STRONGSWAN(8)                      strongSwan                     STRONGSWAN(8)

NAME
       strongswan - invoke IPsec utilities

SYNOPSIS
       strongswan command [arguments] [options]

DESCRIPTION
       The strongswan utility invokes any of several utilities involved in
       controlling and monitoring the IPsec encryption/authentication system,
       running the specified command with the specified arguments and options
       as if it had been invoked directly. This largely eliminates possible
       name collisions with other software, and also permits some centralized
       services.

       All the commands described in this manual page are built-in and are
       used to control and monitor IPsec connections as well as the IKE
       daemon.

       For other commands strongswan supplies the invoked command with a
       suitable PATH environment variable, and also provides the environment
       variables listed under ENVIRONMENT.

CONTROL COMMANDS
       start [starter options]
              calls starter which in turn parses ipsec.conf and starts the IKE
              daemon charon.

       update sends a HUP signal to starter which in turn determines any
              changes in ipsec.conf and updates the configuration on the
              running IKE daemon charon.

       reload sends a USR1 signal to starter which in turn reloads the whole
              configuration of the running IKE daemon charon based on the
              current ipsec.conf.

       restart
              is equivalent to stop followed by start after a guard of 2
              seconds.

       stop   terminates all IPsec connections and stops the IKE daemon charon
              by sending a TERM signal to starter.

       up name
              tells the IKE daemon to start up connection name.

       down name
              tells the IKE daemon to terminate connection name.

       down name{n}
              terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance n of
              connection name.

       down name{*}
              terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of
              connection name.

       down name[n]
              terminates IKE SA instance n of connection name.

       down name[*]
              terminates all IKE SA instances of connection name.

       down-srcip <start> [<end>]
              terminates all IKE SA instances with clients having virtual IPs
              in the range start-end.

       route name
              tells the IKE daemon to insert an IPsec policy in the kernel for
              connection name. The first payload packet matching the IPsec
              policy will automatically trigger an IKE connection setup.

       unroute name
              removes the IPsec policy in the kernel for connection name.

       status [name]
              returns concise status information either on connection name or,
              if the argument is lacking, on all connections.

       statusall [name]
              returns detailed status information either on connection name or,
              if the argument is lacking, on all connections.

LIST COMMANDS
       leases [<poolname> [<address>]]
              returns the status of all or the selected IP address pool (or
              even a single virtual IP address).

       listalgs
              returns a list of supported cryptographic algorithms usable for
              IKE, and their corresponding plugin.

       listpubkeys [--utc]
              returns a list of RSA public keys that were either loaded in raw
              key format or extracted from X.509 and/or OpenPGP certificates.

       listcerts [--utc]
              returns a list of X.509 and/or OpenPGP certificates that were
              either loaded locally by the IKE daemon or received via the IKE
              protocol.

       listcacerts [--utc]
              returns a list of X.509 Certification Authority (CA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/strongswan/ipsec.d/cacerts/ directory or received via the
              IKE protocol.

       listaacerts [--utc]
              returns a list of X.509 Authorization Authority (AA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/strongswan/ipsec.d/aacerts/ directory.

       listocspcerts [--utc]
              returns a list of X.509 OCSP Signer certificates that were
              either loaded locally by the IKE daemon from the
              /etc/strongswan/ipsec.d/ocspcerts/ directory or were sent by an
              OCSP server.

       listacerts [--utc]
              returns a list of X.509 Attribute certificates that were loaded
              locally by the IKE daemon from the
              /etc/strongswan/ipsec.d/acerts/ directory.

       listgroups [--utc]
              returns a list of groups that are used to define user
              authorization profiles.

       listcainfos [--utc]
              returns certification authority information (CRL distribution
              points, OCSP URIs, LDAP servers) that were defined by ca
              sections in ipsec.conf.

       listcrls [--utc]
              returns a list of Certificate Revocation Lists (CRLs) that were
              either loaded by the IKE daemon from the
              /etc/strongswan/ipsec.d/crls directory or fetched from an HTTP-
              or LDAP-based CRL distribution point.

       listocsp [--utc]
              returns revocation information fetched from OCSP servers.

       listplugins
              returns a list of all loaded plugin features.

       listcounters [name]
              returns a list of global or connection-specific IKE counter
              values collected since daemon startup.

       listall [--utc]
              returns all information generated by the list commands above.

       Each list command can be called with the --utc option, which displays
       all dates in UTC instead of local time.

REREAD COMMANDS
       rereadsecrets
              flushes and rereads all secrets defined in ipsec.secrets.

       rereadcacerts
              removes previously loaded CA certificates, reads all certificate
              files contained in the /etc/strongswan/ipsec.d/cacerts directory
              and adds them to the list of Certification Authority (CA)
              certificates. This does not affect certificates explicitly
              defined in an ipsec.conf(5) ca section, which may be separately
              updated using the update command.

       rereadaacerts
              removes previously loaded AA certificates, reads all certificate
              files contained in the /etc/strongswan/ipsec.d/aacerts directory
              and adds them to the list of Authorization Authority (AA)
              certificates.

       rereadocspcerts
              reads all certificate files contained in the
              /etc/strongswan/ipsec.d/ocspcerts/ directory and adds them to
              the list of OCSP signer certificates.

       rereadacerts
              reads all certificate files contained in the
              /etc/strongswan/ipsec.d/acerts/ directory and adds them to the
              list of attribute certificates.

       rereadcrls
              reads all Certificate Revocation Lists (CRLs) contained in the
              /etc/strongswan/ipsec.d/crls/ directory and adds them to the
              list of CRLs.

       rereadall
              executes all reread commands listed above.

RESET COMMANDS
       resetcounters [name]
              resets global or connection-specific counters.

PURGE COMMANDS
       purgecerts
              purges all cached certificates.

       purgecrls
              purges all cached CRLs.

       purgeike
              purges IKE SAs that don't have a Quick Mode or CHILD SA.

       purgeocsp
              purges all cached OCSP information records.

INFO COMMANDS
       --help returns the usage information for the strongswan command.

       --version
              returns the version in the form of Linux strongSwan U<strongSwan
              userland version>/K<Linux kernel version> if strongSwan uses the
              native NETKEY IPsec stack of the Linux kernel it is running on.

       --versioncode
              returns the version number in the form of U<strongSwan userland
              version>/K<Linux kernel version> if strongSwan uses the native
              NETKEY IPsec stack of the Linux kernel it is running on.

       --copyright
              returns the copyright information.

       --directory
              returns the LIBEXECDIR directory as defined by the configure
              options.

       --confdir
              returns the SYSCONFDIR directory as defined by the configure
              options.

       --piddir
              returns the PIDDIR directory as defined by the configure
              options.

FILES
       /usr/libexec/strongswan      utilities directory

ENVIRONMENT
       When calling other commands the strongswan command supplies the
       following environment variables.

       IPSEC_DIR           directory containing ipsec programs and utilities
       IPSEC_BINDIR        directory containing pki command
       IPSEC_SBINDIR       directory containing ipsec command
       IPSEC_CONFDIR       directory containing configuration files
       IPSEC_PIDDIR        directory containing PID/socket files
       IPSEC_SCRIPT        name of the ipsec script
       IPSEC_NAME          name of ipsec distribution
       IPSEC_VERSION       version number of ipsec userland and kernel
       IPSEC_STARTER_PID   PID file for ipsec starter
       IPSEC_CHARON_PID    PID file for IKE keying daemon

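       The following check script is an added example and is not part of the
       strongswan man page or project. It is written to be placed in the
       utilities directory listed under FILES and invoked as
       `strongswan ipsec-check run`, so that the wrapper exports IPSEC_CONFDIR
       and IPSEC_CHARON_PID as described above; the file name ipsec-check and
       the fallback defaults used when run outside the wrapper are assumptions.
       It verifies that ipsec.secrets (the file read by rereadsecrets) grants
       no permission bits to group or other, and that the charon PID file
       names a live process.

```sh
#!/bin/sh
# Added example, not from the strongswan project. Run as
# `strongswan ipsec-check run` so the wrapper exports IPSEC_CONFDIR and
# IPSEC_CHARON_PID; the defaults below are assumptions for stand-alone use.
: "${IPSEC_CONFDIR:=/etc/strongswan}"
: "${IPSEC_CHARON_PID:=/var/run/charon.pid}"

# secrets_mode_ok FILE: succeed only if FILE exists and grants no permission
# bits to group or other (ipsec.secrets holds the IKE secrets).
secrets_mode_ok() {
    f=$1
    [ -f "$f" ] || return 2
    # columns 5-10 of the POSIX `ls -l` mode field are the group/other bits
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ]
}

# daemon_running PIDFILE: succeed only if PIDFILE names a live process.
daemon_running() {
    pf=$1
    [ -r "$pf" ] || return 1
    pid=$(head -n1 "$pf" | tr -dc '0-9')
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# run_checks: report both checks; return 1 if any check failed.
run_checks() {
    rc=0
    if secrets_mode_ok "$IPSEC_CONFDIR/ipsec.secrets"; then
        echo "ok: $IPSEC_CONFDIR/ipsec.secrets is private to its owner"
    else
        echo "WARN: $IPSEC_CONFDIR/ipsec.secrets missing or readable by group/other"
        rc=1
    fi
    if daemon_running "$IPSEC_CHARON_PID"; then
        echo "ok: charon is running (pid file $IPSEC_CHARON_PID)"
    else
        echo "WARN: charon not running (pid file $IPSEC_CHARON_PID); see 'strongswan start'"
        rc=1
    fi
    return $rc
}

# Only run the checks when invoked with "run", so the file can also be
# sourced for its functions.
if [ "${1:-}" = "run" ]; then
    run_checks
    exit $?
fi
```
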
SEE ALSO
       ipsec.conf(5), ipsec.secrets(5)

HISTORY
       Originally written for the FreeS/WAN project by Henry Spencer. Updated
       and extended for the strongSwan project <http://www.strongswan.org> by
       Tobias Brunner and Andreas Steffen.

5.9.11                            2013-10-29                      STRONGSWAN(8)