src/racoon/racoonctl.8

.\"	$NetBSD: racoonctl.8,v 1.24 2014/03/18 18:20:35 riastradh Exp $
.\"
.\" Id: racoonctl.8,v 1.6 2006/05/07 21:32:59 manubsd Exp
.\"
.\" Copyright (C) 2004 Emmanuel Dreyfus
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd March 12, 2009
.Dt RACOONCTL 8
.Os
.\"
.Sh NAME
.Nm racoonctl
.Nd racoon administrative control tool
.\"
.Sh SYNOPSIS
.Nm
.Op opts
reload-config
.Nm
.Op opts
show-schedule
.Nm
.Op opts
show-sa
.Op isakmp|esp|ah|ipsec
.Nm
.Op opts
get-sa-cert
.Op inet|inet6
.Ar src dst
.Nm
.Op opts
flush-sa
.Op isakmp|esp|ah|ipsec
.Nm
.Op opts
delete-sa
.Ar saopts
.Nm
.Op opts
establish-sa
.Op Fl w
.Op Fl n Ar remoteconf
.Op Fl u Ar identity
.Ar saopts
.Nm
.Op opts
vpn-connect
.Op Fl u Ar identity
.Ar vpn_gateway
.Nm
.Op opts
vpn-disconnect
.Ar vpn_gateway
.Nm
.Op opts
show-event
.Nm
.Op opts
logout-user
.Ar login
.\"
.Sh DESCRIPTION
.Nm
is used to control
.Xr racoon 8
operation, if ipsec-tools was configured with adminport support.
Communication between
.Nm
and
.Xr racoon 8
is done through a UNIX socket.
By changing the default mode and ownership
of the socket, you can allow non-root users to alter
.Xr racoon 8
behavior, so do that with caution.
.Pp
The following general options are available:
.Bl -tag -width Ds
.It Fl d
Debug mode.
Hexdump sent admin port commands.
.It Fl l
Increase verbosity.
Mainly for show-sa command.
.It Fl s Ar socket
Specify unix socket name used to connecting racoon.
.El
.\"
.Pp
The following commands are available:
.Bl -tag -width Ds
.It reload-config
This should cause
.Xr racoon 8
to reload its configuration file.
.It show-schedule
Unknown command.
.It show-sa Op isakmp|esp|ah|ipsec
Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs,
IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
Use
.Fl l
to increase verbosity.
.It get-sa-cert Oo inet|inet6 Oc Ar src dst
Output the raw certificate that was used to authenticate the phase 1
matching
.Ar src
and
.Ar dst .
.It flush-sa Op isakmp|esp|ah|ipsec
is used to flush all SAs if no SA class is provided, or a class of SAs,
either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
.It establish-sa Oo Fl w Oc Oo Fl n Ar remoteconf Oc Oo Fl u Ar username \
Oc Ar saopts
Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
The optional
.Fl u Ar username
can be used when establishing an ISAKMP SA while hybrid auth is in use.
The exact remote block to use can be specified with
.Fl n Ar remoteconf .
.Nm
will prompt you for the password associated with
.Ar username
and these credentials will be used in the Xauth exchange.
.Pp
Specifying
.Fl w
will make racoonctl wait until the SA is actually established or
an error occurs.
.Pp
.Ar saopts
has the following format:
.Bl -tag -width Bl
.It isakmp {inet|inet6} Ar src Ar dst
.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
{icmp|tcp|udp|gre|any}
.El
.It vpn-connect Oo Fl u Ar username Oc Ar vpn_gateway
This is a particular case of the previous command.
It will establish an ISAKMP SA with
.Ar vpn_gateway .
.It delete-sa Ar saopts
Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
.It vpn-disconnect Ar vpn_gateway
This is a particular case of the previous command.
It will kill all SAs associated with
.Ar vpn_gateway .
.It show-event
Listen for all events reported by
.Xr racoon 8 .
.It logout-user Ar login
Delete all SA established on behalf of the Xauth user
.Ar login .
.El
.Pp
Command shortcuts are available:
.Bl -tag -width XXX -compact -offset indent
.It rc
reload-config
.It ss
show-sa
.It sc
show-schedule
.It fs
flush-sa
.It ds
delete-sa
.It es
establish-sa
.It vc
vpn-connect
.It vd
vpn-disconnect
.It se
show-event
.It lu
logout-user
.El
.\"
.Sh RETURN VALUES
The command should exit with 0 on success, and non-zero on errors.
.\"
.Sh FILES
.Bl -tag -width 30n -compact
.It Pa /var/racoon/racoon.sock No or
.It Pa /var/run/racoon.sock
.Xr racoon 8
control socket.
.El
.\"
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr racoon 8
.Sh HISTORY
Once was
.Ic kmpstat
in the KAME project.
It turned into
.Nm
but remained undocumented for a while.
.An Emmanuel Dreyfus Aq Mt manu@NetBSD.org
wrote this man page.