Provided by: racoon_0.8.2+20140711-10build1_amd64

NAME

       racoonctl — racoon administrative control tool

SYNOPSIS

       racoonctl [opts] reload-config
       racoonctl [opts] show-schedule
       racoonctl [opts] show-sa [isakmp|esp|ah|ipsec]
       racoonctl [opts] get-sa-cert [inet|inet6] src dst
       racoonctl [opts] flush-sa [isakmp|esp|ah|ipsec]
       racoonctl [opts] delete-sa saopts
       racoonctl [opts] establish-sa [-w] [-n remoteconf] [-u identity] saopts
       racoonctl [opts] vpn-connect [-u identity] vpn_gateway
       racoonctl [opts] vpn-disconnect vpn_gateway
       racoonctl [opts] show-event
       racoonctl [opts] logout-user login

DESCRIPTION

       racoonctl  is  used to control racoon(8) operation, if ipsec-tools was configured with adminport support.
       Communication between racoonctl and racoon(8) is done through a UNIX socket.   By  changing  the  default
       mode  and  ownership  of the socket, you can allow non-root users to alter racoon(8) behavior, so do that
       with caution.

       The following general options are available:

       -d      Debug mode.  Hexdump sent admin port commands.

       -l      Increase verbosity.  Mainly for show-sa command.

       -s socket
               Specify the name of the UNIX socket used to connect to racoon.

       The following commands are available:

       reload-config
               This should cause racoon(8) to reload its configuration file.

       show-schedule
               Unknown command.

       show-sa [isakmp|esp|ah|ipsec]
               Dump the SAs: all SAs if no SA class is provided, or only ISAKMP SAs, IPsec ESP SAs, IPsec
               AH SAs, or all IPsec SAs.  Use -l to increase verbosity.

       get-sa-cert [inet|inet6] src dst
               Output the raw certificate that was used to authenticate the phase 1 matching src and dst.

       flush-sa [isakmp|esp|ah|ipsec]
               Flush all SAs if no SA class is provided, or one class of SAs: ISAKMP SAs, IPsec ESP SAs,
               IPsec AH SAs, or all IPsec SAs.

       establish-sa [-w] [-n remoteconf] [-u username] saopts
               Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.  The optional -u username can
               be used when establishing an ISAKMP SA while hybrid auth is in use; racoonctl will prompt you for
               the password associated with username, and these credentials will be used in the Xauth exchange.
               The exact remote block to use can be specified with -n remoteconf.

               Specifying -w will make racoonctl wait until the SA is actually established or an error occurs.

               saopts has the following format:

               isakmp {inet|inet6} src dst

               {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port
                 {icmp|tcp|udp|gre|any}

       vpn-connect [-u username] vpn_gateway
               This is a particular case of  the  previous  command.   It  will  establish  an  ISAKMP  SA  with
               vpn_gateway.

       delete-sa saopts
               Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.

       vpn-disconnect vpn_gateway
               This  is  a  particular  case  of  the  previous  command.   It will kill all SAs associated with
               vpn_gateway.

       show-event
               Listen for all events reported by racoon(8).

       logout-user login
               Delete all SAs established on behalf of the Xauth user login.

       Command shortcuts are available:
             rc   reload-config
             ss   show-sa
             sc   show-schedule
             fs   flush-sa
             ds   delete-sa
             es   establish-sa
             vc   vpn-connect
             vd   vpn-disconnect
             se   show-event
             lu   logout-user

RETURN VALUES

       The command should exit with 0 on success, and non-zero on errors.

FILES

       /var/racoon/racoon.sock or
       /var/run/racoon.sock            racoon(8) control socket.
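
       The DESCRIPTION warns that changing the mode or ownership of the control socket lets non-root
       users alter racoon(8) behavior.  The sh functions below are an added example, not part of
       ipsec-tools: they flag a socket whose owner is not the expected UID or whose mode grants any
       group/other bits.  Assumptions: GNU stat(1) with -c; all function names are illustrative.

```shell
#!/bin/sh
# Added example: audit owner and mode of the racoon admin socket.
# Assumes GNU stat (stat -c), as shipped on Debian/Ubuntu.

# mode_is_loose MODE: succeed if octal MODE has any group or other bit set.
mode_is_loose() {
    [ $(( 0$1 & 077 )) -ne 0 ]
}

# check_perms MODE UID WANT_UID: print one finding per line; return 1 if any.
check_perms() {
    bad=0
    if [ "$2" != "$3" ]; then
        echo "owner uid $2, expected $3"
        bad=1
    fi
    if mode_is_loose "$1"; then
        echo "mode $1 grants group/other access"
        bad=1
    fi
    return $bad
}

# audit_sock PATH [WANT_UID]: return 0 if clean, 1 on findings,
# 2 if PATH is absent or is not a socket. WANT_UID defaults to 0 (root).
audit_sock() {
    [ -e "$1" ] || { echo "absent: $1"; return 2; }
    [ -S "$1" ] || { echo "not a socket: $1"; return 2; }
    sock_stat=$(stat -c '%a %u' "$1") || return 2
    check_perms "${sock_stat% *}" "${sock_stat#* }" "${2:-0}"
}

# audit_default_socks: check both paths listed under FILES.
# Absent paths are reported but do not count as findings.
audit_default_socks() {
    audit_rc=0
    for s in /var/racoon/racoon.sock /var/run/racoon.sock; do
        audit_sock "$s" || [ $? -eq 2 ] || audit_rc=1
    done
    return $audit_rc
}

audit_default_socks || echo "review the findings above"
```

       To audit a socket path passed to racoonctl with -s, call audit_sock with that path.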

SEE ALSO

       ipsec(4), racoon(8)

HISTORY

       Once was kmpstat in the KAME project.  It turned into racoonctl but remained undocumented  for  a  while.
       Emmanuel Dreyfus <manu@NetBSD.org> wrote this man page.

Debian                                           March 12, 2009                                     RACOONCTL(8)