src/racoon/racoonctl.8 - platform/external/ipsec-tools - Git at Google

 .\"	$NetBSD: racoonctl.8,v 1.22 2009/03/12 14:01:09 wiz Exp $
 .\"
 .\" Id: racoonctl.8,v 1.6 2006/05/07 21:32:59 manubsd Exp
 .\"
 .\" Copyright (C) 2004 Emmanuel Dreyfus
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 3. Neither the name of the project nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .Dd March 12, 2009
 .Dt RACOONCTL 8
 .Os
 .\"
 .Sh NAME
 .Nm racoonctl
 .Nd racoon administrative control tool
 .\"
 .Sh SYNOPSIS
 .Nm
 .Op opts
 reload-config
 .Nm
 .Op opts
 show-schedule
 .Nm
 .Op opts
 show-sa
 .Op isakmp|esp|ah|ipsec
 .Nm
 .Op opts
 get-sa-cert
 .Op inet|inet6
 .Ar src dst
 .Nm
 .Op opts
 flush-sa
 .Op isakmp|esp|ah|ipsec
 .Nm
 .Op opts
 delete-sa
 .Ar saopts
 .Nm
 .Op opts
 establish-sa
 .Op Fl w
 .Op Fl n Ar remoteconf
 .Op Fl u Ar identity
 .Ar saopts
 .Nm
 .Op opts
 vpn-connect
 .Op Fl u Ar identity
 .Ar vpn_gateway
 .Nm
 .Op opts
 vpn-disconnect
 .Ar vpn_gateway
 .Nm
 .Op opts
 show-event
 .Nm
 .Op opts
 logout-user
 .Ar login
 .\"
 .Sh DESCRIPTION
 .Nm
 is used to control
 .Xr racoon 8
 operation, if ipsec-tools was configured with adminport support.
 Communication between
 .Nm
 and
 .Xr racoon 8
 is done through a UNIX socket.
 By changing the default mode and ownership
 of the socket, you can allow non-root users to alter
 .Xr racoon 8
 behavior, so do that with caution.
 .Pp
 The following general options are available:
 .Bl -tag -width Ds
 .It Fl d
 Debug mode.
 Hexdump sent admin port commands.
 .It Fl l
 Increase verbosity.
 Mainly for show-sa command.
 .It Fl s Ar socket
 Specify unix socket name used to connecting racoon.
 .El
 .\"
 .Pp
 The following commands are available:
 .Bl -tag -width Ds
 .It reload-config
 This should cause
 .Xr racoon 8
 to reload its configuration file.
 .It show-schedule
 Unknown command.
 .It show-sa Op isakmp|esp|ah|ipsec
 Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs,
 IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
 Use
 .Fl l
 to increase verbosity.
 .It get-sa-cert Oo inet|inet6 Oc Ar src dst
 Output the raw certificate that was used to authenticate the phase 1
 matching
 .Ar src
 and
 .Ar dst .
 .It flush-sa Op isakmp|esp|ah|ipsec
 is used to flush all SAs if no SA class is provided, or a class of SAs,
 either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
 .It establish-sa Oo Fl w Oc Oo Fl n Ar remoteconf Oc Oo Fl u Ar username \
 Oc Ar saopts
 Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
 The optional
 .Fl u Ar username
 can be used when establishing an ISAKMP SA while hybrid auth is in use.
 The exact remote block to use can be specified with
 .Fl n Ar remoteconf .
 .Nm
 will prompt you for the password associated with
 .Ar username
 and these credentials will be used in the Xauth exchange.
 .Pp
 Specifying
 .Fl w
 will make racoonctl wait until the SA is actually established or
 an error occurs.
 .Pp
 .Ar saopts
 has the following format:
 .Bl -tag -width Bl
 .It isakmp {inet|inet6} Ar src Ar dst
 .It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
 {icmp|tcp|udp|gre|any}
 .El
 .It vpn-connect Oo Fl u Ar username Oc Ar vpn_gateway
 This is a particular case of the previous command.
