.\" $NetBSD: racoonctl.8,v 1.18 2008/06/18 07:40:16 wiz Exp $
.\"
.\" Id: racoonctl.8,v 1.6 2006/05/07 21:32:59 manubsd Exp
.\"
.\" Copyright (C) 2004 Emmanuel Dreyfus
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd June 18, 2008
.Dt RACOONCTL 8
.Os
.\"
.Sh NAME
.Nm racoonctl
.Nd racoon administrative control tool
.\"
.Sh SYNOPSIS
.Nm
reload-config
.Nm
show-schedule
.Nm
.Op Fl l Op Fl l
show-sa
.Op isakmp|esp|ah|ipsec
.Nm
get-sa-cert
.Op inet|inet6
.Ar src dst
.Nm
flush-sa
.Op isakmp|esp|ah|ipsec
.Nm
delete-sa
.Ar saopts
.Nm
establish-sa
.Op Fl u Ar identity
.Op Fl w
.Ar saopts
.Nm
vpn-connect
.Op Fl u Ar identity
.Ar vpn_gateway
.Nm
vpn-disconnect
.Ar vpn_gateway
.Nm
show-event
.Nm
logout-user
.Ar login
.\"
.Sh DESCRIPTION
.Nm
is used to control
.Xr racoon 8
operation, if ipsec-tools was configured with adminport support.
Communication between
.Nm
and
.Xr racoon 8
is done through a UNIX socket.
By changing the default mode and ownership
of the socket, you can allow non-root users to alter
.Xr racoon 8
behavior, so do that with caution.
.Pp
The following commands are available:
.Bl -tag -width Ds
.It reload-config
This should cause
.Xr racoon 8
to reload its configuration file.
.It show-schedule
Unknown command.
.It show-sa Op isakmp|esp|ah|ipsec
Dump SAs: all SAs if no SA class is provided, or only ISAKMP SAs,
IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
Use
.Fl l
to increase verbosity.
.It Xo get-sa-cert
.Oo inet|inet6
.Oc Ar src dst
.Xc
Output the raw certificate that was used to authenticate the phase 1
matching
.Ar src
and
.Ar dst .
.It flush-sa Op isakmp|esp|ah|ipsec
Flush all SAs if no SA class is provided, or only the given class of SAs:
ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
.It Xo establish-sa
.Oo Fl u Ar username
.Oc
.Oo Fl w
.Oc Ar saopts
.Xc
Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
The optional
.Fl u Ar username
can be used when establishing an ISAKMP SA while hybrid auth is in use.
.Nm
will prompt you for the password associated with
.Ar username
and these credentials will be used in the Xauth exchange.
.Pp
Specifying
.Fl w
will make racoonctl wait until the SA is actually established or
an error occurs.
.Pp
.Ar saopts
has the following format:
.Bl -tag -width Bl
.It isakmp {inet|inet6} Ar src Ar dst
.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
{icmp|tcp|udp|gre|any}
.El
.It Xo vpn-connect
.Oo Fl u Ar username
.Oc Ar vpn_gateway
.Xc
This is a particular case of the previous command.
It will establish an ISAKMP SA with
.Ar vpn_gateway .
.It delete-sa Ar saopts
Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
.It vpn-disconnect Ar vpn_gateway
This is a particular case of the previous command.
It will kill all SAs associated with
.Ar vpn_gateway .
.It show-event
Listen for all events reported by
.Xr racoon 8 .
.It logout-user Ar login
Delete all SAs established on behalf of the Xauth user
.Ar login .
.El
.Pp
Command shortcuts are available:
.Bl -tag -width XXX -compact -offset indent
.It rc
reload-config
.It ss
show-sa
.It sc
show-schedule
.It fs
flush-sa
.It ds
delete-sa
.It es
establish-sa
.It vc
vpn-connect
.It vd
vpn-disconnect
.It se
show-event
.It lu
logout-user
.El
.\"
.Sh RETURN VALUES
The command should exit with 0 on success, and non-zero on errors.
.\"
.Sh FILES
.Bl -tag -width 30n -compact
.It Pa /var/racoon/racoon.sock No or
.It Pa /var/run/racoon.sock
.Xr racoon 8
control socket.
.El
.\"
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr racoon 8
.Sh HISTORY
Once was
.Ic kmpstat
in the KAME project.
It turned into
.Nm
but remained undocumented for a while.
.An Emmanuel Dreyfus Aq manu@NetBSD.org
wrote this man page.
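.Sh EXAMPLES
The following shell helper is an added example, not part of ipsec-tools or of this manual page's original text.
It checks a
.Ar saopts
argument list against the grammar given under establish-sa before composing a
.Nm
command line, so a script rejects a malformed argument before anything reaches the control socket.
The helper names check_saopts and racoonctl_cmd, and the addresses used, are this example's own.

```shell
# Added example (not ipsec-tools code): validate a racoonctl saopts
# argument list against the documented grammar, then compose the command
# line.  Helper names and addresses are constructed for this example.

# check_saopts CLASS FAMILY ENDPOINT... -> 0 if well-formed, 1 otherwise
check_saopts() {
    class=$1 family=$2
    case $family in
    inet|inet6) ;;
    *) echo "check_saopts: address family must be inet or inet6" >&2; return 1 ;;
    esac
    case $class in
    isakmp)
        # isakmp {inet|inet6} src dst
        [ $# -eq 4 ] || { echo "check_saopts: isakmp takes src dst" >&2; return 1; }
        ;;
    esp|ah)
        # {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port proto
        [ $# -eq 5 ] || { echo "check_saopts: $class takes src/plen/port dst/plen/port proto" >&2; return 1; }
        for ep in "$3" "$4"; do
            case $ep in
            */*/*) ;;
            *) echo "check_saopts: endpoint must be addr/prefixlen/port: $ep" >&2; return 1 ;;
            esac
        done
        case $5 in
        icmp|tcp|udp|gre|any) ;;
        *) echo "check_saopts: upper-layer proto must be icmp|tcp|udp|gre|any" >&2; return 1 ;;
        esac
        ;;
    *) echo "check_saopts: SA class must be isakmp, esp or ah" >&2; return 1 ;;
    esac
    return 0
}

# racoonctl_cmd ACTION SAOPTS... -> prints the command line (does not run it).
# establish-sa gets -w so the caller can rely on the exit status meaning the
# SA is actually up, as the manual page describes for that flag.
racoonctl_cmd() {
    action=$1; shift
    case $action in
    establish-sa|delete-sa) ;;
    *) echo "racoonctl_cmd: action must be establish-sa or delete-sa" >&2; return 1 ;;
    esac
    check_saopts "$@" || return 1
    printf 'racoonctl %s' "$action"
    [ "$action" = establish-sa ] && printf ' -w'
    printf ' %s' "$@"
    printf '\n'
}
```

Pipe the printed line to sh, or replace the printf calls with an exec of racoonctl, once the control socket permissions have been reviewed as the DESCRIPTION advises.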