ipsec
ipsec is actually an umbrella command comprising a collection of individual sub commands of the form
ipsec <command> [ <argument> ] [ <options> ]
that can be used to control and monitor IPsec connections as well as the IKE daemons.
Control Commands
ipsec start [ <starter options> ]
calls ipsec starter [ <starter options> ] which in turn parses ipsec.conf and starts the IKE daemon charon.
ipsec stop
terminates all IPsec connections and stops the IKE daemon charon by sending a TERM signal to ipsec starter.
ipsec restart [ <starter options> ]
is equivalent to ipsec stop followed by ipsec start [ <starter options> ] after a guard period of 2 seconds.
ipsec update
sends a HUP signal to ipsec starter which in turn determines any changes in ipsec.conf and updates the configuration on the running IKE daemon charon. Currently established connections are not affected by configuration changes.
ipsec reload
sends a USR1 signal to ipsec starter which in turn reloads the whole configuration on the running IKE daemon charon based on the actual ipsec.conf. Currently established connections are not affected by configuration changes.
ipsec up <name>
tells the IKE daemon to start up connection <name>. Implemented by calling the ipsec stroke up <name> command.
ipsec down <name>
tells the IKE daemon to terminate connection <name>. Implemented by calling the ipsec stroke down <name> command.
ipsec down <name>{n}
terminates CHILD_SA instance n of connection <name>. Since {n} uniquely identifies a CHILD_SA, the name is optional.
ipsec down <name>{*}
terminates all CHILD_SA instances of connection <name>.
ipsec down <name>[n]
terminates IKE_SA instance n of connection <name> plus its dependent CHILD_SAs. Since [n] uniquely identifies an IKE_SA, the name is optional.
ipsec down <name>[*]
terminates all IKE_SA instances of connection <name>.
ipsec route <name>
tells the IKE daemon to insert IPsec policies in the kernel for connection <name>. The first payload packet matching the IPsec policies will automatically trigger an IKE connection setup. Implemented by calling the ipsec stroke route <name> command.
ipsec unroute <name>
removes the IPsec policies in the kernel for connection <name>. Implemented by calling the ipsec stroke unroute <name> command.
ipsec status [ <name> ]
returns concise status information either on connection <name> or if the argument is lacking, on all connections. Implemented by calling the ipsec stroke status [ <name> ] command.
ipsec statusall [ <name> ]
returns detailed status information either on connection <name> or if the argument is lacking, on all connections. Implemented by calling the ipsec stroke statusall [ <name> ] command.
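The instance-specific forms of ipsec down above need the [n] and {n} identifiers, which ipsec status prints one SA per line. The helper below is an added example, not part of strongSwan: it parses a constructed status listing (shape assumed from charon's stroke status output, not captured from a real host) and emits exactly the name[n] / name{n} tokens that ipsec down accepts, plus a count of ESTABLISHED IKE_SAs for a monitoring check.

```shell
#!/bin/sh
# Constructed sample of `ipsec status` output (assumed format; not a real capture).
SAMPLE_STATUS='Security Associations (3 up, 0 connecting):
        home[1]: ESTABLISHED 12 minutes ago, 192.0.2.10[moon.example]...192.0.2.20[sun.example]
        home{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a8d1aa_i c0a8d1bb_o
        home{1}:   10.1.0.0/16 === 10.2.0.0/16
        home[2]: ESTABLISHED 3 seconds ago, 192.0.2.10[moon.example]...192.0.2.20[sun.example]
        home{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0a8d2aa_i c0a8d2bb_o
        home{2}:   10.1.0.0/16 === 10.3.0.0/16
        rw[3]: ESTABLISHED 1 hour ago, 192.0.2.10[moon.example]...198.51.100.5[carol@example]
        rw{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c0a8d3aa_i c0a8d3bb_o
        rw{3}:   10.1.0.0/16 === 10.9.0.7/32'

# sa_instances <status text>: print one "conn[n]" line per IKE_SA and one
# "conn{n}" line per CHILD_SA, i.e. the forms `ipsec down` accepts, so a
# single instance can be torn down from a script without guessing numbers.
sa_instances() {
    printf '%s\n' "$1" | awk '
        # IKE_SA lines look like:  name[n]: ESTABLISHED ...
        /^[ \t]*[A-Za-z0-9_-]+\[[0-9]+\]: / {
            split($1, p, ":"); print p[1]; next
        }
        # CHILD_SA lines look like: name{n}:  INSTALLED ...
        # (the following traffic-selector line for the same {n} is skipped)
        /^[ \t]*[A-Za-z0-9_-]+[{][0-9]+[}]: +INSTALLED/ {
            split($1, p, ":"); print p[1]; next
        }'
}

# count_established <status text>: number of IKE_SAs in ESTABLISHED state.
count_established() {
    printf '%s\n' "$1" | grep -c '\]: ESTABLISHED'
}
```

On a live host replace SAMPLE_STATUS with "$(ipsec status)"; the emitted tokens can then be fed to ipsec down one at a time.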
Info Commands
ipsec version
returns the ipsec version in the form of Linux strongSwan U<strongSwan userland version>/K<Linux kernel version> if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
ipsec copyright
returns the copyright information.
ipsec --confdir
returns the SYSCONFDIR directory as defined by the configure options.
ipsec --directory
returns the LIBEXECDIR directory as defined by the configure options.
ipsec --help
returns the usage information for the ipsec command.
ipsec --versioncode
returns the ipsec version number in the form of U<strongSwan userland version>/K<Linux kernel version> if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
List Commands
ipsec listaacerts [ --utc ]
returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by the IKE daemon from the /etc/ipsec.d/aacerts directory. Implemented by calling the ipsec stroke listaacerts command.
ipsec listacerts [ --utc ]
returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the /etc/ipsec.d/acerts directory. Implemented by calling the ipsec stroke listacerts command.
ipsec listcounters [ <name> ]
returns a list of global or connection-specific counter values about received and sent IKE messages and rekeyings. Connection-specific counters are available since 5.0.3. Implemented by calling the ipsec stroke listcounters command.
ipsec listalgs
returns a list of all supported IKE encryption and hash algorithms, and the available Diffie-Hellman groups. Implemented by calling the ipsec stroke listalgs command.
ipsec listcacerts [ --utc ]
returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by the IKE daemon from the /etc/ipsec.d/cacerts directory or received via the IKE protocol. Implemented by calling the ipsec stroke listcacerts command.
ipsec listcainfos [ --utc ]
returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers) that was defined by ca sections in ipsec.conf. Implemented by calling the ipsec stroke listcainfos command.
ipsec listcrls [ --utc ]
returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon from the /etc/ipsec.d/crls directory or fetched from an HTTP- or LDAP-based CRL distribution point. Implemented by calling the ipsec stroke listcrls command.
ipsec listcerts [ --utc ]
returns a list of X.509 and/or OpenPGP certificates that were either loaded locally by the IKE daemon or received via the IKE protocol. Implemented by calling the ipsec stroke listcerts command.
ipsec listgroups [ --utc ]
returns a list of all groups that are used to define user authorization profiles. Currently not supported.
ipsec listocsp [ --utc ]
returns cached revocation information fetched from OCSP servers. Implemented by calling the ipsec stroke listocsp command.
ipsec listocspcerts [ --utc ]
returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE daemon from the /etc/ipsec.d/ocspcerts directory or were sent by an OCSP server. Implemented by calling the ipsec stroke listocspcerts command.
ipsec listplugins
returns a list of all loaded plugin features. Implemented by calling the ipsec stroke listplugins command.
ipsec listpubkeys [ --utc ]
returns a list of RSA public keys that were loaded in raw key format. Implemented by calling the ipsec stroke listpubkeys command.
ipsec listall [ --utc ]
returns all information generated by the list commands above. Each list command can be called with the --utc option, which displays all dates in UTC instead of local time. Implemented by calling the ipsec stroke listall command.
Reread Commands
ipsec rereadaacerts
reads all certificate files contained in the /etc/ipsec.d/aacerts directory and adds them to the list of Authorization Authority (AA) certificates. Implemented by calling the ipsec stroke rereadaacerts command.
ipsec rereadacerts
reads all certificate files contained in the /etc/ipsec.d/acerts directory and adds them to the list of attribute certificates. Implemented by calling the ipsec stroke rereadacerts command.
ipsec rereadcacerts
reads all certificate files contained in the /etc/ipsec.d/cacerts directory and adds them to the list of Certification Authority (CA) certificates. Implemented by calling the ipsec stroke rereadcacerts command.
ipsec rereadcrls
reads all Certificate Revocation Lists (CRLs) contained in the /etc/ipsec.d/crls directory and adds them to the list of CRLs. Older CRLs are replaced by newer ones. Implemented by calling the ipsec stroke rereadcrls command.
ipsec rereadocspcerts
reads all certificate files contained in the /etc/ipsec.d/ocspcerts directory and adds them to the list of OCSP signer certificates. Implemented by calling the ipsec stroke rereadocspcerts command.
ipsec rereadsecrets
flushes and rereads all secrets defined in ipsec.secrets. Implemented by calling the ipsec stroke rereadsecrets command.
ipsec secrets
is equivalent to ipsec rereadsecrets.
ipsec rereadall
executes all reread commands listed above. Implemented by calling the ipsec stroke rereadall command.
Reset Commands
ipsec resetcounters [ <name> ]
resets global or connection-specific counters. Available since 5.0.3. Implemented by calling the ipsec stroke resetcounters command.
Purge Commands
ipsec purgecerts
purges all cached certificates. Implemented by calling the ipsec stroke purgecerts command.
ipsec purgecrl
purges all cached CRLs. Implemented by calling the ipsec stroke purgecrl command.
ipsec purgeike
purges IKE_SAs that don't have a CHILD_SA. Implemented by calling the ipsec stroke purgeike command.
ipsec purgeocsp
purges all cached OCSP information records. Implemented by calling the ipsec stroke purgeocsp command.
Before 5.0.0
In releases before 5.0.0 IKEv1 connections were handled by the separate pluto keying daemon. The ipsec command then used ipsec whack in addition to the ipsec stroke command to communicate with pluto.
List Commands
ipsec listcards [ --utc ]
lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only. Implemented by calling the ipsec whack --listcards command.
PKCS11 Proxy Commands
ipsec scencrypt <value> [ --inbase <base> ] [ --outbase <base> ] [ --keyid <id> ]
Supported by the IKEv1 pluto daemon only. Implemented by calling the ipsec whack --scencrypt command.
ipsec scdecrypt <value> [ --inbase <base> ] [ --outbase <base> ] [ --keyid <id> ]
Supported by the IKEv1 pluto daemon only. Implemented by calling the ipsec whack --scdecrypt command.