DESCRIPTION
racoonctl is used to control
racoon(8) operation, if ipsec-tools was configured with adminport support. Communication between
racoonctl and
racoon(8) is done through a UNIX socket. By changing the default mode and ownership of the socket, you can allow non-root users to alter
racoon(8) behavior, so do that with caution.
The following general options are available:
-
-d
-
Debug mode. Hexdump sent admin port commands.
-
-l
-
Increase verbosity. Mainly for show-sa command.
-
-s socket
-
Specify unix socket name used to connecting racoon.
The following commands are available:
-
reload-config
-
This should cause racoon(8) to reload its configuration file.
-
show-schedule
-
Unknown command.
-
show-sa [isakmp|esp|ah|ipsec]
-
Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use -l to increase verbosity.
-
get-sa-cert [inet|inet6] src dst
-
Output the raw certificate that was used to authenticate the phase 1 matching src and dst.
-
flush-sa [isakmp|esp|ah|ipsec]
-
is used to flush all SAs if no SA class is provided, or a class of SAs, either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
-
establish-sa [-w] [-n remoteconf] [-u username] saopts
-
Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. The optional -u username can be used when establishing an ISAKMP SA while hybrid auth is in use. The exact remote block to use can be specified with -n remoteconf. racoonctl will prompt you for the password associated with username and these credentials will be used in the Xauth exchange.
Specifying -w will make racoonctl wait until the SA is actually established or an error occurs.
saopts has the following format:
-
isakmp {inet|inet6} src dst
-
-
{esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port
-
{icmp|tcp|udp|gre|any}
-
vpn-connect [-u username] vpn_gateway
-
This is a particular case of the previous command. It will establish an ISAKMP SA with vpn_gateway.
-
delete-sa saopts
-
Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
-
vpn-disconnect vpn_gateway
-
This is a particular case of the previous command. It will kill all SAs associated with vpn_gateway.
-
show-event
-
Listen for all events reported by racoon(8).
-
logout-user login
-
Delete all SA established on behalf of the Xauth user login.
Command shortcuts are available:
-
rc
-
reload-config
-
ss
-
show-sa
-
sc
-
show-schedule
-
fs
-
flush-sa
-
ds
-
delete-sa
-
es
-
establish-sa
-
vc
-
vpn-connect
-
vd
-
vpn-disconnect
-
se
-
show-event
-
lu
-
logout-user