swanctl is a new, portable command line utility to configure, control and monitor the IKE daemon charon using the vici interface. It was introduced with strongSwan 5.2.0.

swanctl works independently from starter, ipsec.conf or the ipsec script, and is a lightweight alternative available on all platforms.


swanctl --initiate         (-i)  initiate a connection
        --terminate        (-t)  terminate a connection
        --rekey            (-R)  rekey an IKE or CHILD_SA
        --uninstall        (-u)  uninstall a trap or shunt policy
        --install          (-p)  install a trap or shunt policy
        --redirect         (-d)  redirect an IKE_SA
        --list-sas         (-l)  list currently active IKE_SAs
        --list-pols        (-P)  list currently installed policies
        --list-conns       (-L)  list loaded configurations
        --list-authorities (-B)  list loaded certification authorities information
        --list-certs       (-x)  list stored certificates
        --list-pools       (-A)  list loaded pool configurations
        --list-algs        (-g)  list loaded algorithms and their implementation
        --load-all         (-q)  (re-)load credentials, pools authorities and connections
        --load-authorities (-b)  (re-)load certification authorities information
        --load-conns       (-c)  (re-)load connection configuration
        --load-creds       (-s)  (re-)load credentials
        --load-pools       (-a)  (re-)load pool configuration
        --log              (-T)  trace logging output
        --flush-certs      (-f)  flush cached certificates
        --reload-settings  (-r)  reload strongswan.conf(5) configuration
        --stats            (-S)  show daemon infos and statistics
        --counters         (-C)  list or reset IKE event counters
        --version          (-v)  show version information
        --help             (-h)  show usage information

Each subcommand has additional options. Pass --help to a subcommand to get additional information.

The --list|load-authorities commands were added with 5.3.3.
The --list-algs and --redirect commands were added with 5.4.0.
The --flush-certs command was added with 5.5.1.
The --rekey command was added with 5.5.2.
The --counters command was added with 5.6.1.


The swanctl --load* commands read connections, secrets and IP address pools from swanctl.conf, located in the swanctl configuration directory, usually /etc/swanctl.

Since 5.7.0, the file to load may be specified explicitly for each command via the --file argument (e.g. to use separate files for connections and credentials), and since 5.7.2 the default directory for the file and the credentials may be set via the SWANCTL_DIR environment variable.

Credential directories

The --load-creds command also reads file based credentials, such as private keys and certificates, from a set of pre-defined sub-directories of the swanctl configuration directory.

Since 5.7.2, the credential directories are accessed relative to the swanctl.conf file that is actually loaded (see above), and the default directory may be changed at runtime via the SWANCTL_DIR environment variable.
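
Because the --load-* commands pass whatever is in this directory to charon, it is worth checking its permissions before loading. The following is an added example, not part of strongSwan: the function names are hypothetical, no --file argument is assumed (so the directory is SWANCTL_DIR or /etc/swanctl), and secret material is recognised only by PEM private-key headers or a "secrets" section in swanctl.conf.

```shell
#!/bin/sh
# Added example (not part of strongSwan): audit the swanctl configuration
# directory before handing its contents to charon via "swanctl --load-creds".

# Resolve the directory as the page describes: SWANCTL_DIR if set (5.7.2+),
# otherwise the usual default /etc/swanctl.
swanctl_dir() {
    printf '%s\n' "${SWANCTL_DIR:-/etc/swanctl}"
}

# Print one finding per line; return 0 if clean, 1 on findings, 2 if missing.
audit_swanctl_dir() {
    dir=${1:-$(swanctl_dir)}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    findings=$(
        # Group- or world-writable entries let another local user change
        # what the --load-* commands read.
        find "$dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) |
            sed 's/^/writable: /'
        # Files holding secret material must not be group- or world-readable.
        # Heuristic, an assumption of this example: PEM private-key headers
        # and a secrets section in swanctl.conf. DER or PKCS#12 containers
        # are not detected.
        find "$dir" -type f \( -perm -040 -o -perm -004 \) -exec grep -l \
            -e '-----BEGIN .*PRIVATE KEY-----' \
            -e '^[[:space:]]*secrets[[:space:]]*{' {} + 2>/dev/null |
            sed 's/^/readable-secret: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Load credentials only when the audit of the default directory is clean.
load_creds_checked() {
    audit_swanctl_dir && swanctl --load-creds
}
```

Call load_creds_checked in place of a bare swanctl --load-creds; any finding is printed and the load is skipped.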