{"id":3537,"date":"2022-12-20T17:08:57","date_gmt":"2022-12-20T20:08:57","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/ipsec_auto-man8\/"},"modified":"2022-12-20T17:08:57","modified_gmt":"2022-12-20T20:08:57","slug":"ipsec_auto-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/ipsec_auto-man8\/","title":{"rendered":"IPSEC_AUTO (man8)"},"content":{"rendered":"

IPSEC_AUTO<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
EXAMPLES<\/a>
DESCRIPTION<\/a>
FILES<\/a>
SEE ALSO<\/a>
HISTORY<\/a>
BUGS<\/a>
AUTHOR<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

ipsec_auto \u2212 control automatically\u2212keyed IPsec connections<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n
<\/td>\n\n

ipsec<\/b> auto<\/i> [\u2212\u2212showonly] [\u2212\u2212asynchronous]<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

[\u2212\u2212config\u00a0configfile<\/i>] [\u2212\u2212verbose] operation\u00a0connection<\/i><\/p>\n\n\n
<\/td>\n\n

ipsec<\/b> auto<\/i> [\u2212\u2212showonly] [\u2212\u2212asynchronous]<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

[\u2212\u2212config\u00a0configfile<\/i>] [\u2212\u2212verbose] operation\u00a0connection<\/i><\/p>\n\n\n

EXAMPLES <\/a> <\/h2>\n

\n\n\n\n\n
<\/td>\n\n

ipsec<\/b> auto<\/i> {\u00a0\u2212\u2212add\u00a0|\u00a0\u2212\u2212delete\u00a0|\u00a0\u2212\u2212replace\u00a0|\u00a0\u2212\u2212start\u00a0} connection<\/i><\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

ipsec<\/b> auto<\/i> {\u00a0\u2212\u2212up\u00a0|\u00a0\u2212\u2212down\u00a0} connection<\/i><\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

ipsec<\/b> auto<\/i> {\u00a0\u2212\u2212route\u00a0|\u00a0\u2212\u2212unroute\u00a0|\u00a0\u2212\u2212ondemand\u00a0} connection<\/i><\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

ipsec<\/b> auto<\/i> {\u00a0\u2212\u2212status\u00a0|\u00a0\u2212\u2212ready\u00a0}<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

ipsec<\/b> auto<\/i> [\u2212\u2212utc] [\u2212\u2212listall\u00a0|\u00a0\u2212\u2212rereadall] [\u2212\u2212rereadsecrets] [\u2212\u2212listcerts] [\u2212\u2212listpubkeys] [\u2212\u2212checkpubkeys] [\u2212\u2212listcacerts] [\u2212\u2212fetchcrls] [\u2212\u2212listcrls] [\u2212\u2212purgeocsp]<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

ipsec<\/b> auto<\/i> [\u2212\u2212utc] [\u2212\u2212rereadcerts] connection<\/i><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

Auto<\/i> manipulates automatically\u2212keyed Libreswan IPsec connections, setting them up and shutting them down based on the information in the IPsec configuration file. In the normal usage, connection<\/i> is the name of a connection specification in the configuration file; operation<\/i> is \u2212\u2212add<\/b>, \u2212\u2212delete<\/b>, \u2212\u2212replace<\/b>, \u2212\u2212start<\/b>, \u2212\u2212up<\/b>, \u2212\u2212down<\/b>, \u2212\u2212route<\/b>, \u2212\u2212unroute<\/b>, \u2212\u2212ondemand<\/b>, The \u2212\u2212ready<\/b>, \u2212\u2212rereadsecrets<\/b>, and \u2212\u2212status<\/b> operations<\/i> do not take a connection name. Auto<\/i> generates suitable commands and feeds them to a shell for execution.<\/p>\n

The \u2212\u2212add<\/b> operation adds a connection specification to the internal database within pluto<\/i>; it will fail if pluto<\/i> already has a specification by that name. The \u2212\u2212delete<\/b> operation deletes a connection specification from pluto<\/i>‘s internal database (also tearing down any connections based on it); The \u2212\u2212replace<\/b> operation is equivalent to \u2212\u2212delete<\/b> (if there is already a loaded connection by the given name) followed by \u2212\u2212add<\/b>, and is a convenience for updating pluto<\/i>‘s internal specification to match an external one. (Note that a \u2212\u2212rereadsecrets<\/b> may also be needed.) The \u2212\u2212start<\/b> operation is equivalent to running first with \u2212\u2212add<\/b> and then with \u2212\u2212up<\/b>, causing same effect as connection configuration option auto=start<\/b>.<\/p>\n

The \u2212\u2212up<\/b> operation asks pluto<\/i> to establish a connection based on an entry in its internal database. The \u2212\u2212down<\/b> operation tells pluto<\/i> to tear down such a connection.<\/p>\n

Normally, pluto<\/i> establishes a route to the destination specified for a connection as part of the \u2212\u2212up<\/b> operation. However, the route can be established with the \u2212\u2212route<\/b> operation. Until and unless an actual connection is established, this discards any packets sent there, which may be preferable to having them sent elsewhere based on a more general route (e.g., a default route).<\/p>\n

Normally, pluto<\/i>‘s route to a destination remains in place when a \u2212\u2212down<\/b> operation is used to take the connection down (or if connection setup, or later automatic rekeying, fails). This permits establishing a new connection (perhaps using a different specification; the route is altered as necessary) without having a \u201cwindow\u201d in which packets might go elsewhere based on a more general route. Such a route can be removed using the \u2212\u2212unroute<\/b> operation (and is implicitly removed by \u2212\u2212delete<\/b>).<\/p>\n

