.TH IPSEC 8 "9 February 2006"
.\" RCSID $Id: ipsec.8,v 1.3 2006/02/09 19:47:38 as Exp $
ipsec \- invoke IPsec utilities
command [ argument ...]
.B ipsec start|update|reload|restart|stop
.B ipsec up|down|route|unroute
.B ipsec status|statusall
.B ipsec listalgs|listpubkeys|listcerts
.B ipsec listcacerts|listaacerts|listocspcerts
.B ipsec listacerts|listgroups|listcainfos
.B ipsec listcrls|listocsp|listcards|listall
.B ipsec rereadsecrets|rereadgroups
.B ipsec rereadcacerts|rereadaacerts|rereadocspcerts
.B ipsec rereadacerts|rereadcrls|rereadall
invokes any of several utilities involved in controlling the IPsec
encryption/authentication system,
as if it had been invoked directly.
This largely eliminates possible name collisions with other software,
and also permits some centralized services.
are built-in and are used to control the
utility, an extremely fast replacement for the traditional
are also built-in and completely replace the corresponding
commands. Communication with the pluto daemon happens via the
with a suitable PATH environment variable,
and also provides IPSEC_DIR,
IPSEC_CONFS, and IPSEC_VERSION environment variables,
containing respectively
the full pathname of the directory where the IPsec utilities are stored,
the full pathname of the directory where the configuration files live,
and the IPsec version number.
which in turn starts \fIpluto\fR.
sends a \fIHUP\fR signal to
which in turn determines any changes in \fIipsec.conf\fR
and updates the configuration on the running \fIpluto\fR daemon accordingly.
sends a \fIUSR1\fR signal to
which in turn reloads the whole configuration on the running \fIpluto\fR daemon
based on the current \fIipsec.conf\fR.
stops \fIipsec\fR by sending a \fITERM\fR signal to
\fIname\fP tells the \fIpluto\fP daemon to start up connection \fIname\fP.
\fIname\fP tells the \fIpluto\fP daemon to take down connection \fIname\fP.
\fIname\fP tells the \fIpluto\fP daemon to install a route for connection
\fIname\fP tells the \fIpluto\fP daemon to take down the route for connection
[ \fIname\fP ] gives concise status information either on connection
\fIname\fP or, if the \fIname\fP argument is lacking, on all connections.
[ \fIname\fP ] gives detailed status information either on connection
\fIname\fP or, if the \fIname\fP argument is lacking, on all connections.
returns a list of all supported IKE encryption and hash algorithms, the available
Diffie-Hellman groups, as well as all supported ESP encryption and authentication
.B "ipsec listpubkeys"
returns a list of RSA public keys that were either loaded in raw key format
or extracted from X.509 and/or OpenPGP certificates.
returns a list of X.509 and/or OpenPGP certificates that were loaded locally
by the \fIpluto\fP daemon.
.B "ipsec listcacerts"
returns a list of X.509 Certification Authority (CA) certificates that were
loaded locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/cacerts/\fP
directory or received in PKCS#7-wrapped certificate payloads via the IKE
.B "ipsec listaacerts"
returns a list of X.509 Authorization Authority (AA) certificates that were
loaded locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/aacerts/\fP
.B "ipsec listocspcerts"
returns a list of X.509 OCSP Signer certificates that were either loaded
locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
directory or were sent by an OCSP server.
.B "ipsec listacerts"
returns a list of X.509 Attribute certificates that were loaded locally by
the \fIpluto\fP daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
.B "ipsec listgroups"
returns a list of groups that are used to define user authorization profiles.
.B "ipsec listcainfos"
returns certification authority information (CRL distribution points, OCSP URIs,
LDAP servers) that were defined by
sections in \fIipsec.conf\fP.
returns a list of Certificate Revocation Lists (CRLs).
returns revocation information fetched from OCSP servers.
returns a list of certificates residing on smartcards.
returns all information generated by the list commands above. Each list command
can be called with the
option which displays all dates in UTC instead of local time.
.B "ipsec rereadsecrets"
flushes and rereads all secrets defined in \fIipsec.conf\fP.
.B "ipsec rereadcacerts"
reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
directory and adds them to \fIpluto\fP's list of Certification Authority (CA) certificates.
.B "ipsec rereadaacerts"
reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
directory and adds them to \fIpluto\fP's list of Authorization Authority (AA) certificates.
.B "ipsec rereadocspcerts"
reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
directory and adds them to \fIpluto\fP's list of OCSP signer certificates.
.B "ipsec rereadacerts"
reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP
directory and adds them to \fIpluto\fP's list of attribute certificates.
.B "ipsec rereadcrls"
reads all Certificate Revocation Lists (CRLs) contained in the
\fI/etc/ipsec.d/crls/\fP directory and adds them to \fIpluto\fP's list of CRLs.
is equivalent to the execution of \fBrereadsecrets\fP,
\fBrereadcacerts\fP, \fBrereadaacerts\fP, \fBrereadocspcerts\fP,
\fBrereadacerts\fP, and \fBrereadcrls\fP.
lists the available commands.
Most have their own manual pages, e.g.
.B "ipsec \-\-version"
outputs version information about Linux strongSwan.
A version code of the form ``U\fIxxx\fR/K\fIyyy\fR''
indicates that the user-level utilities are version \fIxxx\fR
but the kernel portion appears to be version \fIyyy\fR
(this form is used only if the two disagree).
.B "ipsec \-\-versioncode"
outputs \fIjust\fR the version code,
supporting information,
.B "ipsec \-\-copyright"
supplies boring copyright details.
.B "ipsec \-\-directory"
thinks the IPsec utilities are stored.
.B "ipsec \-\-confdir"
thinks the IPsec configuration files are stored.
/usr/local/lib/ipsec usual utilities directory
The following environment variables control where strongSwan finds its
command sets them if they are not already set.
IPSEC_EXECDIR directory containing published commands
IPSEC_LIBDIR directory containing internal executables
IPSEC_SBINDIR directory containing \fBipsec\fP command
IPSEC_CONFS directory containing configuration files
ipsec.conf(5), ipsec.secrets(5),
Written for Linux FreeS/WAN
<http://www.freeswan.org>
Updated and extended for Linux strongSwan
<http://www.strongswan.org>