RACOONCTL(8) NetBSD System Manager's Manual RACOONCTL(8)
NAME
racoonctl -- racoon administrative control tool
SYNOPSIS
racoonctl [opts] reload-config
racoonctl [opts] show-schedule
racoonctl [opts] show-sa [isakmp|esp|ah|ipsec]
racoonctl [opts] get-sa-cert [inet|inet6] src dst
racoonctl [opts] flush-sa [isakmp|esp|ah|ipsec]
racoonctl [opts] delete-sa saopts
racoonctl [opts] establish-sa [-u identity] [-w] saopts
racoonctl [opts] vpn-connect [-u identity] vpn_gateway
racoonctl [opts] vpn-disconnect vpn_gateway
racoonctl [opts] show-event
racoonctl [opts] logout-user login
DESCRIPTION
racoonctl is used to control racoon(8) operation, if ipsec-tools was con-
figured with adminport support. Communication between racoonctl and
racoon(8) is done through a UNIX socket. By changing the default mode
and ownership of the socket, you can allow non-root users to alter
racoon(8) behavior, so do that with caution.
The following general options are available:
-d Debug mode. Hexdump sent admin port commands.
-l Increase verbosity. Mainly for show-sa command.
-s socket
Specify unix socket name used to connecting racoon.
The following commands are available:
reload-config
This should cause racoon(8) to reload its configuration file.
show-schedule
Unknown command.
show-sa [isakmp|esp|ah|ipsec]
Dump the SA: All the SAs if no SA class is provided, or either
ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use
-l to increase verbosity.
get-sa-cert [inet|inet6] src dst
Output the raw certificate that was used to authenticate the
phase 1 matching src and dst.
flush-sa [isakmp|esp|ah|ipsec]
is used to flush all SAs if no SA class is provided, or a class
of SAs, either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all
IPsec SAs.
establish-sa [-u username] [-w] saopts
Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH
SA. The optional -u username can be used when establishing an
ISAKMP SA while hybrid auth is in use. racoonctl will prompt you
for the password associated with username and these credentials
will be used in the Xauth exchange.
Specifying -w will make racoonctl wait until the SA is actually
established or an error occurs.
saopts has the following format:
isakmp {inet|inet6} src dst
{esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port
{icmp|tcp|udp|gre|any}
vpn-connect [-u username] vpn_gateway
This is a particular case of the previous command. It will
establish an ISAKMP SA with vpn_gateway.
delete-sa saopts
Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
vpn-disconnect vpn_gateway
This is a particular case of the previous command. It will kill
all SAs associated with vpn_gateway.
show-event
Listen for all events reported by racoon(8).
logout-user login
Delete all SA established on behalf of the Xauth user login.
Command shortcuts are available:
rc reload-config
ss show-sa
sc show-schedule
fs flush-sa
ds delete-sa
es establish-sa
vc vpn-connect
vd vpn-disconnect
se show-event
lu logout-user
RETURN VALUES
The command should exit with 0 on success, and non-zero on errors.
FILES
/var/racoon/racoon.sock or
/var/run/racoon.sock racoon(8) control socket.
SEE ALSO
ipsec(4), racoon(8)
HISTORY
Once was kmpstat in the KAME project. It turned into racoonctl but
remained undocumented for a while. Emmanuel Dreyfus <manu@NetBSD.org>
wrote this man page.
NetBSD 5.0 January 23, 2009 NetBSD 5.0
