Provided by: strongswan-starter_4.5.2-1.1ubuntu1_i386

NAME

       ipsec - invoke IPsec utilities

SYNOPSIS

       ipsec command [ arguments ] [ options ]

DESCRIPTION

       The  ipsec  utility  invokes  any  of  several  utilities  involved  in
       controlling and monitoring the IPsec encryption/authentication  system,
       running  the specified command with the specified arguments and options
       as if it had been invoked directly. This  largely  eliminates  possible
       name  collisions with other software, and also permits some centralized
       services.

       All the commands described in this manual page  are  built-in  and  are
       used  to  control  and  monitor  IPsec  connections  as well as the IKE
       daemons.

       For other commands ipsec supplies the invoked command with  a  suitable
       PATH  environment  variable,  and also provides IPSEC_DIR, IPSEC_CONFS,
       and IPSEC_VERSION environment variables,  containing  respectively  the
       full  pathname  of  the directory where the IPsec utilities are stored,
       the full pathname of the directory where the configuration files  live,
       and the IPsec version number.

   CONTROL COMMANDS
       ipsec start [ starter options ]
              calls  ipsec  starter which in turn parses ipsec.conf and starts
              the IKEv1 pluto and IKEv2 charon daemons.

       ipsec update
              sends a HUP signal to ipsec starter which in turn determines any
              changes  in  ipsec.conf  and  updates  the  configuration on the
              running IKEv1 pluto and IKEv2 charon daemons, correspondingly.

       ipsec reload
              sends a USR1 signal to ipsec starter which in turn  reloads  the
              whole  configuration on the running IKEv1 pluto and IKEv2 charon
              daemons based on the current ipsec.conf.

       ipsec restart
              is equivalent to ipsec stop followed  by  ipsec  start  after  a
              guard of 2 seconds.

       ipsec stop
              terminates  all  IPsec connections and stops the IKEv1 pluto and
              IKEv2 charon daemons by sending a TERM signal to ipsec starter.

       ipsec up name
              tells the responsible IKE daemon to start up connection name.

       ipsec down name
              tells the responsible IKE daemon to terminate connection name.

       ipsec down name{n}
              terminates IKEv2 CHILD SA instance n of connection name.

       ipsec down name{*}
              terminates all IKEv2 CHILD SA instances of connection name.

       ipsec down name[n]
              terminates IKEv2 IKE SA instance n of connection name.

       ipsec down name[*]
              terminates all IKEv2 IKE SA instances of connection name.

       ipsec route name
              tells the responsible IKE daemon to insert an  IPsec  policy  in
              the  kernel  for  connection  name.  The  first  payload  packet
              matching the IPsec policy  will  automatically  trigger  an  IKE
              connection setup.

       ipsec unroute name
              removes the IPsec policy in the kernel for connection name.

       ipsec status [ name ]
              returns concise status information either on connection name or,
              if the argument is lacking, on all connections.

       ipsec statusall [ name ]
              returns detailed status information either on connection name or,
              if the argument is lacking, on all connections.
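
       The target forms accepted by ipsec down use characters the shell
       treats specially, so they should be quoted. The script below is an
       added example, not part of strongSwan: classify_down_target,
       unquoted_target_demo, the connection name "home" and the name
       allow-list are all assumptions of the example.

```shell
#!/bin/sh
# Added example: recognise the target forms documented for "ipsec down".
# Prints "<kind> <connection>" where kind is one of
#   connection | child-sa:<n> | child-sa:all | ike-sa:<n> | ike-sa:all
# and returns 1 for anything that fits none of the documented forms.
classify_down_target() {
    target=$1
    case $target in
        *'{'*'}') body=${target%?}; name=${body%%'{'*}; inst=${body#*'{'}; kind=child-sa ;;
        *'['*']') body=${target%?}; name=${body%%'['*}; inst=${body#*'['}; kind=ike-sa ;;
        *)        name=$target; inst=; kind=connection ;;
    esac
    # Assumption of this example: a conservative allow-list for connection
    # names, so a script never forwards spaces or shell metacharacters.
    case $name in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # The instance must be "*" or a decimal number; a plain name has none.
    case $inst in
        '*')         inst=all ;;
        ''|*[!0-9]*) [ "$kind" = connection ] || return 1 ;;
    esac
    if [ "$kind" = connection ]; then
        printf '%s %s\n' "$kind" "$name"
    else
        printf '%s:%s %s\n' "$kind" "$inst" "$name"
    fi
}

# Why the quotes matter: unquoted, name[n] is a glob pattern. With a file
# called "home1" in the working directory the shell hands "home1" to the
# command, which is a different target from IKE SA instance 1 of "home".
unquoted_target_demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && : > home1 && set -- home[1] && printf '%s\n' "$1" )
    rm -rf "$dir"
}
```

       A wrapper would call classify_down_target "$1" first and only then
       run ipsec down "$1", keeping the double quotes in both places.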

   LIST COMMANDS
       ipsec listalgs
              returns a list of all supported IKE encryption and hash algorithms,
              the available Diffie-Hellman groups, as well  as  all  supported
              ESP  encryption and authentication algorithms registered via the
              Linux kernel's Crypto API.
              Supported by the IKEv1 pluto daemon only.

       ipsec listpubkeys [ --utc ]
              returns a list of RSA public keys that were either loaded in raw
              key format or extracted from X.509 and/or OpenPGP certificates.
              Supported by the IKEv1 pluto daemon only.

       ipsec listcerts [ --utc ]
              returns  a  list  of X.509 and/or OpenPGP certificates that were
              either loaded locally by the IKE  daemon  or  received  via  the
              IKEv2 protocol.

       ipsec listcacerts [ --utc ]
              returns   a   list   of   X.509   Certification  Authority  (CA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/ipsec.d/cacerts/  directory  or  received in PKCS#7-wrapped
              certificate payloads via the IKE protocol.

       ipsec listaacerts [ --utc ]
              returns  a  list   of   X.509   Authorization   Authority   (AA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/ipsec.d/aacerts/ directory.

       ipsec listocspcerts [ --utc ]
              returns a list of  X.509  OCSP  Signer  certificates  that  were
              either   loaded   locally   by   the   IKE   daemon   from   the
              /etc/ipsec.d/ocspcerts/  directory  or  were  sent  by  an  OCSP
              server.

       ipsec listacerts [ --utc ]
              returns  a list of X.509 Attribute certificates that were loaded
              locally  by  the  IKE  daemon  from   the   /etc/ipsec.d/acerts/
              directory.

       ipsec listgroups [ --utc ]
              returns   a  list  of  groups  that  are  used  to  define  user
              authorization profiles.
              Supported by the IKEv1 pluto daemon only.

       ipsec listcainfos [ --utc ]
              returns certification authority  information  (CRL  distribution
              points,  OCSP  URIs,  LDAP  servers)  that  were  defined  by ca
              sections in ipsec.conf.

       ipsec listcrls [ --utc ]
              returns a list of Certificate Revocation Lists (CRLs) that  were
              either  loaded  by  the  IKE  daemon  from the /etc/ipsec.d/crls
              directory  or  fetched  from  an   HTTP-   or   LDAP-based   CRL
              distribution point.

       ipsec listocsp [ --utc ]
              returns revocation information fetched from OCSP servers.

       ipsec listcards [ --utc ]
              lists all certificates found on attached smart cards.
              Supported by the IKEv1 pluto daemon only.

       ipsec listall [ --utc ]
              returns  all  information  generated by the list commands above.
              Each list command can be called  with  the  --utc  option  which
              displays all dates in UTC instead of local time.

   REREAD COMMANDS
       ipsec rereadsecrets
              flushes and rereads all secrets defined in ipsec.secrets.

       ipsec rereadcacerts
              reads     all     certificate    files    contained    in    the
              /etc/ipsec.d/cacerts directory and adds  them  to  the  list  of
              Certification Authority (CA) certificates.

       ipsec rereadaacerts
              reads     all     certificate    files    contained    in    the
              /etc/ipsec.d/aacerts directory and adds  them  to  the  list  of
              Authorization Authority (AA) certificates.

       ipsec rereadocspcerts
              reads     all     certificate    files    contained    in    the
              /etc/ipsec.d/ocspcerts/ directory and adds them to the  list  of
              OCSP signer certificates.

       ipsec rereadacerts
              reads     all     certificate    files    contained    in    the
              /etc/ipsec.d/acerts/ directory and adds  them  to  the  list  of
              attribute certificates.

       ipsec rereadcrls
              reads  all Certificate  Revocation Lists (CRLs) contained in the
              /etc/ipsec.d/crls/ directory and adds them to the list of CRLs.

       ipsec rereadall
              executes all reread commands listed above.

   PURGE COMMANDS
       ipsec purgeike
              purges IKEv2 SAs that don't have a CHILD SA.

       ipsec purgeocsp
              purges all cached OCSP information records.

   INFO COMMANDS
       ipsec --help
              returns the usage information for the ipsec command.

       ipsec --version
              returns the version in the form of Linux strongSwan U<strongSwan
              userland version>/K<Linux kernel version> if strongSwan uses the
              native NETKEY IPsec stack of the Linux kernel it is running on.

       ipsec --versioncode
              returns the version number in the form of U<strongSwan  userland
              version>/K<Linux  kernel  version> if strongSwan uses the native
              NETKEY IPsec stack of the Linux kernel it is running on.

       ipsec --copyright
              returns the copyright information.

       ipsec --directory
              returns the LIBEXECDIR directory as  defined  by  the  configure
              options.

       ipsec --confdir
              returns  the  SYSCONFDIR  directory  as defined by the configure
              options.

FILES

       /usr/local/lib/ipsec     usual utilities directory

ENVIRONMENT

       The following environment variables control where strongSwan finds  its
       components.  The ipsec command sets them if they are not already set.

       IPSEC_DIR           directory containing ipsec programs and utilities
       IPSEC_SBINDIR       directory containing ipsec command
       IPSEC_CONFDIR       directory containing configuration files
       IPSEC_PIDDIR        directory containing PID files
       IPSEC_NAME          name of ipsec distribution
       IPSEC_VERSION       version number of ipsec userland and kernel
       IPSEC_STARTER_PID   PID file for ipsec starter
       IPSEC_PLUTO_PID     PID file for IKEv1 keying daemon
       IPSEC_CHARON_PID    PID file for IKEv2 keying daemon
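
       Because ipsec only sets these variables when they are not already
       set, values inherited from the calling environment take precedence
       over its defaults. The script below is an added example, not part
       of strongSwan, that reports inherited values and runs a command
       with them removed; the function names preset_ipsec_vars and
       without_ipsec_env are assumptions of the example.

```shell
#!/bin/sh
# Added example. Variable names are taken from the ENVIRONMENT section.
IPSEC_ENV_VARS='IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_NAME
IPSEC_VERSION IPSEC_STARTER_PID IPSEC_PLUTO_PID IPSEC_CHARON_PID'

# Print NAME=value for every listed variable that is already set, even if
# it is set to the empty string. These are the values ipsec would keep
# instead of applying its own defaults.
preset_ipsec_vars() {
    for v in $IPSEC_ENV_VARS; do
        # eval is applied only to the fixed names above, never to user input.
        if eval "[ \"\${$v+set}\" = set ]"; then
            eval "printf '%s=%s\n' \"\$v\" \"\$$v\""
        fi
    done
}

# Run a command in a subshell with all listed variables removed, so that
# nothing inherited from a login session, cron job or sudo call decides
# where the utilities and configuration files are looked up.
without_ipsec_env() {
    (
        for v in $IPSEC_ENV_VARS; do
            unset "$v"
        done
        exec "$@"
    )
}
```

       Typical use in an administrative script is to log the output of
       preset_ipsec_vars and then call without_ipsec_env ipsec statusall.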

SEE ALSO

       ipsec.conf(5), ipsec.secrets(5)

HISTORY

       Originally written for the FreeS/WAN project by Henry Spencer.  Updated
       and extended for the strongSwan project <http://www.strongswan.org>  by
       Tobias Brunner and Andreas Steffen.