IPSEC(8)                           strongSwan                           IPSEC(8)



NAME
       ipsec - invoke IPsec utilities

SYNOPSIS
       ipsec command [arguments] [options]

DESCRIPTION
       The ipsec utility invokes any of several utilities involved in
       controlling and monitoring the IPsec encryption/authentication system,
       running the specified command with the specified arguments and options
       as if it had been invoked directly. This largely eliminates possible
       name collisions with other software, and also permits some centralized
       services.

       All the commands described in this manual page are built-in and are
       used to control and monitor IPsec connections as well as the IKE
       daemon.

       For other commands ipsec supplies the invoked command with a suitable
       PATH environment variable, and also provides the environment variables
       listed under ENVIRONMENT.

CONTROL COMMANDS
       start [starter options]
              calls starter which in turn parses ipsec.conf and starts the IKE
              daemon charon.

       update sends a HUP signal to starter which in turn determines any
              changes in ipsec.conf and updates the configuration on the
              running IKE daemon charon.

       reload sends a USR1 signal to starter which in turn reloads the whole
              configuration of the running IKE daemon charon based on the
              actual ipsec.conf.

       restart
              is equivalent to stop followed by start after a guard of 2
              seconds.

       stop   terminates all IPsec connections and stops the IKE daemon charon
              by sending a TERM signal to starter.

       up name
              tells the IKE daemon to start up connection name.

       down name
              tells the IKE daemon to terminate connection name.

       down name{n}
              terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance n of
              connection name.

       down name{*}
              terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of
              connection name.

       down name[n]
              terminates IKE SA instance n of connection name.

       down name[*]
              terminates all IKE SA instances of connection name.

       down-srcip <start> [<end>]
              terminates all IKE SA instances with clients having virtual IPs
              in the range start-end.

       route name
              tells the IKE daemon to insert an IPsec policy in the kernel for
              connection name. The first payload packet matching the IPsec
              policy will automatically trigger an IKE connection setup.

       unroute name
              removes the IPsec policy in the kernel for connection name.

       status [name]
              returns concise status information either on connection name
              or, if the argument is lacking, on all connections.

       statusall [name]
              returns detailed status information either on connection name
              or, if the argument is lacking, on all connections.
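
       The down command above takes three argument shapes: the bare connection
       name, name[n] for one IKE SA instance and name{n} for one CHILD SA or
       Quick Mode instance, with * standing for all instances of that scope.
       The following shell script is an added example and is not part of the
       strongSwan man page or distribution. It builds those arguments and picks
       the IKE SA instance numbers of one connection out of status output, so
       that a stale duplicate IKE SA (for example a road warrior that
       reconnected before its old SA timed out) can be closed without dropping
       the whole connection. The status text is a constructed sample; its line
       layout (name[n]: ESTABLISHED ... for IKE SAs, name{n}: INSTALLED ... for
       CHILD SAs) and the assumption that a higher instance number means a
       newer SA should be checked against the output of your own version. The
       script prints the down commands instead of running them.

```sh
#!/bin/sh
# Added example, not part of the strongSwan man page or distribution.
# Builds the argument forms that "ipsec down" accepts and picks IKE SA
# instance numbers out of "ipsec status" output.

# down_target NAME SCOPE [N]
#   SCOPE: conn  -> NAME          (whole connection)
#          ike   -> NAME[N]       (one IKE SA instance, or all with N="*")
#          child -> NAME{N}       (one CHILD SA / Quick Mode instance, or all)
down_target() {
    name=$1 scope=$2 n=${3:-"*"}
    case $scope in
        conn)  printf '%s\n' "$name" ;;
        ike)   printf '%s[%s]\n' "$name" "$n" ;;
        child) printf '%s{%s}\n' "$name" "$n" ;;
        *)     echo "down_target: unknown scope '$scope'" >&2; return 1 ;;
    esac
}

# ike_instances NAME   (reads "ipsec status" text on stdin)
#   Prints the instance number of every ESTABLISHED IKE SA of connection NAME.
#   Assumed line layout: "  NAME[3]: ESTABLISHED 2 hours ago, ..." for IKE SAs
#   and "  NAME{3}:  INSTALLED, ..." for CHILD SAs (the latter are skipped).
ike_instances() {
    awk -v conn="$1" '
        $2 == "ESTABLISHED" {
            ref = $1                                   # e.g. "rw[3]:"
            if (sub(/]:$/, "", ref) && sub(/\[/, " ", ref)) {
                split(ref, p, " ")                     # p[1]=name, p[2]=instance
                if (p[1] == conn) print p[2]
            }
        }'
}

# Constructed sample of "ipsec status" output: one net-to-net tunnel and a
# road warrior "carol" that reconnected without the old IKE SA being closed.
SAMPLE_STATUS='Security Associations (3 up, 0 connecting):
     net-net[1]: ESTABLISHED 3 hours ago, 192.0.2.1[moon]...192.0.2.2[sun]
     net-net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
     net-net{1}:   10.1.0.0/16 === 10.2.0.0/16
          rw[2]: ESTABLISHED 25 minutes ago, 192.0.2.1[moon]...198.51.100.7[carol]
          rw{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 01020304_i 05060708_o
          rw[3]: ESTABLISHED 4 seconds ago, 192.0.2.1[moon]...198.51.100.7[carol]
          rw{3}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 0a0b0c0d_i 0e0f1011_o'

# stale_ike_cleanup NAME
#   Dry run: prints the "ipsec down NAME[n]" command for every established IKE
#   SA of NAME except the one with the highest instance number (assumed to be
#   the newest), so only the stale duplicates would go.
#   Replace SAMPLE_STATUS with "$(ipsec status "$1")" to work on live data.
stale_ike_cleanup() {
    conn=$1
    newest=$(printf '%s\n' "$SAMPLE_STATUS" | ike_instances "$conn" | sort -n | tail -n 1)
    printf '%s\n' "$SAMPLE_STATUS" | ike_instances "$conn" | sort -n |
    while read -r i; do
        if [ "$i" != "$newest" ]; then
            printf 'ipsec down %s\n' "$(down_target "$conn" ike "$i")"
        fi
    done
}
```

       Running stale_ike_cleanup rw over the sample prints a single
       "ipsec down rw[2]" line and leaves rw[3] and net-net[1] alone; the
       CHILD SA lines are ignored because their state word is INSTALLED, not
       ESTABLISHED.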

LIST COMMANDS
       leases [<poolname> [<address>]]
              returns the status of all or the selected IP address pool (or
              even a single virtual IP address).

       listalgs
              returns a list of supported cryptographic algorithms usable for
              IKE, and their corresponding plugin.

       listpubkeys [--utc]
              returns a list of RSA public keys that were either loaded in raw
              key format or extracted from X.509 and/or OpenPGP certificates.

       listcerts [--utc]
              returns a list of X.509 and/or OpenPGP certificates that were
              either loaded locally by the IKE daemon or received via the IKE
              protocol.

       listcacerts [--utc]
              returns a list of X.509 Certification Authority (CA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/ipsec.d/cacerts/ directory or received via the IKE
              protocol.

       listaacerts [--utc]
              returns a list of X.509 Authorization Authority (AA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/ipsec.d/aacerts/ directory.

       listocspcerts [--utc]
              returns a list of X.509 OCSP Signer certificates that were
              either loaded locally by the IKE daemon from the
              /etc/ipsec.d/ocspcerts/ directory or were sent by an OCSP
              server.

       listacerts [--utc]
              returns a list of X.509 Attribute certificates that were loaded
              locally by the IKE daemon from the /etc/ipsec.d/acerts/
              directory.

       listgroups [--utc]
              returns a list of groups that are used to define user
              authorization profiles.

       listcainfos [--utc]
              returns certification authority information (CRL distribution
              points, OCSP URIs, LDAP servers) that were defined by ca
              sections in ipsec.conf.

       listcrls [--utc]
              returns a list of Certificate Revocation Lists (CRLs) that were
              either loaded by the IKE daemon from the /etc/ipsec.d/crls
              directory or fetched from an HTTP- or LDAP-based CRL
              distribution point.

       listocsp [--utc]
              returns revocation information fetched from OCSP servers.

       listplugins
              returns a list of all loaded plugin features.

       listcounters [name]
              returns a list of global or connection-specific IKE counter
              values collected since daemon startup.

       listall [--utc]
              returns all information generated by the list commands above.
              Each list command can be called with the --utc option, which
              displays all dates in UTC instead of local time.
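
       The list commands are the natural place to hook certificate expiry
       monitoring: a certificate the daemon has loaded but which expires soon
       will silently break every connection that authenticates with it. The
       script below is an added example, not part of the strongSwan man page or
       distribution. It reads the text that listcerts --utc prints and reports
       every certificate whose "not after" line is within a given number of
       days, or already in the past. The sample output is constructed and the
       line layout it relies on ("subject:" followed by the quoted DN, and a
       "not after ..., ok (expires in N days)" or "..., expired (N days ago)"
       validity line) is an assumption about the daemon's output format, so
       compare it with what your version prints before relying on the
       patterns.

```sh
#!/bin/sh
# Added example, not part of the strongSwan man page or distribution.
# Reads the text printed by "ipsec listcerts --utc" and reports certificates
# that expire within a given number of days or have already expired.
# Usage with live data:  ipsec listcerts --utc | expiring_certs 30

# expiring_certs DAYS   (reads listcerts output on stdin)
#   Prints "DAYS_LEFT subject" for every certificate whose "not after" line
#   reports at most DAYS days left; already expired ones get a negative value.
#   Assumed line layout (check against your version's output):
#     subject:  "C=CH, O=strongSwan, CN=moon.strongswan.org"
#     validity:  not before ..., ok
#                not after  ..., ok (expires in 1500 days)     or
#                not after  ..., expired (12 days ago)
expiring_certs() {
    awk -v limit="$1" '
        /^ *subject: / {
            subj = $0
            sub(/^ *subject: */, "", subj)              # keep only the quoted DN
        }
        /not after/ && /expires in [0-9]+ day/ {
            match($0, /expires in [0-9]+/)
            left = substr($0, RSTART + 11, RLENGTH - 11) + 0   # digits after "expires in "
            if (left <= limit) print left, subj
        }
        /not after/ && /expired/ {
            match($0, /[0-9]+ days? ago/)
            ago = substr($0, RSTART, RLENGTH) + 0        # awk keeps the leading number
            print 0 - ago, subj
        }'
}

# Constructed sample of "ipsec listcerts --utc" output (placeholder serials).
SAMPLE_LISTCERTS='List of X.509 End Entity Certificates

  subject:  "C=CH, O=strongSwan, CN=moon.strongswan.org"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  validity:  not before Sep 04 12:55:34 2018 UTC, ok
             not after  Sep 04 12:55:34 2028 UTC, ok (expires in 1500 days)
  serial:    0a:0b:0c:0d

  subject:  "C=CH, O=strongSwan, CN=sun.strongswan.org"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  validity:  not before Sep 04 12:55:34 2018 UTC, ok
             not after  Sep 04 12:55:34 2025 UTC, ok (expires in 21 days)
  serial:    01:02:03:04

  subject:  "C=CH, O=strongSwan, CN=carol@strongswan.org"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  validity:  not before Sep 04 12:55:34 2015 UTC, ok
             not after  Sep 04 12:55:34 2020 UTC, expired (12 days ago)
  serial:    05:06:07:08'

# cert_expiry_report DAYS
#   Runs the check over the sample and returns 1 when anything needs renewal,
#   which makes it usable as the exit status of a monitoring probe.
cert_expiry_report() {
    out=$(printf '%s\n' "$SAMPLE_LISTCERTS" | expiring_certs "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

       With a 30-day threshold the sample yields two lines, the sun
       certificate with 21 days left and the carol certificate at -12 days;
       with a 10-day threshold only the expired carol certificate remains.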

REREAD COMMANDS
       rereadsecrets
              flushes and rereads all secrets defined in ipsec.secrets.

       rereadcacerts
              removes previously loaded CA certificates, reads all certificate
              files contained in the /etc/ipsec.d/cacerts directory and adds
              them to the list of Certification Authority (CA) certificates.
              This does not affect certificates explicitly defined in an
              ipsec.conf(5) ca section, which may be separately updated using
              the update command.

       rereadaacerts
              removes previously loaded AA certificates, reads all certificate
              files contained in the /etc/ipsec.d/aacerts directory and adds
              them to the list of Authorization Authority (AA) certificates.

       rereadocspcerts
              reads all certificate files contained in the
              /etc/ipsec.d/ocspcerts/ directory and adds them to the list of
              OCSP signer certificates.

       rereadacerts
              reads all certificate files contained in the
              /etc/ipsec.d/acerts/ directory and adds them to the list of
              attribute certificates.

       rereadcrls
              reads all Certificate Revocation Lists (CRLs) contained in the
              /etc/ipsec.d/crls/ directory and adds them to the list of CRLs.

       rereadall
              executes all reread commands listed above.

RESET COMMANDS
       resetcounters [name]
              resets global or connection-specific counters.

PURGE COMMANDS
       purgecerts
              purges all cached certificates.

       purgecrls
              purges all cached CRLs.

       purgeike
              purges IKE SAs that don't have a Quick Mode or CHILD SA.

       purgeocsp
              purges all cached OCSP information records.

INFO COMMANDS
       --help returns the usage information for the ipsec command.

       --version
              returns the version in the form of Linux strongSwan U<strongSwan
              userland version>/K<Linux kernel version> if strongSwan uses the
              native NETKEY IPsec stack of the Linux kernel it is running on.

       --versioncode
              returns the version number in the form of U<strongSwan userland
              version>/K<Linux kernel version> if strongSwan uses the native
              NETKEY IPsec stack of the Linux kernel it is running on.

       --copyright
              returns the copyright information.

       --directory
              returns the LIBEXECDIR directory as defined by the configure
              options.

       --confdir
              returns the SYSCONFDIR directory as defined by the configure
              options.

       --piddir
              returns the PIDDIR directory as defined by the configure
              options.

FILES
       /usr/libexec/ipsec utilities directory

ENVIRONMENT
       When calling other commands the ipsec command supplies the following
       environment variables.

       IPSEC_DIR          directory containing ipsec programs and utilities
       IPSEC_BINDIR       directory containing pki command
       IPSEC_SBINDIR      directory containing ipsec command
       IPSEC_CONFDIR      directory containing configuration files
       IPSEC_PIDDIR       directory containing PID/socket files
       IPSEC_SCRIPT       name of the ipsec script
       IPSEC_NAME         name of ipsec distribution
       IPSEC_VERSION      version number of ipsec userland and kernel
       IPSEC_STARTER_PID  PID file for ipsec starter
       IPSEC_CHARON_PID   PID file for IKE keying daemon
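
       Because ipsec passes these variables to any other command it invokes, a
       site-specific helper can be run through ipsec and locate the
       configuration via IPSEC_CONFDIR instead of a hard-coded path. The script
       below is an added example and not part of the strongSwan man page or
       distribution. It uses that variable to find ipsec.secrets, refuses to
       report on the file while it is readable by group or others (it holds
       pre-shared keys and private key passphrases, which is why the daemon
       is the only process that should read it), and otherwise prints a count
       per secret type without printing any secret, so the output is safe to
       attach to a change ticket before running rereadsecrets. The /etc
       fallback for IPSEC_CONFDIR, the helper that writes a sample file with
       placeholder values, and the assumption that the colon in ipsec.secrets
       lines is surrounded by whitespace are all additions made so the script
       runs stand-alone.

```sh
#!/bin/sh
# Added example, not part of the strongSwan man page or distribution.
# Meant to be installed in the utilities directory and run through the ipsec
# wrapper, so IPSEC_CONFDIR is supplied by ipsec; the /etc fallback is an
# assumption about the build's SYSCONFDIR for stand-alone use.

confdir=${IPSEC_CONFDIR:-/etc}

# secrets_perms_ok FILE
#   0 when FILE exists and its mode grants nothing to group or others
#   (0600, 0400, ...); 1 when it is too permissive; 2 when it is missing.
secrets_perms_ok() {
    f=$1
    [ -f "$f" ] || return 2
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
    case $mode in
        0 | *00) return 0 ;;      # group and other digits are both zero
        *)       return 1 ;;
    esac
}

# secrets_summary FILE
#   Prints "TYPE count" lines (PSK, RSA, ECDSA, EAP, XAUTH, ...) and nothing
#   else, so the output can go into a ticket or log without leaking a secret.
#   Assumes the ipsec.secrets(5) layout "selectors : TYPE value" with the
#   colon separated by whitespace, as in that page's examples.
secrets_summary() {
    awk '/^[^#]/ { for (i = 1; i <= NF; i++) if ($i == ":") { print $(i + 1); break } }' "$1" |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# check_secrets [FILE]
#   0 and a summary when FILE is safe to hand to "ipsec rereadsecrets",
#   1 (too permissive) or 2 (missing) with a message on stderr otherwise.
check_secrets() {
    f=${1:-$confdir/ipsec.secrets}
    if secrets_perms_ok "$f"; then
        secrets_summary "$f"
    elif [ -f "$f" ]; then
        echo "$f: readable by group or others; run: chmod 600 $f" >&2
        return 1
    else
        echo "$f: no such file" >&2
        return 2
    fi
}

# make_sample_secrets
#   Writes a constructed ipsec.secrets with placeholder values (no real keys)
#   into a temporary directory and prints its path, for trying the check out.
make_sample_secrets() {
    dir=$(mktemp -d)
    cat > "$dir/ipsec.secrets" <<'EOF'
# constructed sample, placeholder values only
: RSA moonKey.pem
: ECDSA sunKey.pem
192.0.2.1 198.51.100.7 : PSK "placeholder-psk-1"
@carol : PSK "placeholder-psk-2"
dave : EAP "placeholder-password"
EOF
    chmod 600 "$dir/ipsec.secrets"
    printf '%s\n' "$dir/ipsec.secrets"
}
```

       On the sample file check_secrets prints "EAP 1", "ECDSA 1", "PSK 2"
       and "RSA 1"; after a chmod 644 on the same file it prints nothing on
       stdout and exits with status 1, which is the point at which an
       operator should fix the mode before issuing ipsec rereadsecrets.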

SEE ALSO
       ipsec.conf(5), ipsec.secrets(5)

HISTORY
       Originally written for the FreeS/WAN project by Henry Spencer. Updated
       and extended for the strongSwan project <http://www.strongswan.org> by
       Tobias Brunner and Andreas Steffen.



5.9.2dr1                           2013-10-29                           IPSEC(8)