ipsec pool

Synopsis

ipsec pool --status|--add|--del|--replace|--resize|--leases|--purge|--batch [options]

ipsec pool --showattr|--statusattr|--addattr|--delattr [options]

Description

The ipsec pool utility manages virtual IP address pools and attributes stored in an SQL database and provided to peers by the attr-sql plugin.

It is available since strongSwan 4.4.1.

Options

--status

Show a list of installed pools with statistics plus nameserver info.

--showattr

Show a keyword list of the major attribute types.

--statusattr [--hexout]

Show a list of all attributes stored in the database with the values displayed in the native format if the type is known by --showattr, or in hex format otherwise.

hexout: Output all values in hex format

--add <name> --start <start> --end <end> [--timeout <timeout>]

Add a new pool to the database.

name: Name of the pool, as used in ipsec.conf rightsourceip=%name

start: Start address of the pool

end: End address of the pool

timeout: Lease time in hours, 0 for static leases

--add <name> --addresses <file> [--timeout <timeout>]

Add a list of pool addresses to the database.

name: Name of the pool, as used in ipsec.conf rightsourceip=%name

file: File from which the newline-separated pool addresses are read

Optionally, each address can be pre-assigned to a roadwarrior identity by writing it as address=identity, e.g. 10.231.14.2=<identity>.
If a '-' (hyphen) is given instead of a file name, the addresses are read from STDIN.
Reading addresses stops at the end of file or at the first empty line, so any addresses after a blank line are silently ignored.
Pools created with this command cannot be resized.

timeout: Lease time in hours, 0 for static leases

--addattr <type> --addr|--mask|--server|--subnet|--string|--hex <value>

Add a new attribute to the database.

type: A keyword from --showattr or a number from the range 1..32767

addr: IPv4 or IPv6 address

mask: IPv4 or IPv6 netmask (synonym for --addr)

server: IPv4 or IPv6 address of a server (synonym for --addr)

subnet: IPv4 subnet[s] given by network/mask[,network/mask,...]

string: Value of a string-type attribute

hex: Hex value of any attribute

--del <name>

Delete a pool from the database.

name: Name of the pool to delete

--delattr <type> [--addr|--mask|--server|--subnet|--string|--hex <value>]

Delete a specific or all attributes of a given type from the database.

type: A keyword from --showattr or a number from the range 1..32767

addr: IPv4 or IPv6 address

mask: IPv4 or IPv6 netmask (synonym for --addr)

server: IPv4 or IPv6 address of a server (synonym for --addr)

subnet: IPv4 subnet[s] given by network/mask[,network/mask,...]

string: Value of a string-type attribute

hex: Hex value of any attribute

--replace <name> --start <start> --end <end> [--timeout <timeout>]

Replace an existing pool in the database.

name: Name of the pool, as used in ipsec.conf rightsourceip=%name

start: Start address of the new pool

end: End address of the new pool

timeout: Lease time in hours, 0 for static leases

--replace <name> --addresses <file> [--timeout <timeout>]

Replace a list of pool addresses in the database.

name: Name of the pool, as used in ipsec.conf rightsourceip=%name

file: File from which the newline-separated pool addresses are read

Optionally, each address can be pre-assigned to a roadwarrior identity by writing it as address=identity, e.g. 10.231.14.2=<identity>.
If a '-' (hyphen) is given instead of a file name, the addresses are read from STDIN.
Reading addresses stops at the end of file or at the first empty line, so any addresses after a blank line are silently ignored.
Pools created with this command cannot be resized.

timeout: Lease time in hours, 0 for static leases
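The address file used by --add <name> --addresses <file> and --replace <name> --addresses <file> is easy to get subtly wrong: a stray blank line truncates the list, and a duplicate address or identity produces a pool that does not assign what you intended. The following POSIX shell script is an added example, not part of the strongSwan man page or the project's own code. It builds an address=identity file from a constructed "identity address" list (the identities and addresses are hypothetical), validates each IPv4 address, rejects duplicates, and skips blank input lines so that the generated file never contains the empty line that would stop ipsec pool from reading further.

```shell
#!/bin/sh
# Added example (not strongSwan code): generate a static address file for
#   ipsec pool --add <name> --addresses <file> --timeout 0
# or the corresponding --replace form, from a constructed list of
# "identity address" pairs.  Identities and addresses are hypothetical.

# Constructed sample mapping.  The blank line in the middle is deliberate:
# it shows that blank lines are dropped rather than copied through, since
# ipsec pool stops reading the address file at the first empty line.
SAMPLE_MAPPING='alice@example.org 10.231.14.2
bob@example.org 10.231.14.3

carol@example.org 10.231.14.4'

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with all octets in 0..255.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_address_file MAPPING OUTFILE: write one "address=identity" line
# per mapping entry into OUTFILE.  Fails on a malformed address, on a
# duplicate address (two peers would compete for one lease) and on a
# duplicate identity (only one of the pre-assignments could ever apply).
build_address_file() {
    mapping=$1
    out=$2
    seen_addrs=' '
    seen_ids=' '
    : > "$out"
    while read -r identity addr; do
        [ -n "$identity" ] || continue          # skip blank lines
        if ! is_ipv4 "$addr"; then
            echo "invalid address '$addr' for $identity" >&2
            return 1
        fi
        case $seen_addrs in
            *" $addr "*) echo "duplicate address $addr" >&2; return 1 ;;
        esac
        case $seen_ids in
            *" $identity "*) echo "duplicate identity $identity" >&2; return 1 ;;
        esac
        seen_addrs="$seen_addrs$addr "
        seen_ids="$seen_ids$identity "
        printf '%s=%s\n' "$addr" "$identity"
    done <<EOF >> "$out"
$mapping
EOF
}

# Stand-alone run: build the file and show it.  An administrator would then
# load it with:  ipsec pool --add staticpool --addresses "$ADDR_FILE" --timeout 0
ADDR_FILE=$(mktemp)
build_address_file "$SAMPLE_MAPPING" "$ADDR_FILE" && cat "$ADDR_FILE"
rm -f "$ADDR_FILE"
```

The script deliberately uses only POSIX shell constructs so it can run on the gateway itself. Because the generated file is a pool definition that gets handed to every connecting peer, treat it like any other access-control artifact: keep it out of world-readable locations and review the diff before running --replace on a live pool.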

--resize <name> --end <end>

Grow or shrink an existing pool.

name: Name of the pool to resize

end: New end address for the pool

--leases <name> [--filter <filter>] [--utc]

Show lease information using filters.

name: Name of the pool to show leases from

filter: Filter string containing comma-separated key=value filters. The supported keys are:

pool: name of the pool

id: assigned identity of the lease

addr: lease IP address

tstamp: UNIX timestamp (as an integer) at which the lease was valid

status: status of the lease: online|valid|expired

utc: Show times in UTC instead of local time

--purge <name>

Delete expired leases of a pool.

name: Name of the pool to purge

--batch <file>

Read commands from a file and execute them atomically, i.e. either all of the commands take effect or none of them does.

file: File to read the newline-separated commands from

Commands appear exactly as they are written on the command line (one command per line, without the leading "ipsec pool"), e.g.
--replace mypool --start 10.0.0.1 --end 10.0.0.254
--delattr dns
--addattr dns --server 10.1.0.1
--addattr dns --server 10.1.1.1
If a '-' (hyphen) is given as a file name, the commands are read from STDIN.
Reading commands stops at the end of file. Empty lines are ignored.
In order to avoid recursion the file may not contain a --batch command.
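Because a batch is executed atomically, one malformed line wastes the whole run, and a nested --batch is rejected outright. The following POSIX shell script is an added example, not part of the strongSwan man page or the project's own code: it assembles a batch file that replaces a pool and swaps its DNS attribute servers in one transaction, then checks the file against the command list documented above before it is handed to ipsec pool --batch. The pool name, address range and server addresses are hypothetical.

```shell
#!/bin/sh
# Added example (not strongSwan code): assemble and sanity-check a batch
# file for 'ipsec pool --batch' that replaces a pool and its DNS servers
# in one atomic run.  Pool name and addresses are hypothetical.
POOL=mypool
POOL_START=10.0.0.1
POOL_END=10.0.0.254
DNS_SERVERS='10.1.0.1 10.1.1.1'

# build_batch_file OUTFILE: one command per line, written exactly as it
# would appear on the ipsec pool command line.  The old dns attributes are
# deleted before the new ones are added so that no stale server survives.
build_batch_file() {
    out=$1
    {
        printf '%s %s --start %s --end %s\n' --replace "$POOL" "$POOL_START" "$POOL_END"
        printf '%s dns\n' --delattr
        for srv in $DNS_SERVERS; do
            printf '%s dns --server %s\n' --addattr "$srv"
        done
    } > "$out"
}

# check_batch_file FILE: succeed only if every non-empty line starts with
# a documented ipsec pool command and none of them is --batch, which the
# tool refuses inside a batch to prevent recursion.  Empty lines are
# ignored, as ipsec pool ignores them too.
check_batch_file() {
    file=$1
    n=0
    while read -r cmd rest; do
        [ -n "$cmd" ] || continue
        n=$((n + 1))
        case $cmd in
            --batch)
                echo "command $n: nested --batch is not allowed" >&2
                return 1 ;;
            --status|--add|--del|--replace|--resize|--leases|--purge|\
            --showattr|--statusattr|--addattr|--delattr) ;;
            *)
                echo "command $n: unknown command '$cmd'" >&2
                return 1 ;;
        esac
    done < "$file"
    return 0
}

# batch_command_count FILE: number of non-empty command lines.
batch_command_count() {
    grep -c . "$1"
}

# Stand-alone run: write the batch, check it and show it.  To apply it,
# an administrator would run:  ipsec pool --batch "$BATCH"
BATCH=$(mktemp)
build_batch_file "$BATCH"
check_batch_file "$BATCH" && cat "$BATCH"
rm -f "$BATCH"
```

The checker only validates the leading keyword of each line; the per-command argument validation is still done by ipsec pool itself when the batch runs. Keeping the generated batch file under version control gives an audit trail of who changed the pool and nameserver attributes handed out to VPN clients.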