ipsec

Language: en

Version: 364285 (ubuntu - 25/10/10)

Section: 8 (Administrator commands)

NAME

ipsec - invoke IPsec utilities

SYNOPSIS

ipsec command [ argument ...]

ipsec start|update|reload|restart|stop

ipsec up|down|route|unroute connectionname

ipsec status|statusall [ connectionname ]

ipsec listalgs|listpubkeys|listcerts [ --utc ]
ipsec listcacerts|listaacerts|listocspcerts [ --utc ]
ipsec listacerts|listgroups|listcainfos [ --utc ]
ipsec listcrls|listocsp|listcards|listall [ --utc ]

ipsec rereadsecrets|rereadgroups
ipsec rereadcacerts|rereadaacerts|rereadocspcerts
ipsec rereadacerts|rereadcrls|rereadall

ipsec purgeocsp

ipsec [ --help ] [ --version ] [ --versioncode ] [ --copyright ]
ipsec [ --directory ] [ --confdir ]

DESCRIPTION

Ipsec invokes any of several utilities involved in controlling the IPsec encryption/authentication system, running the specified command with the specified arguments as if it had been invoked directly. This largely eliminates possible name collisions with other software, and also permits some centralized services.

The commands start, update, reload, restart, and stop are built-in and are used to control the ipsec starter utility, an extremely fast replacement for the traditional ipsec setup script.

The commands up, down, route, unroute, status, statusall, listalgs, listpubkeys, listcerts, listcacerts, listaacerts, listocspcerts, listacerts, listgroups, listcainfos, listcrls, listocsp, listcards, listall, rereadsecrets, rereadgroups, rereadcacerts, rereadaacerts, rereadocspcerts, rereadacerts, rereadcrls, and rereadall are also built-in and completely replace the corresponding "ipsec auto --operation" commands. Communication with the pluto daemon happens via the ipsec whack socket interface.

In particular, ipsec supplies the invoked command with a suitable PATH environment variable, and also provides IPSEC_DIR, IPSEC_CONFDIR, and IPSEC_VERSION environment variables (see ENVIRONMENT below), containing respectively the full pathname of the directory where the IPsec utilities are stored, the full pathname of the directory where the configuration files live, and the IPsec version number.

ipsec start calls ipsec starter which in turn starts pluto.

ipsec update sends a HUP signal to ipsec starter, which in turn determines any changes in ipsec.conf and updates the configuration on the running pluto daemon accordingly.

ipsec reload sends a USR1 signal to ipsec starter, which in turn reloads the whole configuration on the running pluto daemon from the current ipsec.conf.

ipsec restart executes ipsec stop followed by ipsec start.

ipsec stop stops ipsec by sending a TERM signal to ipsec starter.

ipsec up name tells the pluto daemon to start up connection name.

ipsec down name tells the pluto daemon to take down connection name.

ipsec route name tells the pluto daemon to install a route for connection name.

ipsec unroute name tells the pluto daemon to take down the route for connection name.

ipsec status [ name ] gives concise status information either on connection name or if the name argument is lacking, on all connections.

ipsec statusall [ name ] gives detailed status information either on connection name or if the name argument is lacking, on all connections.
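The route/unroute and status descriptions above say what pluto reports but not how a script should act on it. The following helper is added here as an example and is not part of the ipsec(8) page or of strongSwan: it classifies a connection from the text of ipsec status so that a script can refuse to send traffic until an IPsec SA actually exists (a policy installed by ipsec route is not protection). The SAMPLE text is constructed for this example and only imitates the shape of pluto's whack status report (a three-digit code, then the record); real output carries more fields. The function names conn_state and is_routed are this example's own.

```sh
#!/bin/sh
# Added example, not part of ipsec(8) or strongSwan: decide from the text
# of "ipsec status" whether a named connection really has an IPsec SA.
#
# SAMPLE is constructed for this example. It imitates pluto's whack report
# (one record per line, prefixed with a three-digit code), but it is not
# captured from a real daemon.
SAMPLE='000 "home": 10.1.0.0/16===192.168.0.1...192.168.0.2===10.2.0.0/16; erouted; eroute owner: #2
000 "home":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "rw": 10.1.0.0/16===192.168.0.1...%any; unrouted; eroute owner: #0
000 "lab": 10.1.0.0/16===192.168.0.1...192.168.0.3===10.3.0.0/16; erouted; eroute owner: #0
000 "dead": 10.1.0.0/16===192.168.0.1...192.168.0.4===10.4.0.0/16; erouted; eroute owner: #0
000 #2: "home" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2756s; newest IPSEC; eroute owner
000 #1: "home" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2683s; newest ISAKMP
000 #3: "lab" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3000s; newest ISAKMP
000 #4: "lab" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s
000 #5: "dead" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 9s'

# conn_state NAME [STATUS_TEXT]: print exactly one of
#   established  an IPsec (child) SA for NAME is up, traffic is protected
#   ike-only     only the ISAKMP (IKE) SA exists, no traffic protection yet
#   negotiating  a state object exists for NAME but no SA is established
#   none         no state object for NAME at all
# STATUS_TEXT defaults to the live output of "ipsec status NAME".
# NAME is used unescaped inside a regular expression; keep it to plain
# connection names (letters, digits, '-', '_').
conn_state() {
    name=$1
    text=${2:-$(ipsec status "$name")}
    # state lines look like: 000 #<n>: "<name>" STATE_... (<description>); ...
    states=$(printf '%s\n' "$text" | grep "^000 #[0-9]*: \"$name\" " || true)
    if [ -z "$states" ]; then
        echo none
    elif printf '%s\n' "$states" | grep -q 'IPsec SA established'; then
        echo established
    elif printf '%s\n' "$states" | grep -q 'ISAKMP SA established'; then
        echo ike-only
    else
        echo negotiating
    fi
}

# is_routed NAME [STATUS_TEXT]: succeed if a policy (eroute) is installed
# for NAME. "ipsec route" installs one without negotiating any SA, so
# routed does not mean protected; check conn_state before trusting a path.
is_routed() {
    name=$1
    text=${2:-$(ipsec status "$name")}
    printf '%s\n' "$text" | grep -q "^000 \"$name\": .*; erouted;"
}

# Usage against the constructed sample (drop the second argument to query
# the running daemon instead):
#   conn_state home "$SAMPLE"   -> established
#   conn_state lab  "$SAMPLE"   -> ike-only
#   is_routed  rw   "$SAMPLE"   -> fails (policy not installed)
```

A monitoring hook would typically alarm on a connection that stays in ike-only or negotiating for longer than one retransmit cycle, since both states mean the peer answered but no traffic is protected yet.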

ipsec listalgs returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman groups, as well as all supported ESP encryption and authentication algorithms.

ipsec listpubkeys returns a list of RSA public keys that were either loaded in raw key format or extracted from X.509 and/or OpenPGP certificates.

ipsec listcerts returns a list of X.509 and/or OpenPGP certificates that were loaded locally by the pluto daemon.

ipsec listcacerts returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the pluto daemon from the /etc/ipsec.d/cacerts/ directory or received in PKCS#7-wrapped certificate payloads via the IKE protocol.

ipsec listaacerts returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the pluto daemon from the /etc/ipsec.d/aacerts/ directory.

ipsec listocspcerts returns a list of X.509 OCSP Signer certificates that were either loaded locally by the pluto daemon from the /etc/ipsec.d/ocspcerts/ directory or were sent by an OCSP server.

ipsec listacerts returns a list of X.509 Attribute certificates that were loaded locally by the pluto daemon from the /etc/ipsec.d/acerts/ directory.

ipsec listgroups returns a list of groups that are used to define user authorization profiles.

ipsec listcainfos returns certification authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by ca sections in ipsec.conf.

ipsec listcrls returns a list of Certificate Revocation Lists (CRLs).

ipsec listocsp returns revocation information fetched from OCSP servers.

ipsec listcards returns a list of certificates residing on smartcards.

ipsec listall returns all information generated by the list commands above. Each list command can be called with the --utc option, which displays all dates in UTC instead of local time.

ipsec rereadsecrets flushes and rereads all secrets defined in ipsec.secrets.

ipsec rereadcacerts reads all certificate files contained in the /etc/ipsec.d/cacerts directory and adds them to pluto's list of Certification Authority (CA) certificates.

ipsec rereadaacerts reads all certificate files contained in the /etc/ipsec.d/aacerts directory and adds them to pluto's list of Authorization Authority (AA) certificates.

ipsec rereadocspcerts reads all certificate files contained in the /etc/ipsec.d/ocspcerts/ directory and adds them to pluto's list of OCSP signer certificates.

ipsec rereadacerts reads all certificate files contained in the /etc/ipsec.d/acerts/ directory and adds them to pluto's list of attribute certificates.

ipsec rereadcrls reads all Certificate Revocation Lists (CRLs) contained in the /etc/ipsec.d/crls/ directory and adds them to pluto's list of CRLs.

ipsec rereadall is equivalent to the execution of rereadsecrets, rereadcacerts, rereadaacerts, rereadocspcerts, rereadacerts, and rereadcrls.

ipsec --help lists the available commands. Most have their own manual pages, e.g. ipsec_auto(8) for auto.

ipsec --version outputs version information about Linux strongSwan. A version code of the form ``Uxxx/Kyyy'' indicates that the user-level utilities are version xxx but the kernel portion appears to be version yyy (this form is used only if the two disagree).

ipsec --versioncode outputs just the version code, with none of --version's supporting information, for use by scripts.

ipsec --copyright supplies boring copyright details.

ipsec --directory reports where ipsec thinks the IPsec utilities are stored.

ipsec --confdir reports where ipsec thinks the IPsec configuration files are stored.

FILES

/usr/local/lib/ipsec   usual utilities directory

ENVIRONMENT

The following environment variables control where strongSwan finds its components. The ipsec command sets them if they are not already set.

 
 IPSEC_DIR               directory containing ipsec programs and utilities
 IPSEC_SBINDIR           directory containing ipsec command
 IPSEC_CONFDIR           directory containing configuration files
 IPSEC_PIDDIR            directory containing PID files
 IPSEC_NAME              name of ipsec distribution
 IPSEC_VERSION           version number of ipsec userland and kernel
 IPSEC_STARTER_PID       PID file for ipsec starter
 IPSEC_PLUTO_PID         PID file for IKEv1 keying daemon
 IPSEC_CHARON_PID        PID file for IKEv2 keying daemon
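The ipsec wrapper runs the helpers it finds under IPSEC_DIR and passes that directory on in PATH, and the reread* commands above turn whatever sits in the /etc/ipsec.d/*certs and crls directories into trusted material. Both are therefore directories that must not be writable by anyone but the administrator. The script below is added here as an example and is not part of the ipsec(8) page or of strongSwan: it reproduces the "set only if not already set" handling of the environment variables listed above and then audits those directories. Only /usr/local/lib/ipsec comes from this page (FILES); the other default paths, and the function names ipsec_env_defaults, dir_is_private and ipsec_check_dirs, are assumptions made for the example. A real installation bakes its own paths into the ipsec script at build time.

```sh
#!/bin/sh
# Added example, not part of ipsec(8) or strongSwan: mirror the wrapper's
# "set only if unset" treatment of its environment, then verify that the
# directories those variables point at are not writable by other users.

ipsec_env_defaults() {
    : "${IPSEC_DIR:=/usr/local/lib/ipsec}"   # from the FILES section of ipsec(8)
    : "${IPSEC_SBINDIR:=/usr/local/sbin}"    # assumed default
    : "${IPSEC_CONFDIR:=/etc}"               # assumed default; holds ipsec.conf, ipsec.secrets, ipsec.d/
    : "${IPSEC_PIDDIR:=/var/run}"            # assumed default
    export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR
}

# dir_is_private DIR: succeed if DIR exists and is neither group- nor
# world-writable. Parses "ls -ld" because stat(1) flags differ between
# GNU and BSD; column 6 is the group write bit, column 9 the other write bit.
dir_is_private() {
    [ -d "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case $perms in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# ipsec_check_dirs: audit every directory whose contents the wrapper or
# pluto will trust. Binaries under IPSEC_DIR are executed by the wrapper
# (normally as root), and certificates or CRLs dropped into the ipsec.d
# subdirectories become trusted on the next "ipsec reread*", so a writable
# directory here is a privilege-escalation or trust-injection path.
# Returns 0 if every directory is private, 1 otherwise.
ipsec_check_dirs() {
    ipsec_env_defaults
    rc=0
    for d in "$IPSEC_DIR" \
             "$IPSEC_CONFDIR/ipsec.d" \
             "$IPSEC_CONFDIR/ipsec.d/cacerts" \
             "$IPSEC_CONFDIR/ipsec.d/aacerts" \
             "$IPSEC_CONFDIR/ipsec.d/ocspcerts" \
             "$IPSEC_CONFDIR/ipsec.d/acerts" \
             "$IPSEC_CONFDIR/ipsec.d/crls"; do
        if ! dir_is_private "$d"; then
            echo "WARNING: $d is missing or writable by group/others" >&2
            rc=1
        fi
    done
    return $rc
}

# Run the audit only when invoked as:  sh thisfile.sh check
if [ "${1:-}" = check ]; then
    ipsec_check_dirs && echo "all IPsec directories are private"
fi
```

Ownership is deliberately not checked so the helper runs unprivileged; on a production host, pair it with a check that each directory is owned by root, since a directory owned by another account is writable by that account regardless of mode bits.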
 

SEE ALSO

ipsec.conf(5), ipsec.secrets(5), ipsec_barf(8)

HISTORY

Written for Linux FreeS/WAN <http://www.freeswan.org> by Henry Spencer. Updated and extended for Linux strongSwan <http://www.strongswan.org> by Andreas Steffen.