1CHARON-CMD(8) strongSwan CHARON-CMD(8)
2
3
4
6 charon-cmd - Simple IKE client (IPsec VPN client)
7
9 charon-cmd --host hostname --identity identity [ options ]
10
12 charon-cmd is a program for setting up IPsec VPN connections using the
13 Internet Key Exchange protocol (IKE) in version 1 and 2. It supports a
14 number of different road-warrior scenarios.
15
16 Like the IKE daemon charon, charon-cmd has to be run as root (or more
17 specifically as a user with CAP_NET_ADMIN capability).
18
19 Of the following options at least --host and --identity are required.
20 Depending on the selected authentication profile credentials also have
21 to be provided with their respective options.
22
23 Many of the charon-specific configuration options in strongswan.conf
24 also apply to charon-cmd. For instance, to configure customized log‐
25 ging to stdout the following snippet can be used:
26
27 charon-cmd {
28 filelog {
29 stdout {
30 default = 1
31 ike = 2
32 cfg = 2
33 }
34 }
35 }
36
38 --help Prints usage information and a short summary of the available
39 options.
40
41 --version
42 Prints the strongSwan version.
43
44 --debug level
45 Sets the default log level (defaults to 1). level is a number
46 between -1 and 4. Refer to strongswan.conf for options that al‐
47 low a more fine-grained configuration of the logging output.
48
49 --host hostname
50 DNS name or IP address to connect to.
51
52 --identity identity
53 Identity the client uses for the IKE exchange.
54
55 --eap-identity identity
56 Identity the client uses for EAP authentication.
57
58 --xauth-username username
59 Username the client uses for XAuth authentication.
60
61 --remote-identity identity
62 Server identity to expect, defaults to hostname.
63
64 --cert path
65 Trusted certificate, either for authentication or trust chain
66 validation. To provide more than one certificate multiple
67 --cert options can be used.
68
69 --rsa path
70 RSA private key to use for authentication (if a password is re‐
71 quired, it will be requested on demand).
72
73 --p12 path
74 PKCS#12 file with private key and certificates to use for au‐
75 thentication and trust chain validation (if a password is re‐
76 quired it will be requested on demand).
77
78 --agent[=socket]
79 Use SSH agent for authentication. If socket is not specified it
80 is read from the SSH_AUTH_SOCK environment variable.
81
82 --local-ts subnet
83 Additional traffic selector to propose for our side, the re‐
84 quested virtual IP address will always be proposed.
85
86 --remote-ts subnet
87 Traffic selector to propose for remote side, defaults to
88 0.0.0.0/0.
89
90 --ike-proposal proposal
91 IKE proposal to offer instead of default. For IKEv1, a single
92 proposal consists of one encryption algorithm, an integrity/PRF
93 algorithm and a DH group. IKEv2 can propose multiple algorithms
94 of the same kind. To specify multiple proposals, repeat the op‐
95 tion.
96
97 --esp-proposal proposal
98 ESP proposal to offer instead of default. For IKEv1, a single
99 proposal consists of one encryption algorithm, an integrity al‐
100 gorithm and an optional DH group for Perfect Forward Secrecy
101 rekeying. IKEv2 can propose multiple algorithms of the same
102 kind. To specify multiple proposals, repeat the option.
103
104 --ah-proposal proposal
105 AH proposal to offer instead of ESP. For IKEv1, a single pro‐
106 posal consists of an integrity algorithm and an optional DH
107 group for Perfect Forward Secrecy rekeying. IKEv2 can propose
108 multiple algorithms of the same kind. To specify multiple pro‐
109 posals, repeat the option.
110
111 --profile name
112 Authentication profile to use, the list of supported profiles
113 can be found in the Authentication Profiles sections below. De‐
114 faults to ikev2-pub if a private key was supplied, and to
115 ikev2-eap otherwise.
116
117 IKEv2 Authentication Profiles
118 ikev2-pub
119 IKEv2 with public key client and server authentication
120
121 ikev2-eap
122 IKEv2 with EAP client authentication and public key server au‐
123 thentication
124
125 ikev2-pub-eap
126 IKEv2 with public key and EAP client authentication (RFC 4739)
127 and public key server authentication
128
129 IKEv1 Authentication Profiles
130 The following authentication profiles use either Main Mode or Aggres‐
131 sive Mode, the latter is denoted with a -am suffix.
132
133 ikev1-pub, ikev1-pub-am
134 IKEv1 with public key client and server authentication
135
136 ikev1-xauth, ikev1-xauth-am
137 IKEv1 with public key client and server authentication, followed
138 by client XAuth authentication
139
140 ikev1-xauth-psk, ikev1-xauth-psk-am
141 IKEv1 with pre-shared key (PSK) client and server authentica‐
142 tion, followed by client XAuth authentication (INSECURE!)
143
144 ikev1-hybrid, ikev1-hybrid-am
145 IKEv1 with public key server authentication only, followed by
146 client XAuth authentication
147
149 strongswan.conf(5), ipsec(8)
150
151
152
1535.9.6 2013-06-21 CHARON-CMD(8)