racoonctl (8) Linux Manual Page
racoonctl – racoon administrative control tool
Synopsis
[opts] reload-config
[opts] show-schedule
[opts] show-sa [isakmp|esp|ah|ipsec]
[opts] get-sa-cert [inet|inet6] src dst
[opts] flush-sa [isakmp|esp|ah|ipsec]
[opts] delete-sa saopts
[opts] establish-sa [-w ] [-n remoteconf ] [-u identity ] saopts
[opts] vpn-connect [-u identity ] vpn_gateway
[opts] vpn-disconnect vpn_gateway
[opts] show-event
[opts] logout-user login
Description
is used to control racoon(8) operation, if ipsec-tools was configured with adminport support. Communication between and racoon(8) is done through a UNIX socket. By changing the default mode and ownership of the socket, you can allow non-root users to alter racoon(8) behavior, so do that with caution. The following general options are available:
-d- Debug mode. Hexdump sent admin port commands.
-l- Increase verbosity. Mainly for show-sa command.
-ssocket- Specify unix socket name used to connecting racoon.
The following commands are available:
reload-config- This should cause racoon(8) to reload its configuration file.
show-schedule- Unknown command.
show-sa[isakmp|esp|ah|ipsec]- Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use –
lto increase verbosity. get-sa-cert[inet|inet6 src dst ]- Output the raw certificate that was used to authenticate the phase 1 matching src and dst
flush-sa[isakmp|esp|ah|ipsec]- is used to flush all SAs if no SA class is provided, or a class of SAs, either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
establish-sa[-w[-nremoteconf [-uusername ] ]- Oc Ar saopts Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. The optional –
uusername can be used when establishing an ISAKMP SA while hybrid auth is in use. The exact remote block to use can be specified with –nremoteconf will prompt you for the password associated with username and these credentials will be used in the Xauth exchange. Specifying –wwill make racoonctl wait until the SA is actually established or an error occurs. saopts has the following format:isakmp {inet|inet6}src dst{esp|ah} {inet|inet6}src/prefixlen/port dst/prefixlen/port- {icmp|tcp|udp|gre|any}
vpn-connect[-uusername vpn_gateway ]- This is a particular case of the previous command. It will establish an ISAKMP SA with vpn_gateway
delete-sasaopts- Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
vpn-disconnectvpn_gateway- This is a particular case of the previous command. It will kill all SAs associated with vpn_gateway
show-event- Listen for all events reported by racoon(8).
logout-userlogin- Delete all SA established on behalf of the Xauth user login
Command shortcuts are available:
rc- reload-config
ss- show-sa
sc- show-schedule
fs- flush-sa
ds- delete-sa
es- establish-sa
vc- vpn-connect
vd- vpn-disconnect
se- show-event
lu- logout-user
Return Values
The command should exit with 0 on success, and non-zero on errors.
Files
/var/racoon/racoon.sock or/var/run/racoon.sock- racoon(8) control socket.
See Also
History
Once was kmpstat in the KAME project. It turned into but remained undocumented for a while. An Emmanuel Dreyfus Aq manu [at] NetBSD.org wrote this man page.
