NAME
racoonctl - racoon administrative control tool
SYNOPSIS
racoonctl [opts] reload-config
racoonctl [opts] show-schedule
racoonctl [opts] show-sa [isakmp|esp|ah|ipsec]
racoonctl [opts] get-sa-cert [inet|inet6] src dst
racoonctl [opts] flush-sa [isakmp|esp|ah|ipsec]
racoonctl [opts] delete-sa saopts
racoonctl [opts] establish-sa [-w] [-n remoteconf] [-u identity] saopts
racoonctl [opts] vpn-connect [-u identity] vpn_gateway
racoonctl [opts] vpn-disconnect vpn_gateway
racoonctl [opts] show-event
racoonctl [opts] logout-user login
DESCRIPTION
racoonctl is used to control racoon(8) operation, if ipsec-tools was
configured with adminport support. Communication between racoonctl and
racoon(8) is done through a UNIX socket. By changing the default mode and
ownership of the socket, you can allow non-root users to alter racoon(8)
behavior, so do that with caution.
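The mode and ownership of the control socket decide who on the host can drive racoon. The following is an added example, not part of ipsec-tools or of this manual page: a small Python audit that reports a control socket whose owner, group or permission bits would let unintended local users reach the admin port. The socket paths are the ones listed under FILES; the uid/gid expectations and the make_sample_socket fixture are assumptions made for the example.

```python
import os
import socket
import stat
import tempfile

# Paths listed in FILES; which one applies depends on how ipsec-tools was built.
RACOON_SOCKET_PATHS = ("/var/racoon/racoon.sock", "/var/run/racoon.sock")


def audit_control_socket(path, allowed_uid=0, allowed_gids=(0,)):
    """Audit racoon's control socket. Returns a list of (severity, message).

    "error": the entry lets unintended local users talk to racoon (wrong
    owner or group, any 'other' permission bit, a non-socket planted at the
    path) or is missing. "warning": group access, which is the supported way
    to delegate control and therefore only needs review. Empty list: clean.
    The expected uid/gid are assumptions; root and gid 0 are the defaults.
    """
    findings = []
    try:
        st = os.lstat(path)  # lstat: a symlink at this path is itself a finding
    except FileNotFoundError:
        return [("error", "%s: not present (racoon not running, or built without adminport)" % path)]

    if not stat.S_ISSOCK(st.st_mode):
        findings.append(("error", "%s: not a UNIX socket" % path))
    if st.st_uid != allowed_uid:
        findings.append(("error", "%s: owner uid %d, expected %d" % (path, st.st_uid, allowed_uid)))
    if st.st_gid not in allowed_gids:
        findings.append(("error", "%s: group gid %d, expected one of %s"
                         % (path, st.st_gid, sorted(allowed_gids))))
    perm = stat.S_IMODE(st.st_mode)
    if perm & stat.S_IRWXO:
        findings.append(("error", "%s: mode %04o grants access to every local user" % (path, perm)))
    elif perm & stat.S_IRWXG:
        findings.append(("warning", "%s: mode %04o grants access to gid %d; confirm that group is intended"
                         % (path, perm, st.st_gid)))
    return findings


def make_sample_socket(directory, mode):
    """Constructed fixture (not racoon): bind a throwaway UNIX socket and set its mode."""
    path = os.path.join(directory, "racoon.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    os.chmod(path, mode)
    s.close()  # closing the descriptor leaves the filesystem entry in place
    return path


if __name__ == "__main__":
    # Audit the real socket paths on this host...
    for p in RACOON_SOCKET_PATHS:
        for severity, msg in audit_control_socket(p):
            print(severity.upper(), msg)
    # ...and show the checks against a constructed world-accessible socket.
    with tempfile.TemporaryDirectory() as d:
        sample = make_sample_socket(d, 0o666)
        for severity, msg in audit_control_socket(sample, os.getuid(), (os.getgid(),)):
            print(severity.upper(), msg)
```

Run it as a periodic host check; a "warning" on group access is expected when an admin group is deliberately allowed to run racoonctl, while any "error" means the default protection of the socket has been lost.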
The following general options are available:
- -d
  Debug mode. Hexdump sent admin port commands.
- -l
  Increase verbosity. Mainly for the show-sa command.
- -s socket
  Specify the UNIX socket name used to connect to racoon.
The following commands are available:
- reload-config
  This should cause racoon(8) to reload its configuration file.
- show-schedule
  Unknown command.
- show-sa [isakmp|esp|ah|ipsec]
  Dump the SAs: all SAs if no SA class is provided, or either ISAKMP SAs,
  IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use -l to increase
  verbosity.
- get-sa-cert [inet|inet6] src dst
  Output the raw certificate that was used to authenticate the phase 1
  matching src and dst.
- flush-sa [isakmp|esp|ah|ipsec]
  Flush all SAs if no SA class is provided, or a class of SAs: either ISAKMP
  SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
- establish-sa [-w] [-n remoteconf] [-u username] saopts
  Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. The
  optional -u username can be used when establishing an ISAKMP SA while
  hybrid auth is in use. The exact remote block to use can be specified with
  -n remoteconf. racoonctl will prompt you for the password associated with
  username, and these credentials will be used in the Xauth exchange.
  Specifying -w will make racoonctl wait until the SA is actually
  established or an error occurs.
  saopts has the following format:
    isakmp {inet|inet6} src dst
    {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port {icmp|tcp|udp|gre|any}
- vpn-connect [-u username] vpn_gateway
  This is a particular case of establish-sa. It will establish an ISAKMP SA
  with vpn_gateway.
- delete-sa saopts
  Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
- vpn-disconnect vpn_gateway
  This is a particular case of delete-sa. It will kill all SAs associated
  with vpn_gateway.
- show-event
  Listen for all events reported by racoon(8).
- logout-user login
  Delete all SAs established on behalf of the Xauth user login.
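The saopts grammar above is what establish-sa and delete-sa consume. As an added example (not code from ipsec-tools or this manual page), here is a Python parser for that grammar that a wrapper script can use to validate arguments before handing them to racoonctl: it checks that the address family matches the addresses given, that prefix lengths and ports are in range, and that the upper-layer protocol is one of the listed keywords. The function names, the returned dictionary layout and the racoonctl_argv helper are assumptions made for the example.

```python
import ipaddress

SA_CLASSES = ("isakmp", "esp", "ah")
FAMILIES = ("inet", "inet6")
PROTOCOLS = ("icmp", "tcp", "udp", "gre", "any")


class SaoptsError(ValueError):
    """Raised for saopts that racoonctl's grammar does not allow."""


def _family(token):
    if token not in FAMILIES:
        raise SaoptsError("address family must be inet or inet6, got %r" % token)
    return token


def _address(token, family):
    """Parse one address and check it agrees with the declared family."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        raise SaoptsError("bad address %r" % token)
    if (family == "inet") != (addr.version == 4):
        raise SaoptsError("%s does not match family %s" % (token, family))
    return str(addr)


def _endpoint(token, family):
    """Parse the addr/prefixlen/port form used by esp and ah."""
    parts = token.split("/")
    if len(parts) != 3:
        raise SaoptsError("expected addr/prefixlen/port, got %r" % token)
    addr = _address(parts[0], family)
    try:
        prefixlen, port = int(parts[1]), int(parts[2])
    except ValueError:
        raise SaoptsError("prefixlen and port must be integers in %r" % token)
    max_len = 32 if family == "inet" else 128
    if not 0 <= prefixlen <= max_len:
        raise SaoptsError("prefixlen %d out of range for %s" % (prefixlen, family))
    if not 0 <= port <= 65535:
        raise SaoptsError("port %d out of range" % port)
    return {"addr": addr, "prefixlen": prefixlen, "port": port}


def parse_saopts(tokens):
    """Parse an saopts token list into a dict, or raise SaoptsError.

    isakmp {inet|inet6} src dst
    {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port {icmp|tcp|udp|gre|any}
    """
    tokens = list(tokens)
    if not tokens or tokens[0] not in SA_CLASSES:
        raise SaoptsError("saopts must start with one of %s" % (SA_CLASSES,))
    sa_class = tokens[0]
    if sa_class == "isakmp":
        if len(tokens) != 4:
            raise SaoptsError("isakmp takes exactly: family src dst")
        family = _family(tokens[1])
        return {"class": sa_class, "family": family,
                "src": _address(tokens[2], family), "dst": _address(tokens[3], family)}
    if len(tokens) != 5:
        raise SaoptsError("%s takes exactly: family src/prefixlen/port dst/prefixlen/port proto" % sa_class)
    family = _family(tokens[1])
    if tokens[4] not in PROTOCOLS:
        raise SaoptsError("protocol must be one of %s, got %r" % (PROTOCOLS, tokens[4]))
    return {"class": sa_class, "family": family,
            "src": _endpoint(tokens[2], family), "dst": _endpoint(tokens[3], family),
            "proto": tokens[4]}


def racoonctl_argv(command, saopts, racoonctl="racoonctl"):
    """Hypothetical wrapper helper: validate saopts, then build the argv to exec.

    Only delete-sa and establish-sa take saopts; the caller passes any
    establish-sa flags (-w, -n, -u) inside `command` handling of its own.
    """
    if command not in ("delete-sa", "establish-sa"):
        raise SaoptsError("%s does not take saopts" % command)
    parse_saopts(saopts)  # raises before anything is handed to racoonctl
    return [racoonctl, command] + list(saopts)


if __name__ == "__main__":
    # Constructed sample inputs using documentation address ranges.
    print(parse_saopts("isakmp inet 192.0.2.1 198.51.100.7".split()))
    print(parse_saopts("esp inet6 2001:db8::1/128/0 2001:db8::2/128/0 any".split()))
    print(racoonctl_argv("delete-sa", ["isakmp", "inet", "192.0.2.1", "198.51.100.7"]))
```

The argv list is meant to be passed to subprocess.run or os.execvp without a shell, so the validated tokens reach racoonctl unchanged and nothing is re-parsed by a shell on the way.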
Command shortcuts are available:
- rc
  reload-config
- ss
  show-sa
- sc
  show-schedule
- fs
  flush-sa
- ds
  delete-sa
- es
  establish-sa
- vc
  vpn-connect
- vd
  vpn-disconnect
- se
  show-event
- lu
  logout-user
RETURN VALUES
The command should exit with 0 on success, and non-zero on errors.
FILES
- /var/racoon/racoon.sock or /var/run/racoon.sock
  racoon(8) control socket.
SEE ALSO
ipsec(4), racoon(8)
HISTORY
Once was kmpstat in the KAME project. It turned into racoonctl but remained
undocumented for a while. Emmanuel Dreyfus ⟨manu@NetBSD.org⟩ wrote this man
page.