Provided by: strongswan-starter_5.3.5-1ubuntu3_amd64 bug

NAME

       ipsec - invoke IPsec utilities

SYNOPSIS

       ipsec command [arguments] [options]

DESCRIPTION

       The  ipsec utility invokes any of several utilities involved in controlling and monitoring
       the IPsec  encryption/authentication  system,  running  the  specified  command  with  the
       specified  arguments  and  options  as  if  it  had  been  invoked  directly. This largely
       eliminates possible name collisions with other software, and also permits some centralized
       services.

       All  the  commands  described in this manual page are built-in and are used to control and
       monitor IPsec connections as well as the IKE daemon.

       For other commands ipsec supplies the invoked command with  a  suitable  PATH  environment
       variable, and also provides the environment variables listed under ENVIRONMENT.

   CONTROL COMMANDS
       start [starter options]
              calls starter which in turn parses ipsec.conf and starts the IKE daemon charon.

       update sends  a  HUP  signal to starter which in turn determines any changes in ipsec.conf
              and updates the configuration on the running IKE daemon charon.

       reload sends a USR1 signal to starter which in turn reloads the whole configuration of the
              running IKE daemon charon based on the actual ipsec.conf.

       restart
              is equivalent to stop followed by start after a guard of 2 seconds.

       stop   terminates  all IPsec connections and stops the IKE daemon charon by sending a TERM
              signal to starter.

       up name
              tells the IKE daemon to start up connection name.

       down name
              tells the IKE daemon to terminate connection name.

       down name{n}
              terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance n of connection name.

       down name{*}
              terminates all IKEv1 Quick Mode and  IKEv2 CHILD SA instances of connection name.

       down name[n]
              terminates IKE SA instance n of connection name.

       down name[*]
              terminates all IKE SA instances of connection name.

       down-srcip <start> [<end>]
              terminates all IKE SA instances with clients having virtual IPs in the range start-
              end.

       route name
              tells  the  IKE daemon to insert an IPsec policy in the kernel for connection name.
              The first payload packet matching the IPsec policy will  automatically  trigger  an
              IKE connection setup.

       unroute name
              remove the IPsec policy in the kernel for connection name.

       status [name]
              returns  concise status information either on connection name or if the argument is
              lacking, on all connections.

       statusall [name]
              returns detailed status information either on connection name or if the argument is
              lacking, on all connections.

   LIST COMMANDS
       leases [<poolname> [<address>]]
              returns the status of all or the selected IP address pool (or even a single virtual
              IP address).

       listalgs
              returns a list  supported  cryptographic  algorithms  usable  for  IKE,  and  their
              corresponding plugin.

       listpubkeys [--utc]
              returns  a  list  of  RSA  public keys that were either loaded in raw key format or
              extracted from X.509 and|or OpenPGP certificates.

       listcerts [--utc]
              returns a list of X.509 and|or OpenPGP certificates that were either loaded locally
              by the IKE daemon or received via the IKE protocol.

       listcacerts [--utc]
              returns  a list of X.509 Certification Authority (CA) certificates that were loaded
              locally by the IKE daemon from the /etc/ipsec.d/cacerts/ directory or received  via
              the IKE protocol.

       listaacerts [--utc]
              returns  a list of X.509 Authorization Authority (AA) certificates that were loaded
              locally by the IKE daemon from the /etc/ipsec.d/aacerts/ directory.

       listocspcerts [--utc]
              returns a list of X.509 OCSP Signer certificates that were either loaded locally by
              the  IKE  daemon from the /etc/ipsec.d/ocspcerts/ directory or were sent by an OCSP
              server.

       listacerts [--utc]
              returns a list of X.509 Attribute certificates that were loaded locally by the  IKE
              daemon from the /etc/ipsec.d/acerts/ directory.

       listgroups [--utc]
              returns a list of groups that are used to define user authorization profiles.

       listcainfos [--utc]
              returns  certification  authority  information (CRL distribution points, OCSP URIs,
              LDAP servers) that were defined by ca sections in ipsec.conf.