 It will establish an ISAKMP SA with
 .Ar vpn_gateway .
 .It delete-sa Ar saopts
 Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
 .It vpn-disconnect Ar vpn_gateway
 This is a particular case of the previous command.
 It will kill all SAs associated with
 .Ar vpn_gateway .
 .It show-event
 Listen for all events reported by
 .Xr racoon 8 .
 .It logout-user Ar login
 Delete all SA established on behalf of the Xauth user
 .Ar login .
 .El
 .Pp
 Command shortcuts are available:
 .Bl -tag -width XXX -compact -offset indent
 .It rc
 reload-config
 .It ss
 show-sa
 .It sc
 show-schedule
 .It fs
 flush-sa
 .It ds
 delete-sa
 .It es
 establish-sa
 .It vc
 vpn-connect
 .It vd
 vpn-disconnect
 .It se
 show-event
 .It lu
 logout-user
 .El
 .\"
 .Sh RETURN VALUES
 The command should exit with 0 on success, and non-zero on errors.
 .\"
 .Sh FILES
 .Bl -tag -width 30n -compact
 .It Pa /var/racoon/racoon.sock No or
 .It Pa /var/run/racoon.sock
 .Xr racoon 8
 control socket.
 .El
 .\"
 .Sh SEE ALSO
 .Xr ipsec 4 ,
 .Xr racoon 8
 .Sh HISTORY
 Once was
 .Ic kmpstat
 in the KAME project.
 It turned into
 .Nm
 but remained undocumented for a while.
 .An Emmanuel Dreyfus Aq manu@NetBSD.org
 wrote this man page.
	.\" $NetBSD: racoonctl.8,v 1.22 2009/03/12 14:01:09 wiz Exp $
	.\"
	.\" Id: racoonctl.8,v 1.6 2006/05/07 21:32:59 manubsd Exp
	.\"
	.\" Copyright (C) 2004 Emmanuel Dreyfus
	.\" All rights reserved.
	.\"
	.\" Redistribution and use in source and binary forms, with or without
	.\" modification, are permitted provided that the following conditions
	.\" are met:
	.\" 1. Redistributions of source code must retain the above copyright
	.\" notice, this list of conditions and the following disclaimer.
	.\" 2. Redistributions in binary form must reproduce the above copyright
	.\" notice, this list of conditions and the following disclaimer in the
	.\" documentation and/or other materials provided with the distribution.
	.\" 3. Neither the name of the project nor the names of its contributors
	.\" may be used to endorse or promote products derived from this software
	.\" without specific prior written permission.
	.\"
	.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	.\" SUCH DAMAGE.
	.\"
	.Dd March 12, 2009
	.Dt RACOONCTL 8
	.Os
	.\"
	.Sh NAME
	.Nm racoonctl
	.Nd racoon administrative control tool
	.\"
	.Sh SYNOPSIS
	.Nm
	.Op opts
	reload-config
	.Nm
	.Op opts
	show-schedule
	.Nm
	.Op opts
	show-sa
	.Op isakmp\|esp\|ah\|ipsec
	.Nm
	.Op opts
	get-sa-cert
	.Op inet\|inet6
	.Ar src dst
	.Nm
	.Op opts
	flush-sa
	.Op isakmp\|esp\|ah\|ipsec
	.Nm
	.Op opts
	delete-sa
	.Ar saopts
	.Nm
	.Op opts
	establish-sa
	.Op Fl w
	.Op Fl n Ar remoteconf
	.Op Fl u Ar identity
	.Ar saopts
	.Nm
	.Op opts
	vpn-connect
	.Op Fl u Ar identity
	.Ar vpn_gateway
	.Nm
	.Op opts
	vpn-disconnect
	.Ar vpn_gateway
	.Nm
	.Op opts
	show-event
	.Nm
	.Op opts
	logout-user
	.Ar login
	.\"
	.Sh DESCRIPTION
	.Nm
	is used to control
	.Xr racoon 8
	operation, if ipsec-tools was configured with adminport support.
