Version 2 (Martin Willi, 29.09.2007 12:54) → Version 3/32 (Martin Willi, 29.09.2007 13:55)
= ipsec =
'''ipsec''' is actually an umbrella command comprising a collection of individual subcommands of the form
'''ipsec ''<command>'' [ ''<argument>'' ] [ ''<options>'' ]'''
that can be used to control and monitor IPsec connections as well as the IKE daemons.
== Control Commands ==
'''ipsec start [ ''<starter options>'' ]'''
calls [wiki:IpsecStarter ipsec starter] which in turn parses [wiki:IpsecConf ipsec.conf] and starts
the IKEv1 pluto and IKEv2 charon daemons.
'''ipsec stop'''
terminates all IPsec connections and stops the IKEv1 pluto and IKEv2 charon daemons by sending
a ''TERM'' signal to [wiki:IpsecStarter ipsec starter].
'''ipsec restart [ ''<starter options>'' ]'''
is equivalent to '''ipsec stop''' followed by '''ipsec start [ ''<starter options>'' ]''' after a
guard sleep period of 2 seconds.
'''ipsec update'''
sends a ''HUP'' signal to [wiki:IpsecStarter ipsec starter] which in turn determines any changes
in [wiki:IpsecConf ipsec.conf] and updates the configuration on the running IKEv1 pluto and IKEv2
charon daemons accordingly.
'''ipsec reload'''
sends a ''USR1'' signal to [wiki:IpsecStarter ipsec starter] which in turn reloads the
whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the current
[wiki:IpsecConf ipsec.conf].
'''ipsec up ''<name>'' '''
tells the responsible IKE daemon to start up connection ''<name>''.
'''ipsec down ''<name>'' '''
tells the responsible IKE daemon to terminate connection ''<name>''.
'''ipsec route ''<name>'' '''
tells the responsible IKE daemon to insert an IPsec policy in the kernel for connection ''<name>''.
The first payload packet matching the IPsec policy will automatically trigger an IKE connection setup.
'''ipsec unroute ''<name>'' '''
removes the IPsec policy in the kernel for connection ''<name>''.
'''ipsec status [ ''<name>'' ] '''
returns concise status information either on connection ''<name>'' or, if the argument is lacking,
on all connections.
'''ipsec statusall [ ''<name>'' ] '''
returns detailed status information either on connection ''<name>'' or, if the argument is lacking,
on all connections.
== Info Commands ==
'''ipsec version'''
'''ipsec copyright'''
'''ipsec --versioncode'''
'''ipsec --directory'''
'''ipsec --confdir'''
== List Commands ==
'''ipsec listaacerts [ --utc ]'''
'''ipsec listacerts [ --utc ]'''
'''ipsec listalgs'''
lists all registered IKE and ESP encryption and authentication algorithms as well as the supported Diffie-Hellman groups.
Supported by the IKEv1 pluto daemon only.
'''ipsec listcacerts [ --utc ]'''
'''ipsec listcainfos [ --utc ]'''
'''ipsec listcards [ --utc ]'''
lists all certificates found on attached smart cards.
Supported by the IKEv1 pluto daemon only.
'''ipsec listcrls [ --utc ]'''
'''ipsec listcerts [ --utc ]'''
'''ipsec listgroups [ --utc ]'''
'''ipsec listocsp [ --utc ]'''
'''ipsec listocspcerts [ --utc ]'''
'''ipsec listpubkeys [ --utc ]'''
lists the cached RSA public keys.
Supported by the IKEv1 pluto daemon only.
'''ipsec listall [ --utc ]'''
== Reread Commands ==
'''ipsec rereadaacerts'''
'''ipsec rereadacerts'''
'''ipsec rereadcacerts'''
'''ipsec rereadcrls'''
'''ipsec rereadocspcerts'''
'''ipsec rereadsecrets'''
'''ipsec secrets'''
is equivalent to '''ipsec rereadsecrets'''.
'''ipsec rereadall'''
== Purge Commands ==
'''ipsec purgeocsp'''
== PKCS11 Proxy Commands ==
'''ipsec scencrypt'''
'''ipsec scdecrypt'''