RACOONCTL(8)              BSD System Manager's Manual             RACOONCTL(8)

NAME

     racoonctl — racoon administrative control tool

SYNOPSIS

     racoonctl [opts] reload-config
     racoonctl [opts] show-schedule
     racoonctl [opts] show-sa [isakmp|esp|ah|ipsec]
     racoonctl [opts] get-sa-cert [inet|inet6] src dst
     racoonctl [opts] flush-sa [isakmp|esp|ah|ipsec]
     racoonctl [opts] delete-sa saopts
     racoonctl [opts] establish-sa [-w] [-n remoteconf] [-u identity] saopts
     racoonctl [opts] vpn-connect [-u identity] vpn_gateway
     racoonctl [opts] vpn-disconnect vpn_gateway
     racoonctl [opts] show-event
     racoonctl [opts] logout-user login


DESCRIPTION

     racoonctl is used to control racoon(8) operation, if ipsec-tools was
     configured with adminport support.  Communication between racoonctl and
     racoon(8) is done through a UNIX socket.  By changing the default mode
     and ownership of the socket, you can allow non-root users to alter
     racoon(8) behavior, so do that with caution.

     The following general options are available:

     -d      Debug mode.  Hexdump the admin port commands as they are sent.

     -l      Increase verbosity.  Mainly for the show-sa command.

     -s socket
             Specify the UNIX socket name used to connect to racoon.

     The following commands are available:

     reload-config
             This should cause racoon(8) to reload its configuration file.

     show-schedule
             Unknown command.

     show-sa [isakmp|esp|ah|ipsec]
             Dump the SAs: all the SAs if no SA class is provided, or either
             ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.  Use
             -l to increase verbosity.

     get-sa-cert [inet|inet6] src dst
             Output the raw certificate that was used to authenticate the
             phase 1 matching src and dst.

     flush-sa [isakmp|esp|ah|ipsec]
             Flush all SAs if no SA class is provided, or a class of SAs,
             either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec
             SAs.

     establish-sa [-w] [-n remoteconf] [-u username] saopts
             Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH
             SA.  The optional -u username can be used when establishing an
             ISAKMP SA while hybrid auth is in use.  The exact remote block to
             use can be specified with -n remoteconf.  racoonctl will prompt
             you for the password associated with username and these
             credentials will be used in the Xauth exchange.

             Specifying -w will make racoonctl wait until the SA is actually
             established or an error occurs.

             saopts has the following format:

             isakmp {inet|inet6} src dst

             {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port
               {icmp|tcp|udp|gre|any}

     vpn-connect [-u username] vpn_gateway
             This is a particular case of the previous command.  It will
             establish an ISAKMP SA with vpn_gateway.

     delete-sa saopts
             Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.

     vpn-disconnect vpn_gateway
             This is a particular case of the previous command.  It will kill
             all SAs associated with vpn_gateway.

     show-event
             Listen for all events reported by racoon(8).

     logout-user login
             Delete all SAs established on behalf of the Xauth user login.

     Command shortcuts are available:
           rc   reload-config
           ss   show-sa
           sc   show-schedule
           fs   flush-sa
           ds   delete-sa
           es   establish-sa
           vc   vpn-connect
           vd   vpn-disconnect
           se   show-event
           lu   logout-user

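     The following POSIX shell helpers are an added example, not part of
     ipsec-tools or of this manual page.  saopts builds and validates the
     saopts argument in the format given above for establish-sa and
     delete-sa; sock_shared_write reports whether the control socket is
     writable by its group or by others, the condition the DESCRIPTION
     warns about.  The socket path and addresses in the usage comments are
     assumed values.

```sh
#!/bin/sh
# Build the saopts argument for establish-sa / delete-sa:
#   isakmp {inet|inet6} src dst
#   {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port {icmp|tcp|udp|gre|any}
# Prints the argument string on success, returns 1 on a malformed field.
saopts() {
    sa_class=$1 sa_af=$2 sa_src=$3 sa_dst=$4 sa_proto=${5:-any}
    case "$sa_af" in
        inet|inet6) ;;
        *) echo "saopts: address family must be inet or inet6" >&2; return 1 ;;
    esac
    case "$sa_class" in
        isakmp)
            echo "isakmp $sa_af $sa_src $sa_dst" ;;
        esp|ah)
            # IPsec selectors carry addr/prefixlen/port on both sides
            for ep in "$sa_src" "$sa_dst"; do
                case "$ep" in
                    */*/*) ;;
                    *) echo "saopts: $ep must be addr/prefixlen/port" >&2; return 1 ;;
                esac
            done
            case "$sa_proto" in
                icmp|tcp|udp|gre|any) ;;
                *) echo "saopts: unknown upper-layer protocol $sa_proto" >&2; return 1 ;;
            esac
            echo "$sa_class $sa_af $sa_src $sa_dst $sa_proto" ;;
        *) echo "saopts: SA class must be isakmp, esp or ah" >&2; return 1 ;;
    esac
}

# Return 0 if the path (normally the racoon control socket) is writable by
# group or others, i.e. accounts other than the owner could drive racoon
# through it; 1 otherwise; 2 if the path does not exist.
# The mode is parsed from ls -ld so it works on BSD and GNU userlands alike.
sock_shared_write() {
    [ -e "$1" ] || return 2
    set -- $(ls -ld "$1")
    case "$1" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (assumed socket path; addresses are documentation ranges):
#   racoonctl -s /var/run/racoon.sock establish-sa -w $(saopts isakmp inet 192.0.2.1 198.51.100.1)
#   sock_shared_write /var/run/racoon.sock && echo "racoon socket is writable by non-owners"
```
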

RETURN VALUES

     The command should exit with 0 on success, and non-zero on errors.


FILES

     /var/racoon/racoon.sock or
     /var/run/racoon.sock            racoon(8) control socket.


SEE ALSO

     ipsec(4), racoon(8)


HISTORY

     Once was kmpstat in the KAME project.  It turned into racoonctl but
     remained undocumented for a while.  Emmanuel Dreyfus <manu@NetBSD.org>
     wrote this man page.

BSD                             March 12, 2009                             BSD