	Communication between
	.Nm
	and
	.Xr racoon 8
	is done through a UNIX socket.
	By changing the default mode and ownership
	of the socket, you can allow non-root users to alter
	.Xr racoon 8
	behavior, so do that with caution.
	.Pp
	The following general options are available:
	.Bl -tag -width Ds
	.It Fl d
	Debug mode.
	Hexdump sent admin port commands.
	.It Fl l
	Increase verbosity.
	Mainly for show-sa command.
	.It Fl s Ar socket
	Specify unix socket name used to connecting racoon.
	.El
	.\"
	.Pp
	The following commands are available:
	.Bl -tag -width Ds
	.It reload-config
	This should cause
	.Xr racoon 8
	to reload its configuration file.
	.It show-schedule
	Unknown command.
	.It show-sa Op isakmp\|esp\|ah\|ipsec
	Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs,
	IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
	Use
	.Fl l
	to increase verbosity.
	.It get-sa-cert Oo inet\|inet6 Oc Ar src dst
	Output the raw certificate that was used to authenticate the phase 1
	matching
	.Ar src
	and
	.Ar dst .
	.It flush-sa Op isakmp\|esp\|ah\|ipsec
	is used to flush all SAs if no SA class is provided, or a class of SAs,
	either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
	.It establish-sa Oo Fl w Oc Oo Fl n Ar remoteconf Oc Oo Fl u Ar username \
	Oc Ar saopts
	Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
	The optional
	.Fl u Ar username
	can be used when establishing an ISAKMP SA while hybrid auth is in use.
	The exact remote block to use can be specified with
	.Fl n Ar remoteconf .
	.Nm
	will prompt you for the password associated with
	.Ar username
	and these credentials will be used in the Xauth exchange.
	.Pp
	Specifying
	.Fl w
	will make racoonctl wait until the SA is actually established or
	an error occurs.
	.Pp
	.Ar saopts
	has the following format:
	.Bl -tag -width Bl
	.It isakmp {inet\|inet6} Ar src Ar dst
	.It {esp\|ah} {inet\|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
	{icmp\|tcp\|udp\|gre\|any}
	.El
	.It vpn-connect Oo Fl u Ar username Oc Ar vpn_gateway
	This is a particular case of the previous command.
	It will establish an ISAKMP SA with
	.Ar vpn_gateway .
	.It delete-sa Ar saopts
	Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
	.It vpn-disconnect Ar vpn_gateway
	This is a particular case of the previous command.
	It will kill all SAs associated with
	.Ar vpn_gateway .
	.It show-event
	Listen for all events reported by
	.Xr racoon 8 .
	.It logout-user Ar login
	Delete all SA established on behalf of the Xauth user
	.Ar login .
	.El
	.Pp
	Command shortcuts are available:
	.Bl -tag -width XXX -compact -offset indent
	.It rc
	reload-config
	.It ss
	show-sa
	.It sc
	show-schedule
	.It fs
	flush-sa
	.It ds
	delete-sa
	.It es
	establish-sa
	.It vc
	vpn-connect
	.It vd
	vpn-disconnect
	.It se
	show-event
	.It lu
	logout-user
	.El
	.\"
	.Sh RETURN VALUES
	The command should exit with 0 on success, and non-zero on errors.
	.\"
	.Sh FILES
	.Bl -tag -width 30n -compact
	.It Pa /var/racoon/racoon.sock No or
	.It Pa /var/run/racoon.sock
	.Xr racoon 8
	control socket.
	.El
	.\"
	.Sh SEE ALSO
	.Xr ipsec 4 ,
	.Xr racoon 8
	.Sh HISTORY
	Once was
	.Ic kmpstat
	in the KAME project.
	It turned into
	.Nm
	but remained undocumented for a while.
	.An Emmanuel Dreyfus Aq manu@NetBSD.org
	wrote this man page.