Provided by: racoon_0.8.2+20140711-10build1_amd64
NAME
racoonctl — racoon administrative control tool
SYNOPSIS
racoonctl [opts] reload-config racoonctl [opts] show-schedule racoonctl [opts] show-sa [isakmp|esp|ah|ipsec] racoonctl [opts] get-sa-cert [inet|inet6] src dst racoonctl [opts] flush-sa [isakmp|esp|ah|ipsec] racoonctl [opts] delete-sa saopts racoonctl [opts] establish-sa [-w] [-n remoteconf] [-u identity] saopts racoonctl [opts] vpn-connect [-u identity] vpn_gateway racoonctl [opts] vpn-disconnect vpn_gateway racoonctl [opts] show-event racoonctl [opts] logout-user login
DESCRIPTION
racoonctl is used to control racoon(8) operation, if ipsec-tools was configured with adminport support. Communication between racoonctl and racoon(8) is done through a UNIX socket. By changing the default mode and ownership of the socket, you can allow non-root users to alter racoon(8) behavior, so do that with caution. The following general options are available: -d Debug mode. Hexdump sent admin port commands. -l Increase verbosity. Mainly for show-sa command. -s socket Specify unix socket name used to connecting racoon. The following commands are available: reload-config This should cause racoon(8) to reload its configuration file. show-schedule Unknown command. show-sa [isakmp|esp|ah|ipsec] Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use -l to increase verbosity. get-sa-cert [inet|inet6] src dst Output the raw certificate that was used to authenticate the phase 1 matching src and dst. flush-sa [isakmp|esp|ah|ipsec] is used to flush all SAs if no SA class is provided, or a class of SAs, either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. establish-sa [-w] [-n remoteconf] [-u username] saopts Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. The optional -u username can be used when establishing an ISAKMP SA while hybrid auth is in use. The exact remote block to use can be specified with -n remoteconf. racoonctl will prompt you for the password associated with username and these credentials will be used in the Xauth exchange. Specifying -w will make racoonctl wait until the SA is actually established or an error occurs. saopts has the following format: isakmp {inet|inet6} src dst {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port {icmp|tcp|udp|gre|any} vpn-connect [-u username] vpn_gateway This is a particular case of the previous command. It will establish an ISAKMP SA with vpn_gateway. delete-sa saopts Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. vpn-disconnect vpn_gateway This is a particular case of the previous command. It will kill all SAs associated with vpn_gateway. show-event Listen for all events reported by racoon(8). logout-user login Delete all SA established on behalf of the Xauth user login. Command shortcuts are available: rc reload-config ss show-sa sc show-schedule fs flush-sa ds delete-sa es establish-sa vc vpn-connect vd vpn-disconnect se show-event lu logout-user
RETURN VALUES
The command should exit with 0 on success, and non-zero on errors.
FILES
/var/racoon/racoon.sock or /var/run/racoon.sock racoon(8) control socket.
SEE ALSO
ipsec(4), racoon(8)
HISTORY
Once was kmpstat in the KAME project. It turned into racoonctl but remained undocumented for a while. Emmanuel Dreyfus <manu@NetBSD.org> wrote this man page.