RACOONCTL(8)                System Manager's Manual               RACOONCTL(8)
NAME
     racoonctl - racoon administrative control tool
SYNOPSIS
     racoonctl [opts] reload-config
     racoonctl [opts] show-schedule
     racoonctl [opts] show-sa [isakmp|esp|ah|ipsec]
     racoonctl [opts] get-sa-cert [inet|inet6] src dst
     racoonctl [opts] flush-sa [isakmp|esp|ah|ipsec]
     racoonctl [opts] delete-sa saopts
     racoonctl [opts] establish-sa [-w] [-n remoteconf] [-u identity] saopts
     racoonctl [opts] vpn-connect [-u identity] vpn_gateway
     racoonctl [opts] vpn-disconnect vpn_gateway
     racoonctl [opts] show-event
     racoonctl [opts] logout-user login
DESCRIPTION
     racoonctl is used to control racoon(8) operation, provided ipsec-tools
     was configured with adminport support. Communication between racoonctl
     and racoon(8) is done through a UNIX socket. By changing the default
     mode and ownership of that socket you can allow non-root users to alter
     racoon(8) behavior, which is equivalent to giving them control over the
     IPsec SAs, so do that with caution.
     The following general options are available:

     -d           Debug mode. Hexdump the admin port commands that are sent.

     -l           Increase verbosity. Mainly for the show-sa command.

     -s socket    Specify the UNIX socket name used to connect to racoon.

     The following commands are available:
     reload-config
             This should cause racoon(8) to reload its configuration file.

     show-schedule
             Unknown command.

     show-sa [isakmp|esp|ah|ipsec]
             Dump the SAs: all the SAs if no SA class is provided, or either
             ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use
             -l to increase verbosity.

     get-sa-cert [inet|inet6] src dst
             Output the raw certificate that was used to authenticate the
             phase 1 matching src and dst.

     flush-sa [isakmp|esp|ah|ipsec]
             Flush all SAs if no SA class is provided, or one class of SAs:
             either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec
             SAs.

     establish-sa [-w] [-n remoteconf] [-u username] saopts
             Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH
             SA. The optional -u username can be used when establishing an
             ISAKMP SA while hybrid auth is in use. The exact remote block
             to use can be specified with -n remoteconf. racoonctl will
             prompt you for the password associated with username and these
             credentials will be used in the Xauth exchange. Specifying -w
             will make racoonctl wait until the SA is actually established
             or an error occurs. saopts has the following format:

             isakmp {inet|inet6} src dst
             {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port
                      {icmp|tcp|udp|gre|any}

     vpn-connect [-u username] vpn_gateway
             This is a particular case of the previous command. It will
             establish an ISAKMP SA with vpn_gateway.

     delete-sa saopts
             Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.

     vpn-disconnect vpn_gateway
             This is a particular case of the previous command. It will kill
             all SAs associated with vpn_gateway.

     show-event
             Listen for all events reported by racoon(8).

     logout-user login
             Delete all SAs established on behalf of the Xauth user login.
     The following shortcuts are available for the commands above:

     rc      reload-config
     ss      show-sa
     sc      show-schedule
     fs      flush-sa
     ds      delete-sa
     es      establish-sa
     vc      vpn-connect
     vd      vpn-disconnect
     se      show-event
     lu      logout-user
RETURN VALUES
     The command should exit with 0 on success, and non-zero on errors.

FILES
     /var/racoon/racoon.sock or /var/run/racoon.sock
             racoon(8) control socket.
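Because whoever can write to the control socket can alter racoon(8) behaviour, a practitioner will want to check the socket's mode before pointing racoonctl -s at it from an unprivileged account. The script below is an added example and is not part of the racoonctl man page or of ipsec-tools; it uses the two socket paths listed under FILES, and the helper names, the exposure categories and the RUN_RACOON_AUDIT variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the racoonctl man page or ipsec-tools): audit the
# racoon(8) control socket's mode, then use racoonctl on that socket only
# when it is owner-writable. Helper names and RUN_RACOON_AUDIT are assumed.

# mode_of PATH: print the 10-character symbolic mode, e.g. "srwxrw----".
# Uses only POSIX ls, so it works on BSD and Linux alike.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# socket_exposure PATH: print "ok", "group-writable" or "world-writable",
# classifying who besides the owner could drive racoon through PATH.
socket_exposure() {
    m=$(mode_of "$1") || return 2
    case "$m" in
        ????????w?) echo "world-writable" ;;   # 'w' in the "other" triplet
        ?????w????) echo "group-writable" ;;   # 'w' in the "group" triplet
        *)          echo "ok" ;;
    esac
}

# find_racoon_sock: print the first control socket path (from FILES) that
# exists as a socket, or fail if neither does.
find_racoon_sock() {
    for p in /var/racoon/racoon.sock /var/run/racoon.sock; do
        if [ -S "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# audit_racoon_sock: report the live socket's exposure; if only the owner
# can write to it, dump the ISAKMP SAs through it with racoonctl -s.
audit_racoon_sock() {
    sock=$(find_racoon_sock) || { echo "no racoon control socket found" >&2; return 2; }
    verdict=$(socket_exposure "$sock")
    echo "$sock: $verdict (mode $(mode_of "$sock"))"
    if [ "$verdict" != "ok" ]; then
        echo "refusing: non-owner users can alter racoon via $sock" >&2
        return 1
    fi
    racoonctl -s "$sock" show-sa isakmp
}

# Run the audit only when explicitly requested, so the file can also be
# sourced for its functions.
if [ "${RUN_RACOON_AUDIT:-0}" = 1 ]; then
    audit_racoon_sock
fi
```

Run it as `RUN_RACOON_AUDIT=1 sh audit.sh` on a host running racoon(8); a non-zero exit means the socket is shared more widely than the DESCRIPTION warns about.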
SEE ALSO
     ipsec(4), racoon(8)

HISTORY
     Once was kmpstat in the KAME project. It turned into racoonctl but
     remained undocumented for a while. Emmanuel Dreyfus <manu@NetBSD.org>
     wrote this man page.

Debian                          March 12, 2009                          Debian