IPSEC(8) strongSwan IPSEC(8)NAME
ipsec - invoke IPsec utilities
SYNOPSIS
ipsec command [ arguments ] [ options ]
DESCRIPTION
The ipsec utility invokes any of several utilities involved in control‐
ling and monitoring the IPsec encryption/authentication system, running
the specified command with the specified arguments and options as if it
had been invoked directly. This largely eliminates possible name colli‐
sions with other software, and also permits some centralized services.
All the commands described in this manual page are built-in and are
used to control and monitor IPsec connections as well as the IKE dae‐
mons.
For other commands ipsec supplies the invoked command with a suitable
PATH environment variable, and also provides IPSEC_DIR, IPSEC_CONFS,
and IPSEC_VERSION environment variables, containing respectively the
full pathname of the directory where the IPsec utilities are stored,
the full pathname of the directory where the configuration files live,
and the IPsec version number.
CONTROL COMMANDS
start [ starter options ]
calls starter which in turn parses ipsec.conf and starts the
IKEv1/IKEv2 daemon charon.
update sends a HUP signal to starter which in turn determines any
changes in ipsec.conf and updates the configuration on the run‐
ning IKE daemon charon.
reload sends a USR1 signal to starter which in turn reloads the whole
configuration on the running IKE daemon charon based on the
actual ipsec.conf.
restart
is equivalent to stop followed by start after a guard of 2 sec‐
onds.
stop terminates all IPsec connections and stops the IKE daemon charon
by sending a TERM signal to starter.
up name
tells the IKE daemon to start up connection name.
down name
tells the IKE daemon to terminate connection name.
down name{n}
terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance n of
connection name.
down name{*}
terminates all IKEv1 Quick Mode and IKEv2 CHILD SA instances of
connection name.
down name[n]
terminates IKE SA instance n of connection name.
down name[*]
terminates all IKE SA instances of connection name.
route name
tells the IKE daemon to insert an IPsec policy in the kernel for
connection name. The first payload packet matching the IPsec
policy will automatically trigger an IKE connection setup.
unroute name
remove the IPsec policy in the kernel for connection name.
status [ name ]
returns concise status information either on connection name or
if the argument is lacking, on all connections.
statusall [ name ]
returns detailed status information either on connection name or
if the argument is lacking, on all connections.
LIST COMMANDS
listalgs
returns a list supported cryptographic algorithms usable for
IKE, and their corresponding plugin.
listpubkeys [ --utc ]
returns a list of RSA public keys that were either loaded in raw
key format or extracted from X.509 and|or OpenPGP certificates.
listcerts [ --utc ]
returns a list of X.509 and|or OpenPGP certificates that were
either loaded locally by the IKE daemon or received via the IKE
protocol.
listcacerts [ --utc ]
returns a list of X.509 Certification Authority (CA) certifi‐
cates that were loaded locally by the IKE daemon from the
/etc/ipsec.d/cacerts/ directory or received via the IKE proto‐
col.
listaacerts [ --utc ]
returns a list of X.509 Authorization Authority (AA) certifi‐
cates that were loaded locally by the IKE daemon from the
/etc/ipsec.d/aacerts/ directory.
listocspcerts [ --utc ]
returns a list of X.509 OCSP Signer certificates that were
either loaded locally by the IKE daemon from the
/etc/ipsec.d/ocspcerts/ directory or were sent by an OCSP
server.
listacerts [ --utc ]
returns a list of X.509 Attribute certificates that were loaded
locally by the IKE daemon from the /etc/ipsec.d/acerts/ direc‐
tory.
listgroups [ --utc ]
returns a list of groups that are used to define user authoriza‐
tion profiles.
listcainfos [ --utc ]
returns certification authority information (CRL distribution
points, OCSP URIs, LDAP servers) that were defined by ca sec‐
tions in ipsec.conf.
listcrls [ --utc ]
returns a list of Certificate Revocation Lists (CRLs) that were
either loaded by the IKE daemon from the /etc/ipsec.d/crls
directory or fetched from an HTTP- or LDAP-based CRL distribu‐
tion point.
listocsp [ --utc ]
returns revocation information fetched from OCSP servers.
listcounters
show IKE counter values collected since daemon startup.
listall [ --utc ]
returns all information generated by the list commands above.
Each list command can be called with the --utc option which dis‐
plays all dates in UTC instead of local time.
REREAD COMMANDS
rereadsecrets
flushes and rereads all secrets defined in ipsec.secrets.
rereadcacerts
reads all certificate files contained in the /etc/ipsec.d/cac‐
erts directory and adds them to the list of Certification
Authority (CA) certificates.
rereadaacerts
reads all certificate files contained in the /etc/ipsec.d/aac‐
erts directory and adds them to the list of Authorization
Authority (AA) certificates.
rereadocspcerts
reads all certificate files contained in the
/etc/ipsec.d/ocspcerts/ directory and adds them to the list of
OCSP signer certificates.
rereadacerts
reads all certificate files contained in the
/etc/ipsec.d/acerts/ directory and adds them to the list of
attribute certificates.
rereadcrls
reads all Certificate Revocation Lists (CRLs) contained in the
/etc/ipsec.d/crls/ directory and adds them to the list of CRLs.
rereadall
executes all reread commands listed above.
PURGE COMMANDS
purgeike
purges IKE SAs that don't have a Quick Mode or CHILD SA.
purgeocsp
purges all cached OCSP information records.
INFO COMMANDS
--help returns the usage information for the ipsec command.
--version
returns the version in the form of Linux strongSwan U<strongSwan
userland version>/K<Linux kernel version> if strongSwan uses the
native NETKEY IPsec stack of the Linux kernel it is running on.
--versioncode
returns the version number in the form of U<strongSwan userland
version>/K<Linux kernel version> if strongSwan uses the native
NETKEY IPsec stack of the Linux kernel it is running on.
--copyright
returns the copyright information.
--directory
returns the LIBEXECDIR directory as defined by the configure
options.
--confdir
returns the SYSCONFDIR directory as defined by the configure
options.
--piddir
returns the PIDDIR directory as defined by the configure
options.
FILES
/usr/local/lib/ipsec usual utilities directory
ENVIRONMENT
The following environment variables control where strongSwan finds its
components. The ipsec command sets them if they are not already set.
IPSEC_DIR directory containing ipsec programs and utilities
IPSEC_SBINDIR directory containing ipsec command
IPSEC_CONFDIR directory containing configuration files
IPSEC_PIDDIR directory containing PID/socket files
IPSEC_SCRIPT name of the ipsec script
IPSEC_NAME name of ipsec distribution
IPSEC_VERSION version numer of ipsec userland and kernel
IPSEC_STARTER_PID PID file for ipsec starter
IPSEC_CHARON_PID PID file for IKE keying daemon
SEE ALSOipsec.conf(5), ipsec.secrets(5)HISTORY
Originally written for the FreeS/WAN project by Henry Spencer. Updated
and extended for the strongSwan project <http://www.strongswan.org> by
Tobias Brunner and Andreas Steffen.
5.1.0 2013-07-22 IPSEC(8)
