
RACOONCTL(8) BSD System Manager’s Manual RACOONCTL(8)

NAME

racoonctl — racoon administrative control tool

SYNOPSIS

racoonctl [opts] reload-config
racoonctl [opts] show-schedule
racoonctl [opts] show-sa [isakmp|esp|ah|ipsec]
racoonctl [opts] get-sa-cert [inet|inet6] src dst
racoonctl [opts] flush-sa [isakmp|esp|ah|ipsec]
racoonctl [opts] delete-sa saopts
racoonctl [opts] establish-sa [−w] [−n remoteconf] [−u identity] saopts
racoonctl [opts] vpn-connect [−u identity] vpn_gateway
racoonctl [opts] vpn-disconnect vpn_gateway
racoonctl [opts] show-event
racoonctl [opts] logout-user login

DESCRIPTION

racoonctl is used to control the operation of racoon(8) when ipsec-tools was configured with adminport support. Communication between racoonctl and racoon(8) is done through a UNIX socket. By changing the default mode and ownership of that socket you can allow non-root users to alter racoon(8) behavior, so do that with caution.

The following general options are available:

−d

Debug mode. Hexdump the admin port commands that are sent.

−l

Increase verbosity. Mainly useful with the show-sa command.

−s socket

Specify the UNIX socket name used to connect to racoon(8).

The following commands are available:

reload-config

This should cause racoon(8) to reload its configuration file.

show-schedule

Unknown command.

show-sa [isakmp|esp|ah|ipsec]

Dump the SAs: all SAs if no SA class is provided, or only ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use −l to increase verbosity.

get-sa-cert [inet|inet6] src dst

Output the raw certificate that was used to authenticate the phase 1 matching src and dst.

flush-sa [isakmp|esp|ah|ipsec]

Flush all SAs if no SA class is provided, or only one class of SAs: ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.

establish-sa [−w] [−n remoteconf] [−u username] saopts

Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. The optional −u username can be used when establishing an ISAKMP SA while hybrid auth is in use. The exact remote block to use can be specified with −n remoteconf. racoonctl will prompt you for the password associated with username and these credentials will be used in the Xauth exchange.

Specifying −w will make racoonctl wait until the SA is actually established or an error occurs.

saopts has the following format:

isakmp {inet|inet6} src dst

{esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port

{icmp|tcp|udp|gre|any}
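The following is an added example, not part of the racoonctl man page or of ipsec-tools. It assembles a saopts string in the format given above, rejecting pieces that do not fit the grammar, and checks the caveat from the DESCRIPTION: that the control socket is not accessible by group or others. The function names and the file used in place of a real socket are assumptions; racoonctl itself is never invoked.

```shell
#!/bin/sh
# Added example (not from the racoonctl man page or ipsec-tools).
# build_saopts assembles the saopts argument for establish-sa / delete-sa;
# socket_is_private checks the mode of the racoon(8) control socket.

# build_saopts CLASS FAMILY SRC DST [PROTO]
# Prints the saopts string, or returns 1 with a message on stderr when the
# pieces do not match the documented format.
build_saopts() {
    class=$1; family=$2; src=$3; dst=$4; proto=$5
    case $family in
        inet|inet6) ;;
        *) echo "bad address family: $family" >&2; return 1 ;;
    esac
    case $class in
        isakmp)
            # isakmp takes plain addresses: no prefix length, no port
            printf '%s %s %s %s\n' "$class" "$family" "$src" "$dst"
            ;;
        esp|ah)
            # esp/ah need addr/prefixlen/port on both ends plus a protocol
            for ep in "$src" "$dst"; do
                case $ep in
                    */*/*) ;;
                    *) echo "endpoint must be addr/prefixlen/port: $ep" >&2; return 1 ;;
                esac
            done
            case $proto in
                icmp|tcp|udp|gre|any) ;;
                *) echo "bad upper-layer protocol: $proto" >&2; return 1 ;;
            esac
            printf '%s %s %s %s %s\n' "$class" "$family" "$src" "$dst" "$proto"
            ;;
        *) echo "bad SA class: $class" >&2; return 1 ;;
    esac
}

# socket_is_private PATH
# Succeeds only when group and others have no permission bits on PATH.
# Parses the ls -l mode string, which is the same on BSD and GNU userlands.
socket_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    case $mode in
        ????------) return 0 ;;   # e.g. srw------- : owner only
        *) return 1 ;;
    esac
}
```

Run `socket_is_private /var/run/racoon.sock` (or the /var/racoon path) before loosening the socket mode to see whether non-root users already have access.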

vpn-connect [−u username] vpn_gateway

This is a particular case of the previous command. It will establish an ISAKMP SA with vpn_gateway.

delete-sa saopts

Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.

vpn-disconnect vpn_gateway

This is a particular case of the previous command. It will kill all SAs associated with vpn_gateway.

show-event

Listen for all events reported by racoon(8).

logout-user login

Delete all SAs established on behalf of the Xauth user login.

Command shortcuts are available:

rc

reload-config

ss

show-sa

sc

show-schedule

fs

flush-sa

ds

delete-sa

es

establish-sa

vc

vpn-connect

vd

vpn-disconnect

se

show-event

lu

logout-user

RETURN VALUES

The command should exit with 0 on success, and non-zero on errors.

FILES

/var/racoon/racoon.sock or /var/run/racoon.sock

racoon(8) control socket.

SEE ALSO

ipsec(4), racoon(8)

HISTORY

racoonctl was once kmpstat in the KAME project. It was renamed racoonctl but remained undocumented for a while. Emmanuel Dreyfus <manu [AT] NetBSD.org> wrote this man page.

BSD March 12, 2009 BSD