ipsec

ipsec is an umbrella command comprising a collection of individual subcommands that can be used to control and monitor IPsec connections as well as the IKE daemon.

Important: The ipsec command controls the legacy starter daemon and the stroke plugin. A more modern and flexible interface is provided by the vici plugin and the swanctl command since 5.2.0.

Synopsis

ipsec <command> [ <argument> ]  [ <options> ]

Note: Some distributions (e.g. Fedora and its derivatives) rename the ipsec command to strongswan.

Control Commands

ipsec start [ <starter options> ]

calls ipsec starter [ <starter options> ] which in turn parses ipsec.conf and starts the IKE daemon charon.

ipsec stop

terminates all IPsec connections and stops the IKE daemon charon by sending a TERM signal to ipsec starter.

ipsec restart [ <starter options> ]

is equivalent to ipsec stop followed by ipsec start [ <starter options> ] after a guard period of 2 seconds.

ipsec update

sends a HUP signal to ipsec starter which in turn determines any changes in ipsec.conf and updates the configuration on the running IKE daemon charon. This generally does not affect established connections, except those for which the configuration has changed (see #129). Such connections should be restarted manually.

ipsec reload

sends a USR1 signal to ipsec starter which in turn reloads the whole configuration on the running IKE daemon charon based on the actual ipsec.conf. All currently established connections could be affected by this (see #129), so using ipsec update is generally preferred.

ipsec up <name>

tells the IKE daemon to start up connection <name>. Implemented by calling the ipsec stroke up <name> command.

ipsec down <name>

tells the IKE daemon to terminate connection <name>. Implemented by calling the ipsec stroke down <name> command.

ipsec down <name>{n}

terminates CHILD_SA instance n of connection <name>. Since {n} uniquely identifies a CHILD_SA, the name is optional.

ipsec down <name>{*}

terminates all CHILD_SA instances of connection <name>.

ipsec down <name>[n]

terminates IKE_SA instance n of connection <name> plus its dependent CHILD_SAs. Since [n] uniquely identifies an IKE_SA, the name is optional.

ipsec down <name>[*]

terminates all IKE_SA instances of connection <name>.

ipsec route <name>

tells the IKE daemon to insert IPsec policies in the kernel for connection <name>. The first payload packet matching the IPsec policies will automatically trigger an IKE connection setup. Implemented by calling the ipsec stroke route <name> command.

ipsec unroute <name>

removes the IPsec policies in the kernel for connection <name>. Implemented by calling the ipsec stroke unroute <name> command.

ipsec status [ <name> ]

returns concise status information either on connection <name> or if the argument is lacking, on all connections. Implemented by calling the ipsec stroke status [ <name> ] command.

ipsec statusall [ <name> ]

returns detailed status information either on connection <name> or if the argument is lacking, on all connections. Implemented by calling the ipsec stroke statusall [ <name> ] command.
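The control commands above are most useful together: ipsec statusall shows which IKE_SA and CHILD_SA instance numbers currently exist, and ipsec down with a {n} or [n] selector terminates exactly one of them. The POSIX shell script below is an added example, not code from the strongSwan project: it extracts those instance numbers from status text and prints the matching ipsec down invocations as a dry run. The status text embedded in it is constructed to resemble charon's Security Associations listing (real output may differ between releases), and the function names ike_sa_ids, child_sa_ids and down_commands are the example's own.

```shell
#!/bin/sh
# Added example, not part of strongSwan: derive "ipsec down" commands from
# "ipsec statusall"-style output. SAMPLE_STATUS is constructed for the demo.

SAMPLE_STATUS='Security Associations (2 up, 0 connecting):
        home[1]: ESTABLISHED 47 seconds ago, 192.0.2.10[carol@example.org]...192.0.2.1[moon.example.org]
        home[1]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r, rekeying in 2 hours
        home{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
        home{1}:   10.1.0.0/16 === 10.2.0.0/16
        home{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0000003_i c0000004_o
        home{2}:   10.1.0.0/16 === 10.3.0.0/16
        rw[2]: ESTABLISHED 3 minutes ago, 192.0.2.1[moon.example.org]...198.51.100.7[dave@example.org]
        rw{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c0000005_i c0000006_o
        rw{3}:   10.1.0.0/16 === 10.4.0.0/16'

# ike_sa_ids <conn>: read status text on stdin and print the IKE_SA instance
# numbers (the n in "<conn>[n]") of connection <conn>, one per line.
# Only ESTABLISHED IKE_SAs are reported; SAs still connecting are skipped.
ike_sa_ids() {
    sed -n "s/^[[:space:]]*$1\[\([0-9][0-9]*\)]: ESTABLISHED.*/\1/p"
}

# child_sa_ids <conn>: same for CHILD_SA instance numbers (the n in "<conn>{n}").
# Matching only the INSTALLED line reports each CHILD_SA once, not per traffic selector.
child_sa_ids() {
    sed -n "s/^[[:space:]]*$1{\([0-9][0-9]*\)}:[[:space:]]*INSTALLED.*/\1/p"
}

# down_commands <conn> child|ike: print the "ipsec down" lines for <conn>.
#   child  terminates each CHILD_SA individually (the IKE_SA stays up)
#   ike    terminates each IKE_SA together with its dependent CHILD_SAs
# The selector is single-quoted so an interactive shell never treats
# {n} or [n] as a brace or glob pattern.
down_commands() {
    conn=$1
    case $2 in
        child) child_sa_ids "$conn" | sed "s/.*/ipsec down '$conn{&}'/" ;;
        ike)   ike_sa_ids "$conn"   | sed "s/.*/ipsec down '$conn[&]'/" ;;
        *)     echo "usage: down_commands <conn> child|ike" >&2; return 2 ;;
    esac
}

# Dry run against the constructed sample. Against a live daemon, feed the real
# status and pipe the result into sh:  ipsec statusall | down_commands home child | sh
printf '%s\n' "$SAMPLE_STATUS" | down_commands home child
printf '%s\n' "$SAMPLE_STATUS" | down_commands home ike
```

The dry run prints ipsec down 'home{1}', ipsec down 'home{2}' and ipsec down 'home[1]'; review that list before piping it into sh, since terminating an IKE_SA also tears down every CHILD_SA under it.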

Info Commands

ipsec version

returns the ipsec version in the form of Linux strongSwan U<strongSwan userland version>/K<Linux kernel version> if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

ipsec copyright

returns the copyright information.

ipsec --confdir

returns the SYSCONFDIR directory as defined by the configure options.

ipsec --directory

returns the LIBEXECDIR directory as defined by the configure options.

ipsec --help

returns the usage information for the ipsec command.

ipsec --versioncode

returns the ipsec version number in the form of U<strongSwan userland version>/K<Linux kernel version> if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
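A practical use of these version strings is checking an installed strongSwan against a minimum release, for instance the 5.2.0 cut-off for vici and swanctl noted at the top of this page. The shell functions below are an added example, not part of strongSwan: they take the version string as a parameter instead of invoking the ipsec binary, and the sample strings are constructed in the documented Linux strongSwan U<userland>/K<kernel> form. The names parse_version, version_ge and check_userland are the example's own.

```shell
#!/bin/sh
# Added example, not part of strongSwan: parse "ipsec version" / "ipsec --versioncode"
# output and compare the userland release against a minimum.

# parse_version <string> <U|K>: print the userland (U) or kernel (K) version
# found in a "... U5.9.8/K6.1.0 ..." string; fail if it is absent.
# Kernel suffixes such as "-91-generic" are cut off at the first non-digit.
parse_version() {
    case $2 in
        U) expr "$1" : '.*U\([0-9][0-9.]*\)/K' ;;
        K) expr "$1" : '.*/K\([0-9][0-9.]*\)' ;;
        *) echo "usage: parse_version <string> U|K" >&2; return 2 ;;
    esac
}

# version_ge <a> <b>: succeed when dotted version a is >= b, comparing
# component by component numerically (so 5.10.0 > 5.9.8 and 5.2 < 5.2.1).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# check_userland <string> <min>: succeed when the userland version in <string>
# is at least <min>; return 2 when no version can be parsed at all.
check_userland() {
    u=$(parse_version "$1" U) || return 2
    version_ge "$u" "$2"
}

# Usage on a constructed string; on a real host replace it with "$(ipsec version)".
if check_userland 'Linux strongSwan U5.9.8/K6.1.0' 5.2.0; then
    echo "userland is recent enough for vici/swanctl"
else
    echo "userland too old or unparsable" >&2
fi
```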

List Commands

ipsec leases [ <poolname> [ <address> ] ]

returns the status of all or the selected IP address pools (or even a single virtual IP address).

ipsec listaacerts [ --utc ]

returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the IKE daemon from the /etc/ipsec.d/aacerts directory. Implemented by calling the ipsec stroke listaacerts command.

ipsec listacerts [ --utc ]

returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the /etc/ipsec.d/acerts directory. Implemented by calling the ipsec stroke listacerts command.

ipsec listalgs

returns a list of all supported IKE encryption and hash algorithms, and the available Diffie-Hellman groups. Implemented by calling the ipsec stroke listalgs command.

ipsec listcacerts [ --utc ]

returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the IKE daemon from the /etc/ipsec.d/cacerts directory or received via the IKE protocol. Implemented by calling the ipsec stroke listcacerts command.

ipsec listcainfos [ --utc ]

returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by ca sections in ipsec.conf. Implemented by calling the ipsec stroke listcainfos command.

ipsec listcerts [ --utc ]

returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE daemon or received via the IKE protocol. Implemented by calling the ipsec stroke listcerts command.

ipsec listcounters [ <name> ]

returns a list of global or connection specific counter values about received and sent IKE messages and rekeyings. Connection specific counters are available since 5.0.3. Implemented by calling the ipsec stroke listcounters command.

ipsec listcrls [ --utc ]

returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon from the /etc/ipsec.d/crls directory or fetched from an HTTP- or LDAP-based CRL distribution point. Implemented by calling the ipsec stroke listcrls command. Note that the X.509 Authority Key Identifier extension is used to associate a CRL with a particular CA; a CRL without it is listed but not applied.

ipsec listgroups [ --utc ]

returns a list of all groups that are used to define user authorization profiles. Currently not supported.

ipsec listocsp [ --utc ]

returns cached revocation information fetched from OCSP servers. Implemented by calling the ipsec stroke listocsp command.

ipsec listocspcerts [ --utc ]

returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE daemon from the /etc/ipsec.d/ocspcerts directory or were sent by an OCSP server. Implemented by calling the ipsec stroke listocspcerts command.

ipsec listplugins

returns a list of all loaded plugin features. Implemented by calling the ipsec stroke listplugins command.

ipsec listpubkeys [ --utc ]

returns a list of public keys that were loaded in raw key format. Implemented by calling the ipsec stroke listpubkeys command.

ipsec listall [ --utc ]

returns all information generated by the list commands above. Each list command can be called with the --utc option which displays all dates in UTC instead of local time. Implemented by calling the ipsec stroke listall command.

Reread Commands

ipsec rereadaacerts

reads all certificate files contained in the /etc/ipsec.d/aacerts directory and adds them to the list of Authorization Authority (AA) certificates. Implemented by calling the ipsec stroke rereadaacerts command.

ipsec rereadacerts

reads all certificate files contained in the /etc/ipsec.d/acerts directory and adds them to the list of attribute certificates. Implemented by calling the ipsec stroke rereadacerts command.

ipsec rereadcacerts

reads all certificate files contained in the /etc/ipsec.d/cacerts directory and adds them to the list of Certification Authority (CA) certificates. Implemented by calling the ipsec stroke rereadcacerts command.

ipsec rereadcrls

reads all Certificate Revocation Lists (CRLs) contained in the /etc/ipsec.d/crls directory and adds them to the list of CRLs. Older CRLs are replaced by newer ones. Implemented by calling the ipsec stroke rereadcrls command.

ipsec rereadocspcerts

reads all certificate files contained in the /etc/ipsec.d/ocspcerts directory and adds them to the list of OCSP signer certificates. Implemented by calling the ipsec stroke rereadocspcerts command.

ipsec rereadsecrets

flushes and rereads all secrets defined in ipsec.secrets. Implemented by calling the ipsec stroke rereadsecrets command.

ipsec secrets

is equivalent to ipsec rereadsecrets.

ipsec rereadall

executes all reread commands listed above. Implemented by calling the ipsec stroke rereadall command.

Reset Commands

ipsec resetcounters [ <name> ]

resets global or connection specific counters. Since 5.0.3. Implemented by calling the ipsec stroke resetcounters command.

Purge Commands

ipsec purgecerts

purges all cached certificates. Implemented by calling the ipsec stroke purgecerts command.

ipsec purgecrls

purges all cached CRLs. Implemented by calling the ipsec stroke purgecrls command.

ipsec purgeike

purges IKE_SAs that don't have a CHILD_SA. Implemented by calling the ipsec stroke purgeike command.

ipsec purgeocsp

purges all cached OCSP information records. Implemented by calling the ipsec stroke purgeocsp command.

Before 5.0.0

In releases before 5.0.0 IKEv1 connections were handled by the separate pluto keying daemon. The ipsec command then used the ipsec whack command in addition to the ipsec stroke command to communicate with pluto.

List Commands

ipsec listcards [ --utc ]

lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only. Implemented by calling the ipsec whack --listcards command.

PKCS11 Proxy Commands

ipsec scencrypt <value> [ --inbase <base> ] [ --outbase <base> ] [ --keyid <id> ]

Supported by the IKEv1 pluto daemon only. Implemented by calling the ipsec whack --scencrypt command.

ipsec scdecrypt <value> [ --inbase <base> ] [ --outbase <base> ] [ --keyid <id> ]

Supported by the IKEv1 pluto daemon only. Implemented by calling the ipsec whack --scdecrypt command.