IPSEC(8)                          strongSwan                          IPSEC(8)


NAME

       ipsec - invoke IPsec utilities


SYNOPSIS

       ipsec command [arguments] [options]


DESCRIPTION

       The ipsec utility invokes any of several utilities involved in
       controlling and monitoring the IPsec encryption/authentication system,
       running the specified command with the specified arguments and options
       as if it had been invoked directly. This largely eliminates possible
       name collisions with other software, and also permits some centralized
       services.

       All the commands described in this manual page are built-in and are
       used to control and monitor IPsec connections as well as the IKE
       daemon.

       For other commands ipsec supplies the invoked command with a suitable
       PATH environment variable, and also provides the environment variables
       listed under ENVIRONMENT.

   CONTROL COMMANDS
       start [starter options]
              calls starter which in turn parses ipsec.conf and starts the IKE
              daemon charon.

       update sends a HUP signal to starter which in turn determines any
              changes in ipsec.conf and updates the configuration on the
              running IKE daemon charon.

       reload sends a USR1 signal to starter which in turn reloads the whole
              configuration of the running IKE daemon charon based on the
              actual ipsec.conf.

       restart
              is equivalent to stop followed by start after a guard of 2
              seconds.

       stop   terminates all IPsec connections and stops the IKE daemon charon
              by sending a TERM signal to starter.

       up name
              tells the IKE daemon to start up connection name.

       down name
              tells the IKE daemon to terminate connection name.

       down name{n}
              terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance n of
              connection name.

       down name{*}
              terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of
              connection name.

       down name[n]
              terminates IKE SA instance n of connection name.

       down name[*]
              terminates all IKE SA instances of connection name.

       down-srcip <start> [<end>]
              terminates all IKE SA instances with clients having virtual IPs
              in the range start-end.

       route name
              tells the IKE daemon to insert an IPsec policy in the kernel for
              connection name. The first payload packet matching the IPsec
              policy will automatically trigger an IKE connection setup.

       unroute name
              removes the IPsec policy in the kernel for connection name.

       status [name]
              returns concise status information either on connection name
              or, if the argument is lacking, on all connections.

       statusall [name]
              returns detailed status information either on connection name
              or, if the argument is lacking, on all connections.

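       The shell helpers below are an added example and are not part of the
       strongSwan distribution. They wrap the down selectors described above.
       The selector forms name{n}, name{*}, name[n] and name[*] use characters
       that the shell also treats as pattern syntax: passed unquoted, a
       selector such as conn[1] can be rewritten by pathname expansion if a
       matching file (here one named conn1) exists in the current directory,
       and ipsec then receives a different argument than the one typed. The
       helpers validate the connection name and the instance, build the
       selector, and hand it to ipsec as a single quoted argument. IPSEC_CMD
       is an assumed override, present only so the helpers can be exercised
       without a running daemon.

```shell
#!/bin/sh
# Added example (not strongSwan code): quote-safe wrappers around "ipsec down".
# IPSEC_CMD is an assumed override so the helpers can be tested without charon.
IPSEC_CMD="${IPSEC_CMD:-ipsec}"

# build_selector NAME KIND [N]
#   KIND conn  -> NAME       terminate the whole connection
#   KIND ike   -> NAME[N]    IKE SA instance N, or NAME[*] for all instances
#   KIND child -> NAME{N}    Quick Mode / CHILD SA instance N, or NAME{*}
# N defaults to "*". Prints the selector on success, returns 1 on bad input.
build_selector() {
    name=$1 kind=$2 n=${3:-"*"}
    # connection names: restrict to the characters ipsec.conf section names
    # commonly use, which also keeps shell metacharacters out of the selector
    case $name in
        ''|*[!A-Za-z0-9_.-]*)
            echo "build_selector: invalid connection name '$name'" >&2
            return 1 ;;
    esac
    # the instance must be a number or the literal '*'
    case $n in
        '*') ;;
        ''|*[!0-9]*)
            echo "build_selector: instance must be a number or '*': '$n'" >&2
            return 1 ;;
    esac
    case $kind in
        conn)  printf '%s\n' "$name" ;;
        ike)   printf '%s[%s]\n' "$name" "$n" ;;
        child) printf '%s{%s}\n' "$name" "$n" ;;
        *)     echo "build_selector: unknown kind '$kind' (conn|ike|child)" >&2
               return 1 ;;
    esac
}

# down_sa NAME KIND [N]: terminate the selected SA(s). The selector is passed
# as one quoted argument, so the shell never expands it as a pattern.
down_sa() {
    sel=$(build_selector "$@") || return 1
    "$IPSEC_CMD" down "$sel"
}

# Example invocations (need a running charon):
#   down_sa home child 2    # runs: ipsec down 'home{2}'
#   down_sa home ike        # runs: ipsec down 'home[*]'
```

       Typed directly, the equivalent is to quote the selector yourself, for
       example ipsec down 'home[1]'; the helpers only make that quoting the
       default.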
   LIST COMMANDS
       leases [<poolname> [<address>]]
              returns the status of all or the selected IP address pool (or
              even a single virtual IP address).

       listalgs
              returns a list of supported cryptographic algorithms usable for
              IKE, and their corresponding plugin.

       listpubkeys [--utc]
              returns a list of RSA public keys that were either loaded in raw
              key format or extracted from X.509 and|or OpenPGP certificates.

       listcerts [--utc]
              returns a list of X.509 and|or OpenPGP certificates that were
              either loaded locally by the IKE daemon or received via the IKE
              protocol.

       listcacerts [--utc]
              returns a list of X.509 Certification Authority (CA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/ipsec.d/cacerts/ directory or received via the IKE
              protocol.

       listaacerts [--utc]
              returns a list of X.509 Authorization Authority (AA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/ipsec.d/aacerts/ directory.

       listocspcerts [--utc]
              returns a list of X.509 OCSP Signer certificates that were
              either loaded locally by the IKE daemon from the
              /etc/ipsec.d/ocspcerts/ directory or were sent by an OCSP
              server.

       listacerts [--utc]
              returns a list of X.509 Attribute certificates that were loaded
              locally by the IKE daemon from the /etc/ipsec.d/acerts/
              directory.

       listgroups [--utc]
              returns a list of groups that are used to define user
              authorization profiles.

       listcainfos [--utc]
              returns certification authority information (CRL distribution
              points, OCSP URIs, LDAP servers) that were defined by ca
              sections in ipsec.conf.

       listcrls [--utc]
              returns a list of Certificate Revocation Lists (CRLs) that were
              either loaded by the IKE daemon from the /etc/ipsec.d/crls
              directory or fetched from an HTTP- or LDAP-based CRL
              distribution point.

       listocsp [--utc]
              returns revocation information fetched from OCSP servers.

       listplugins
              returns a list of all loaded plugin features.

       listcounters [name]
              returns a list of global or connection specific IKE counter
              values collected since daemon startup.

       listall [--utc]
              returns all information generated by the list commands above.
              Each list command can be called with the --utc option which
              displays all dates in UTC instead of local time.

   REREAD COMMANDS
       rereadsecrets
              flushes and rereads all secrets defined in ipsec.secrets.

       rereadcacerts
              removes previously loaded CA certificates, reads all certificate
              files contained in the /etc/ipsec.d/cacerts directory and adds
              them to the list of Certification Authority (CA) certificates.
              This does not affect certificates explicitly defined in an
              ipsec.conf(5) ca section, which may be separately updated using
              the update command.

       rereadaacerts
              removes previously loaded AA certificates, reads all certificate
              files contained in the /etc/ipsec.d/aacerts directory and adds
              them to the list of Authorization Authority (AA) certificates.

       rereadocspcerts
              reads all certificate files contained in the
              /etc/ipsec.d/ocspcerts/ directory and adds them to the list of
              OCSP signer certificates.

       rereadacerts
              reads all certificate files contained in the
              /etc/ipsec.d/acerts/ directory and adds them to the list of
              attribute certificates.

       rereadcrls
              reads all Certificate Revocation Lists (CRLs) contained in the
              /etc/ipsec.d/crls/ directory and adds them to the list of CRLs.

       rereadall
              executes all reread commands listed above.

   RESET COMMANDS
       resetcounters [name]
              resets global or connection specific counters.

   PURGE COMMANDS
       purgecerts
              purges all cached certificates.

       purgecrls
              purges all cached CRLs.

       purgeike
              purges IKE SAs that don't have a Quick Mode or CHILD SA.

       purgeocsp
              purges all cached OCSP information records.

   INFO COMMANDS
       --help returns the usage information for the ipsec command.

       --version
              returns the version in the form of Linux strongSwan U<strongSwan
              userland version>/K<Linux kernel version> if strongSwan uses the
              native NETKEY IPsec stack of the Linux kernel it is running on.

       --versioncode
              returns the version number in the form of U<strongSwan userland
              version>/K<Linux kernel version> if strongSwan uses the native
              NETKEY IPsec stack of the Linux kernel it is running on.

       --copyright
              returns the copyright information.

       --directory
              returns the LIBEXECDIR directory as defined by the configure
              options.

       --confdir
              returns the SYSCONFDIR directory as defined by the configure
              options.

       --piddir
              returns the PIDDIR directory as defined by the configure
              options.


FILES

       /usr/libexec/ipsec       utilities directory


ENVIRONMENT

       When calling other commands the ipsec command supplies the following
       environment variables.

       IPSEC_DIR               directory containing ipsec programs and utilities
       IPSEC_BINDIR            directory containing pki command
       IPSEC_SBINDIR           directory containing ipsec command
       IPSEC_CONFDIR           directory containing configuration files
       IPSEC_PIDDIR            directory containing PID/socket files
       IPSEC_SCRIPT            name of the ipsec script
       IPSEC_NAME              name of ipsec distribution
       IPSEC_VERSION           version number of ipsec userland and kernel
       IPSEC_STARTER_PID       PID file for ipsec starter
       IPSEC_CHARON_PID        PID file for IKE keying daemon

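       As an added example of a utility that relies on the variables above
       (it is not part of strongSwan): a small health-check script intended
       to be placed in the utilities directory and run through the wrapper as
       ipsec healthcheck, so that it receives IPSEC_CONFDIR and
       IPSEC_CHARON_PID from ipsec. It checks that the PID file names a live
       charon process and that ipsec.secrets, which holds pre-shared keys and
       private-key passphrases, is readable by its owner only. The script
       name, the assumption that the wrapper finds a script of that name in
       the utilities directory, and the fallback paths used when it is run
       outside ipsec are all assumptions, not documented strongSwan
       behaviour.

```shell
#!/bin/sh
# Added example, not strongSwan code: "ipsec healthcheck" built on the
# environment the ipsec wrapper exports. The script name and the fallback
# paths below are assumptions.

# charon_running PIDFILE: true if PIDFILE contains the pid of a live process.
# kill -0 needs permission to signal that process, so run this as the user
# that owns charon (normally root).
charon_running() {
    [ -r "$1" ] || return 1
    pid=$(tr -dc '0-9' < "$1")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# secrets_private FILE: true only if FILE grants no group/other permission
# bits (the last six characters of the ls -l mode are "------"), so the
# secrets stay readable by the owner alone. A missing file also fails.
secrets_private() {
    bits=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$bits" = "------" ]
}

# healthcheck: run both checks against the wrapper-provided paths, print one
# line per check and return 1 if any check failed.
healthcheck() {
    confdir=${IPSEC_CONFDIR:-/etc}                    # assumed fallback
    pidfile=${IPSEC_CHARON_PID:-/var/run/charon.pid}  # assumed fallback
    rc=0
    if charon_running "$pidfile"; then
        echo "ok:   charon running ($pidfile)"
    else
        echo "FAIL: charon not running or $pidfile unreadable"; rc=1
    fi
    if secrets_private "$confdir/ipsec.secrets"; then
        echo "ok:   $confdir/ipsec.secrets readable by owner only"
    else
        echo "FAIL: $confdir/ipsec.secrets missing or readable by group/other"
        rc=1
    fi
    return $rc
}

# Run the checks only when executed as the healthcheck script itself, so the
# functions can also be sourced from another script without side effects.
case $0 in
    *healthcheck) healthcheck ;;
esac
```

       Run via the wrapper, the script inherits IPSEC_CONFDIR and
       IPSEC_CHARON_PID and needs no configuration of its own; the exit status
       makes it usable from a monitoring job.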

SEE ALSO

       ipsec.conf(5), ipsec.secrets(5)


HISTORY

       Originally written for the FreeS/WAN project by Henry Spencer. Updated
       and extended for the strongSwan project <http://www.strongswan.org> by
       Tobias Brunner and Andreas Steffen.



5.7.2dr1                          2013-10-29                          IPSEC(8)