IPSEC(8)                          strongSwan                          IPSEC(8)



NAME
       ipsec - invoke IPsec utilities

SYNOPSIS
       ipsec command [arguments] [options]

DESCRIPTION
       The ipsec utility invokes any of several utilities involved in
       controlling and monitoring the IPsec encryption/authentication system,
       running the specified command with the specified arguments and options
       as if it had been invoked directly. This largely eliminates possible
       name collisions with other software, and also permits some centralized
       services.

       All the commands described in this manual page are built-in and are
       used to control and monitor IPsec connections as well as the IKE
       daemon.

       For other commands ipsec supplies the invoked command with a suitable
       PATH environment variable, and also provides the environment variables
       listed under ENVIRONMENT.

CONTROL COMMANDS
       start [starter options]
              calls starter which in turn parses ipsec.conf and starts the IKE
              daemon charon.

       update sends a HUP signal to starter which in turn determines any
              changes in ipsec.conf and updates the configuration on the
              running IKE daemon charon.

       reload sends a USR1 signal to starter which in turn reloads the whole
              configuration of the running IKE daemon charon based on the
              actual ipsec.conf.

       restart
              is equivalent to stop followed by start after a guard of 2
              seconds.

       stop   terminates all IPsec connections and stops the IKE daemon charon
              by sending a TERM signal to starter.

       up name
              tells the IKE daemon to start up connection name.

       down name
              tells the IKE daemon to terminate connection name.

       down name{n}
              terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance n of
              connection name.

       down name{*}
              terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of
              connection name.

       down name[n]
              terminates IKE SA instance n of connection name.

       down name[*]
              terminates all IKE SA instances of connection name.

       Quote arguments that contain braces or brackets, e.g. 'name[1]' or
       'name{*}', since an unquoted name[1] or name[*] is a filename pattern
       to the shell and may be expanded before ipsec sees it.

       route name
              tells the IKE daemon to insert an IPsec policy in the kernel for
              connection name. The first payload packet matching the IPsec
              policy will automatically trigger an IKE connection setup.

       unroute name
              removes the IPsec policy in the kernel for connection name.

       status [name]
              returns concise status information either on connection name
              or, if the argument is lacking, on all connections.

       statusall [name]
              returns detailed status information either on connection name
              or, if the argument is lacking, on all connections.
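       The following script is an added example and is not part of the
       strongSwan man page or code base. It applies the name[n] / name{n}
       notation above to the output of ipsec status: it finds ESTABLISHED
       IKE SAs of one connection under which no INSTALLED CHILD SA is listed
       (for example the old IKE SA left behind after a rekeying), prints the
       matching ipsec down 'name[n]' command for each, and offers an
       "is this connection really up" check to run before deciding on
       ipsec up. It assumes the grouping used by ipsec status and
       statusall, where the lines of one IKE SA (state line first) are
       followed by the lines of its CHILD SAs; the status text embedded in
       the script is constructed sample output standing in for
       "$(ipsec status)".

```sh
#!/bin/sh
# Added example, not part of strongSwan. Parses `ipsec status` output to
# find ESTABLISHED IKE SAs of one connection that carry no INSTALLED
# CHILD SA and builds the `ipsec down 'name[n]'` command for each.
# Assumption: each IKE SA's lines ("name[n]: ESTABLISHED ..." first) are
# followed by its CHILD SA lines ("name{m}:  INSTALLED, ..."), as in the
# output of `ipsec status` and `ipsec statusall`.

# Constructed sample standing in for "$(ipsec status)": home[1] is an old
# IKE SA whose CHILD SA already moved to home[2] after a rekeying.
SAMPLE_STATUS='Security Associations (3 up, 0 connecting):
        home[2]: ESTABLISHED 5 seconds ago, 192.168.0.2[moon.example.org]...192.168.0.1[sun.example.org]
        home{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
        home{2}:   10.1.0.0/16 === 10.2.0.0/16
        home[1]: ESTABLISHED 2 hours ago, 192.168.0.2[moon.example.org]...192.168.0.1[sun.example.org]
        rw[3]: ESTABLISHED 10 minutes ago, 192.168.0.2[moon.example.org]...192.168.0.99[carol.example.org]
        rw{1}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 0a0b0c0d_i 0e0f1011_o
        rw{1}:   10.1.0.0/16 === 10.3.0.1/32'

# stale_ike_sas NAME STATUS_TEXT
# Prints "NAME[n]" for every ESTABLISHED IKE SA of connection NAME under
# which no INSTALLED CHILD SA is listed.
stale_ike_sas() {
    printf '%s\n' "$2" | awk -v conn="$1" '
        # emit the IKE SA seen last if it had no CHILD SA, then reset
        function flush() {
            if (cur != "" && !has_child) print cur
            cur = ""; has_child = 0
        }
        # IKE SA line, e.g. "home[2]: ESTABLISHED 5 seconds ago, ..."
        index($1, "[") > 0 && $1 ~ /:$/ {
            if ($1 != last) {            # first line of a new IKE SA instance
                flush(); last = $1
                name = substr($1, 1, index($1, "[") - 1)
                if (name == conn && $2 == "ESTABLISHED")
                    cur = substr($1, 1, length($1) - 1)   # strip trailing ":"
            }
            next
        }
        # CHILD SA line, e.g. "home{2}:  INSTALLED, TUNNEL, reqid 1, ..."
        index($1, "{") > 0 && $2 == "INSTALLED," { has_child = 1 }
        END { flush() }'
}

# down_commands NAME STATUS_TEXT
# Prints one "ipsec down 'NAME[n]'" line per stale IKE SA (quoted so the
# shell does not treat the brackets as a glob); pipe into sh to run them.
# This is a per-connection version of what "ipsec purgeike" does globally.
down_commands() {
    stale_ike_sas "$1" "$2" | while read -r sa; do
        printf "ipsec down '%s'\n" "$sa"
    done
}

# established NAME STATUS_TEXT
# Succeeds if NAME has at least one ESTABLISHED IKE SA that also has an
# INSTALLED CHILD SA; a lone IKE SA does not carry traffic, so a monitoring
# hook should test this rather than the mere presence of an IKE SA before
# deciding whether to run "ipsec up NAME".
established() {
    total=$(printf '%s\n' "$2" | grep -c "^[[:space:]]*$1\[[0-9]*]: ESTABLISHED" || true)
    stale=$(stale_ike_sas "$1" "$2" | grep -c . || true)
    [ "$total" -gt "$stale" ]
}

# Demonstration on the constructed sample; on a host running charon use
# STATUS=$(ipsec status) in place of SAMPLE_STATUS.
down_commands home "$SAMPLE_STATUS"                 # prints: ipsec down 'home[1]'
established home "$SAMPLE_STATUS" && echo "home: IKE SA and CHILD SA up"
established rw   "$SAMPLE_STATUS" && echo "rw: IKE SA and CHILD SA up"
```

       Keying the IKE SA detection on a change of the first field lets the
       same parser work on statusall output, where each IKE SA spans several
       lines before its CHILD SAs begin.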
LIST COMMANDS
       listalgs
              returns a list of supported cryptographic algorithms usable for
              IKE, and their corresponding plugin.

       listpubkeys [--utc]
              returns a list of RSA public keys that were either loaded in raw
              key format or extracted from X.509 and/or OpenPGP certificates.

       listcerts [--utc]
              returns a list of X.509 and/or OpenPGP certificates that were
              either loaded locally by the IKE daemon or received via the IKE
              protocol.

       listcacerts [--utc]
              returns a list of X.509 Certification Authority (CA)
              certificates that were loaded locally by the IKE daemon from
              the /etc/ipsec.d/cacerts/ directory or received via the IKE
              protocol.

       listaacerts [--utc]
              returns a list of X.509 Authorization Authority (AA)
              certificates that were loaded locally by the IKE daemon from
              the /etc/ipsec.d/aacerts/ directory.

       listocspcerts [--utc]
              returns a list of X.509 OCSP Signer certificates that were
              either loaded locally by the IKE daemon from the
              /etc/ipsec.d/ocspcerts/ directory or were sent by an OCSP
              server.

       listacerts [--utc]
              returns a list of X.509 Attribute certificates that were loaded
              locally by the IKE daemon from the /etc/ipsec.d/acerts/
              directory.

       listgroups [--utc]
              returns a list of groups that are used to define user
              authorization profiles.

       listcainfos [--utc]
              returns certification authority information (CRL distribution
              points, OCSP URIs, LDAP servers) that were defined by ca
              sections in ipsec.conf.

       listcrls [--utc]
              returns a list of Certificate Revocation Lists (CRLs) that were
              either loaded by the IKE daemon from the /etc/ipsec.d/crls
              directory or fetched from an HTTP- or LDAP-based CRL
              distribution point.

       listocsp [--utc]
              returns revocation information fetched from OCSP servers.

       listplugins
              returns a list of all loaded plugin features.

       listcounters [name]
              returns a list of global or connection specific IKE counter
              values collected since daemon startup.

       listall [--utc]
              returns all information generated by the list commands above.

       Each list command can be called with the --utc option, which displays
       all dates in UTC instead of local time.

REREAD COMMANDS
       rereadsecrets
              flushes and rereads all secrets defined in ipsec.secrets.

       rereadcacerts
              reads all certificate files contained in the
              /etc/ipsec.d/cacerts directory and adds them to the list of
              Certification Authority (CA) certificates.

       rereadaacerts
              reads all certificate files contained in the
              /etc/ipsec.d/aacerts directory and adds them to the list of
              Authorization Authority (AA) certificates.

       rereadocspcerts
              reads all certificate files contained in the
              /etc/ipsec.d/ocspcerts/ directory and adds them to the list of
              OCSP signer certificates.

       rereadacerts
              reads all certificate files contained in the
              /etc/ipsec.d/acerts/ directory and adds them to the list of
              attribute certificates.

       rereadcrls
              reads all Certificate Revocation Lists (CRLs) contained in the
              /etc/ipsec.d/crls/ directory and adds them to the list of CRLs.

       rereadall
              executes all reread commands listed above.

RESET COMMANDS
       resetcounters [name]
              resets global or connection specific counters.

PURGE COMMANDS
       purgecerts
              purges all cached certificates.

       purgecrl
              purges all cached CRLs.

       purgeike
              purges IKE SAs that don't have a Quick Mode or CHILD SA.

       purgeocsp
              purges all cached OCSP information records.

INFO COMMANDS
       --help returns the usage information for the ipsec command.

       --version
              returns the version in the form of Linux strongSwan U<strongSwan
              userland version>/K<Linux kernel version> if strongSwan uses the
              native NETKEY IPsec stack of the Linux kernel it is running on.

       --versioncode
              returns the version number in the form of U<strongSwan userland
              version>/K<Linux kernel version> if strongSwan uses the native
              NETKEY IPsec stack of the Linux kernel it is running on.

       --copyright
              returns the copyright information.

       --directory
              returns the LIBEXECDIR directory as defined by the configure
              options.

       --confdir
              returns the SYSCONFDIR directory as defined by the configure
              options.

       --piddir
              returns the PIDDIR directory as defined by the configure
              options.

FILES
       /usr/libexec/ipsec     utilities directory

ENVIRONMENT
       When calling other commands the ipsec command supplies the following
       environment variables.

       IPSEC_DIR            directory containing ipsec programs and utilities
       IPSEC_BINDIR         directory containing the pki command
       IPSEC_SBINDIR        directory containing the ipsec command
       IPSEC_CONFDIR        directory containing configuration files
       IPSEC_PIDDIR         directory containing PID/socket files
       IPSEC_SCRIPT         name of the ipsec script
       IPSEC_NAME           name of the ipsec distribution
       IPSEC_VERSION        version number of ipsec userland and kernel
       IPSEC_STARTER_PID    PID file for ipsec starter
       IPSEC_CHARON_PID     PID file for the IKE keying daemon

SEE ALSO
       ipsec.conf(5), ipsec.secrets(5)

HISTORY
       Originally written for the FreeS/WAN project by Henry Spencer. Updated
       and extended for the strongSwan project <http://www.strongswan.org> by
       Tobias Brunner and Andreas Steffen.



5.2.0                             2013-10-29                          IPSEC(8)