'''

'''ipsec listgroups [ --utc ]'''

'''ipsec listocsp [ --utc ]'''

'''ipsec listocspcerts [ --utc ]'''

'''ipsec listpubkeys [ --utc ]'''
lists the cached RSA public keys.
Supported by the IKEv1 pluto daemon only.

'''ipsec listall [ --utc ]'''

== Reread Commands ==

'''ipsec rereadaacerts'''

'''ipsec rereadacerts'''

'''ipsec rereadcacerts'''

'''ipsec rereadcrls'''

'''ipsec rereadocspcerts'''

'''ipsec rereadsecrets'''

'''ipsec secrets'''
is equivalent to '''ipsec rereadsecrets'''.

'''ipsec rereadall'''

== Purge Commands ==

'''ipsec purgeocsp'''

== PKCS11 Proxy Commands ==

'''ipsec scencrypt'''

'''ipsec scdecrypt'''