Project

General

Profile

swanctl

swanctl is a new, portable command line utility to configure, control and monitor the IKE daemon charon using the vici interface. It has been introduced with strongSwan 5.2.0.

swanctl works independently from starter, ipsec.conf or the ipsec script, and is a lightweight alternative available on all platforms.

Synopsis

swanctl --initiate         (-i)  initiate a connection
        --terminate        (-t)  terminate a connection
        --rekey            (-R)  rekey an IKE or CHILD_SA
        --uninstall        (-u)  uninstall a trap or shunt policy
        --install          (-p)  install a trap or shunt policy
        --redirect         (-d)  redirect an IKE_SA
        --list-sas         (-l)  list currently active IKE_SAs
        --list-pols        (-P)  list currently installed policies
        --list-conns       (-L)  list loaded configurations
        --list-authorities (-B)  list loaded certification authorities information
        --list-certs       (-x)  list stored certificates
        --list-pools       (-A)  list loaded pool configurations
        --list-algs        (-g)  list loaded algorithms and their implementation
        --load-all         (-q)  (re-)load credentials, pools authorities and connections
        --load-authorities (-b)  (re-)load certification authorities information
        --load-conns       (-c)  (re-)load connection configuration
        --load-creds       (-s)  (re-)load credentials
        --load-pools       (-a)  (re-)load pool configuration
        --log              (-T)  trace logging output
        --flush-certs      (-f)  flush cached certificates
        --reload-settings  (-r)  reload strongswan.conf(5) configuration
        --stats            (-S)  show daemon infos and statistics
        --version          (-v)  show version information
        --help             (-h)  show usage information

Each subcommand has additional options. Pass --help to a subcommand to get additional information.

The --list|load-authorities commands were added with 5.3.3.
The --list-algs and --redirect commands were added with 5.4.0.
The --flush-certs command was added with 5.5.1.
The --rekey command was added with 5.5.2.

swanctl.conf

The swanctl --load* commands read connections, secrets and IP address pools from swanctl.conf, located in the swanctl configuration directory, usually /etc/swanctl.

Credential directories

The --load-creds command also reads file based credentials, such as private keys and certificates, from a set of pre-defined sub-directories of the swanctl configuration directory.