2013.10.24

[uclinux-h8/uClinux-dist.git] / freeswan / doc / manpage.d / ipsec_auto.8.html

Content-type: text/html

<HTML><HEAD><TITLE>Manpage of IPSEC_AUTO</TITLE>
</HEAD><BODY>
<H1>IPSEC_AUTO</H1>
Section: Maintenance Commands (8)<BR>Updated: 31 May 2001<BR><A HREF="#index">Index</A>
<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR>


<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

ipsec auto - control automatically-keyed IPsec connections
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>ipsec</B>

<B>auto</B>

[
<B>--show</B>

] [
<B>--showonly</B>

] [
<B>--asynchronous</B>

]
<BR>

&nbsp;&nbsp;&nbsp;[
<B>--config</B>

configfile
] [
<B>--verbose</B>

]
<BR>

&nbsp;&nbsp;&nbsp;operation
connection
<P>
<B>ipsec</B>

<B>auto</B>

[
<B>--show</B>

] [
<B>--showonly</B>

] operation
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<I>Auto</I>

manipulates automatically-keyed FreeS/WAN IPsec connections,
setting them up and shutting them down
based on the information in the IPsec configuration file.
In the normal usage,
<I>connection</I>

is the name of a connection specification in the configuration file;
<I>operation</I>

is
<B>--add</B>,

<B>--delete</B>,

<B>--replace</B>,

<B>--up</B>,

<B>--down</B>,

<B>--route</B>,

or
<B>--unroute</B>.

The
<B>--ready</B>,

<B>--rereadsecrets</B>,

and
<B>--status</B>

<I>operations</I>

do not take a connection name.
<I>Auto</I>

generates suitable
commands and feeds them to a shell for execution.
<P>

The
<B>--add</B>

operation adds a connection specification to the internal database
within
<I>pluto</I>;

it will fail if
<I>pluto</I>

already has a specification by that name.
The
<B>--delete</B>

operation deletes a connection specification from
<I>pluto</I>'s

internal database (also tearing down any connections based on it);
it will fail if the specification does not exist.
The
<B>--replace</B>

operation is equivalent to
<B>--delete</B>

(if there is already a specification by the given name)
followed by
<B>--add</B>,

and is a convenience for updating
<I>pluto</I>'s

internal specification to match an external one.
(Note that a
<B>--rereadsecrets</B>

may also be needed.)
None of the other operations alters the internal database.
<P>

The
<B>--up</B>

operation asks
<I>pluto</I>

to establish a connection based on an entry in its internal database.
The
<B>--down</B>

operation tells
<I>pluto</I>

to tear down such a connection.
<P>

Normally,
<I>pluto</I>

establishes a route to the destination specified for a connection as
part of the
<B>--up</B>

operation.
However, the route and only the route can be established with the
<B>--route</B>

operation.
Until and unless an actual connection is established,
this discards any packets sent there,
which may be preferable to having them sent elsewhere based on a more
general route (e.g., a default route).
<P>

Normally,
<I>pluto</I>'s

route to a destination remains in place when a
<B>--down</B>

operation is used to take the connection down
(or if connection setup, or later automatic rekeying, fails).
This permits establishing a new connection (perhaps using a
different specification; the route is altered as necessary)
without having a ``window'' in which packets might go elsewhere
based on a more general route.
Such a route can be removed using the
<B>--unroute</B>

operation
(and is implicitly removed by
<B>--delete</B>).

<P>

The
<B>--ready</B>

operation tells
<I>pluto</I>

to listen for connection-setup requests from other hosts.
Doing an
<B>--up</B>

operation before doing
<B>--ready</B>

on both ends is futile and will not work,
although this is now automated as part of IPsec startup and
should not normally be an issue.
<P>

The
<B>--status</B>

operation asks
<I>pluto</I>

for current connection status.
The output format is ad-hoc and likely to change.
<P>

The
<B>--rereadsecrets</B>

operation tells
<I>pluto</I>

to re-read the
<I>/etc/ipsec.secrets</I>

secret-keys file,
which it normally reads only at startup time.
(This is currently a synonym for
<B>--ready</B>,

but that may change.)
<P>

The
<B>--show</B>

option turns on the
<B>-x</B>

option of the shell used to execute the commands,
so each command is shown as it is executed.
<P>

The
<B>--showonly</B>

option causes
<I>auto</I>

to show the commands it would run, on standard output,
and not run them.
<P>

The
<B>--asynchronous</B>

option, applicable only to the
<B>up</B>

operation,
tells
<I>pluto</I>

to attempt to establish the connection,
but does not delay to report results.
This is especially useful to start multiple connections in parallel
when network links are slow.
<P>

The
<B>--verbose</B>

option instructs
<I>auto</I>

to pass through all output from
<I><A HREF="ipsec_whack.8.html">ipsec_whack</A></I>(8),

including log output that is normally filtered out as uninteresting.
<P>

The
<B>--config</B>

option specifies a non-standard location for the IPsec
configuration file (default
<I>/etc/ipsec.conf</I>).

<P>

See
<I><A HREF="ipsec.conf.5.html">ipsec.conf</A></I>(5)

for details of the configuration file.
Apart from the basic parameters which specify the endpoints and routing
of a connection (<B>left</B>
and
<B>right</B>,

plus possibly
<B>leftsubnet</B>,

<B>leftnexthop</B>,

<B>leftfirewall</B>,

their
<B>right</B>

equivalents,
and perhaps
<B>type</B>),

an
<I>auto</I>

connection almost certainly needs a
<B>keyingtries</B>

parameter (since the
<B>keyingtries</B>

default is poorly chosen).
<A NAME="lbAE">&nbsp;</A>
<H2>FILES</H2>



/etc/ipsec.conf<TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</TT>default IPSEC configuration file<BR>
<BR>

/var/run/ipsec.info<TT>&nbsp;&nbsp;&nbsp;</TT><B>%defaultroute</B> information<BR>
<A NAME="lbAF">&nbsp;</A>
<H2>SEE ALSO</H2>

<A HREF="ipsec.conf.5.html">ipsec.conf</A>(5), <A HREF="ipsec.8.html">ipsec</A>(8), <A HREF="ipsec_pluto.8.html">ipsec_pluto</A>(8), <A HREF="ipsec_whack.8.html">ipsec_whack</A>(8), <A HREF="ipsec_manual.8.html">ipsec_manual</A>(8)
<A NAME="lbAG">&nbsp;</A>
<H2>HISTORY</H2>

Written for the FreeS/WAN project
&lt;<A HREF="http://www.freeswan.org">http://www.freeswan.org</A>&gt;
by Henry Spencer.
<A NAME="lbAH">&nbsp;</A>
<H2>BUGS</H2>

Although an
<B>--up</B>

operation does connection setup on both ends,
<B>--down</B>

tears only one end of the connection down
(although the orphaned end will eventually time out).
<P>

There is no support for
<B>passthrough</B>

connections.
<P>

A connection description which uses
<B>%defaultroute</B>

for one of its
<B>nexthop</B>

parameters but not the other may be falsely
rejected as erroneous in some circumstances.
<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">FILES</A><DD>
<DT><A HREF="#lbAF">SEE ALSO</A><DD>
<DT><A HREF="#lbAG">HISTORY</A><DD>
<DT><A HREF="#lbAH">BUGS</A><DD>
</DL>
<HR>
This document was created by
<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 05:09:31 GMT, June 19, 2001
</BODY>
</HTML>