       listcrls [--utc]
              returns a list of Certificate Revocation Lists (CRLs) that were  either  loaded  by
              the  IKE  daemon  from  the /etc/ipsec.d/crls directory or fetched from an HTTP- or
              LDAP-based CRL distribution point.

       listocsp [--utc]
              returns revocation information fetched from OCSP servers.

       listplugins
              returns a list of all loaded plugin features.

       listcounters [name]
              returns a list of global or connection specific IKE counter values collected  since
              daemon startup.

       listall [--utc]
              returns all information generated by the list commands above. Each list command can
              be called with the --utc option which displays all dates in UTC  instead  of  local
              time.

   REREAD COMMANDS
       rereadsecrets
              flushes and rereads all secrets defined in ipsec.secrets.

       rereadcacerts
              removes previously loaded CA certificates, reads all certificate files contained in
              the /etc/ipsec.d/cacerts directory and adds  them  to  the  list  of  Certification
              Authority  (CA)  certificates. This does not affect certificates explicitly defined
              in a ipsec.conf(5) ca section, which may be separately  updated  using  the  update
              command.

       rereadaacerts
              removes previously loaded AA certificates, reads all certificate files contained in
              the /etc/ipsec.d/aacerts directory and adds  them  to  the  list  of  Authorization
              Authority (AA) certificates.

       rereadocspcerts
              reads  all certificate files contained in the /etc/ipsec.d/ocspcerts/ directory and
              adds them to the list of OCSP signer certificates.

       rereadacerts
              reads all certificate files contained in the   /etc/ipsec.d/acerts/  directory  and
              adds them to the list of attribute certificates.

       rereadcrls
              reads  all Certificate  Revocation Lists (CRLs) contained in the /etc/ipsec.d/crls/
              directory and adds them to the list of CRLs.

       rereadall
              executes all reread commands listed above.

   RESET COMMANDS
       resetcounters [name]
              resets global or connection specific counters.

   PURGE COMMANDS
       purgecerts
              purges all cached certificates.

       purgecrls
              purges all cached CRLs.

       purgeike
              purges IKE SAs that don't have a Quick Mode or CHILD SA.

       purgeocsp
              purges all cached OCSP information records.

   INFO COMMANDS
       --help returns the usage information for the ipsec command.

       --version
              returns  the  version  in  the  form  of  Linux  strongSwan  U<strongSwan  userland
              version>/K<Linux  kernel  version> if strongSwan uses the native NETKEY IPsec stack
              of the Linux kernel it is running on.

       --versioncode
              returns the version number in the form of  U<strongSwan  userland  version>/K<Linux
              kernel  version>  if  strongSwan  uses  the  native NETKEY IPsec stack of the Linux
              kernel it is running on.

       --copyright
              returns the copyright information.

       --directory
              returns the LIBEXECDIR directory as defined by the configure options.

       --confdir
              returns the SYSCONFDIR directory as defined by the configure options.

       --piddir
              returns the PIDDIR directory as defined by the configure options.

FILES

       /usr/libexec/ipsec       utilities directory

ENVIRONMENT

       When  calling  other  commands  the  ipsec  command  supplies  the  following  environment
       variables.

       IPSEC_DIR               directory containing ipsec programs and utilities
       IPSEC_BINDIR            directory containing pki command
       IPSEC_SBINDIR           directory containing ipsec command
       IPSEC_CONFDIR           directory containing configuration files
       IPSEC_PIDDIR            directory containing PID/socket files
       IPSEC_SCRIPT            name of the ipsec script
       IPSEC_NAME              name of ipsec distribution
       IPSEC_VERSION           version numer of ipsec userland and kernel
       IPSEC_STARTER_PID       PID file for ipsec starter
       IPSEC_CHARON_PID        PID file for IKE keying daemon

SEE ALSO

       ipsec.conf(5), ipsec.secrets(5)

HISTORY

       Originally  written  for the FreeS/WAN project by Henry Spencer.  Updated and extended for
       the strongSwan project <http://www.strongswan.org> by Tobias Brunner and Andreas Steffen.