Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

racoonctl(8) [freebsd man page]

RACOONCTL(8)						    BSD System Manager's Manual 					      RACOONCTL(8)

racoonctl -- racoon administrative control tool SYNOPSIS
racoonctl [opts] reload-config racoonctl [opts] show-schedule racoonctl [opts] show-sa [isakmp|esp|ah|ipsec] racoonctl [opts] get-sa-cert [inet|inet6] src dst racoonctl [opts] flush-sa [isakmp|esp|ah|ipsec] racoonctl [opts] delete-sa saopts racoonctl [opts] establish-sa [-w] [-n remoteconf] [-u identity] saopts racoonctl [opts] vpn-connect [-u identity] vpn_gateway racoonctl [opts] vpn-disconnect vpn_gateway racoonctl [opts] show-event racoonctl [opts] logout-user login DESCRIPTION
racoonctl is used to control racoon(8) operation, if ipsec-tools was configured with adminport support. Communication between racoonctl and racoon(8) is done through a UNIX socket. By changing the default mode and ownership of the socket, you can allow non-root users to alter racoon(8) behavior, so do that with caution. The following general options are available: -d Debug mode. Hexdump sent admin port commands. -l Increase verbosity. Mainly for show-sa command. -s socket Specify unix socket name used to connecting racoon. The following commands are available: reload-config This should cause racoon(8) to reload its configuration file. show-schedule Unknown command. show-sa [isakmp|esp|ah|ipsec] Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use -l to increase verbosity. get-sa-cert [inet|inet6] src dst Output the raw certificate that was used to authenticate the phase 1 matching src and dst. flush-sa [isakmp|esp|ah|ipsec] is used to flush all SAs if no SA class is provided, or a class of SAs, either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. establish-sa [-w] [-n remoteconf] [-u username] saopts Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. The optional -u username can be used when establishing an ISAKMP SA while hybrid auth is in use. The exact remote block to use can be specified with -n remoteconf. racoonctl will prompt you for the password associated with username and these credentials will be used in the Xauth exchange. Specifying -w will make racoonctl wait until the SA is actually established or an error occurs. saopts has the following format: isakmp {inet|inet6} src dst {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port {icmp|tcp|udp|gre|any} vpn-connect [-u username] vpn_gateway This is a particular case of the previous command. It will establish an ISAKMP SA with vpn_gateway. delete-sa saopts Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. vpn-disconnect vpn_gateway This is a particular case of the previous command. It will kill all SAs associated with vpn_gateway. show-event Listen for all events reported by racoon(8). logout-user login Delete all SA established on behalf of the Xauth user login. Command shortcuts are available: rc reload-config ss show-sa sc show-schedule fs flush-sa ds delete-sa es establish-sa vc vpn-connect vd vpn-disconnect se show-event lu logout-user RETURN VALUES
The command should exit with 0 on success, and non-zero on errors. FILES
/var/racoon/racoon.sock or /var/run/racoon.sock racoon(8) control socket. SEE ALSO
ipsec(4), racoon(8) HISTORY
Once was kmpstat in the KAME project. It turned into racoonctl but remained undocumented for a while. Emmanuel Dreyfus <> wrote this man page. BSD
March 12, 2009 BSD

Check Out this Related Man Page

RACOON(8)						    BSD System Manager's Manual 						 RACOON(8)

racoon -- IKE (ISAKMP/Oakley) key management daemon SYNOPSIS
racoon [-46BdFLVv] [-f configfile] [-l logfile] [-P isakmp-natt-port] [-p isakmp-port] DESCRIPTION
racoon speaks the IKE (ISAKMP/Oakley) key management protocol, to establish security associations with other hosts. The SPD (Security Policy Database) in the kernel usually triggers racoon. racoon usually sends all informational messages, warnings and error messages to syslogd(8) with the facility LOG_DAEMON and the priority LOG_INFO. Debugging messages are sent with the priority LOG_DEBUG. You should configure syslog.conf(5) appropriately to see these messages. -4 -6 Specify the default address family for the sockets. -B Install SA(s) from the file which is specified in racoon.conf(5). -d Increase the debug level. Multiple -d arguments will increase the debug level even more. -F Run racoon in the foreground. -f configfile Use configfile as the configuration file instead of the default. -L Include file_name:line_number:function_name in all messages. -l logfile Use logfile as the logging file instead of syslogd(8). -P isakmp-natt-port Use isakmp-natt-port for NAT-Traversal port-floating. The default is 4500. -p isakmp-port Listen to the ISAKMP key exchange on port isakmp-port instead of the default port number, 500. -V Print racoon version and compilation options and exit. -v This flag causes the packet dump be more verbose, with higher debugging level. racoon assumes the presence of the kernel random number device rnd(4) at /dev/urandom. RETURN VALUES
The command exits with 0 on success, and non-zero on errors. FILES
/etc/racoon.conf default configuration file. SEE ALSO
ipsec(4), racoon.conf(5), syslog.conf(5), setkey(8), syslogd(8) HISTORY
The racoon command first appeared in the ``YIPS'' Yokogawa IPsec implementation. SECURITY CONSIDERATIONS
The use of IKE phase 1 aggressive mode is not recommended, as described in BSD
January 23, 2009 BSD
Man Page