strongSwan

{{swanctl}}

h1. ipsec

{{>toc}}

@ipsec@ is an umbrella command comprising a collection of individual sub commands that can be used to control and monitor IPsec connections as well as the IKE daemon.

> *Important:* The @ipsec@ command controls the legacy [[Ipsecstarter|starter]] daemon and [[Ipsecstroke|stroke]] plugin. A more modern and flexible interface is provided via [[vici]] plugin and [[swanctl]] command since version:5.2.0.

h2. Synopsis

<pre>

ipsec <command> [ <argument> ]  [ <options> ]

</pre>

*Note*: Some distributions (e.g. Fedora and its offsprings) rename the @ipsec@ command to *@strongswan@*

h2. Control Commands

*ipsec start [ _<starter options>_ ]*

p((. calls [[IpsecStarter|ipsec starter]] [ _<starter options>_ ] which in turn parses [[IpsecConf|ipsec.conf]] and starts the IKE daemon charon.

*ipsec stop*

p((. terminates all IPsec connection and stops the IKE daemon charon by sending a _TERM_ signal to [[IpsecStarter|ipsec starter]].

*ipsec restart [ _<starter options>_ ]*

p((. is equivalent to *ipsec stop* followed by *ipsec start [ _<starter options>_ ]* after a guard period of 2 seconds.

*ipsec update*

p((. sends a _HUP_ signal to [[IpsecStarter|ipsec starter]] which in turn determines any changes in [[IpsecConf|ipsec.conf]] and updates the configuration on the running IKE daemon charon. This generally does not affect established connections, except those for which the configuration has changed (see #129). Such connections should be restarted manually.

*ipsec reload*

p((. sends a _USR1_ signal to [[IpsecStarter|ipsec starter]] which in turn reloads the whole configuration on the running IKE daemon charon based on the actual [[IpsecConf|ipsec.conf]]. All currently established connections could be affected by this (see #129), so using *ipsec update* is generally preferred.

*ipsec up  _<name>_*

p((. tells the IKE daemon to start up connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] up _<name>_ command.

*ipsec down  _<name>_*

p((.  tells the IKE daemon to terminate connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] down _<name>_ command.

*ipsec down  _<name>{n}_*

p((. terminates CHILD_SA instance n of connection <name>. Since _{n}_ uniquely identifis a CHILD_SA the name is optional.

*ipsec down  _<name>{<notextile>*</notextile>}_*

p((. terminates all CHILD_SA instances of connection <name>.

*ipsec down _<name>[n]_*

p((. terminates IKE_SA instance n of connection <name> plus dependent CHILD_SAs.  Since _[n]_ uniquely identifis an IKE_SA the name is optional.

*ipsec down _<name>[<notextile>*</notextile>]_*

p((. terminates all IKE_SA instances of connection <name>.

*ipsec route  _<name>_*

p((. tells the IKE daemon to insert [[IpsecPolicy|IPsec policies]] in the kernel for connection _<name>_. The first payload packet matching the [[IpsecPolicy|IPsec policies]] will automatically trigger an IKE connection setup. Implemented by calling the [[IpsecStroke|ipsec stroke]] route _<name>_ command.

*ipsec unroute  _<name>_*

p((. remove the [[IpsecPolicy|IPsec policies]] in the kernel for connection _<name>_. Implemented by calling the [[IpsecStroke|ipsec stroke]] unroute _<name>_ command.

*ipsec status [ _<name>_ ]*

p((.  returns concise status information either on connection _<name>_ or if the argument is lacking, on all connections. Implemented by calling the [[IpsecStroke|ipsec stroke]] status [ _<name>_ ] command.

*ipsec statusall [ _<name>_ ]*

p((. returns detailed status information either on connection _<name>_ or if the argument is lacking, on all connections. Implemented by calling the [[IpsecStroke|ipsec stroke]] statusall [ _<name>_ ] command.

h2. Info Commands

*ipsec version*

p((. returns the ipsec version in the form of *Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

*ipsec copyright*

p((. returns the copyright information.

*ipsec --confdir*

p((. returns the _SYSCONFDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.

*ipsec --directory*

p((. returns the _LIBEXECDIR_ directory as defined by the [[InstallationDocumentation|configure]] options.

*ipsec --help*

p((. returns the usage information for the ipsec command.

*ipsec --versioncode*

p((. returns the ipsec version number in the form of *U<strongSwan userland version>/K<Linux kernel version>* if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

h2. List Commands

*ipsec leases [ [ <poolname> [ <address> ] ]*

p((. returns the status of all or the selected IP address pools (or even a single virtual IP address).

*ipsec listaacerts [ --utc ]*

p((. returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory. Implemented by calling the [[IpsecStroke|ipsec stroke]] listaacerts command.

*ipsec listacerts [ --utc ]*

p((. returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory. Implemented by calling the [[IpsecStroke|ipsec stroke]] listacerts command.

