FreeBSD Manual Pages
IPSEC(8)			  strongSwan			      IPSEC(8)

NAME
       ipsec - invoke IPsec utilities

SYNOPSIS
       ipsec command [arguments] [options]

DESCRIPTION
       The ipsec utility invokes any of	several	utilities involved in control-
       ling and	monitoring the IPsec encryption/authentication system, running
       the specified command with the specified	arguments and options as if it
       had been	invoked	directly. This largely eliminates possible name	colli-
       sions with other	software, and also permits some	centralized services.

       All  the	 commands  described  in this manual page are built-in and are
       used to control and monitor IPsec connections as	well as	the  IKE  dae-
       mon.

       For any other command, ipsec runs the program of that name from the
       utilities directory (see FILES), supplying it with a suitable PATH
       environment variable and the environment variables listed under
       ENVIRONMENT.

   CONTROL COMMANDS
       start [starter options]
	      calls starter which in turn parses ipsec.conf and	starts the IKE
	      daemon charon.

       update sends a HUP signal to  starter  which  in	 turn  determines  any
	      changes  in ipsec.conf and updates the configuration on the run-
	      ning IKE daemon charon.

       reload sends a USR1 signal to starter which in turn reloads  the	 whole
	      configuration  of	the running IKE	daemon charon based on the ac-
	      tual ipsec.conf.

       restart
	      is equivalent to stop followed by	start after a guard of 2  sec-
	      onds.

       stop   terminates all IPsec connections and stops the IKE daemon	charon
	      by sending a TERM	signal to starter.

       up name
	      tells the	IKE daemon to start up connection name.

       down name
	      tells the	IKE daemon to terminate	connection name.

       down name{n}
	      terminates IKEv1 Quick Mode and IKEv2 CHILD  SA  instance	 n  of
	      connection name.

       down name{*}
	      terminates all IKEv1 Quick Mode and  IKEv2 CHILD SA instances of
	      connection name.

       down name[n]
	      terminates IKE SA	instance n of connection name.

       down name[*]
	      terminates all IKE SA instances of connection name.

       down-srcip <start> [<end>]
	      terminates all IKE SA instances whose clients were assigned a
	      virtual IP in the range start-end (or exactly the address start
	      if end is omitted).

       route name
	      tells the	IKE daemon to insert an	IPsec policy in	the kernel for
	      connection name. The first payload  packet  matching  the	 IPsec
	      policy will automatically	trigger	an IKE connection setup.

       unroute name
	      removes the IPsec policy in the kernel for connection name.

       status [name]
	      returns concise status information on connection name or, if
	      name is omitted, on all connections.

       statusall [name]
	      returns detailed status information on connection name or, if
	      name is omitted, on all connections.

   LIST	COMMANDS
       leases [<poolname> [<address>]]
	      returns  the  status  of all or the selected IP address pool (or
	      even a single virtual IP address).

       listalgs
	      returns a list of the supported cryptographic algorithms usable
	      for IKE, and the plugin that provides each of them.

       listpubkeys [--utc]
	      returns a list of RSA public keys that were either loaded in raw
	      key format or extracted from X.509 and/or OpenPGP certificates.

       listcerts [--utc]
	      returns a list of X.509 and/or OpenPGP certificates that were
	      either loaded locally by the IKE daemon or received via the IKE
	      protocol.

       listcacerts [--utc]
	      returns a	list of	X.509 Certification  Authority	(CA)  certifi-
	      cates  that  were	 loaded	 locally  by  the  IKE daemon from the
	      /etc/ipsec.d/cacerts/ directory or received via the  IKE	proto-
	      col.

       listaacerts [--utc]
	      returns  a  list	of X.509 Authorization Authority (AA) certifi-
	      cates that were loaded  locally  by  the	IKE  daemon  from  the
	      /etc/ipsec.d/aacerts/ directory.

       listocspcerts [--utc]
	      returns  a  list of X.509	OCSP Signer certificates that were ei-
	      ther loaded locally by the IKE daemon from the  /etc/ipsec.d/oc-
	      spcerts/ directory or were sent by an OCSP server.

       listacerts [--utc]
	      returns  a list of X.509 Attribute certificates that were	loaded
	      locally by the IKE daemon	from the  /etc/ipsec.d/acerts/	direc-
	      tory.

       listgroups [--utc]
	      returns a	list of	groups that are	used to	define user authoriza-
	      tion profiles.

       listcainfos [--utc]
	      returns certification authority  information  (CRL  distribution
	      points,  OCSP  URIs,  LDAP servers) that were defined by ca sec-
	      tions in ipsec.conf.

       listcrls	[--utc]
	      returns a	list of	Certificate Revocation Lists (CRLs) that  were
	      either  loaded  by the IKE daemon	from the /etc/ipsec.d/crls di-
	      rectory or fetched from an HTTP- or LDAP-based CRL  distribution
	      point.

       listocsp	[--utc]
	      returns revocation information fetched from OCSP servers.

       listplugins
	      returns a	list of	all loaded plugin features.

       listcounters [name]
	      returns a list of global or connection-specific IKE counter
	      values collected since daemon startup.

       listall [--utc]
	      returns all information generated	by the	list  commands	above.
	      Each list	command	can be called with the --utc option which dis-
	      plays all	dates in UTC instead of	local time.

   REREAD COMMANDS
       rereadsecrets
	      flushes and rereads all secrets defined in ipsec.secrets.

       rereadcacerts
	      removes previously loaded CA certificates, reads all certificate
	      files contained in the /etc/ipsec.d/cacerts directory and adds
	      them to the list of Certification Authority (CA) certificates.
	      This does not affect certificates explicitly defined in an
	      ipsec.conf(5) ca section, which may be separately updated using
	      the update command.

       rereadaacerts
	      removes previously loaded	AA certificates, reads all certificate
	      files contained in the /etc/ipsec.d/aacerts directory  and  adds
	      them to the list of Authorization	Authority (AA) certificates.

       rereadocspcerts
	      reads  all  certificate  files contained in the /etc/ipsec.d/oc-
	      spcerts/ directory and adds them to the list of OCSP signer cer-
	      tificates.

       rereadacerts
	      reads  all  certificate files contained in the  /etc/ipsec.d/ac-
	      erts/ directory and adds them to the list	of attribute  certifi-
	      cates.

       rereadcrls
	      reads  all Certificate  Revocation Lists (CRLs) contained	in the
	      /etc/ipsec.d/crls/ directory and adds them to the	list of	CRLs.

       rereadall
	      executes all reread commands listed above.

   RESET COMMANDS
       resetcounters [name]
	      resets global or connection-specific counters.

   PURGE COMMANDS
       purgecerts
	      purges all cached	certificates.

       purgecrls
	      purges all cached	CRLs.

       purgeike
	      purges IKE SAs that don't	have a Quick Mode or CHILD SA.

       purgeocsp
	      purges all cached	OCSP information records.

   INFO	COMMANDS
       --help returns the usage	information for	the ipsec command.

       --version
	      returns the version in the form of Linux strongSwan U<strongSwan
	      userland version>/K<Linux	kernel version>	if strongSwan uses the
	      native NETKEY IPsec stack	of the Linux kernel it is running on.

       --versioncode
	      returns the version number in the	form of	U<strongSwan  userland
	      version>/K<Linux	kernel	version> if strongSwan uses the	native
	      NETKEY IPsec stack of the	Linux kernel it	is running on.

       --copyright
	      returns the copyright information.

       --directory
	      returns the LIBEXECDIR directory as defined by the configure op-
	      tions.

       --confdir
	      returns the SYSCONFDIR directory as defined by the configure op-
	      tions.

       --piddir
	      returns the PIDDIR directory as defined  by  the	configure  op-
	      tions.

FILES
       /usr/libexec/ipsec	utilities directory

ENVIRONMENT
       When  calling  other  commands the ipsec	command	supplies the following
       environment variables.

       IPSEC_DIR	       directory containing ipsec programs and utilities
       IPSEC_BINDIR	       directory containing pki	command
       IPSEC_SBINDIR	       directory containing ipsec command
       IPSEC_CONFDIR	       directory containing configuration files
       IPSEC_PIDDIR	       directory containing PID/socket files
       IPSEC_SCRIPT	       name of the ipsec script
       IPSEC_NAME	       name of ipsec distribution
       IPSEC_VERSION	       version numer of	ipsec userland and kernel
       IPSEC_STARTER_PID       PID file	for ipsec starter
       IPSEC_CHARON_PID	       PID file	for IKE	keying daemon
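       An added example, not part of strongSwan, of the drop-in mechanism
       that the DESCRIPTION and this ENVIRONMENT section describe: a script
       placed in the utilities directory (the installation path and the
       command name confaudit are assumptions) and invoked as ipsec
       confaudit. It reads ipsec.conf from the IPSEC_CONFDIR that the ipsec
       wrapper exports, lists every conn with its auto= mode, and flags two
       configurations worth a second look: an IKEv1 aggressive-mode conn
       authenticated with a pre-shared key (the exchange exposes a
       PSK-derived hash to offline guessing), and an ike= proposal naming
       3des, md5 or modp1024. When IPSEC_CONFDIR is not set, i.e. the script
       is run directly rather than through ipsec, it falls back to the
       ipsec.conf text embedded below, which is constructed for the example.

```shell
#!/bin/sh
# Added example (not strongSwan's own code).  Meant to be installed as
# <utilities directory>/confaudit and run as `ipsec confaudit`; the ipsec
# wrapper then exports IPSEC_CONFDIR (see ENVIRONMENT).  Run outside the
# wrapper, it audits the constructed sample configuration below instead.

# Constructed ipsec.conf sample; addresses and certificate names are made up.
SAMPLE_CONF='config setup
        uniqueids=yes

conn %default
        keyexchange=ikev2
        ike=aes256-sha256-ecp256!
        esp=aes256gcm16!

conn net-net
        left=192.0.2.1
        leftcert=moonCert.pem
        right=198.51.100.1
        auto=start

conn legacy-rw
        keyexchange=ikev1
        aggressive=yes
        authby=psk
        ike=3des-md5-modp1024
        right=%any
        auto=add
'

# Read ipsec.conf on stdin; print "name auto=<mode> [WEAK:...]" for each conn.
# Values set in "conn %default" apply to every conn that does not override them.
conn_audit() {
    awk '
    /^conn[ \t]/   { sect = $2; order[++n] = sect; next }   # conn section header
    /^config[ \t]/ { sect = ""; next }                      # config setup: not a conn
    /^[ \t]+[A-Za-z]+=/ && sect != "" {                     # indented key=value line
        sub(/^[ \t]+/, "")
        eq = index($0, "=")
        kv[sect, substr($0, 1, eq - 1)] = substr($0, eq + 1)
    }
    function get(c, k) { return ((c, k) in kv) ? kv[c, k] : kv["%default", k] }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            if (c == "%default") continue
            mode = get(c, "auto"); if (mode == "") mode = "ignore"   # ipsec.conf default
            line = c " auto=" mode
            # IKEv1 aggressive mode with a PSK: the responder hash sent in the
            # clear lets an eavesdropper brute-force the PSK offline.
            if (get(c, "keyexchange") == "ikev1" && get(c, "aggressive") == "yes" &&
                get(c, "authby") == "psk")
                line = line " WEAK:ikev1-aggressive-psk"
            # Legacy cipher, hash or DH group in the IKE proposal.
            if (get(c, "ike") ~ /(3des|md5|modp1024)/)
                line = line " WEAK:ike-proposal"
            print line
        }
    }'
}

if [ -n "${IPSEC_CONFDIR-}" ] && [ -r "$IPSEC_CONFDIR/ipsec.conf" ]; then
    conn_audit < "$IPSEC_CONFDIR/ipsec.conf"       # real config, via `ipsec confaudit`
else
    printf '%s\n' "$SAMPLE_CONF" | conn_audit      # stand-alone demo on the sample
fi
```

       The conn names it prints are exactly the names accepted by ipsec up,
       ipsec down and ipsec route, so the output can be fed back into those
       commands.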

SEE ALSO
       ipsec.conf(5), ipsec.secrets(5)

HISTORY
       Originally written for the FreeS/WAN project by Henry Spencer.  Updated
       and  extended for the strongSwan	project	<http://www.strongswan.org> by
       Tobias Brunner and Andreas Steffen.

5.5.2dr4			  2013-10-29			      IPSEC(8)

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=ipsec&manpath=FreeBSD+12.0-RELEASE+and+Ports>