1CHARON-CMD(8)                     strongSwan                     CHARON-CMD(8)
2
3
4

NAME

6       charon-cmd - Simple IKE client (IPsec VPN client)
7

SYNOPSIS

9       charon-cmd --host hostname --identity identity [ options ]
10

DESCRIPTION

12       charon-cmd  is a program for setting up IPsec VPN connections using the
13       Internet Key Exchange protocol (IKE) in version 1 and 2.  It supports a
14       number of different road-warrior scenarios.
15
16       Like  the  IKE daemon charon, charon-cmd has to be run as root (or more
17       specifically as a user with CAP_NET_ADMIN capability).
18
19       Of the following options at least --host and --identity  are  required.
20       Depending  on the selected authentication profile credentials also have
21       to be provided with their respective options.
22
23       Many of the charon-specific configuration  options  in  strongswan.conf
24       also  apply  to charon-cmd.  For instance, to configure customized log‐
25       ging to stdout the following snippet can be used:
26
27            charon-cmd {
28                 filelog {
29                      stdout {
30                           default = 1
31                           ike = 2
32                           cfg = 2
33                      }
34                 }
35            }
36

OPTIONS

38       --help Prints usage information and a short summary  of  the  available
39              options.
40
41       --version
42              Prints the strongSwan version.
43
44       --debug level
45              Sets  the  default log level (defaults to 1).  level is a number
46              between -1 and 4.  Refer to strongswan.conf for options that al‐
47              low a more fine-grained configuration of the logging output.
48
49       --host hostname
50              DNS name or IP address to connect to.
51
52       --identity identity
53              Identity the client uses for the IKE exchange.
54
55       --eap-identity identity
56              Identity the client uses for EAP authentication.
57
58       --xauth-username username
59              Username the client uses for XAuth authentication.
60
61       --remote-identity identity
62              Server identity to expect, defaults to hostname.
63
64       --cert path
65              Trusted  certificate,  either  for authentication or trust chain
66              validation.  To  provide  more  than  one  certificate  multiple
67              --cert options can be used.
68
69       --rsa path
70              RSA  private key to use for authentication (if a password is re‐
71              quired, it will be requested on demand).
72
73       --p12 path
74              PKCS#12 file with private key and certificates to  use  for  au‐
75              thentication  and  trust  chain validation (if a password is re‐
76              quired it will be requested on demand).
77
78       --agent[=socket]
79              Use SSH agent for authentication. If socket is not specified  it
80              is read from the SSH_AUTH_SOCK environment variable.
81
82       --local-ts subnet
83              Additional  traffic  selector  to  propose for our side, the re‐
84              quested virtual IP address will always be proposed.
85
86       --remote-ts subnet
87              Traffic  selector  to  propose  for  remote  side,  defaults  to
88              0.0.0.0/0.
89
90       --ike-proposal proposal
91              IKE  proposal  to  offer instead of default. For IKEv1, a single
92              proposal consists of one encryption algorithm, an  integrity/PRF
93              algorithm  and a DH group. IKEv2 can propose multiple algorithms
94              of the same kind. To specify multiple proposals, repeat the  op‐
95              tion.
96
97       --esp-proposal proposal
98              ESP  proposal  to  offer instead of default. For IKEv1, a single
99              proposal consists of one encryption algorithm, an integrity  al‐
100              gorithm  and  an  optional  DH group for Perfect Forward Secrecy
101              rekeying. IKEv2 can propose  multiple  algorithms  of  the  same
102              kind. To specify multiple proposals, repeat the option.
103
104       --ah-proposal proposal
105              AH  proposal  to  offer instead of ESP. For IKEv1, a single pro‐
106              posal consists of an integrity  algorithm  and  an  optional  DH
107              group  for  Perfect  Forward Secrecy rekeying. IKEv2 can propose
108              multiple algorithms of the same kind. To specify  multiple  pro‐
109              posals, repeat the option.
110
111       --profile name
112              Authentication  profile  to  use, the list of supported profiles
113              can be found in the Authentication Profiles sections below.  De‐
114              faults  to  ikev2-pub  if  a  private  key  was supplied, and to
115              ikev2-eap otherwise.
116
117   IKEv2 Authentication Profiles
118       ikev2-pub
119              IKEv2 with public key client and server authentication
120
121       ikev2-eap
122              IKEv2 with EAP client authentication and public key  server  au‐
123              thentication
124
125       ikev2-pub-eap
126              IKEv2  with  public key and EAP client authentication (RFC 4739)
127              and public key server authentication
128
129   IKEv1 Authentication Profiles
130       The following authentication profiles use either Main Mode  or  Aggres‐
131       sive Mode, the latter is denoted with a -am suffix.
132
133       ikev1-pub, ikev1-pub-am
134              IKEv1 with public key client and server authentication
135
136       ikev1-xauth, ikev1-xauth-am
137              IKEv1 with public key client and server authentication, followed
138              by client XAuth authentication
139
140       ikev1-xauth-psk, ikev1-xauth-psk-am
141              IKEv1 with pre-shared key (PSK) client  and  server  authentica‐
142              tion, followed by client XAuth authentication (INSECURE!)
143
144       ikev1-hybrid, ikev1-hybrid-am
145              IKEv1  with  public  key server authentication only, followed by
146              client XAuth authentication
147

SEE ALSO

149       strongswan.conf(5), ipsec(8)
150
151
152
1535.9.6                             2013-06-21                     CHARON-CMD(8)
Impressum