Version 10 (Tobias Brunner, 15.11.2017 15:14) → Version 11/12 (Tobias Brunner, 20.12.2018 15:10)

h1. swanctl

swanctl is a new, portable command line utility to configure, control and monitor the IKE daemon charon using the [[vici]] interface. It was introduced with strongSwan version:5.2.0.

swanctl works independently from [[IpsecStarter|starter]], [[ipsec.conf]] or the [[IpsecCommand|ipsec]] script, and is a lightweight alternative available on all platforms.

h2. Synopsis

<pre>
swanctl --initiate         (-i)  initiate a connection
        --terminate        (-t)  terminate a connection
        --rekey            (-R)  rekey an IKE or CHILD_SA
        --uninstall        (-u)  uninstall a trap or shunt policy
        --install          (-p)  install a trap or shunt policy
        --redirect         (-d)  redirect an IKE_SA
        --list-sas         (-l)  list currently active IKE_SAs
        --list-pols        (-P)  list currently installed policies
        --list-conns       (-L)  list loaded configurations
        --list-authorities (-B)  list loaded certification authorities information
        --list-certs       (-x)  list stored certificates
        --list-pools       (-A)  list loaded pool configurations
        --list-algs        (-g)  list loaded algorithms and their implementation
        --load-all         (-q)  (re-)load credentials, pools authorities and connections
        --load-authorities (-b)  (re-)load certification authorities information
        --load-conns       (-c)  (re-)load connection configuration
        --load-creds       (-s)  (re-)load credentials
        --load-pools       (-a)  (re-)load pool configuration
        --log              (-T)  trace logging output
        --flush-certs      (-f)  flush cached certificates
        --reload-settings  (-r)  reload strongswan.conf(5) configuration
        --stats            (-S)  show daemon infos and statistics
        --counters         (-C)  list or reset IKE event counters
        --version          (-v)  show version information
        --help             (-h)  show usage information
</pre>

Each subcommand has additional options. Pass _--help_ to a subcommand to get additional information.

The @--list-authorities@ and @--load-authorities@ commands were added with version:5.3.3.
The @--list-algs@ and @--redirect@ commands were added with version:5.4.0.
The @--flush-certs@ command was added with version:5.5.1.
The @--rekey@ command was added with version:5.5.2.
The @--counters@ command was added with version:5.6.1.

h2. swanctl.conf

The swanctl @--load*@ commands read connections, secrets and IP address pools from [[swanctl.conf]], located in the [[swanctlDirectory|swanctl configuration directory]], usually _/etc/swanctl_.

Since version:5.7.0 the file to load may be specified explicitly for each command via the @--file@ argument. Since version:5.7.2 the [[swanctlDirectory|credential directories]] are accessed relative to the file that is actually loaded, and the default directory may be set via the @SWANCTL_DIR@ environment variable.

h2. Credential directories

The @--load-creds@ command also reads file based credentials, such as private keys and certificates, from a set of pre-defined sub-directories of the [[swanctlDirectory|swanctl configuration directory]].
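
Because @--file@ and @SWANCTL_DIR@ change which directory private keys are read from, a pre-load check should audit the directory that will actually be used. The following is an added example, not part of strongSwan or of this page: the function names are hypothetical, the rule "with @--file@ the base is the directory containing that file" is an assumed reading of the 5.7.2 behaviour described above, and the names of the key sub-directories are supplied by the caller (see [[swanctlDirectory]]).

```shell
#!/bin/sh
# Added example (not strongSwan code): locate the directory swanctl would
# read credentials from and report private key files that are accessible
# to group or others before running --load-creds.

# Print the base directory for the credential sub-directories.
# $1: path given via --file, or "" if --file is not used.
# Assumption: with --file the base is the directory containing that file;
# otherwise SWANCTL_DIR, otherwise /etc/swanctl (usual default, builds differ).
swanctl_base_dir() {
    if [ -n "${1:-}" ]; then
        dirname "$1"
    else
        printf '%s\n' "${SWANCTL_DIR:-/etc/swanctl}"
    fi
}

# Print every regular file below the named sub-directories that has any
# group or other permission bit set.
# $1: base directory; remaining arguments: sub-directories holding keys.
audit_key_perms() {
    base=$1; shift
    for sub in "$@"; do
        [ -d "$base/$sub" ] || continue   # unused sub-directories are fine
        find "$base/$sub" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

# Return 0 if no key file is exposed, 1 otherwise (findings go to stderr).
# $1: --file path or ""; remaining arguments: key sub-directory names.
check_before_load() {
    conf=$1; shift
    dir=$(swanctl_base_dir "$conf")
    exposed=$(audit_key_perms "$dir" "$@")
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/exposed key file: /' >&2
        return 1
    fi
    return 0
}

# Typical use (sub-directory names are the caller's responsibility):
#   check_before_load "$conf" <key-subdir>... && swanctl --load-creds --file "$conf"
```
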