*ipsec listalgs*

p((. returns a list of all supported IKE encryption and hash algorithms, and the available Diffie-Hellman groups. Implemented by calling the [[IpsecStroke|ipsec stroke]] listalgs command.

*ipsec listcacerts [ --utc ]*

p((. returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the IKE daemon from the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory or received via the IKE protocol. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcacerts command.

*ipsec listcainfos [ --utc ]*

p((. returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by [[CaSection|ca sections]] in [[IpsecConf|ipsec.conf]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcainfos command.

*ipsec listcerts [ --utc ]*

p((. returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE daemon or received via the IKE protocol. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcerts command.

*ipsec listcounters [ <name> ]*

p((. returns a list of global or connection specific counter values about received and sent IKE messages and rekeyings.  Connection specific ounters are available since [[5.0.3]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcounters command.

*ipsec listcrls [ --utc ]*

p((. returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon from the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory or fetched from an HTTP- or LDAP-based CRL distribution point. Implemented by calling the [[IpsecStroke|ipsec stroke]] listcrls command. Note that X.509 Authority Key Identifier extension is used to associate CRL with a particular CA, otherwise CRL is listed but not applied.

*ipsec listgroups [ --utc ]*

p((. returns a list of all groups that are used to define user authorization profiles. Currently not supported.

*ipsec listocsp [ --utc ]*

p((. returns cached revocation information fetched from OCSP servers. Implemented by calling the [[IpsecStroke|ipsec stroke]] listocsp command.

*ipsec listocspcerts [ --utc ]*

p((. returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE daemon from the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory or were sent by an OCSP server. Implemented by calling the [[IpsecStroke|ipsec stroke]] listocspcerts command.

*ipsec listplugins*

p((. returns a list of all loaded plugin features. Implemented by calling the [[IpsecStroke|ipsec stroke]] listplugins command.

*ipsec listpubkeys [ --utc ]*

p((. returns a list of public keys that were loaded in raw key format. Implemented by calling the [[IpsecStroke|ipsec stroke]] listpubkeys command.

*ipsec listall [ --utc ]*

p((. returns  all information generated by the list commands above. Each list command can be called with the @--utc@ option which displays all dates in UTC instead of local time. Implemented by calling the [[IpsecStroke|ipsec stroke]] listall command.

h2. Reread Commands

*ipsec rereadaacerts*

p((. reads all certificate files contained in the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]] directory and adds them to the list of Authorization Authority (AA) certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadaacerts command.

*ipsec rereadacerts*

p((. reads all certificate files contained in the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] directory and adds them to the list of attribute certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadacerts command.

*ipsec rereadcacerts*

p((. reads all certificate files contained in  the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] directory  and adds them to the list of Certification Authority (CA) certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadcacerts command.

*ipsec rereadcrls*

p((. reads all Certificate Revocation Lists (CRLs) contained in the [[IpsecDirectoryCrls|/etc/ipsec.d/crls]] directory and adds them to the list of CRLs. Older CRLs are replaced by newer ones. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadcrls command.

*ipsec rereadocspcerts*

p((. reads all certificate files contained in the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts]] directory and adds them to the list of OCSP signer certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadocspcerts command.

*ipsec rereadsecrets*

p((. flushes and rereads all secrets defined in [[IpsecSecrets|ipsec.secrets]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadsecrets command.

*ipsec secrets*

p((. is equivalent to *ipsec rereadsecrets*.

*ipsec rereadall*

p((. executes all reread commands listed above. Implemented by calling the [[IpsecStroke|ipsec stroke]] rereadall command.

h2. Reset Commands

*ipsec resetcounters [ <name> ]*

p((. resets global or connection specific counters. Since [[5.0.3]]. Implemented by calling the [[IpsecStroke|ipsec stroke]] resetcounters command.

h2. Purge Commands

*ipsec purgecerts*

p((. purges all cached certificates. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgecerts command.

*ipsec purgecrls*

p((. purges all cached CRLs. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgecrls command.

*ipsec purgeike*

p((. purges IKE_SAs that don't have a CHILD_SA. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgeike command.

*ipsec purgeocsp*

p((. purges all cached OCSP information records. Implemented by calling the [[IpsecStroke|ipsec stroke]] purgeocsp command.

h2. Before 5.0.0

In releases before [[5.0.0]] IKEv1 connections were handled by the separate [[pluto]] keying daemon. The ipsec command then used the [[IpsecWhack|ipsec whack]] command in addition to the [[IpsecStroke|ipsec stroke]] command to communicate with pluto.

h3. List Commands

*ipsec listcards [ --utc ]*

p((. lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listcards command.

h3. PKCS11 Proxy Commands

*ipsec scencrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*

p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scencrypt command.

*ipsec scdecrypt _<value>_ [ --inbase <base> ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*

p((. Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --scdecrypt command.