ipsec » History » Version 9

Martin Willi, 30.09.2007 22:28
added details to the list commands

= ipsec =

'''ipsec''' is actually an umbrella command comprising a collection of individual sub commands of the form

  '''ipsec ''<command>'' [ ''<argument>'' ]  [ ''<options>'' ]'''

that can be used to control and monitor IPsec connections as well as the IKE daemons.

== Control Commands ==

'''ipsec start [ ''<starter options>'' ]'''
   calls [wiki:IpsecStarter ipsec starter] [ ''<starter options>'' ] which in turn parses
   [wiki:IpsecConf ipsec.conf] and starts the IKEv1 pluto and IKEv2 charon daemons.

'''ipsec stop'''
   terminates all IPsec connections and stops the IKEv1 pluto and IKEv2 charon daemons by sending
   a ''TERM'' signal to [wiki:IpsecStarter ipsec starter].

'''ipsec restart [ ''<starter options>'' ]'''
   is equivalent to '''ipsec stop''' followed by '''ipsec start [ ''<starter options>'' ]''' after a
   guard period of 2 seconds.

'''ipsec update'''
   sends a ''HUP'' signal to [wiki:IpsecStarter ipsec starter] which in turn determines any changes
   in [wiki:IpsecConf ipsec.conf] and updates the configuration on the running IKEv1 pluto and IKEv2
   charon daemons, correspondingly.

'''ipsec reload'''
   sends a ''USR1'' signal to [wiki:IpsecStarter ipsec starter] which in turn reloads the
   whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the current
   [wiki:IpsecConf ipsec.conf].

'''ipsec up ''<name>'' '''
   tells the responsible IKE daemon to start up connection ''<name>''. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --initiate and/or [wiki:IpsecStroke ipsec stroke]
   up ''<name>'' commands.

'''ipsec down ''<name>'' '''
   tells the responsible IKE daemon to terminate connection ''<name>''. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --terminate and/or [wiki:IpsecStroke ipsec stroke]
   down ''<name>'' commands.

'''ipsec route ''<name>'' '''
   tells the responsible IKE daemon to insert an [wiki:IpsecPolicy IPsec policy] in the kernel for
   connection ''<name>''. The first payload packet matching the [wiki:IpsecPolicy IPsec policy]
   will automatically trigger an IKE connection setup. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --name ''<name>'' --route and/or
   [wiki:IpsecStroke ipsec stroke] route ''<name>'' commands.

'''ipsec unroute ''<name>'' '''
   removes the [wiki:IpsecPolicy IPsec policy] in the kernel for connection ''<name>''. Implemented
   by calling the [wiki:IpsecWhack ipsec whack] --name ''<name>'' --unroute and/or
   [wiki:IpsecStroke ipsec stroke] unroute ''<name>'' commands.

'''ipsec status [ ''<name>'' ]'''
   returns concise status information either on connection ''<name>'' or, if the argument is lacking,
   on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]
   --status and/or [wiki:IpsecStroke ipsec stroke] status [ ''<name>'' ] commands.

'''ipsec statusall [ ''<name>'' ]'''
   returns detailed status information either on connection ''<name>'' or, if the argument is lacking,
   on all connections. Implemented by calling the [wiki:IpsecWhack ipsec whack] [ --name ''<name>'' ]
   --statusall and/or [wiki:IpsecStroke ipsec stroke] statusall [ ''<name>'' ] commands.

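The connection control commands above are thin wrappers: each one is translated into an '''ipsec whack''' call for the IKEv1 pluto daemon and/or an '''ipsec stroke''' call for the IKEv2 charon daemon, and which of the two is needed depends on which daemon is running. The following POSIX sh script is an added example, not strongSwan's own '''ipsec''' script, that models this dispatch for up/down/route/unroute/status/statusall, including the argument check a wrapper has to make (a connection name is mandatory for up/down/route/unroute and optional for status/statusall). It assumes, beyond what the page states, that a running daemon can be detected with '''pgrep -x''', that the variable '''IPSEC_DAEMONS''' may override that detection, and that '''IPSEC_DRY_RUN=1''' prints the helper command lines instead of executing them.

```shell
#!/bin/sh
# Added example, not the strongSwan ipsec script: model the mapping of the
# ipsec control sub commands onto "ipsec whack" (pluto) and "ipsec stroke" (charon).
# Assumptions (not from the page): daemons are probed with pgrep -x, IPSEC_DAEMONS
# overrides the probe (e.g. "pluto charon"), IPSEC_DRY_RUN=1 prints instead of runs.

# daemon_running <pluto|charon>: 0 when that daemon is running.
daemon_running() {
    if [ -n "${IPSEC_DAEMONS+x}" ]; then
        case " $IPSEC_DAEMONS " in *" $1 "*) return 0 ;; *) return 1 ;; esac
    fi
    pgrep -x "$1" >/dev/null 2>&1
}

# run_helper <command...>: execute the helper, or echo it in dry-run mode.
run_helper() {
    if [ "${IPSEC_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipsec_control <command> [<name>]
# Issues the whack and/or stroke call documented for <command> to every
# daemon that is running. Returns 2 on a usage error, 1 if no daemon runs.
ipsec_control() {
    cmd=$1; name=$2
    case $cmd in
        up)               whack_opt=--initiate ;;   # ipsec whack --name <name> --initiate
        down)             whack_opt=--terminate ;;  # ipsec whack --name <name> --terminate
        route)            whack_opt=--route ;;      # ipsec whack --name <name> --route
        unroute)          whack_opt=--unroute ;;    # ipsec whack --name <name> --unroute
        status|statusall) whack_opt=--$cmd ;;       # ipsec whack [ --name <name> ] --status(all)
        *) echo "ipsec_control: unknown command '$cmd'" >&2; return 2 ;;
    esac
    # up/down/route/unroute act on one connection; status/statusall may omit the name
    case $cmd in
        status|statusall) ;;
        *) if [ -z "$name" ]; then
               echo "ipsec_control: $cmd requires a connection name" >&2; return 2
           fi ;;
    esac
    ran=0
    if daemon_running pluto; then
        if [ -n "$name" ]; then
            run_helper ipsec whack --name "$name" "$whack_opt"
        else
            run_helper ipsec whack "$whack_opt"
        fi
        ran=1
    fi
    if daemon_running charon; then
        if [ -n "$name" ]; then
            run_helper ipsec stroke "$cmd" "$name"
        else
            run_helper ipsec stroke "$cmd"
        fi
        ran=1
    fi
    if [ "$ran" -eq 0 ]; then
        echo "ipsec_control: neither pluto nor charon is running" >&2
        return 1
    fi
}

# Usage: IPSEC_DRY_RUN=1 sh this-script.sh up home   (shows the helper calls)
if [ $# -gt 0 ]; then
    ipsec_control "$@"
fi
```

Running it with both daemons present and '''IPSEC_DRY_RUN=1''' prints the two helper lines for a command, e.g. '''ipsec whack --name home --initiate''' followed by '''ipsec stroke up home''' for '''up home'''; with only charon running, only the stroke line appears.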
== Info Commands ==

'''ipsec version'''
   returns the ipsec version in the form of
   '''Linux strongSwan U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''
   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

'''ipsec copyright'''
   returns the copyright information.

'''ipsec --confdir'''
   returns the ''SYSCONFDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]
   options.

'''ipsec --directory'''
   returns the ''LIBEXECDIR'' directory as defined by the [wiki:InstallationDocumentation ./configure]
   options.

'''ipsec --help'''
   returns the usage information for the ipsec command.

'''ipsec --versioncode'''
   returns the ipsec version number in the form of
   '''U'''''<strongSwan userland version>'''''/K'''''<Linux kernel version>''
   if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

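The two version commands above return a fixed shape, '''Linux strongSwan U<userland>/K<kernel>''' and '''U<userland>/K<kernel>''', which makes them usable from an inventory or patch-level check across a fleet of gateways. The following POSIX sh script is an added example, not part of the page or of strongSwan, that parses either output and compares the userland version against a required minimum; the version numbers in its comments and tests (4.1.8, 2.6.22) are constructed, and the '''parse_versioncode''', '''version_ge''' and '''check_userland_min''' function names are mine.

```shell
#!/bin/sh
# Added example, not from the strongSwan page: parse "ipsec version" /
# "ipsec --versioncode" output ("Linux strongSwan U<userland>/K<kernel>" or
# "U<userland>/K<kernel>") and compare the userland version to a minimum.
# Sample version strings used below are constructed.

# parse_versioncode <string>: prints "<userland> <kernel>" on stdout,
# returns 1 when the string is not in the documented U.../K... form.
parse_versioncode() {
    code=$1
    code=${code#Linux strongSwan }       # accept the "ipsec version" prefix too
    case $code in
        U*/K*) ;;
        *) echo "parse_versioncode: unrecognised version string: $1" >&2; return 1 ;;
    esac
    userland=${code#U}
    userland=${userland%%/K*}
    kernel=${code##*/K}
    echo "$userland $kernel"
}

# version_ge <a> <b>: returns 0 when dotted version a >= b. Components are
# compared numerically; a non-digit suffix such as "22-14-generic" counts as 22.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# check_userland_min <version output> <minimum>: 0 when the strongSwan
# userland version meets <minimum>, 1 when it is older, 2 when unparseable.
check_userland_min() {
    parsed=$(parse_versioncode "$1") || return 2
    version_ge "${parsed%% *}" "$2"
}

# Usage on a host with strongSwan installed (constructed minimum):
#   check_userland_min "$(ipsec --versioncode)" 4.1.0 || echo "strongSwan too old" >&2
```

The parser deliberately rejects anything that is not in the documented '''U.../K...''' form instead of guessing, so a changed output format fails the check loudly rather than reporting a wrong version.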
== List Commands ==

'''ipsec listaacerts [ --utc ]'''
   returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the IKE
   daemon from the [wiki:IpsecDirectoryAacerts /etc/ipsec.d/aacerts/] directory. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --listaacerts and/or [wiki:IpsecStroke ipsec stroke] listaacerts commands.

'''ipsec listacerts [ --utc ]'''
   returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the
   [wiki:IpsecDirectoryAcerts /etc/ipsec.d/acerts/] directory. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --listacerts and/or [wiki:IpsecStroke ipsec stroke] listacerts commands.

'''ipsec listalgs'''
   returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman groups,
   as well as all ESP encryption and authentication algorithms registered via the Linux kernel's Crypto API.
   Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
   --listalgs command.

'''ipsec listcacerts [ --utc ]'''
   returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the IKE daemon
   from the [wiki:IpsecDirectoryCacerts /etc/ipsec.d/cacerts/] directory or received in PKCS#7-wrapped
   certificate payloads via the IKE protocol. Implemented by calling the [wiki:IpsecWhack ipsec whack]
   --listcacerts and/or [wiki:IpsecStroke ipsec stroke] listcacerts commands.

'''ipsec listcainfos [ --utc ]'''
   returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers) that was
   defined by [wiki:CaSection ca sections] in [wiki:IpsecConf ipsec.conf]. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --listcainfos and/or [wiki:IpsecStroke ipsec stroke] listcainfos commands.

'''ipsec listcards [ --utc ]'''
   lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only.
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --listcards command.

'''ipsec listcrls [ --utc ]'''
   returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon from
   the [wiki:IpsecDirectoryCrls /etc/ipsec.d/crls/] directory or fetched from an HTTP- or LDAP-based
   CRL distribution point. Implemented by calling the [wiki:IpsecWhack ipsec whack] --listcrls and/or
   [wiki:IpsecStroke ipsec stroke] listcrls commands.

'''ipsec listcerts [ --utc ]'''
   returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE daemon
   or received via the IKEv2 protocol. Implemented by calling the [wiki:IpsecWhack ipsec whack] --listcerts
   and/or [wiki:IpsecStroke ipsec stroke] listcerts commands.

'''ipsec listgroups [ --utc ]'''
   returns a list of all groups that are used to define user authorization profiles. Supported by the
   IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack] --listgroups command.

'''ipsec listocsp [ --utc ]'''
   returns cached revocation information fetched from OCSP servers. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --listocsp and/or [wiki:IpsecStroke ipsec stroke] listocsp commands.

'''ipsec listocspcerts [ --utc ]'''
   returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE daemon
   from the [wiki:IpsecDirectoryOcspcerts /etc/ipsec.d/ocspcerts/] directory or were sent by an OCSP server.
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --listocspcerts and/or
   [wiki:IpsecStroke ipsec stroke] listocspcerts commands.

'''ipsec listpubkeys [ --utc ]'''
   returns a list of RSA public keys that were either loaded in raw key format or extracted from
   X.509 and/or OpenPGP certificates. Supported by the IKEv1 pluto daemon only.
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --listpubkeys command.

'''ipsec listall [ --utc ]'''
   returns all information generated by the list commands above. Each list command can be called with the
   ''--utc'' option which displays all dates in UTC instead of local time. Implemented by calling the
   [wiki:IpsecWhack ipsec whack] --listall and/or [wiki:IpsecStroke ipsec stroke] listall commands.

== Reread Commands ==

'''ipsec rereadaacerts'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadaacerts and/or
   [wiki:IpsecStroke ipsec stroke] rereadaacerts commands.

'''ipsec rereadacerts'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadacerts and/or
   [wiki:IpsecStroke ipsec stroke] rereadacerts commands.

'''ipsec rereadcacerts'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadcacerts and/or
   [wiki:IpsecStroke ipsec stroke] rereadcacerts commands.

'''ipsec rereadcrls'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadcrls and/or
   [wiki:IpsecStroke ipsec stroke] rereadcrls commands.

'''ipsec rereadocspcerts'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadocspcerts and/or
   [wiki:IpsecStroke ipsec stroke] rereadocspcerts commands.

'''ipsec rereadsecrets'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadsecrets and/or
   [wiki:IpsecStroke ipsec stroke] rereadsecrets commands.

'''ipsec secrets'''
   is equivalent to '''ipsec rereadsecrets'''.

'''ipsec rereadall'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --rereadall and/or
   [wiki:IpsecStroke ipsec stroke] rereadall commands.

== Purge Commands ==

'''ipsec purgeocsp'''
   Implemented by calling the [wiki:IpsecWhack ipsec whack] --purgeocsp and/or
   [wiki:IpsecStroke ipsec stroke] purgeocsp commands.

== PKCS11 Proxy Commands ==

'''ipsec scencrypt'''
   Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
   --scencrypt command.

'''ipsec scdecrypt'''
   Supported by the IKEv1 pluto daemon only. Implemented by calling the [wiki:IpsecWhack ipsec whack]
   --scdecrypt command.