Home | History | Annotate | Download | only in racoon
 $NetBSD: racoonctl.8,v 1.22 2009/03/12 14:01:09 wiz Exp $

Id: racoonctl.8,v 1.6 2006/05/07 21:32:59 manubsd Exp

Copyright (C) 2004 Emmanuel Dreyfus
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the project nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.

.Dd March 12, 2009 .Dt RACOONCTL 8 .Os
.Sh NAME .Nm racoonctl .Nd racoon administrative control tool
.Sh SYNOPSIS .Nm .Op opts reload-config .Nm .Op opts show-schedule .Nm .Op opts show-sa .Op isakmp|esp|ah|ipsec .Nm .Op opts get-sa-cert .Op inet|inet6 .Ar src dst .Nm .Op opts flush-sa .Op isakmp|esp|ah|ipsec .Nm .Op opts delete-sa .Ar saopts .Nm .Op opts establish-sa .Op Fl w .Op Fl n Ar remoteconf .Op Fl u Ar identity .Ar saopts .Nm .Op opts vpn-connect .Op Fl u Ar identity .Ar vpn_gateway .Nm .Op opts vpn-disconnect .Ar vpn_gateway .Nm .Op opts show-event .Nm .Op opts logout-user .Ar login
.Sh DESCRIPTION .Nm is used to control .Xr racoon 8 operation, if ipsec-tools was configured with adminport support. Communication between .Nm and .Xr racoon 8 is done through a UNIX socket. By changing the default mode and ownership of the socket, you can allow non-root users to alter .Xr racoon 8 behavior, so do that with caution.

p The following general options are available: l -tag -width Ds t Fl d Debug mode. Hexdump sent admin port commands. t Fl l Increase verbosity. Mainly for show-sa command. t Fl s Ar socket Specify unix socket name used to connecting racoon. .El

p The following commands are available: l -tag -width Ds t reload-config This should cause .Xr racoon 8 to reload its configuration file. t show-schedule Unknown command. t show-sa Op isakmp|esp|ah|ipsec Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use .Fl l to increase verbosity. t get-sa-cert Oo inet|inet6 Oc Ar src dst Output the raw certificate that was used to authenticate the phase 1 matching .Ar src and .Ar dst . t flush-sa Op isakmp|esp|ah|ipsec is used to flush all SAs if no SA class is provided, or a class of SAs, either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. t establish-sa Oo Fl w Oc Oo Fl n Ar remoteconf Oc Oo Fl u Ar username \ Oc Ar saopts Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. The optional .Fl u Ar username can be used when establishing an ISAKMP SA while hybrid auth is in use. The exact remote block to use can be specified with .Fl n Ar remoteconf . .Nm will prompt you for the password associated with .Ar username and these credentials will be used in the Xauth exchange.

p Specifying .Fl w will make racoonctl wait until the SA is actually established or an error occurs.

p .Ar saopts has the following format: l -tag -width Bl t isakmp {inet|inet6} Ar src Ar dst t {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port {icmp|tcp|udp|gre|any} .El t vpn-connect Oo Fl u Ar username Oc Ar vpn_gateway This is a particular case of the previous command. It will establish an ISAKMP SA with .Ar vpn_gateway . t delete-sa Ar saopts Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. t vpn-disconnect Ar vpn_gateway This is a particular case of the previous command. It will kill all SAs associated with .Ar vpn_gateway . t show-event Listen for all events reported by .Xr racoon 8 . t logout-user Ar login Delete all SA established on behalf of the Xauth user .Ar login . .El

p Command shortcuts are available: l -tag -width XXX -compact -offset indent t rc reload-config t ss show-sa t sc show-schedule t fs flush-sa t ds delete-sa t es establish-sa t vc vpn-connect t vd vpn-disconnect t se show-event t lu logout-user .El
.Sh RETURN VALUES The command should exit with 0 on success, and non-zero on errors.
.Sh FILES l -tag -width 30n -compact t Pa /var/racoon/racoon.sock No or t Pa /var/run/racoon.sock .Xr racoon 8 control socket. .El
.Sh SEE ALSO .Xr ipsec 4 , .Xr racoon 8 .Sh HISTORY Once was c kmpstat in the KAME project. It turned into .Nm but remained undocumented for a while. .An Emmanuel Dreyfus Aq manu (at] NetBSD.org wrote this man page.