The \u2212\u2212ondemand<\/b> operation is equivalent to running first with \u2212\u2212add<\/b> and then with \u2212\u2212route<\/b>, causing same effect as connection configuration option auto=ondemand<\/b>.<\/p>\n

The \u2212\u2212ready<\/b> operation tells pluto<\/i> to listen for connection\u2212setup requests from other hosts. Doing an \u2212\u2212up<\/b> operation before doing \u2212\u2212ready<\/b> on both ends is futile and will not work, although this is now automated as part of IPsec startup and should not normally be an issue.<\/p>\n

The \u2212\u2212status<\/b> operation asks pluto<\/i> for current connection status. The output format is ad\u2212hoc and likely to change.<\/p>\n

The \u2212\u2212rereadsecrets<\/b> operation tells pluto<\/i> to re\u2212read the \/etc\/ipsec.secrets secret\u2212keys file, which it normally reads only at startup time. (This is currently a synonym for \u2212\u2212ready<\/b>, but that may change.)<\/p>\n

The \u2212\u2212fetchcrls<\/b> operation reads all certificate revocation list (CRL) entries of loaded certificates and tries to fetch updates for these from the CRL servers.<\/p>\n

The \u2212\u2212rereadall<\/b> operation is equivalent to the execution of \u2212\u2212rereadsecrets (in the past there were other kinds of reread operations)<\/p>\n

The \u2212\u2212listpubkeys<\/b> operation lists all RSA public keys either received from peers via the IKE protocol embedded in authenticated certificate payloads or loaded locally using the rightcert \/ leftcert or rightr\u2212 sasigkey \/ leftrsasigkey parameters in ipsec.conf(5).<\/p>\n

The \u2212\u2212listcerts<\/b> operation lists all X.509 certificates loaded locally using the rightcert and leftcert parameters in ipsec.conf(5). To see all certificates in the NSS database, use certutil \u2212d \/var\/lib\/ipsec\/nss \u2212L<\/b>.<\/p>\n

The \u2212\u2212checkpubkeys<\/b> operation lists all loaded X.509 certificates that are about to expire or have expired.<\/p>\n

The \u2212\u2212listcacerts<\/b> operation lists all X.509 CA certificates contained in the NSS database.<\/p>\n

The \u2212\u2212listcrls<\/b> operation lists all Certificate Revocation Lists (CRLs) either loaded locally from the \/etc\/ipsec.d\/crls directory or fetched dynamically from an HTTP or LDAP server.<\/p>\n

The \u2212\u2212listall<\/b> operation is equivalent to the execution of \u2212\u2212listpubkeys, \u2212\u2212listcerts, \u2212\u2212listcacerts, \u2212\u2212listcrls.<\/p>\n

The \u2212\u2212purgeocsp<\/b> operation displays \u2212\u2212listall and purges the NSS OCSP cache.<\/p>\n

The \u2212\u2212showonly<\/b> option causes auto<\/i> to show the commands it would run, on standard output, and not run them.<\/p>\n

The \u2212\u2212asynchronous<\/b> option, applicable only to the up<\/b> operation, tells pluto<\/i> to attempt to establish the connection, but does not delay to report results. This is especially useful to start multiple connections in parallel when network links are slow.<\/p>\n

The \u2212\u2212verbose<\/b> option instructs auto<\/i> to pass through all output from ipsec_whack<\/b>(8), including log output that is normally filtered out as uninteresting.<\/p>\n

The \u2212\u2212config<\/b> option specifies a non\u2212standard location for the IPsec configuration file (default \/etc\/ipsec.conf).<\/p>\n

See ipsec.conf<\/b>(5) for details of the configuration file.<\/p>\n

FILES <\/a> <\/h2>\n\n\n\n\n\n\n
<\/td>\n\n

\/etc\/ipsec.conf<\/p>\n<\/td>\n

<\/td>\n<\/td>\n<\/td>\n <\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n\n

default IPSEC configuration file<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

\/var\/lib\/ipsec\/nss<\/p>\n<\/td>\n

<\/td>\n<\/td>\n<\/td>\n <\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n\n

X.509 and Opportunistic Encryption files<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

\/var\/run\/pluto\/pluto.ctl<\/p>\n<\/td>\n

<\/td>\n<\/td>\n<\/td>\n<\/td>\n\n

Pluto command socket<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

SEE ALSO <\/a> <\/h2>\n

ipsec.conf<\/b>(5), ipsec<\/b>(8), ipsec_pluto<\/b>(8), ipsec_whack<\/b>(8)<\/p>\n

HISTORY <\/a> <\/h2>\n

Originally written for the FreeS\/WAN project <https:\/\/www.freeswan.org<\/font><\/b>> by Henry Spencer.<\/font><\/p>\n

BUGS <\/a> <\/h2>\n

Although an \u2212\u2212up<\/b> operation does connection setup on both ends, \u2212\u2212down<\/b> tears only one end of the connection down (although the orphaned end will eventually time out).<\/font><\/p>\n

There is no support for passthrough<\/b> connections.<\/font><\/p>\n

A connection description that uses %defaultroute<\/b> for one of its nexthop<\/b> parameters but not the other may be falsely rejected as erroneous in some circumstances.<\/font><\/p>\n

The exit status of \u2212\u2212showonly<\/b> does not always reflect errors discovered during processing of the request. (This is fine for human inspection, but not so good for use in scripts.)<\/font><\/p>\n

AUTHOR <\/a> <\/h2>\n

Paul Wouters<\/b><\/font><\/p>\n

placeholder to suppress warning<\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

ipsec_auto \u2212 control automatically\u2212keyed IPsec connections <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,657,4],"class_list":["post-3537","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-ipsec_auto","tag-man8"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3537","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3537"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3537\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3537"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3537"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3537"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}