Provided by: strongswan-starter_5.3.5-1ubuntu3_i386 bug

NAME

       ipsec - invoke IPsec utilities

SYNOPSIS

       ipsec command [arguments] [options]

DESCRIPTION

       The  ipsec  utility  invokes  any  of  several  utilities  involved  in
       controlling and monitoring the IPsec encryption/authentication  system,
       running  the specified command with the specified arguments and options
       as if it had been invoked directly. This  largely  eliminates  possible
       name  collisions with other software, and also permits some centralized
       services.

       All the commands described in this manual page  are  built-in  and  are
       used  to  control  and  monitor  IPsec  connections  as well as the IKE
       daemon.

       For other commands ipsec supplies the invoked command with  a  suitable
       PATH  environment variable, and also provides the environment variables
       listed under ENVIRONMENT.

   CONTROL COMMANDS
       start [starter options]
              calls starter which in turn parses ipsec.conf and starts the IKE
              daemon charon.

       update sends  a  HUP  signal  to  starter  which in turn determines any
              changes in ipsec.conf  and  updates  the  configuration  on  the
              running IKE daemon charon.

       reload sends  a  USR1 signal to starter which in turn reloads the whole
              configuration of the running IKE  daemon  charon  based  on  the
              actual ipsec.conf.

       restart
              is  equivalent  to  stop  followed  by  start after a guard of 2
              seconds.

       stop   terminates all IPsec connections and stops the IKE daemon charon
              by sending a TERM signal to starter.

       up name
              tells the IKE daemon to start up connection name.

       down name
              tells the IKE daemon to terminate connection name.

       down name{n}
              terminates  IKEv1  Quick  Mode  and IKEv2 CHILD SA instance n of
              connection name.

       down name{*}
              terminates all IKEv1 Quick Mode and  IKEv2 CHILD SA instances of
              connection name.

       down name[n]
              terminates IKE SA instance n of connection name.

       down name[*]
              terminates all IKE SA instances of connection name.

       down-srcip <start> [<end>]
              terminates  all IKE SA instances with clients having virtual IPs
              in the range start-end.

       route name
              tells the IKE daemon to insert an IPsec policy in the kernel for
              connection  name.  The  first  payload packet matching the IPsec
              policy will automatically trigger an IKE connection setup.

       unroute name
              remove the IPsec policy in the kernel for connection name.

       status [name]
              returns concise status information either on connection name  or
              if the argument is lacking, on all connections.

       statusall [name]
              returns detailed status information either on connection name or
              if the argument is lacking, on all connections.

   LIST COMMANDS
       leases [<poolname> [<address>]]
              returns the status of all or the selected IP  address  pool  (or
              even a single virtual IP address).

       listalgs
              returns  a  list  supported  cryptographic algorithms usable for
              IKE, and their corresponding plugin.

       listpubkeys [--utc]
              returns a list of RSA public keys that were either loaded in raw
              key format or extracted from X.509 and|or OpenPGP certificates.

       listcerts [--utc]
              returns  a  list  of X.509 and|or OpenPGP certificates that were
              either loaded locally by the IKE daemon or received via the  IKE
              protocol.

       listcacerts [--utc]
              returns   a   list   of   X.509   Certification  Authority  (CA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/ipsec.d/cacerts/   directory   or   received  via  the  IKE
              protocol.

       listaacerts [--utc]
              returns  a  list   of   X.509   Authorization   Authority   (AA)
              certificates that were loaded locally by the IKE daemon from the
              /etc/ipsec.d/aacerts/ directory.

       listocspcerts [--utc]
              returns a list of  X.509  OCSP  Signer  certificates  that  were
              either   loaded   locally   by   the   IKE   daemon   from   the
              /etc/ipsec.d/ocspcerts/  directory  or  were  sent  by  an  OCSP
              server.

       listacerts [--utc]
              returns  a list of X.509 Attribute certificates that were loaded
              locally  by  the  IKE  daemon  from   the   /etc/ipsec.d/acerts/
              directory.

       listgroups [--utc]
              returns   a  list  of  groups  that  are  used  to  define  user
              authorization profiles.

       listcainfos [--utc]
              returns certification authority  information  (CRL  distribution
              points,  OCSP  URIs,  LDAP  servers)  that  were  defined  by ca
              sections in ipsec.conf.

