CHARON-CMD(8) strongSwan CHARON-CMD(8)NAMEcharon-cmd - Simple IKE client (IPsec VPN client)
SYNOPSIScharon-cmd--host hostname --identity identity [ options ]
DESCRIPTIONcharon-cmd is a program for setting up IPsec VPN connections using the
Internet Key Exchange protocol (IKE) in version 1 and 2. It supports a
number of different road-warrior scenarios.
Like the IKE daemon charon, charon-cmd has to be run as root (or more
specifically as a user with CAP_NET_ADMIN capability).
Of the following options at least --host and --identity are required.
Depending on the selected authentication profile credentials also have
to be provided with their respective options.
Many of the charon-specific configuration options in strongswan.conf
also apply to charon-cmd. For instance, to configure customized log‐
ging to stdout the following snippet can be used:
charon-cmd {
filelog {
stdout {
default = 1
ike = 2
cfg = 2
}
}
}
OPTIONS--help Prints usage information and a short summary of the available
options.
--version
Prints the strongSwan version.
--debug level
Sets the default log level (defaults to 1). level is a number
between -1 and 4. Refer to strongswan.conf for options that
allow a more fine-grained configuration of the logging output.
--host hostname
DNS name or IP address to connect to.
--identity identity
Identity the client uses for the IKE exchange.
--eap-identity identity
Identity the client uses for EAP authentication.
--xauth-username username
Username the client uses for XAuth authentication.
--remote-identity identity
Server identity to expect, defaults to hostname.
--cert path
Trusted certificate, either for authentication or trust chain
validation. To provide more than one certificate multiple
--cert options can be used.
--rsa path
RSA private key to use for authentication (if a password is
required, it will be requested on demand).
--p12 path
PKCS#12 file with private key and certificates to use for
authentication and trust chain validation (if a password is
required it will be requested on demand).
--agent[=socket]
Use SSH agent for authentication. If socket is not specified it
is read from the SSH_AUTH_SOCK environment variable.
--local-ts subnet
Additional traffic selector to propose for our side, the
requested virtual IP address will always be proposed.
--remote-ts subnet
Traffic selector to propose for remote side, defaults to
0.0.0.0/0.
--ike-proposal proposal
IKE proposal to offer instead of default. For IKEv1, a single
proposal consists of one encryption algorithm, an integrity/PRF
algorithm and a DH group. IKEv2 can propose multiple algorithms
of the same kind. To specify multiple proposals, repeat the
option.
--esp-proposal proposal
ESP proposal to offer instead of default. For IKEv1, a single
proposal consists of one encryption algorithm, an integrity
algorithm and an optional DH group for Perfect Forward Secrecy
rekeying. IKEv2 can propose multiple algorithms of the same
kind. To specify multiple proposals, repeat the option.
--ah-proposal proposal
AH proposal to offer instead of ESP. For IKEv1, a single pro‐
posal consists of an integrity algorithm and an optional DH
group for Perfect Forward Secrecy rekeying. IKEv2 can propose
multiple algorithms of the same kind. To specify multiple pro‐
posals, repeat the option.
--profile name
Authentication profile to use, the list of supported profiles
can be found in the Authentication Profiles sections below.
Defaults to ikev2-pub if a private key was supplied, and to
ikev2-eap otherwise.
IKEv2 Authentication Profiles
ikev2-pub
IKEv2 with public key client and server authentication
ikev2-eap
IKEv2 with EAP client authentication and public key server
authentication
ikev2-pub-eap
IKEv2 with public key and EAP client authentication (RFC 4739)
and public key server authentication
IKEv1 Authentication Profiles
The following authentication profiles use either Main Mode or Aggres‐
sive Mode, the latter is denoted with a -am suffix.
ikev1-pub, ikev1-pub-am
IKEv1 with public key client and server authentication
ikev1-xauth, ikev1-xauth-am
IKEv1 with public key client and server authentication, followed
by client XAuth authentication
ikev1-xauth-psk, ikev1-xauth-psk-am
IKEv1 with pre-shared key (PSK) client and server authentica‐
tion, followed by client XAuth authentication (INSECURE!)
ikev1-hybrid, ikev1-hybrid-am
IKEv1 with public key server authentication only, followed by
client XAuth authentication
SEE ALSOstrongswan.conf(5), ipsec(8)5.3.5 2013-06-21 CHARON-CMD(8)