ipsec pluto [--help] [--version]
    [--nofork] [--rundir path] [--leak-detective] [--efence-protect]
    [--stderrlog] [--logfile filename] [--log-no-time] [--log-no-append] [--log-no-ip] [--log-no-audit]
    [--config filename] [--secretsfile secrets-file] [--ipsecdir dirname] [--nssdir dirname] [--coredir dirname]
    [--vendorid VID] [--uniqueids] [--virtual-private network_list] [--keep-alive delay_sec] [--force-busy] [--crl-strict] [--crlcheckinterval] [--listen ipaddr] [--nhelpers number] [--seedbits numbits] [--statsbin filename] [--secctx-attr-type number]
    [--use-xfrm] [--use-bsdkame]
pluto is Libreswan's Internet Key Exchange (IKE) daemon.
pluto is not normally run directly. Instead the daemon is controlled by the host's init(8) system (such as systemd(1) or rc(8)) or by the ipsec command (see ipsec(8)).
For more general information on Libreswan see libreswan(7).
For information on how to configure Libreswan and the pluto daemon see ipsec.conf(5).
When starting, pluto attempts to create a lockfile with the name /run/pluto/pluto.pid. If the lockfile cannot be created, pluto exits; this prevents multiple plutos from competing. Any "leftover" lockfile must be manually removed before pluto will run. pluto then writes its PID into this file so that scripts can find it. pluto then forks and the parent exits (this is the conventional "daemon fork").
      
The following options alter how pluto starts:
--nofork
	  disable "daemon fork". In addition, after the lock file and control socket are created, print the line "Pluto initialized" to standard out.
--rundir path
	  change the run directory from the default /run/pluto. The run directory contains:
	  path/pluto.ctl
	      the socket through which whack communicates with pluto
	  path/pluto.pid
	      the lockfile to prevent multiple pluto instances
--leak-detective
	  enable leak detective
--efence-protect
	  enable efence protection
All logging, including diagnostics, is sent to syslog(3) with facility=authpriv; syslog decides where to put these messages. The following options alter this behaviour:
--stderrlog
	  direct logging to standard error instead of a log file. Often combined with --nofork when debugging pluto.
--logfile filename
	  direct logging to filename instead of syslog(3). See ipsec.conf(5) and logfile=filename.
--log-no-time
	  do not include a timestamp prefix when logging to a file. See ipsec.conf(5) and logtime=no.
--log-no-append
	  do not append to the end of an existing log file. See ipsec.conf(5) and logappend=no.
--log-no-ip
	  do not include IP addresses when logging. See ipsec.conf(5) and logip=no.
--log-no-audit
	  do not generate audit logs (on systems that support Linux Auditing). See ipsec.conf(5) and audit-log=no.
The following options override pluto's default configuration parameters:
--config filename
	  specify an ipsec.conf(5) file containing additional configuration parameters. The "config" section of filename will be loaded. Normally, pluto is started using ipsec start, which passes the parameter --config /etc/ipsec.conf so that the default configuration is read.
--secretsfile secrets-file
	  specify the file for authentication secrets. This name is subject to "globbing" as in sh(1), so every file with a matching name is processed. Quoting is generally needed to prevent the shell from doing the globbing. Default is /etc/ipsec.secrets. See ipsec.secrets(5).
--ipsecdir dirname
	  the directory containing additional configuration files. Default is /etc/ipsec.d.
--nssdir dirname
	  the directory containing the NSS trust store. Default is /var/lib/ipsec/nss.
--coredir dirname
	  the directory to write a core file should pluto abort. Default is /run/pluto.
The following options tweak pluto's behaviour:
--vendorid VID
	  
--uniqueids
	  require all connections to have a unique identifier. If this option has been selected, whenever a new ISAKMP SA is established, any connection with the same Peer ID but a different Peer IP address is unoriented (causing all its SAs to be deleted). This helps clean up dangling SAs when a connection is lost and then regained at another IP address.
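The bookkeeping rule behind --uniqueids, as an added example that is not pluto's own code: a small connection table in which a newly established ISAKMP SA for a peer ID unorients every other entry with the same ID at a different address. The structure, the roaming scenario and all identities and addresses are constructed sample data (documentation address ranges), chosen to show the difference between the option being on and off.

```c
/* Added example, not pluto's code: how --uniqueids treats a peer that
 * reappears from a new address. All IDs/addresses are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_CONN 8

struct conn {
    char peer_id[32];   /* IKE identity of the peer, e.g. "@roadwarrior" */
    char peer_ip[16];   /* address the peer last negotiated from */
    int oriented;       /* 1 = live SAs, 0 = unoriented (SAs deleted) */
};

struct conn_table {
    struct conn c[MAX_CONN];
    int n;
};

static void add_conn(struct conn_table *t, const char *id, const char *ip)
{
    if (t->n >= MAX_CONN)
        return;
    struct conn *c = &t->c[t->n++];
    snprintf(c->peer_id, sizeof c->peer_id, "%s", id);
    snprintf(c->peer_ip, sizeof c->peer_ip, "%s", ip);
    c->oriented = 1;
}

/* A new ISAKMP SA was established with peer (id, ip). With uniqueids set,
 * unorient every other connection that has the same id but another ip.
 * Returns the number of connections unoriented. */
int new_isakmp_sa(struct conn_table *t, const char *id, const char *ip, int uniqueids)
{
    int seen = 0, dropped = 0;
    for (int i = 0; i < t->n; i++) {
        struct conn *c = &t->c[i];
        if (strcmp(c->peer_id, id) != 0)
            continue;                   /* different identity: untouched */
        if (strcmp(c->peer_ip, ip) == 0) {
            c->oriented = 1;            /* same peer, same address */
            seen = 1;
        } else if (uniqueids && c->oriented) {
            c->oriented = 0;            /* dangling SA at the old address */
            dropped++;
        }
    }
    if (!seen)
        add_conn(t, id, ip);            /* first SA from this address */
    return dropped;
}

int oriented_count(const struct conn_table *t)
{
    int live = 0;
    for (int i = 0; i < t->n; i++)
        live += t->c[i].oriented;
    return live;
}

/* Scenario: "@roadwarrior" first connects from 203.0.113.5, loses its
 * link, and reappears from 198.51.100.9. Returns how many connections
 * the second SA unoriented. */
int roaming_peer_scenario(struct conn_table *t, int uniqueids)
{
    t->n = 0;
    add_conn(t, "@roadwarrior", "203.0.113.5");
    add_conn(t, "@office", "192.0.2.1");
    return new_isakmp_sa(t, "@roadwarrior", "198.51.100.9", uniqueids);
}

/* Convenience wrappers: connections dropped / still oriented afterwards. */
int roaming_peer_dropped(int uniqueids)
{
    struct conn_table t;
    return roaming_peer_scenario(&t, uniqueids);
}

int roaming_peer_live(int uniqueids)
{
    struct conn_table t;
    roaming_peer_scenario(&t, uniqueids);
    return oriented_count(&t);
}

int main(void)
{
    printf("uniqueids on:  unoriented %d, live %d\n", roaming_peer_dropped(1), roaming_peer_live(1));
    printf("uniqueids off: unoriented %d, live %d\n", roaming_peer_dropped(0), roaming_peer_live(0));
    return 0;
}
```

With the option on, the stale entry at 203.0.113.5 is unoriented and only two connections stay live; with it off, all three stay live and the old SA lingers until it times out. Note that the rule keys on the peer ID alone, so two legitimately distinct hosts that share one identity would keep knocking each other out.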
--virtual-private network_list
	  Pluto supports RFC 3947 NAT-Traversal. The allowed range behind the NAT routers is submitted using the --virtual-private option. See ipsec.conf(5) for the syntax.
--keep-alive delay_sec
	  The --keep-alive option sets the delay (in seconds) of the NAT-T keep-alive packets. The newer NAT-T standards support port floating, and Libreswan enables this by default.
--force-busy
	  If this option has been selected, pluto will be forced to be "busy". This state, which normally occurs during a denial of service attack, forces pluto to require cookies before accepting new incoming IKE packets. Cookies are sent and required in IKEv1 Aggressive Mode and in IKEv2. This option is mostly used for testing purposes, but can be selected by paranoid administrators as well.
--crl-strict
	  reject authentication using X.509 until a valid certificate revocation list has been loaded
--crlcheckinterval
	  
--listen ipaddr
	  
--nhelpers number
	  specify the number of threads to use when offloading cryptographic operations. Pluto can also use helper children to off-load cryptographic operations. This behavior can be fine tuned using the --nhelpers option. Pluto will start (n-1) of them, where n is the number of CPUs you have (including hyperthreaded CPUs). A value of 0 forces pluto to do all operations in the main process. A value of -1 tells pluto to perform the above calculation. Any other value forces the number to that amount. See ipsec.conf(5) and nhelpers=number.
--seedbits numbits
	  specify the number of seed bits to read from the RNG before starting. Pluto uses the NSS crypto library as its random source. Some government Three Letter Agency requires that pluto reads 440 bits from /dev/random and feeds this into the NSS RNG before drawing random from the NSS library, despite the NSS library itself already seeding its internal state. As this process can block pluto for an extended time, the default is to not perform this redundant seeding. The --seedbits option can be used to specify the number of bits that will be pulled from /dev/random and seeded into the NSS RNG. See ipsec.conf(5) and seedbits=number. This option should not be used by most people.
--statsbin filename
	  
--secctx-attr-type number
	  
Libreswan supports different IP stacks on different operating systems. Since most IP stacks have died, the list is very short:
--use-xfrm
	  linux only
--use-bsdkame
	  BSD only
When running pluto under a debugger, the options --nofork and --stderrlog are recommended.
pluto is willing to produce a prodigious amount of debugging information. There are several classes of debugging output, and pluto may be directed to produce a selection of them. All lines of debugging output are prefixed with "|" to distinguish them from normal diagnostic messages.
See ipsec.conf(5) and plutodebug=options.
Very occasionally it is necessary to enable debugging early in pluto's startup process. The following options enable this:
--debug help (whack only)
	  List the debugging classes recognised by pluto.
--debug none
	  Disable logging for all debugging classes.
--debug base
	  Enable debug-logging.
--debug cpu-usage
	  Enable cpu-usage logging.
--debug class, --no-debug class, --debug no-class
	  Enable (disable) logging of the specified debugging class (--debug help lists debugging classes supported by this version of pluto).
pluto responds to SIGHUP by issuing a suggestion that ipsec listen might have been intended.

pluto exits when it receives SIGTERM.
pluto normally forks a daemon process, so the exit status is a very preliminary result.
0 means that all is OK so far.
1 means that something was wrong.
10 means that the lock file already exists.
This code is released under the GPL terms. See the accompanying files CHANGES, COPYING and CREDITS.* for more details.
Detailed history (including FreeS/WAN and Openswan) can be found in the docs/ directory.
Please see https://github.com/libreswan/libreswan/issues for a list of currently known bugs and missing features.