       listcrls [--utc]
              returns a list of Certificate Revocation Lists (CRLs) that  were
              either  loaded  by  the  IKE  daemon  from the /etc/ipsec.d/crls
              directory  or  fetched  from  an   HTTP-   or   LDAP-based   CRL
              distribution point.

       listocsp [--utc]
              returns revocation information fetched from OCSP servers.

       listplugins
              returns a list of all loaded plugin features.

       listcounters [name]
              returns  a  list  of  global  or connection specific IKE counter
              values collected since daemon startup.

       listall [--utc]
              returns all information generated by the  list  commands  above.
              Each  list  command  can  be  called with the --utc option which
              displays all dates in UTC instead of local time.

   REREAD COMMANDS
       rereadsecrets
              flushes and rereads all secrets defined in ipsec.secrets.

       rereadcacerts
              removes previously loaded CA certificates, reads all certificate
              files  contained  in the /etc/ipsec.d/cacerts directory and adds
              them to the list of Certification Authority  (CA)  certificates.
              This  does  not  affect  certificates  explicitly  defined  in a
              ipsec.conf(5) ca section, which may be separately updated  using
              the update command.

       rereadaacerts
              removes previously loaded AA certificates, reads all certificate
              files contained in the /etc/ipsec.d/aacerts directory  and  adds
              them to the list of Authorization Authority (AA) certificates.

       rereadocspcerts
              reads     all     certificate    files    contained    in    the
              /etc/ipsec.d/ocspcerts/ directory and adds them to the  list  of
              OCSP signer certificates.

       rereadacerts
              reads     all     certificate    files    contained    in    the
              /etc/ipsec.d/acerts/ directory and adds  them  to  the  list  of
              attribute certificates.

       rereadcrls
              reads  all Certificate  Revocation Lists (CRLs) contained in the
              /etc/ipsec.d/crls/ directory and adds them to the list of CRLs.

       rereadall
              executes all reread commands listed above.

   RESET COMMANDS
       resetcounters [name]
              resets global or connection specific counters.

   PURGE COMMANDS
       purgecerts
              purges all cached certificates.

       purgecrls
              purges all cached CRLs.

       purgeike
              purges IKE SAs that don't have a Quick Mode or CHILD SA.

       purgeocsp
              purges all cached OCSP information records.

   INFO COMMANDS
       --help returns the usage information for the ipsec command.

       --version
              returns the version in the form of Linux strongSwan U<strongSwan
              userland version>/K<Linux kernel version> if strongSwan uses the
              native NETKEY IPsec stack of the Linux kernel it is running on.

       --versioncode
              returns the version number in the form of U<strongSwan  userland
              version>/K<Linux  kernel  version> if strongSwan uses the native
              NETKEY IPsec stack of the Linux kernel it is running on.

       --copyright
              returns the copyright information.

       --directory
              returns the LIBEXECDIR directory as  defined  by  the  configure
              options.

       --confdir
              returns  the  SYSCONFDIR  directory  as defined by the configure
              options.

       --piddir
              returns  the  PIDDIR  directory  as  defined  by  the  configure
              options.

FILES

       /usr/libexec/ipsec       utilities directory

ENVIRONMENT

       When  calling  other  commands the ipsec command supplies the following
       environment variables.

       IPSEC_DIR               directory containing ipsec programs and utilities
       IPSEC_BINDIR            directory containing pki command
       IPSEC_SBINDIR           directory containing ipsec command
       IPSEC_CONFDIR           directory containing configuration files
       IPSEC_PIDDIR            directory containing PID/socket files
       IPSEC_SCRIPT            name of the ipsec script
       IPSEC_NAME              name of ipsec distribution
       IPSEC_VERSION           version numer of ipsec userland and kernel
       IPSEC_STARTER_PID       PID file for ipsec starter
       IPSEC_CHARON_PID        PID file for IKE keying daemon

SEE ALSO

       ipsec.conf(5), ipsec.secrets(5)

HISTORY

       Originally written for the FreeS/WAN project by Henry Spencer.  Updated
       and  extended for the strongSwan project <http://www.strongswan.org> by
       Tobias Brunner and Andreas Steffen.