NAME
ipsec - invoke IPsec utilities
SYNOPSIS
ipsec command [ argument ...]
ipsec start|update|reload|restart|stop
ipsec up|down|route|unroute connectionname
ipsec status|statusall [ connectionname ]
ipsec listalgs|listpubkeys|listcerts [ --utc ]
ipsec listcacerts|listaacerts|listocspcerts [ --utc ]
ipsec listacerts|listgroups|listcainfos [ --utc ]
ipsec listcrls|listocsp|listcards|listall [ --utc ]
ipsec rereadsecrets|rereadgroups
ipsec rereadcacerts|rereadaacerts|rereadocspcerts
ipsec rereadacerts|rereadcrls|rereadall
ipsec purgeocsp
ipsec [ --help ] [ --version ] [ --versioncode ] [ --copyright ]
ipsec [ --directory ] [ --confdir ]
DESCRIPTION
Ipsec invokes any of several utilities involved in controlling the
IPsec encryption/authentication system, running the specified command
with the specified arguments as if it had been invoked directly. This
largely eliminates possible name collisions with other software, and
also permits some centralized services.
The commands start, update, reload, restart, and stop are built-in and
are used to control the ipsec starter utility, an extremely fast
replacement for the traditional ipsec setup script.
The commands up, down, route, unroute, status, statusall, listalgs,
listpubkeys, listcerts, listcacerts, listaacerts, listocspcerts,
listacerts, listgroups, listcainfos, listcrls, listocsp, listcards,
listall, rereadsecrets, rereadgroups, rereadcacerts, rereadaacerts,
rereadocspcerts, rereadacerts, rereadcrls, and rereadall are also
built-in and completely replace the corresponding "ipsec auto
--operation" commands. Communication with the pluto daemon happens via
the ipsec whack socket interface.
In particular, ipsec supplies the invoked command with a suitable PATH
environment variable, and also provides IPSEC_DIR, IPSEC_CONFS, and
IPSEC_VERSION environment variables, containing respectively the full
pathname of the directory where the IPsec utilities are stored, the
full pathname of the directory where the configuration files live, and
the IPsec version number.
ipsec start calls ipsec starter which in turn starts pluto.
ipsec update sends a HUP signal to ipsec starter which in turn
determines any changes in ipsec.conf and updates the configuration on
the running pluto daemon, correspondingly.
ipsec reload sends a USR1 signal to ipsec starter which in turn reloads
the whole configuration on the running pluto daemon based on the actual
ipsec.conf.
ipsec restart executes ipsec stop followed by ipsec start.
ipsec stop stops ipsec by sending a TERM signal to ipsec starter.
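The update, reload and stop commands above are, underneath, signals delivered to ipsec starter. The following shell functions are an added illustration of that dispatch and are not strongSwan's own code: they map each command to the signal the text names, read the starter PID from the file named by IPSEC_STARTER_PID (the default path shown is a placeholder, not one taken from this page), and refuse a PID file that is unreadable, non-numeric or names a process that no longer exists, so that a stale or corrupted PID file cannot cause a signal to be sent to an unrelated process.

```sh
#!/bin/sh
# Added example, not strongSwan's own code: reproduce the signal dispatch
# that "ipsec update|reload|stop" performs against ipsec starter.
# Assumption: $IPSEC_STARTER_PID names the starter PID file; the default
# below is a placeholder, not a path documented on this page.

# Map the built-in command to the signal starter receives for it.
starter_signal_for() {
    case "$1" in
        update) echo HUP ;;
        reload) echo USR1 ;;
        stop)   echo TERM ;;
        *)      return 1 ;;
    esac
}

# Read and validate a PID file: it must be readable, contain a single
# positive integer, and name a live process. Anything else is rejected so
# a stale or tampered PID file never makes us signal the wrong process.
read_pid_file() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 0 ] || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    echo "$pid"
}

# Send the signal belonging to the given command to the starter process.
# Exit codes: 2 for an unknown command, 3 for an unusable PID file.
signal_starter() {
    cmd=$1
    sig=$(starter_signal_for "$cmd") || {
        echo "unknown command: $cmd" >&2; return 2; }
    pid=$(read_pid_file "${IPSEC_STARTER_PID:-/path/to/starter.pid}") || {
        echo "no usable starter PID file" >&2; return 3; }
    kill -s "$sig" "$pid"
}
```

Because `read_pid_file` checks liveness with `kill -0`, the caller must run with permission to signal the starter (normally root), which is also the privilege the real `ipsec` command needs for these operations.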
ipsec up name tells the pluto daemon to start up connection name.
ipsec down name tells the pluto daemon to take down connection name.
ipsec route name tells the pluto daemon to install a route for
connection name.
ipsec unroute name tells the pluto daemon to take down the route for
connection name.
ipsec status [ name ] gives concise status information either on
connection name or if the name argument is lacking, on all connections.
ipsec statusall [ name ] gives detailed status information either on
connection name or if the name argument is lacking, on all connections.
ipsec listalgs returns a list of all supported IKE encryption and hash
algorithms, the available Diffie-Hellman groups, as well as all
supported ESP encryption and authentication algorithms.
ipsec listpubkeys returns a list of RSA public keys that were either
loaded in raw key format or extracted from X.509 and|or OpenPGP
certificates.
ipsec listcerts returns a list of X.509 and|or OpenPGP certificates
that were loaded locally by the pluto daemon.
ipsec listcacerts returns a list of X.509 Certification Authority (CA)
certificates that were loaded locally by the pluto daemon from the
/etc/ipsec.d/cacerts/ directory or received in PKCS#7-wrapped
certificate payloads via the IKE protocol.
ipsec listaacerts returns a list of X.509 Authorization Authority (AA)
certificates that were loaded locally by the pluto daemon from the
/etc/ipsec.d/aacerts/ directory.
ipsec listocspcerts returns a list of X.509 OCSP Signer certificates
that were either loaded locally by the pluto daemon from the
/etc/ipsec.d/ocspcerts/ directory or were sent by an OCSP server.
ipsec listacerts returns a list of X.509 Attribute certificates that
were loaded locally by the pluto daemon from the /etc/ipsec.d/acerts/
directory.
ipsec listgroups returns a list of groups that are used to define user
authorization profiles.
ipsec listcainfos returns certification authority information (CRL
distribution points, OCSP URIs, LDAP servers) that were defined by ca
sections in ipsec.conf.
ipsec listcrls returns a list of Certificate Revocation Lists (CRLs).
ipsec listocsp returns revocation information fetched from OCSP
servers.
ipsec listcards returns a list of certificates residing on smartcards.
ipsec listall returns all information generated by the list commands
above. Each list command can be called with the --utc option which
displays all dates in UTC instead of local time.
ipsec rereadsecrets flushes and rereads all secrets defined in
ipsec.conf.
ipsec rereadcacerts reads all certificate files contained in the
/etc/ipsec.d/cacerts directory and adds them to pluto’s list of
Certification Authority (CA) certificates.
ipsec rereadaacerts reads all certificate files contained in the
/etc/ipsec.d/aacerts directory and adds them to pluto’s list of
Authorization Authority (AA) certificates.
ipsec rereadocspcerts reads all certificate files contained in the
/etc/ipsec.d/ocspcerts/ directory and adds them to pluto’s list of OCSP
signer certificates.
ipsec rereadacerts reads all certificate files contained in the
/etc/ipsec.d/acerts/ directory and adds them to pluto’s list of
attribute certificates.
ipsec rereadcrls reads all Certificate Revocation Lists (CRLs)
contained in the /etc/ipsec.d/crls/ directory and adds them to pluto’s
list of CRLs.
ipsec rereadall is equivalent to the execution of rereadsecrets,
rereadcacerts, rereadaacerts, rereadocspcerts, rereadacerts, and
rereadcrls.
ipsec --help lists the available commands. Most have their own manual
pages, e.g. ipsec_auto(8) for auto.
ipsec --version outputs version information about Linux strongSwan. A
version code of the form "Uxxx/Kyyy" indicates that the user-level
utilities are version xxx but the kernel portion appears to be version
yyy (this form is used only if the two disagree).
ipsec --versioncode outputs just the version code, with none of
--version’s supporting information, for use by scripts.
ipsec --copyright supplies boring copyright details.
ipsec --directory reports where ipsec thinks the IPsec utilities are
stored.
ipsec --confdir reports where ipsec thinks the IPsec configuration
files are stored.
FILES
/usr/local/lib/ipsec usual utilities directory
ENVIRONMENT
The following environment variables control where strongSwan finds its
components. The ipsec command sets them if they are not already set.
IPSEC_DIR directory containing ipsec programs and utilities
IPSEC_SBINDIR directory containing ipsec command
IPSEC_CONFDIR directory containing configuration files
IPSEC_PIDDIR directory containing PID files
IPSEC_NAME name of ipsec distribution
IPSEC_VERSION version number of ipsec userland and kernel
IPSEC_STARTER_PID PID file for ipsec starter
IPSEC_PLUTO_PID PID file for IKEv1 keying daemon
IPSEC_CHARON_PID PID file for IKEv2 keying daemon
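The DESCRIPTION section explains that ipsec supplies the invoked utility with a suitable PATH and the IPSEC_* variables, and that running utilities through the wrapper avoids name collisions with other software; this section lists the variables it sets only when they are not already set. The shell functions below are an added illustration of that wrapper pattern, not strongSwan's own implementation: defaults are applied with the "set if unset" idiom, the utilities directory is prepended to PATH once, and a command name is resolved only to an executable inside IPSEC_DIR (names containing path separators or leading dashes are refused). The default directories and the built-in option handling are placeholders and assumptions, not values from this page.

```sh
#!/bin/sh
# Added example, not strongSwan's own wrapper: a minimal dispatcher in the
# style the DESCRIPTION and ENVIRONMENT sections describe.
# Assumptions: the default directories below are placeholders, and the
# built-in options (--help, --version, ...) are not implemented here.

# Set IPSEC_DIR and IPSEC_CONFDIR only if the caller has not set them,
# then make sure the utilities directory is on PATH exactly once.
ipsec_env_defaults() {
    : "${IPSEC_DIR:=/path/to/ipsec/utils}"      # placeholder default
    : "${IPSEC_CONFDIR:=/path/to/ipsec/conf}"   # placeholder default
    export IPSEC_DIR IPSEC_CONFDIR
    case ":$PATH:" in
        *":$IPSEC_DIR:"*) ;;                    # already present
        *) PATH="$IPSEC_DIR:$PATH"; export PATH ;;
    esac
}

# Resolve a command name to an executable inside IPSEC_DIR only. Refusing
# empty names, names with a path separator, leading dashes and "."/".."
# keeps the lookup confined to the utilities directory, which is how the
# wrapper avoids collisions with same-named programs elsewhere on PATH.
resolve_ipsec_command() {
    name=$1
    case "$name" in
        ''|*/*|-*|.|..) return 1 ;;
    esac
    target="$IPSEC_DIR/$name"
    [ -f "$target" ] && [ -x "$target" ] || return 1
    printf '%s\n' "$target"
}

# Entry point: ipsec_wrapper command [argument ...]
# Runs the resolved utility with the remaining arguments, as if invoked
# directly, inheriting the environment prepared above.
ipsec_wrapper() {
    [ $# -ge 1 ] || { echo "usage: ipsec command [argument ...]" >&2; return 2; }
    ipsec_env_defaults
    cmd=$1
    shift
    target=$(resolve_ipsec_command "$cmd") || {
        echo "ipsec: unknown command '$cmd'" >&2; return 1; }
    "$target" "$@"
}
```

Because the lookup never consults the caller's PATH for the command itself, a program of the same name installed elsewhere cannot be picked up by mistake; the PATH change only affects what the invoked utility sees.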
SEE ALSO
ipsec.conf(5), ipsec.secrets(5), ipsec_barf(8),
HISTORY
Written for Linux FreeS/WAN <http://www.freeswan.org> by Henry Spencer.
Updated and extended for Linux strongSwan <http://www.strongswan.org>
by Andreas Steffen.
9 February 2006