RACOONCTL(8)              BSD System Manager's Manual             RACOONCTL(8)

NAME
     racoonctl — racoon administrative control tool

SYNOPSIS
     racoonctl [opts] reload-config
     racoonctl [opts] show-schedule
     racoonctl [opts] show-sa [isakmp|esp|ah|ipsec]
     racoonctl [opts] get-sa-cert [inet|inet6] src dst
     racoonctl [opts] flush-sa [isakmp|esp|ah|ipsec]
     racoonctl [opts] delete-sa saopts
     racoonctl [opts] establish-sa [-w] [-n remoteconf] [-u username] saopts
     racoonctl [opts] vpn-connect [-u username] vpn_gateway
     racoonctl [opts] vpn-disconnect vpn_gateway
     racoonctl [opts] show-event
     racoonctl [opts] logout-user login

DESCRIPTION
     racoonctl is used to control racoon(8) operation, if ipsec-tools was
     configured with adminport support.  Communication between racoonctl and
     racoon(8) is done through a UNIX socket.  By changing the default mode
     and ownership of the socket you can allow non-root users to alter
     racoon(8) behavior; anyone who can write to that socket can flush,
     delete or establish SAs and make racoon(8) reload its configuration,
     so do that with caution.

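     The following sh(1) functions are an added example, not part of
     ipsec-tools, for auditing the control socket before relying on it.
     racoon(8) takes the socket's path, owner, group and mode from the
     adminsock directive in the listen section of racoon.conf(5), for
     instance adminsock "/var/run/racoon.sock" "root" "operator" 0660; to
     delegate control to group operator.  The check below refuses a
     world-writable socket, accepts a group-writable one only for a group
     you name, and confirms the path really is a socket rather than a
     regular file a local user planted there.  It assumes a POSIX ls(1)
     whose -l output carries the mode, owner and group in columns 1, 3 and
     4; the paths in the usage comment are illustrative.

```sh
#!/bin/sh
# Added example, not part of ipsec-tools: audit the racoon(8) admin socket
# that racoonctl talks to.  Assumes a POSIX ls(1) whose -l output has the
# mode in column 1, the owner in column 3 and the group in column 4.

# perm_problems PATH [OWNER [GROUP]]
#   Prints one line per problem found and returns 1 if there were any.
#   OWNER defaults to root.  A group-writable socket is accepted only when
#   GROUP is given and matches, i.e. when delegation to that group is intended.
perm_problems() {
    path=$1
    want_owner=${2:-root}
    want_group=$3
    rc=0
    [ -e "$path" ] || { echo "$path: does not exist"; return 1; }
    # Word-split the ls -l line into mode, link count, owner, group, ...
    set -- $(ls -ld "$path")
    mode=$1 owner=$3 group=$4
    if [ "$owner" != "$want_owner" ]; then
        echo "$path: owned by $owner, expected $want_owner"
        rc=1
    fi
    # Character 9 of the mode string is the "other" write bit: never acceptable.
    case $mode in
        ????????w*) echo "$path: world-writable ($mode)"; rc=1 ;;
    esac
    # Character 6 is the group write bit: acceptable only for a delegated group.
    case $mode in
        ?????w*)
            if [ -z "$want_group" ]; then
                echo "$path: group-writable ($mode) but no group was delegated"
                rc=1
            elif [ "$group" != "$want_group" ]; then
                echo "$path: writable by group $group, expected $want_group"
                rc=1
            fi ;;
    esac
    return $rc
}

# check_adminsock PATH [OWNER [GROUP]]
#   0: safe to use, 1: bad ownership or mode, 2: exists but is not a UNIX socket.
check_adminsock() {
    perm_problems "$@" || return 1
    [ -S "$1" ] || { echo "$1: not a UNIX socket"; return 2; }
    echo "$1: ok"
}

# Typical use before an unprivileged operator runs racoonctl (illustrative paths):
#   check_adminsock /var/run/racoon.sock root operator \
#       && racoonctl -s /var/run/racoon.sock show-sa
```

     The mode check is done on the ls(1) mode string rather than with a
     numeric stat(1) format so that it behaves the same on BSD and GNU
     userlands.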
     The following general options are available:

     -d      Debug mode.  Hexdump the admin port commands as they are sent.

     -l      Increase verbosity.  Mainly for the show-sa command.

     -s socket
             Specify the UNIX socket used to connect to racoon(8).

     The following commands are available:

     reload-config
             This should cause racoon(8) to reload its configuration file.

     show-schedule
             Not documented.

     show-sa [isakmp|esp|ah|ipsec]
             Dump the SAs: all SAs if no SA class is provided, or only the
             ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.  Use
             -l to increase verbosity.

     get-sa-cert [inet|inet6] src dst
             Output the raw certificate that was used to authenticate the
             phase 1 matching src and dst.

     flush-sa [isakmp|esp|ah|ipsec]
             Flush all SAs if no SA class is provided, or one class of SAs:
             either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.

     establish-sa [-w] [-n remoteconf] [-u username] saopts
             Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH
             SA.  The optional -u username can be used when establishing an
             ISAKMP SA while hybrid auth is in use; racoonctl will prompt you
             for the password associated with username, and these credentials
             will be used in the Xauth exchange.  The exact remote block to
             use can be specified with -n remoteconf.

             Specifying -w will make racoonctl wait until the SA is actually
             established or an error occurs.

             saopts has the following format:

             isakmp {inet|inet6} src dst

             {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port
             {icmp|tcp|udp|gre|any}

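     As an added example (not part of ipsec-tools), the sh(1) functions
     below assemble a saopts string in the format above and reject
     malformed input before it reaches racoonctl, so that a typo in a
     script does not silently address the wrong SA.  Addresses are checked
     for syntax only (a dotted quad for inet, hex digits and colons for
     inet6); prefix length and port ranges and the set of upper-layer
     protocols follow the grammar above.  The addresses in the demo and in
     the usage comment are constructed from the 192.0.2.0/24,
     198.51.100.0/24 and 2001:db8::/32 documentation ranges.

```sh
#!/bin/sh
# Added example, not part of ipsec-tools: assemble and sanity-check the saopts
# argument for racoonctl establish-sa / delete-sa.  Checks are syntactic only;
# racoon(8) still decides whether the SA can actually be set up.

# valid_port PORT -> digits only, 0..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# valid_prefixlen FAMILY PREFIXLEN -> 0..32 for inet, 0..128 for inet6
valid_prefixlen() {
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    case $1 in
        inet)  [ "$2" -le 32 ] ;;
        inet6) [ "$2" -le 128 ] ;;
        *)     return 1 ;;
    esac
}

# valid_addr FAMILY ADDR -> dotted quad for inet, hex digits and colons for inet6
valid_addr() {
    case $1 in
        inet)
            # Split on dots and check for exactly four octets in 0..255.
            oldifs=$IFS; IFS=.; set -- $2; IFS=$oldifs
            [ $# -eq 4 ] || return 1
            for octet in "$@"; do
                case $octet in ''|*[!0-9]*) return 1 ;; esac
                [ "$octet" -le 255 ] || return 1
            done
            ;;
        inet6)
            case $2 in *:*) ;; *) return 1 ;; esac
            case $2 in *[!0-9a-fA-F:]*) return 1 ;; esac
            ;;
        *)  return 1 ;;
    esac
}

# valid_endpoint FAMILY ADDR/PREFIXLEN/PORT -> the triple used by esp/ah saopts
valid_endpoint() {
    fam=$1
    ep=$2
    oldifs=$IFS; IFS=/; set -- $ep; IFS=$oldifs
    [ $# -eq 3 ] || { echo "saopts: endpoint must be addr/prefixlen/port, got '$ep'" >&2; return 1; }
    valid_addr "$fam" "$1"      || { echo "saopts: bad $fam address $1" >&2; return 1; }
    valid_prefixlen "$fam" "$2" || { echo "saopts: bad prefixlen $2 for $fam" >&2; return 1; }
    valid_port "$3"             || { echo "saopts: bad port $3" >&2; return 1; }
}

# saopts_isakmp FAMILY SRC DST -> "isakmp FAMILY SRC DST"
saopts_isakmp() {
    case $1 in inet|inet6) ;; *) echo "saopts: family must be inet or inet6" >&2; return 1 ;; esac
    valid_addr "$1" "$2" || { echo "saopts: bad $1 address $2" >&2; return 1; }
    valid_addr "$1" "$3" || { echo "saopts: bad $1 address $3" >&2; return 1; }
    printf 'isakmp %s %s %s\n' "$1" "$2" "$3"
}

# saopts_ipsec {esp|ah} FAMILY SRC/PLEN/PORT DST/PLEN/PORT {icmp|tcp|udp|gre|any}
saopts_ipsec() {
    case $1 in esp|ah) ;; *) echo "saopts: protocol must be esp or ah" >&2; return 1 ;; esac
    case $5 in icmp|tcp|udp|gre|any) ;; *) echo "saopts: bad upper-layer protocol '$5'" >&2; return 1 ;; esac
    valid_endpoint "$2" "$3" || return 1
    valid_endpoint "$2" "$4" || return 1
    printf '%s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Constructed demo: the saopts for an ESP SA between two documentation
# prefixes.  In a real script the result is passed on unquoted, e.g.
#   racoonctl establish-sa -w $(saopts_ipsec esp inet 192.0.2.0/24/0 198.51.100.0/24/0 any)
saopts_ipsec esp inet 192.0.2.0/24/0 198.51.100.0/24/0 any
```

     Every rejection goes to standard error with a non-zero return, so a
     caller running under set -e stops before invoking racoonctl with a
     half-formed saopts.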
     vpn-connect [-u username] vpn_gateway
             This is a particular case of establish-sa.  It will establish
             an ISAKMP SA with vpn_gateway.

     delete-sa saopts
             Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
             saopts has the same format as for establish-sa.

     vpn-disconnect vpn_gateway
             This is a particular case of delete-sa.  It will kill all SAs
             associated with vpn_gateway.

     show-event
             Listen for all events reported by racoon(8).

     logout-user login
             Delete all SAs established on behalf of the Xauth user login.

     Command shortcuts are available:

     rc      reload-config
     ss      show-sa
     sc      show-schedule
     fs      flush-sa
     ds      delete-sa
     es      establish-sa
     vc      vpn-connect
     vd      vpn-disconnect
     se      show-event
     lu      logout-user

RETURN VALUES
     The command should exit with 0 on success, and non-zero on errors.

FILES
     /var/racoon/racoon.sock or
     /var/run/racoon.sock    racoon(8) control socket.

SEE ALSO
     ipsec(4), racoon(8)

HISTORY
     racoonctl was once kmpstat in the KAME project.  It was renamed
     racoonctl but remained undocumented for a while.  Emmanuel Dreyfus
     <manu@NetBSD.org> wrote this man page.

BSD                             March 12, 2009                             BSD