Version 30 (Tobias Brunner, 14.11.2019 17:19) → Version 31/32 (Tobias Brunner, 14.01.2022 09:37)
h1. ipsec
{{>toc}}
@ipsec@ is an umbrella command comprising a collection of individual sub commands that can be used to control and monitor IPsec connections as well as the IKE daemon.
> *Important:* The @ipsec@ command controls the legacy [[Ipsecstarter|starter]] daemon and [[Ipsecstroke|stroke]] plugin. A more modern and flexible interface is provided via the [[vici]] plugin and the [[swanctl]] command since version:5.2.0.
h2. Synopsis
<pre>
ipsec <command> [ <argument> ] [ <options> ]
</pre>
*Note*: Some distributions (e.g. Fedora and its derivatives) rename the @ipsec@ command to *@strongswan@*.
h2. Control Commands
*ipsec start [ _<starter options>_ ]*
p((. calls [[IpsecStarter|ipsec starter]] [ _<starter options>_ ] which in turn parses [[IpsecConf|ipsec.conf]] and starts the IKE daemon charon.
*ipsec stop*
p((. terminates all IPsec connections and stops the IKE daemon charon by sending a _TERM_ signal to [[IpsecStarter|ipsec starter]].
*ipsec restart [ _<starter options>_ ]*
p((. is equivalent to *ipsec stop* followed by *ipsec start [ _<starter options>_ ]* after a guard period of 2 seconds.
*ipsec update*
p((. sends a _HUP_ signal to [[IpsecStarter|ipsec starter]] which in turn determines any changes in [[IpsecConf|ipsec.conf]] and updates the configuration on the running IKE daemon charon. +This generally does not affect established connections, except those for which the configuration has changed (see #129). Such connections should be restarted manually.+ -Currently established connections are not affected by configuration changes.-
*ipsec reload*
p((. sends a _USR1_ signal to [[IpsecStarter|ipsec starter]] which in turn reloads the whole configuration on the running IKE daemon charon based on the actual [[IpsecConf|ipsec.conf]]. +All currently established connections could be affected by this (see #129), so using *ipsec update* is generally preferred.+ -Currently established connections are not affected by configuration changes.-
*ipsec up _<name>_*
p((. tells the IKE daemon to start up connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] up _<name>_ command.
*ipsec down _<name>_*
p((. tells the IKE daemon to terminate connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] down _<name>_ command.
*ipsec down _<name>{n}_*
p((. terminates CHILD_SA instance _n_ of connection _<name>_. Since _{n}_ uniquely identifies a CHILD_SA, the name is optional.
*ipsec down _<name>{<notextile>*</notextile>}_*
p((. terminates all CHILD_SA instances of connection _<name>_.
*ipsec down _<name>[n]_*
p((. terminates IKE_SA instance _n_ of connection _<name>_ plus dependent CHILD_SAs. Since _[n]_ uniquely identifies an IKE_SA, the name is optional.
*ipsec down _<name>[<notextile>*</notextile>]_*
p((. terminates all IKE_SA instances of connection _<name>_.
*ipsec route _<name>_*
p((. tells the IKE daemon to insert [[IpsecPolicy|IPsec policies]] in the kernel for connection _<name>_. The first payload packet matching the [[IpsecPolicy|IPsec policies]] will automatically trigger an IKE connection setup. Implemented by calling the [[IpsecStroke|ipsec stroke]] route _<name>_ command.
*ipsec unroute _<name>_*
p((. removes the [[IpsecPolicy|IPsec policies]] in the kernel for connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] unroute _<name>_ command.
*ipsec status [ _<name>_ ]*
p((. returns concise status information either on connection _<name>_ or if the argument is lacking, on all connections. Implemented by calling the [[IpsecStroke|ipsec stroke]] status [ _<name>_ ] command.
*ipsec statusall [ _<name>_ ]*
p((. returns detailed status information either on connection _<name>_ or if the argument is lacking, on all connections. Implemented by calling the [[IpsecStroke|ipsec stroke]] statusall [ _<name>_ ] command.
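The target forms accepted by *ipsec down* range from a single CHILD_SA to every IKE_SA of a connection, so a change-control wrapper can classify the target before anything is terminated. The script below is an added example, not part of strongSwan: the function names and the @ALLOW_ALL@ variable are hypothetical, and requiring a connection name for the wildcard forms is this example's own policy.

```shell
#!/bin/sh
# Added example: classify the scope of an `ipsec down` target before running it.

is_uint() {                      # success if $1 is a non-empty decimal number
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# down_scope TARGET -> prints the scope; returns 1 on a malformed target.
down_scope() {
    target=$1
    ob='{'; cb='}'; os='['; cs=']'       # kept in variables so patterns stay literal
    case "$target" in
        *"$ob"*"$cb") kind=child_sa; name=${target%%"$ob"*}
                      id=${target#*"$ob"}; id=${id%"$cb"} ;;
        *"$os"*"$cs") kind=ike_sa; name=${target%%"$os"*}
                      id=${target#*"$os"}; id=${id%"$cs"} ;;
        *)            kind=connection; name=$target; id= ;;
    esac
    # Reject stray selector characters, option-like names and whitespace.
    case "$name" in
        *"$ob"*|*"$cb"*|*"$os"*|*"$cs"*|-*|*[[:space:]]*) return 1 ;;
    esac
    if [ "$kind" = connection ]; then
        [ -n "$name" ] || return 1
        echo "connection name=$name"
    elif [ "$id" = '*' ]; then
        [ -n "$name" ] || return 1       # example policy: wildcard needs a name
        echo "all_${kind} name=$name"
    elif is_uint "$id"; then
        echo "${kind} id=$id name=${name:--}"   # name is optional for {n} and [n]
    else
        return 1
    fi
}

# Some distributions install the command as `strongswan` instead of `ipsec`.
ipsec_cmd() {
    for c in ipsec strongswan; do
        command -v "$c" >/dev/null 2>&1 && { echo "$c"; return 0; }
    done
    return 1
}

# guarded_down TARGET: refuse wildcard teardown unless ALLOW_ALL=1 is set.
guarded_down() {
    scope=$(down_scope "$1") || { echo "rejected: malformed target '$1'" >&2; return 2; }
    case "$scope" in
        all_*) [ "${ALLOW_ALL:-0}" = 1 ] || { echo "refused: $scope" >&2; return 3; } ;;
    esac
    cmd=$(ipsec_cmd) || { echo "ipsec/strongswan command not found" >&2; return 127; }
    echo "terminating: $scope" >&2
    "$cmd" down "$1"
}
```

Source the file and call @guarded_down 'office{3}'@; the connection name @office@ is a constructed sample.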
h2. Info Commands
*ipsec version*
p((. returns the ipsec version in the form of *Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
*ipsec copyright*
p((. returns the copyright information.
*ipsec --confdir*
p((. returns the _SYSCONFDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.
*ipsec --directory*
p((. returns the _LIBEXECDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.
*ipsec --help*
p((. returns the usage information for the ipsec command.
*ipsec --versioncode*
p((. returns the ipsec version number in the form of *U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
h2. List Commands
*ipsec leases [ <poolname> [ <address> ] ]*
p((. returns the status of all or the selected IP address pools (or even a single virtual IP address).
*ipsec listaacerts [ --utc ]*
p((. returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory. Implemented by calling the [[IpsecStroke|ipsec stroke]] listaacerts command.
*ipsec listacerts [ --utc ]*
p((. returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory. Implemented by calling the [[IpsecStroke|ipsec stroke]] listacerts command.
*ipsec listalgs*
p((. returns a list of all supported IKE encryption and hash algorithms, and the available Diffie-Hellman groups. Implemented by calling the [[IpsecStroke|ipsec stroke]] listalgs command.
*ipsec listcacerts [ --utc ]*
p((. returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory or received via the IKE protocol. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcacerts command.
*ipsec listcainfos [ --utc ]*
p((. returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by [[CaSection|ca sections]] in [[IpsecConf|ipsec.conf]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcainfos command.
*ipsec listcerts [ --utc ]*
p((. returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE daemon or received via the IKE protocol. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcerts command.
*ipsec listcounters [ <name> ]*
p((. returns a list of global or connection specific counter values about received and sent IKE messages and rekeyings. Connection specific counters are available since [[5.0.3]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcounters command.
*ipsec listcrls [ --utc ]*
p((. returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon from the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory or fetched from an HTTP- or LDAP-based CRL distribution point. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcrls command. Note that the X.509 Authority Key Identifier extension is used to associate a CRL with a particular CA; otherwise the CRL is listed but not applied.
*ipsec listgroups [ --utc ]*
p((. returns a list of all groups that are used to define user authorization profiles. Currently not supported.
*ipsec listocsp [ --utc ]*
p((. returns cached revocation information fetched from OCSP servers. Implemented by calling the [[IpsecStroke|ipsec stroke]] listocsp command.
*ipsec listocspcerts [ --utc ]*
p((. returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE daemon from the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory or were sent by an OCSP server. Implemented by calling the [[IpsecStroke|ipsec stroke]] listocspcerts command.
*ipsec listplugins*
p((. returns a list of all loaded plugin features. Implemented by calling the [[IpsecStroke|ipsec stroke]] listplugins command.
*ipsec listpubkeys [ --utc ]*
p((. returns a list of public keys that were loaded in raw key format. Implemented by calling the [[IpsecStroke|ipsec stroke]] listpubkeys command.
*ipsec listall [ --utc ]*
p((. returns all information generated by the list commands above. Each list command can be called with the @--utc@ option which displays all dates in UTC instead of local time. Implemented by calling the [[IpsecStroke|ipsec stroke]] listall command.
h2. Reread Commands
*ipsec rereadaacerts*
p((. reads all certificate files contained in the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory and adds them to the list of Authorization Authority (AA) certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadaacerts command.
*ipsec rereadacerts*
p((. reads all certificate files contained in the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory and adds them to the list of attribute certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadacerts command.
*ipsec rereadcacerts*
p((. reads all certificate files contained in the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory and adds them to the list of Certification Authority (CA) certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadcacerts command.
*ipsec rereadcrls*
p((. reads all Certificate Revocation Lists (CRLs) contained in the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory and adds them to the list of CRLs. Older CRLs are replaced by newer ones. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadcrls command.
*ipsec rereadocspcerts*
p((. reads all certificate files contained in the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory and adds them to the list of OCSP signer certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadocspcerts command.
*ipsec rereadsecrets*
p((. flushes and rereads all secrets defined in [[IpsecSecrets|ipsec.secrets]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadsecrets command.
*ipsec secrets*
p((. is equivalent to *ipsec rereadsecrets*.
*ipsec rereadall*
p((. executes all reread commands listed above. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadall command.
h2. Reset Commands
*ipsec resetcounters [ <name> ]*
p((. resets global or connection specific counters. Since [[5.0.3]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] resetcounters command.
h2. Purge Commands
*ipsec purgecerts*
p((. purges all cached certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgecerts command.
*ipsec purgecrls*
p((. purges all cached CRLs. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgecrls command.
*ipsec purgeike*
p((. purges IKE_SAs that don't have a CHILD_SA. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgeike command.
*ipsec purgeocsp*
p((. purges all cached OCSP information records. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgeocsp command.
h2. Before 5.0.0
In releases before [[5.0.0]] IKEv1 connections were handled by the separate [[pluto]] keying daemon. The ipsec command then used the [[IpsecWhack|ipsec whack]] command in addition to the [[IpsecStroke|ipsec stroke]] command to communicate with pluto.
h3. List Commands
*ipsec listcards [ --utc ]*
p((. lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcards command.
h3. PKCS11 Proxy Commands
*ipsec scencrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scencrypt command.
*ipsec scdecrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scdecrypt command.