NAME

ipsec — invoke IPsec utilities

SYNOPSIS

ipsec command [argument...]

ipsec help

ipsec version

ipsec directory

DESCRIPTION

ipsec invokes any of several utilities involved in controlling the IPsec encryption/authentication system, running the specified command with the specified arguments as if it had been invoked directly. This largely eliminates possible name collisions with other software, and also permits some centralized services.

ipsec help lists the available commands. Most have their own manual pages.

ipsec version outputs the software version.

ipsec directory reports where the ipsec sub-commands are stored.

COMMANDS

To get a list of supported commands, use the command ipsec --help. The full set of commands is listed below:

ipsec start
ipsec stop
ipsec restart
ipsec listen

Used to control the pluto daemon using the host init system. Supported init systems are sysv, systemd, upstart and openrc.

See ipsec-start(8), ipsec-stop(8), ipsec-listen(8), and ipsec-restart(8).

ipsec add
ipsec up
ipsec start
ipsec route
ipsec unroute
ipsec ondemand
ipsec down
ipsec delete
ipsec redirect
ipsec replace

Used to manually add, remove and manipulate connections.

See ipsec-add(8), ipsec-redirect(8), ipsec-up(8), ipsec-start(8), ipsec-route(8), ipsec-unroute(8), ipsec-ondemand(8), ipsec-down(8), ipsec-replace(8), and ipsec-delete(8).

ipsec status
ipsec briefstatus
ipsec connectionstatus
ipsec briefconnectionstatus
ipsec trafficstatus
ipsec shuntstatus

Used to display information about connections and their current status.

See ipsec-status(8), ipsec-briefstatus(8), ipsec-trafficstatus(8), ipsec-connectionstatus(8), ipsec-shuntstatus(8), and ipsec-briefconnectionstatus(8).

ipsec initnss
ipsec checknss
ipsec import
ipsec listall
ipsec listcerts
ipsec rereadsecrets
ipsec listpubkeys
ipsec rereadcerts
ipsec listcacerts
ipsec rereadall

Used to initialise, verify, and manipulate the NSS database that contains all the X.509 certificate information and private RSA keys.

See ipsec-initnss(8), ipsec-rereadall(8), ipsec-rereadsecrets(8), ipsec-listall(8), ipsec-checknss(8), ipsec-import(8), ipsec-rereadcerts(8), ipsec-listcerts(8), ipsec-listcacerts(8), ipsec-fips(8), ipsec-listpubkeys(8), and ipsec-pk12status(8).

ipsec fetchcrls
ipsec listcrls

Update and display the Certificate Revocation List.

See ipsec-fetchcrls(8), and ipsec-listcrls(8).

ipsec certutil
ipsec crlutil
ipsec modutil
ipsec pk12util
ipsec vfychain

Wrappers around the NSS pk12util, modutil, certutil, and crlutil that can be used to directly manipulate Libreswan's NSS database.

See ipsec-certutil(8), ipsec-crlutil(8), ipsec-modutil(8), ipsec-pk12util(8), and ipsec-vfychain(8).

ipsec checkconfig
ipsec readwriteconf

Used to validate and dump the ipsec configuration file (default /etc/ipsec.conf).

See ipsec-checkconfig(8), and ipsec-readwriteconf(8).

ipsec checknflog
ipsec stopnflog

Used to initialise and delete iptables rules for the nflog devices when specified via the nflog= or nflog-all= configuration options.

See ipsec-checknflog(8), and ipsec-stopnflog(8).

ipsec whack

Low-level utility for manipulating Libreswan's daemon pluto.

See ipsec-whack(8).

ipsec pluto

Libreswan's daemon that implements the Internet Key Exchange protocols.

See ipsec-pluto(8).

ipsec showhostkey
ipsec newhostkey
ipsec ecdsasigkey
ipsec rsasigkey

Generate and display raw host keys stored in the NSS database.

See: ipsec-showhostkey(8), ipsec-newhostkey(8), ipsec-ecdsasigkey(8), ipsec-rsasigkey(8).

ipsec algparse

Utility for displaying and verifying cryptographic proposals.

See: ipsec-algparse(8).

ipsec showroute

Utility for displaying the routing information.

See: ipsec-showroute(8).

ipsec letsencrypt

Utility for generating letsencrypt keys.

See: ipsec-letsencrypt(8).

ipsec fipsstatus
ipsec cavp

Display FIPS status and run FIPS crypto tests for CAVP compliance.

See: ipsec-fipsstatus(8), ipsec-cavp(8).

RETURN CODE

The ipsec command passes the return code of the sub-command back to the caller. The only exception is when ipsec pluto is used without --nofork, as it will fork into the background and the ipsec command returns success while the pluto daemon may in fact exit with an error code after the fork.
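The following added example (not part of the original manual page or of Libreswan) shows a script relying on the propagated return code to gate a restart on ipsec checkconfig, and compensating for the pluto fork exception by probing the daemon afterwards. The function names and the IPSEC, POLL_INTERVAL and PLUTO_TRIES variables are hypothetical; it assumes that ipsec status exits non-zero while pluto is not reachable.

```shell
#!/bin/sh
# Added example. IPSEC may be overridden (e.g. with a stub) for testing.
IPSEC="${IPSEC:-ipsec}"

# Run one sub-command and hand its exit status back unchanged,
# mirroring how ipsec itself passes the sub-command's status through.
run_step() {
    rc=0
    "$IPSEC" "$@" || rc=$?
    [ "$rc" -eq 0 ] || echo "ipsec $1 failed with exit status $rc" >&2
    return "$rc"
}

# Poll until the daemon answers a status request, or give up.
# Assumption: "ipsec status" exits non-zero while pluto is not reachable.
wait_for_pluto() {
    tries="${1:-10}"
    while [ "$tries" -gt 0 ]; do
        "$IPSEC" status >/dev/null 2>&1 && return 0
        tries=$((tries - 1))
        sleep "${POLL_INTERVAL:-1}"
    done
    echo "pluto did not answer a status request" >&2
    return 1
}

# Validate the configuration, restart only if validation passed,
# then confirm the daemon is actually answering.
# Returns: 0 ok, 2 bad config, 3 restart failed, 4 daemon not reachable.
safe_restart() {
    run_step checkconfig || return 2
    run_step restart || return 3
    wait_for_pluto "${1:-10}" || return 4
}

# Launch pluto directly with caller-supplied arguments. Without --nofork
# the launch reports success as soon as the daemon has forked, so a zero
# status here is not proof of a healthy daemon: probe it afterwards.
start_pluto_checked() {
    run_step pluto "$@" || return 3
    wait_for_pluto "${PLUTO_TRIES:-10}" || return 4
}
```

A caller would typically invoke safe_restart from a deployment hook and treat any non-zero status as a reason to keep the previous configuration in place.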

FILES

/usr/local/libexec/ipsec usual utilities directory

SEE ALSO

ipsec.conf(5), ipsec-add(8), ipsec-algparse(8), ipsec-briefconnectionstatus(8), ipsec-briefstatus(8), ipsec-certutil(8), ipsec-checkconfig(8), ipsec-checknflog(8), ipsec-checknss(8), ipsec-connectionstatus(8), ipsec-crlutil(8), ipsec-delete(8), ipsec-down(8), ipsec-ecdsasigkey(8), ipsec-fetchcrls(8), ipsec-fipsstatus(8), ipsec-globalstatus(8), ipsec-import(8), ipsec-initnss(8), ipsec-letsencrypt(8), ipsec-listall(8), ipsec-listcacerts(8), ipsec-listcerts(8), ipsec-listcrls(8), ipsec-listen(8), ipsec-listpubkeys(8), ipsec-modutil(8), ipsec-newhostkey(8), ipsec-ondemand(8), ipsec-pk12util(8), ipsec-pluto(8), ipsec-purgeocsp(8), ipsec-redirect(8), ipsec-replace(8), ipsec-rereadall(8), ipsec-rereadcerts(8), ipsec-rereadsecrets(8), ipsec-restart(8), ipsec-route(8), ipsec-rsasigkey(8), ipsec-setup(8), ipsec-showhostkey(8), ipsec-showroute(8), ipsec-showstates(8), ipsec-shuntstatus(8), ipsec-start(8), ipsec-status(8), ipsec-stop(8), ipsec-trafficstatus(8), ipsec-unroute(8), ipsec-up(8), ipsec-vfychain(8), ipsec-whack(8)

AUTHOR

Tuomo Soini, Andrew Cagney