racoonctl (8) - Linux Manuals
racoonctl: racoon administrative control tool
NAME
racoonctl - racoon administrative control tool
SYNOPSIS
[opts] reload-config[opts] show-schedule
[opts] show-sa [isakmp|esp|ah|ipsec]
[opts] get-sa-cert [inet|inet6] src dst
[opts] flush-sa [isakmp|esp|ah|ipsec]
[opts] delete-sa saopts
[opts] establish-sa [-w ] [-n remoteconf ] [-u identity ] saopts
[opts] vpn-connect [-u identity ] vpn_gateway
[opts] vpn-disconnect vpn_gateway
[opts] show-event
[opts] logout-user login
DESCRIPTION
is used to control racoon(8) operation, if ipsec-tools was configured with adminport support. Communication between and racoon(8) is done through a UNIX socket. By changing the default mode and ownership of the socket, you can allow non-root users to alter racoon(8) behavior, so do that with caution.The following general options are available:
- -d
- Debug mode. Hexdump sent admin port commands.
- -l
- Increase verbosity. Mainly for show-sa command.
- -s socket
- Specify unix socket name used to connecting racoon.
The following commands are available:
- reload-config
- This should cause racoon(8) to reload its configuration file.
- show-schedule
- Unknown command.
- show-sa [isakmp|esp|ah|ipsec]
- Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use -l to increase verbosity.
- get-sa-cert [inet|inet6 src dst ]
- Output the raw certificate that was used to authenticate the phase 1 matching src and dst
- flush-sa [isakmp|esp|ah|ipsec]
- is used to flush all SAs if no SA class is provided, or a class of SAs, either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
- establish-sa [-w [-n remoteconf [-u username ] ]
-
Oc Ar saopts
Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
The optional
-u username
can be used when establishing an ISAKMP SA while hybrid auth is in use.
The exact remote block to use can be specified with
-n remoteconf
will prompt you for the password associated with
username
and these credentials will be used in the Xauth exchange.
Specifying -w will make racoonctl wait until the SA is actually established or an error occurs.
saopts has the following format:
- isakmp {inet|inet6} src dst
- {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port
- {icmp|tcp|udp|gre|any}
- vpn-connect [-u username vpn_gateway ]
- This is a particular case of the previous command. It will establish an ISAKMP SA with vpn_gateway
- delete-sa saopts
- Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
- vpn-disconnect vpn_gateway
- This is a particular case of the previous command. It will kill all SAs associated with vpn_gateway
- show-event
- Listen for all events reported by racoon(8).
- logout-user login
- Delete all SA established on behalf of the Xauth user login
Command shortcuts are available:
- rc
- reload-config
- ss
- show-sa
- sc
- show-schedule
- fs
- flush-sa
- ds
- delete-sa
- es
- establish-sa
- vc
- vpn-connect
- vd
- vpn-disconnect
- se
- show-event
- lu
- logout-user
RETURN VALUES
The command should exit with 0 on success, and non-zero on errors.FILES
- /var/racoon/racoon.sock or
- /var/run/racoon.sock
- racoon(8) control socket.
HISTORY
Once was kmpstat in the KAME project. It turned into but remained undocumented for a while. An Emmanuel Dreyfus Aq manu [at] NetBSD.org wrote this man page.