ipsec » History » Version 8

Martin Willi, 29.09.2007 17:21
added whack and stroke details to the list, reread, and purge commands


= ipsec =

'''ipsec''' is an umbrella command comprising a collection of individual subcommands of the form

'''ipsec ''<command>'' [ ''<argument>'' ]  [ ''<options>'' ]'''

that can be used to control and monitor IPsec connections as well as the IKE daemons.

== Control Commands ==

'''ipsec start [ ''<starter options>'' ]'''
calls [wiki:IpsecStarter ipsec starter] [ ''<starter options>'' ] which in turn parses
[wiki:IpsecConf ipsec.conf] and starts the IKEv1 pluto and IKEv2 charon daemons.

'''ipsec stop'''
terminates all IPsec connections and stops the IKEv1 pluto and IKEv2 charon daemons by sending
a ''TERM'' signal to [wiki:IpsecStarter ipsec starter].

'''ipsec restart [ ''<starter options>'' ]'''
is equivalent to '''ipsec stop''' followed by '''ipsec start [ ''<starter options>'' ]''' after a
guard period of 2 seconds.

'''ipsec update'''
sends a ''HUP'' signal to [wiki:IpsecStarter ipsec starter] which in turn determines any changes
in [wiki:IpsecConf ipsec.conf] and updates the configuration on the running IKEv1 pluto and IKEv2
charon daemons, correspondingly.

'''ipsec reload'''
sends a ''USR1'' signal to [wiki:IpsecStarter ipsec starter] which in turn reloads the
whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the current
[wiki:IpsecConf ipsec.conf].

'''ipsec up ''<name>'' '''
tells the responsible IKE daemon to start up connection ''<name>''. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --name ''<name>'' --initiate and/or [wiki:IpsecStroke ipsec stroke]
up ''<name>'' commands.

'''ipsec down ''<name>'' '''
tells the responsible IKE daemon to terminate connection ''<name>''. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --name ''<name>'' --terminate and/or [wiki:IpsecStroke ipsec stroke]
down ''<name>'' commands.

'''ipsec route ''<name>'' '''
tells the responsible IKE daemon to insert an [wiki:IpsecPolicy IPsec policy] in the kernel for
connection ''<name>''. The first payload packet matching the [wiki:IpsecPolicy IPsec policy]
will automatically trigger an IKE connection setup. Implemented by calling the
[wiki:IpsecWhack ipsec whack] --name ''<name>'' --route and/or
[wiki:IpsecStroke ipsec stroke] route ''<name>'' commands.

'''ipsec unroute ''<name>'' '''
removes the [wiki:IpsecPolicy IPsec policy] in the kernel for connection ''<name>''. Implemented
by calling the [wiki:IpsecWhack ipsec whack] --name ''<name>'' --unroute and/or
[wiki:IpsecStroke ipsec stroke] unroute ''<name>'' commands.

'''ipsec status [ ''<name>'' ] '''
returns concise status information either on connection ''<name>'' or, if the argument is omitted,
on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]
--status and/or [wiki:IpsecStroke ipsec stroke] status [ ''<name>'' ] commands.

'''ipsec statusall [ ''<name>'' ] '''
returns detailed status information either on connection ''<name>'' or, if the argument is omitted,
on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]
--statusall and/or [wiki:IpsecStroke ipsec stroke] statusall [ ''<name>'' ] commands.

== Info Commands ==

'''ipsec version'''
returns the ipsec version in the form of '''Linux strongSwan
U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

'''ipsec copyright'''
returns the copyright information.

'''ipsec --confdir'''
returns the ''SYSCONFDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]
options.

'''ipsec --directory'''
returns the ''LIBEXECDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]
options.

'''ipsec --help'''
returns the usage information for the ipsec command.

'''ipsec --versioncode'''
returns the ipsec version number in the form of
'''U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

== List Commands ==

'''ipsec listaacerts [ --utc ]'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listaacerts and/or
[wiki:IpsecStroke ipsec stroke] listaacerts commands.

'''ipsec listacerts [ --utc ]'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listacerts and/or
[wiki:IpsecStroke ipsec stroke] listacerts commands.

'''ipsec listalgs'''
returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman groups,
as well as all ESP encryption and authentication algorithms registered via the Linux kernel's Crypto API.
Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
--listalgs command.

'''ipsec listcacerts [ --utc ]'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listcacerts and/or
[wiki:IpsecStroke ipsec stroke] listcacerts commands.

'''ipsec listcainfos [ --utc ]'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listcainfos and/or
[wiki:IpsecStroke ipsec stroke] listcainfos commands.

'''ipsec listcards [ --utc ]'''
lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only.
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listcards command.

'''ipsec listcrls [ --utc ]'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listcrls and/or
[wiki:IpsecStroke ipsec stroke] listcrls commands.

'''ipsec listcerts [ --utc ]'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listcerts and/or
[wiki:IpsecStroke ipsec stroke] listcerts commands.

'''ipsec listgroups [ --utc ]'''
Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
--listgroups command.

'''ipsec listocsp [ --utc ]'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listocsp and/or
[wiki:IpsecStroke ipsec stroke] listocsp commands.

'''ipsec listocspcerts [ --utc ]'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listocspcerts and/or
[wiki:IpsecStroke ipsec stroke] listocspcerts commands.

'''ipsec listpubkeys [ --utc ]'''
returns a list of RSA public keys that were either loaded in raw key format or extracted from
X.509 and/or OpenPGP certificates. Supported by the IKEv1 pluto daemon only.
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listpubkeys command.

'''ipsec listall [ --utc ]'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --listall and/or
[wiki:IpsecStroke ipsec stroke] listall commands.

== Reread Commands ==

'''ipsec rereadaacerts'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadaacerts and/or
[wiki:IpsecStroke ipsec stroke] rereadaacerts commands.

'''ipsec rereadacerts'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadacerts and/or
[wiki:IpsecStroke ipsec stroke] rereadacerts commands.

'''ipsec rereadcacerts'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadcacerts and/or
[wiki:IpsecStroke ipsec stroke] rereadcacerts commands.

'''ipsec rereadcrls'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadcrls and/or
[wiki:IpsecStroke ipsec stroke] rereadcrls commands.

'''ipsec rereadocspcerts'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadocspcerts and/or
[wiki:IpsecStroke ipsec stroke] rereadocspcerts commands.

'''ipsec rereadsecrets'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadsecrets and/or
[wiki:IpsecStroke ipsec stroke] rereadsecrets commands.

'''ipsec secrets'''
is equivalent to '''ipsec rereadsecrets'''.

'''ipsec rereadall'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadall and/or
[wiki:IpsecStroke ipsec stroke] rereadall commands.

== Purge Commands ==

'''ipsec purgeocsp'''
Implemented by calling the [wiki:IpsecWhack ipsec whack] --purgeocsp and/or
[wiki:IpsecStroke ipsec stroke] purgeocsp commands.

== PKCS11 Proxy Commands ==

'''ipsec scencrypt'''
Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
--scencrypt command.

'''ipsec scdecrypt'''
Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
--scdecrypt command.