ipsec — invoke IPsec utilities


ipsec command [argument...]

ipsec help

ipsec version

ipsec directory


ipsec invokes any of several utilities involved in controlling the IPsec encryption/authentication system, running the specified command with the specified arguments as if it had been invoked directly. This largely eliminates possible name collisions with other software, and also permits some centralized services.

ipsec help lists the available commands. Most have their own manual pages.

ipsec version outputs the software version.

ipsec directory reports where the ipsec sub-commands are stored.


To get a list of supported commands, use the command ipsec --help. The full set of commands is listed below:

ipsec start, ipsec stop, ipsec restart, ipsec listen

Used to control the pluto daemon using the host init system. Supported init systems are sysv, systemd, upstart and openrc.

See ipsec-start(8), ipsec-stop(8), ipsec-listen(8), and ipsec-restart(8).

ipsec add, ipsec up, ipsec start, ipsec route, ipsec unroute, ipsec ondemand, ipsec down, ipsec delete, ipsec redirect, ipsec replace

Used to manually add, remove and manipulate connections.

See ipsec-add(8), ipsec-redirect(8), ipsec-up(8), ipsec-start(8), ipsec-route(8), ipsec-unroute(8), ipsec-ondemand(8), ipsec-down(8), ipsec-replace(8), and ipsec-delete(8).

ipsec status, ipsec briefstatus, ipsec connectionstatus, ipsec briefconnectionstatus, ipsec trafficstatus, ipsec shuntstatus

Used to display information about connections and their current status.

See ipsec-status(8), ipsec-briefstatus(8), ipsec-trafficstatus(8), ipsec-connectionstatus(8), ipsec-shuntstatus(8), and ipsec-briefconnectionstatus(8).

ipsec initnss, ipsec checknss, ipsec import, ipsec listall, ipsec listcerts, ipsec rereadsecrets, ipsec listpubkeys, ipsec rereadcerts, ipsec listcacerts, ipsec rereadall

Used to initialise, verify, and manipulate the NSS database that contains all the X.509 certificate information and private RSA keys.

See ipsec-initnss(8), ipsec-rereadall(8), ipsec-rereadsecrets(8), ipsec-listall(8), ipsec-checknss(8), ipsec-import(8), ipsec-rereadcerts(8), ipsec-listcerts(8), ipsec-listcacerts(8), ipsec-fips(8), ipsec-listpubkeys(8), and ipsec-pk12status(8).

ipsec fetchcrls, ipsec listcrls

Update and display the Certificate Revocation List.

See ipsec-fetchcrls(8), and ipsec-listcrls(8).

ipsec certutil, ipsec crlutil, ipsec modutil, ipsec pk12util, ipsec vfychain

Wrappers around the NSS pk12util, modutil, certutil, and crlutil that can be used to directly manipulate Libreswan's NSS database.

See ipsec-certutil(8), ipsec-crlutil(8), ipsec-modutil(8), ipsec-pk12util(8), and ipsec-vfychain(8).

ipsec checkconfig, ipsec readwriteconf

Used to validate and dump the ipsec configuration file (default /etc/ipsec.conf).

See ipsec-checkconfig(8), and ipsec-readwriteconf(8).

ipsec checknflog, ipsec stopnflog

Used to initialise and delete iptables rules for the nflog devices when specified via the nflog= or nflog-all= configuration options.

See ipsec-checknflog(8), and ipsec-stopnflog(8).

ipsec whack

Low-level utility for manipulating Libreswan's daemon pluto.

See ipsec-whack(8).

ipsec pluto

Libreswan's daemon that implements the Internet Key Exchange protocols.

See ipsec-pluto(8).

ipsec showhostkey, ipsec newhostkey, ipsec ecdsasigkey, ipsec rsasigkey

Generate and display raw host keys stored in the NSS database.

See: ipsec-showhostkey(8), ipsec-newhostkey(8), ipsec-ecdsasigkey(8), ipsec-rsasigkey(8).

ipsec algparse

Utility for displaying and verifying cryptographic proposals.

See: ipsec-algparse(8).

ipsec showroute

Utility for displaying the routing information.

See: ipsec-showroute(8).

ipsec letsencrypt

Utility for generating letsencrypt keys.

See: ipsec-letsencrypt(8).

ipsec fipsstatus, ipsec cavp

Display FIPS status and run FIPS crypto tests for CAVP compliance.

See: ipsec-fipsstatus(8), ipsec-cavp(8).


The ipsec command passes the return code of the sub-command back to the caller. The only exception is when ipsec pluto is used without --nofork, as it will fork into the background and the ipsec command returns success while the pluto daemon may in fact exit with an error code after the fork.
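An added example (not part of the Libreswan documentation) of a restart gate built on the return-code behaviour described above: it stops at the first sub-command that fails, then confirms the daemon is reachable instead of trusting the start-up return code alone. The function names, the IPSEC and POLL_INTERVAL variables and the return value 70 belong to this example; it assumes ipsec status returns non-zero while pluto is not reachable.

```shell
#!/bin/sh
# Added example: gate a restart on the return codes that ipsec passes back.
# IPSEC may be overridden (for instance with a stub) when testing the script.
IPSEC="${IPSEC:-ipsec}"

# Run one sub-command, log its return code, and hand that code back unchanged.
run_step() {
    "$IPSEC" "$@"
    rc=$?
    echo "ipsec $*: rc=$rc" >&2
    return "$rc"
}

# Poll "ipsec status" up to $1 times, POLL_INTERVAL seconds apart (default 1).
# Assumption: "ipsec status" returns non-zero while the daemon is unreachable.
wait_for_pluto() {
    tries=$1
    while [ "$tries" -gt 0 ]; do
        run_step status >/dev/null && return 0
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then
            sleep "${POLL_INTERVAL:-1}"
        fi
    done
    return 1
}

# Validate the configuration, restart only if validation passed, then check
# that pluto answers. A daemon that forked and then exited would otherwise go
# unnoticed, because the command that launched it already returned success.
# Returns: the failing sub-command's own code, or 70 (this example's choice)
# when every command succeeded but the daemon never answered.
safe_restart() {
    run_step checkconfig || { rc=$?; echo "configuration rejected" >&2; return "$rc"; }
    run_step restart || return $?
    wait_for_pluto "${1:-5}" || { echo "pluto not answering after restart" >&2; return 70; }
    return 0
}
```

Call safe_restart from a deployment script, optionally passing the number of status polls as its argument.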


/usr/local/libexec/ipsec usual utilities directory


ipsec.conf(5), ipsec-add(8), ipsec-algparse(8), ipsec-briefconnectionstatus(8), ipsec-briefstatus(8), ipsec-certutil(8), ipsec-checkconfig(8), ipsec-checknflog(8), ipsec-checknss(8), ipsec-connectionstatus(8), ipsec-crlutil(8), ipsec-delete(8), ipsec-down(8), ipsec-ecdsasigkey(8), ipsec-fetchcrls(8), ipsec-fipsstatus(8), ipsec-globalstatus(8), ipsec-import(8), ipsec-initnss(8), ipsec-letsencrypt(8), ipsec-listall(8), ipsec-listcacerts(8), ipsec-listcerts(8), ipsec-listcrls(8), ipsec-listen(8), ipsec-listpubkeys(8), ipsec-modutil(8), ipsec-newhostkey(8), ipsec-ondemand(8), ipsec-pk12util(8), ipsec-pluto(8), ipsec-purgeocsp(8), ipsec-redirect(8), ipsec-replace(8), ipsec-rereadall(8), ipsec-rereadcerts(8), ipsec-rereadsecrets(8), ipsec-restart(8), ipsec-route(8), ipsec-rsasigkey(8), ipsec-setup(8), ipsec-showhostkey(8), ipsec-showroute(8), ipsec-showstates(8), ipsec-shuntstatus(8), ipsec-start(8), ipsec-status(8), ipsec-stop(8), ipsec-trafficstatus(8), ipsec-unroute(8), ipsec-up(8), ipsec-vfychain(8), ipsec-whack(8)


Tuomo Soini, Andrew Cagney