.\" $NetBSD: racoonctl.8,v 1.13 2006/09/09 16:22:10 manu Exp $
|
.\"
|
.\" Id: racoonctl.8,v 1.6 2006/05/07 21:32:59 manubsd Exp
|
.\"
|
.\" Copyright (C) 2004 Emmanuel Dreyfus
|
.\" All rights reserved.
|
.\"
|
.\" Redistribution and use in source and binary forms, with or without
|
.\" modification, are permitted provided that the following conditions
|
.\" are met:
|
.\" 1. Redistributions of source code must retain the above copyright
|
.\" notice, this list of conditions and the following disclaimer.
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
.\" notice, this list of conditions and the following disclaimer in the
|
.\" documentation and/or other materials provided with the distribution.
|
.\" 3. Neither the name of the project nor the names of its contributors
|
.\" may be used to endorse or promote products derived from this software
|
.\" without specific prior written permission.
|
.\"
|
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
.\" SUCH DAMAGE.
|
.\"
|
.Dd November 16, 2004
|
.Dt RACOONCTL 8
|
.Os
|
.\"
|
.Sh NAME
|
.Nm racoonctl
|
.Nd racoon administrative control tool
|
.\"
|
.Sh SYNOPSIS
|
.Nm
|
reload-config
|
.Nm
|
show-schedule
|
.Nm
|
.Op Fl l Op Fl l
|
show-sa
|
.Op isakmp|esp|ah|ipsec
|
.Nm
|
flush-sa
|
.Op isakmp|esp|ah|ipsec
|
.Nm
|
delete-sa
|
.Ar saopts
|
.Nm
|
establish-sa
|
.Op Fl u Ar identity
|
.Ar saopts
|
.Nm
|
vpn-connect
|
.Op Fl u identity
|
.Ar vpn_gateway
|
.Nm
|
vpn-disconnect
|
.Ar vpn_gateway
|
.Nm
|
show-event
|
.Op Fl l
|
.Nm
|
logout-user
|
.Ar login
|
.\"
|
.Sh DESCRIPTION
|
.Nm
|
is used to control
|
.Xr racoon 8
|
operation, if ipsec-tools was configured with adminport support.
|
Communication between
|
.Nm
|
and
|
.Xr racoon 8
|
is done through a UNIX socket.
|
By changing the default mode and ownership
|
of the socket, you can allow non-root users to alter
|
.Xr racoon 8
|
behavior, so do that with caution.
|
.Pp
|
The following commands are available:
|
.Bl -tag -width Ds
|
.It reload-config
|
This should cause
|
.Xr racoon 8
|
to reload its configuration file.
|
.It show-schedule
|
Unknown command.
|
.It show-sa Op isakmp|esp|ah|ipsec
|
Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs,
|
IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
|
Use
|
.Fl l
|
to increase verbosity.
|
.It flush-sa Op isakmp|esp|ah|ipsec
|
is used to flush all SAs if no SA class is provided, or a class of SAs,
|
either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
|
.It Xo establish-sa
|
.Oo Fl u Ar username
|
.Oc Ar saopts
|
.Xc
|
Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
|
The optional
|
.Fl u Ar username
|
can be used when establishing an ISAKMP SA while hybrid auth is in use.
|
.Nm
|
will prompt you for the password associated with
|
.Ar username
|
and these credentials will be used in the Xauth exchange.
|
.Pp
|
.Ar saopts
|
has the following format:
|
.Bl -tag -width Bl
|
.It isakmp {inet|inet6} Ar src Ar dst
|
.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
|
{icmp|tcp|udp|any}
|
.El
|
.It Xo vpn-connect
|
.Oo Fl u Ar username
|
.Oc Ar vpn_gateway
|
.Xc
|
This is a particular case of the previous command.
|
It will establish an ISAKMP SA with
|
.Ar vpn_gateway .
|
.It delete-sa Ar saopts
|
Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
|
.It vpn-disconnect Ar vpn_gateway
|
This is a particular case of the previous command.
|
It will kill all SAs associated with
|
.Ar vpn_gateway .
|
.It show-event Op Fl l
|
Dump all events reported by
|
.Xr racoon 8 ,
|
then quit.
|
The
|
.Fl l
|
flag causes
|
.Nm
|
to not stop once all the events have been read, but rather to loop
|
awaiting and reporting new events.
|
.It logout-user Ar login
|
Delete all SA established on behalf of the Xauth user
|
.Ar login .
|
.El
|
.Pp
|
Command shortcuts are available:
|
.Bl -tag -width XXX -compact -offset indent
|
.It rc
|
reload-config
|
.It ss
|
show-sa
|
.It sc
|
show-schedule
|
.It fs
|
flush-sa
|
.It ds
|
delete-sa
|
.It es
|
establish-sa
|
.It vc
|
vpn-connect
|
.It vd
|
vpn-disconnect
|
.It se
|
show-event
|
.It lu
|
logout-user
|
.El
|
.\"
|
.Sh RETURN VALUES
|
The command should exit with 0 on success, and non-zero on errors.
|
.\"
|
.Sh FILES
|
.Bl -tag -width 30n -compact
|
.It Pa /var/racoon/racoon.sock No or
|
.It Pa /var/run/racoon.sock
|
.Xr racoon 8
|
control socket.
|
.El
|
.\"
|
.Sh SEE ALSO
|
.Xr ipsec 4 ,
|
.Xr racoon 8
|
.Sh HISTORY
|
Once was
|
.Ic kmpstat
|
in the KAME project.
|
It turned into
|
.Nm
|
but remained undocumented for a while.
|
.An Emmanuel Dreyfus Aq manu@NetBSD.org
|
wrote this man page.
|
