ipsec » History » Version 6

Martin Willi, 29.09.2007 16:56
added details to the info commands

= ipsec =

'''ipsec''' is actually an umbrella command comprising a collection of individual subcommands of the form

  '''ipsec ''<command>'' [ ''<argument>'' ]  [ ''<options>'' ]'''

that can be used to control and monitor IPsec connections as well as the IKE daemons.

== Control Commands ==

'''ipsec start [ ''<starter options>'' ]'''
   calls [wiki:IpsecStarter ipsec starter] [ ''<starter options>'' ] which in turn parses
   [wiki:IpsecConf ipsec.conf] and starts the IKEv1 pluto and IKEv2 charon daemons.

'''ipsec stop'''
   terminates all IPsec connections and stops the IKEv1 pluto and IKEv2 charon daemons by sending
   a ''TERM'' signal to [wiki:IpsecStarter ipsec starter].

'''ipsec restart [ ''<starter options>'' ]'''
   is equivalent to '''ipsec stop''' followed by '''ipsec start [ ''<starter options>'' ]''' after a
   guard period of 2 seconds.

'''ipsec update'''
   sends a ''HUP'' signal to [wiki:IpsecStarter ipsec starter] which in turn determines any changes
   in [wiki:IpsecConf ipsec.conf] and updates the configuration on the running IKEv1 pluto and IKEv2
   charon daemons accordingly.

'''ipsec reload'''
   sends a ''USR1'' signal to [wiki:IpsecStarter ipsec starter] which in turn reloads the
   whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the current
   [wiki:IpsecConf ipsec.conf].

'''ipsec up  ''<name>'' '''
   tells the responsible IKE daemon to start up connection ''<name>''. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --initiate and/or [wiki:IpsecStroke ipsec stroke]
   up ''<name>'' commands.

'''ipsec down  ''<name>'' '''
   tells the responsible IKE daemon to terminate connection ''<name>''. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --terminate and/or [wiki:IpsecStroke ipsec stroke]
   down ''<name>'' commands.

'''ipsec route  ''<name>'' '''
   tells the responsible IKE daemon to insert an IPsec policy in the kernel for connection ''<name>''.
   The first payload packet matching the IPsec policy will automatically trigger an IKE connection setup.
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --name ''<name>'' --route and/or
   [wiki:IpsecStroke ipsec stroke] route ''<name>'' commands.

'''ipsec unroute  ''<name>'' '''
   removes the IPsec policy in the kernel for connection ''<name>''. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --unroute and/or [wiki:IpsecStroke ipsec stroke]
   unroute ''<name>'' commands.

'''ipsec status [ ''<name>'' ] '''
   returns concise status information either on connection ''<name>'' or, if the argument is omitted,
   on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]
   --status and/or [wiki:IpsecStroke ipsec stroke] status [ ''<name>'' ] commands.

'''ipsec statusall [ ''<name>'' ] '''
   returns detailed status information either on connection ''<name>'' or, if the argument is omitted,
   on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]
   --statusall and/or [wiki:IpsecStroke ipsec stroke] statusall [ ''<name>'' ] commands.

== Info Commands ==

'''ipsec version'''
   returns the ipsec version in the form of
   '''Linux strongSwan U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''
   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

'''ipsec copyright'''
   returns the copyright information.

'''ipsec --confdir'''
   returns the ''SYSCONFDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]
   options.

'''ipsec --directory'''
   returns the ''LIBEXECDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]
   options.

'''ipsec --help'''
   returns the usage information for the ipsec command.

'''ipsec --versioncode'''
   returns the ipsec version number in the form of
   '''U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''
   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

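An added example, not part of the original wiki page or of the strongSwan sources: a POSIX shell helper that parses the U<userland>/K<kernel> string returned by '''ipsec --versioncode''' (or the longer '''ipsec version''' line) and flags hosts whose userland is below a required minimum. The sample strings and the 4.1.7 minimum are constructed for illustration; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: inventory check on `ipsec --versioncode` output.

# parse_versioncode STRING: prints "<userland> <kernel>"; fails unless STRING
# has the U<userland>/K<kernel> form (the NETKEY case described above).
parse_versioncode() {
    code=${1#"Linux strongSwan "}   # also accept the `ipsec version` line
    case $code in
        U?*/K?*) ;;
        *) return 1 ;;
    esac
    userland=${code%%/K*}
    printf '%s %s\n' "${userland#U}" "${code#*/K}"
}

# version_ge A B: succeeds if dotted version A >= B, compared field by field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*} y=${y%%[!0-9]*}   # ignore suffixes such as "rc1"
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# check_host MIN STRING: prints a verdict; 0 = current, 1 = outdated, 2 = unparsed.
check_host() {
    parsed=$(parse_versioncode "$2") || { echo "unparsed: $2"; return 2; }
    u=${parsed%% *} k=${parsed#* }
    if version_ge "$u" "$1"; then
        echo "ok: userland $u, kernel $k"
    else
        echo "outdated: userland $u < $1, kernel $k"
        return 1
    fi
}

# Constructed sample strings; 4.1.7 is a hypothetical site minimum.
for s in 'U4.1.7/K2.6.22' 'Linux strongSwan U4.1.5/K2.6.20' 'U4.1.7'; do
    check_host 4.1.7 "$s" || true
done
```

A string without the /K part is reported as unparsed rather than guessed at, since the page only defines the format for the native NETKEY stack.
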
== List Commands ==

'''ipsec listaacerts [ --utc ]'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec listacerts [ --utc ]'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec listalgs'''
   lists all registered IKE and ESP encryption and authentication algorithms as well as the supported
   Diffie-Hellman groups. Supported by the IKEv1 pluto daemon only. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] command.

'''ipsec listcacerts [ --utc ]'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec listcainfos [ --utc ]'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec listcards [ --utc ]'''
   lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only.
   Implemented by calling the [wiki:IpsecWhack ipsec whack] command.

'''ipsec listcrls [ --utc ]'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec listcerts [ --utc ]'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec listgroups [ --utc ]'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec listocsp [ --utc ]'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec listocspcerts [ --utc ]'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec listpubkeys [ --utc ]'''
   lists the cached RSA public keys. Supported by the IKEv1 pluto daemon only. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] command.

'''ipsec listall [ --utc ]'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

== Reread Commands ==

'''ipsec rereadaacerts'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec rereadacerts'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec rereadcacerts'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec rereadcrls'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec rereadocspcerts'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec rereadsecrets'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

'''ipsec secrets'''
   is equivalent to '''ipsec rereadsecrets'''.

'''ipsec rereadall'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

== Purge Commands ==

'''ipsec purgeocsp'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] and [wiki:IpsecStroke ipsec stroke] commands.

== PKCS11 Proxy Commands ==

'''ipsec scencrypt'''
   Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
   command.

'''ipsec scdecrypt'''
   Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
   command.