IPSEC(8)                          strongSwan                          IPSEC(8)

NAME
       ipsec - invoke IPsec utilities

SYNOPSIS
       ipsec command [arguments] [options]

DESCRIPTION
       The ipsec utility invokes any of several utilities involved in
       controlling and monitoring the IPsec encryption/authentication system,
       running the specified command with the specified arguments and options
       as if it had been invoked directly. This largely eliminates possible
       name collisions with other software, and also permits some centralized
       services.

       All the commands described in this manual page are built-in and are
       used to control and monitor IPsec connections as well as the IKE
       daemon.

       For other commands ipsec supplies the invoked command with a suitable
       PATH environment variable, and also provides the environment variables
       listed under ENVIRONMENT.

CONTROL COMMANDS
       start [starter options]
              calls starter which in turn parses ipsec.conf and starts the
              IKE daemon charon.

       update sends a HUP signal to starter which in turn determines any
              changes in ipsec.conf and updates the configuration on the
              running IKE daemon charon.

       reload sends a USR1 signal to starter which in turn reloads the whole
              configuration of the running IKE daemon charon based on the
              actual ipsec.conf.

       restart
              is equivalent to stop followed by start after a guard of 2
              seconds.

       stop   terminates all IPsec connections and stops the IKE daemon charon
              by sending a TERM signal to starter.

       up name
              tells the IKE daemon to start up connection name.

       down name
              tells the IKE daemon to terminate connection name.

       down name{n}
              terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance n of
              connection name.

       down name{*}
              terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of
              connection name.

       down name[n]
              terminates IKE SA instance n of connection name.

       down name[*]
              terminates all IKE SA instances of connection name.

       down-srcip <start> [<end>]
              terminates all IKE SA instances with clients having virtual IPs
              in the range start-end.

       route name
              tells the IKE daemon to insert an IPsec policy in the kernel for
              connection name. The first payload packet matching the IPsec
              policy will automatically trigger an IKE connection setup.

       unroute name
              removes the IPsec policy in the kernel for connection name.

       status [name]
              returns concise status information either on connection name
              or, if the argument is lacking, on all connections.

       statusall [name]
              returns detailed status information either on connection name
              or, if the argument is lacking, on all connections.

LIST COMMANDS
       leases [<poolname> [<address>]]
              returns the status of all or the selected IP address pool (or
              even a single virtual IP address).

       listalgs
              returns a list of supported cryptographic algorithms usable for
              IKE, and their corresponding plugin.

       listpubkeys [--utc]
              returns a list of RSA public keys that were either loaded in raw
              key format or extracted from X.509 and|or OpenPGP certificates.

       listcerts [--utc]
              returns a list of X.509 and|or OpenPGP certificates that were
              either loaded locally by the IKE daemon or received via the IKE
              protocol.

       listcacerts [--utc]
              returns a list of X.509 Certification Authority (CA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/ipsec.d/cacerts/ directory or received via the IKE
              protocol.

       listaacerts [--utc]
              returns a list of X.509 Authorization Authority (AA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/ipsec.d/aacerts/ directory.

       listocspcerts [--utc]
              returns a list of X.509 OCSP Signer certificates that were
              either loaded locally by the IKE daemon from the
              /etc/ipsec.d/ocspcerts/ directory or were sent by an OCSP
              server.

       listacerts [--utc]
              returns a list of X.509 Attribute certificates that were loaded
              locally by the IKE daemon from the /etc/ipsec.d/acerts/
              directory.

       listgroups [--utc]
              returns a list of groups that are used to define user
              authorization profiles.

       listcainfos [--utc]
              returns certification authority information (CRL distribution
              points, OCSP URIs, LDAP servers) that were defined by ca
              sections in ipsec.conf.

       listcrls [--utc]
              returns a list of Certificate Revocation Lists (CRLs) that were
              either loaded by the IKE daemon from the /etc/ipsec.d/crls
              directory or fetched from an HTTP- or LDAP-based CRL
              distribution point.

       listocsp [--utc]
              returns revocation information fetched from OCSP servers.

       listplugins
              returns a list of all loaded plugin features.

       listcounters [name]
              returns a list of global or connection-specific IKE counter
              values collected since daemon startup.

       listall [--utc]
              returns all information generated by the list commands above.
              Each list command can be called with the --utc option which
              displays all dates in UTC instead of local time.

REREAD COMMANDS
       rereadsecrets
              flushes and rereads all secrets defined in ipsec.secrets.

       rereadcacerts
              removes previously loaded CA certificates, reads all certificate
              files contained in the /etc/ipsec.d/cacerts directory and adds
              them to the list of Certification Authority (CA) certificates.
              This does not affect certificates explicitly defined in an
              ipsec.conf(5) ca section, which may be separately updated using
              the update command.

       rereadaacerts
              removes previously loaded AA certificates, reads all certificate
              files contained in the /etc/ipsec.d/aacerts directory and adds
              them to the list of Authorization Authority (AA) certificates.

       rereadocspcerts
              reads all certificate files contained in the
              /etc/ipsec.d/ocspcerts/ directory and adds them to the list of
              OCSP signer certificates.

       rereadacerts
              reads all certificate files contained in the
              /etc/ipsec.d/acerts/ directory and adds them to the list of
              attribute certificates.

       rereadcrls
              reads all Certificate Revocation Lists (CRLs) contained in the
              /etc/ipsec.d/crls/ directory and adds them to the list of CRLs.

       rereadall
              executes all reread commands listed above.

RESET COMMANDS
       resetcounters [name]
              resets global or connection-specific counters.

PURGE COMMANDS
       purgecerts
              purges all cached certificates.

       purgecrls
              purges all cached CRLs.

       purgeike
              purges IKE SAs that don't have a Quick Mode or CHILD SA.

       purgeocsp
              purges all cached OCSP information records.
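
       The following is an added example, not part of strongSwan or of this
       manual page: a POSIX shell script that reads "ipsec status" output and
       lists the IKE SA instances that have no Quick Mode or CHILD SA, i.e.
       the SAs purgeike would drop, printed as the per-instance "ipsec down
       name[n]" commands documented above so an operator can review them
       first. It assumes status lines name IKE SAs as "name[n]:" and CHILD SAs
       as "name{m}:" (the selectors this page uses); the sample output is
       constructed in that shape, not captured from a real system.

```sh
#!/bin/sh
# Added example (not strongSwan code): find IKE SAs without a CHILD SA.
# ASSUMPTION: "ipsec status" prints each IKE SA as "name[n]: ..." followed by
# its CHILD SA lines "name{m}: ...", using the selectors this page documents.

# Constructed sample modelled on "ipsec status" output (not a real capture).
# rw[2] is an IKE SA with no CHILD SA lines under it.
SAMPLE_STATUS='Security Associations (3 up, 0 connecting):
        home[1]: ESTABLISHED 5 minutes ago, 192.0.2.1[moon]...192.0.2.2[sun]
        home{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
        home{1}:   10.1.0.0/16 === 10.2.0.0/16
        rw[2]: ESTABLISHED 12 minutes ago, 192.0.2.1[moon]...198.51.100.7[carol]
        rw[3]: ESTABLISHED 1 second ago, 192.0.2.1[moon]...198.51.100.9[dave]
        rw{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0000003_i c0000004_o
        rw{2}:   10.1.0.0/16 === 10.3.0.0/24'

# Reads status text on stdin; prints one orphaned IKE SA selector per line.
find_orphan_ike_sas() {
    awk '
        # "name[n]:" opens a new IKE SA group; remember it in output order
        $1 ~ /\[[0-9]+\]:$/ {
            cur = substr($1, 1, length($1) - 1)      # drop the trailing ":"
            if (!(cur in has_child)) { order[++n] = cur; has_child[cur] = 0 }
            next
        }
        # "name{m}:" is a CHILD SA belonging to the most recent IKE SA
        cur != "" && $1 ~ /[{][0-9]+[}]:$/ { has_child[cur] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!has_child[order[i]]) print order[i]
        }'
}

# Turns the orphan list into "ipsec down name[n]" commands. They are only
# printed, so the operator can review before terminating anything.
orphan_down_commands() {
    find_orphan_ike_sas | sed 's/^/ipsec down /'
}

# Stand-alone run on the constructed sample; on a live system use:
#   ipsec status | orphan_down_commands
printf '%s\n' "$SAMPLE_STATUS" | orphan_down_commands
```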

INFO COMMANDS
       --help returns the usage information for the ipsec command.

       --version
              returns the version in the form of Linux strongSwan U<strongSwan
              userland version>/K<Linux kernel version> if strongSwan uses the
              native NETKEY IPsec stack of the Linux kernel it is running on.

       --versioncode
              returns the version number in the form of U<strongSwan userland
              version>/K<Linux kernel version> if strongSwan uses the native
              NETKEY IPsec stack of the Linux kernel it is running on.

       --copyright
              returns the copyright information.

       --directory
              returns the LIBEXECDIR directory as defined by the configure
              options.

       --confdir
              returns the SYSCONFDIR directory as defined by the configure
              options.

       --piddir
              returns the PIDDIR directory as defined by the configure
              options.

FILES
       /usr/libexec/ipsec     utilities directory

ENVIRONMENT
       When calling other commands the ipsec command supplies the following
       environment variables.

       IPSEC_DIR              directory containing ipsec programs and utilities
       IPSEC_BINDIR           directory containing pki command
       IPSEC_SBINDIR          directory containing ipsec command
       IPSEC_CONFDIR          directory containing configuration files
       IPSEC_PIDDIR           directory containing PID/socket files
       IPSEC_SCRIPT           name of the ipsec script
       IPSEC_NAME             name of ipsec distribution
       IPSEC_VERSION          version number of ipsec userland and kernel
       IPSEC_STARTER_PID      PID file for ipsec starter
       IPSEC_CHARON_PID       PID file for IKE keying daemon

SEE ALSO
       ipsec.conf(5), ipsec.secrets(5)

HISTORY
       Originally written for the FreeS/WAN project by Henry Spencer. Updated
       and extended for the strongSwan project <http://www.strongswan.org> by
       Tobias Brunner and Andreas Steffen.



5.7.2dr1                          2013-10-29                          IPSEC(8)