.TH IPSEC_AUTO 8 "31 Jan 2002"
.\" RCSID $Id: auto.8,v 1.39 2002/01/31 20:29:59 henry Exp $
ipsec auto \- control automatically-keyed IPsec connections
manipulates automatically-keyed FreeS/WAN IPsec connections,
setting them up and shutting them down
based on the information in the IPsec configuration file.
is the name of a connection specification in the configuration file;
.BR \-\-rereadsecrets ,
do not take a connection name.
commands and feeds them to a shell for execution.
operation adds a connection specification to the internal database
already has a specification by that name.
operation deletes a connection specification from
internal database (also tearing down any connections based on it);
it will fail if the specification does not exist.
operation is equivalent to
(if there is already a specification by the given name)
and is a convenience for updating
internal specification to match an external one.
None of the other operations alters the internal database.
to establish a connection based on an entry in its internal database.
to tear down such a connection.
establishes a route to the destination specified for a connection as
However, the route and only the route can be established with the
Until and unless an actual connection is established,
this discards any packets sent there,
which may be preferable to having them sent elsewhere based on a more
general route (e.g., a default route).
route to a destination remains in place when a
operation is used to take the connection down
(or if connection setup, or later automatic rekeying, fails).
This permits establishing a new connection (perhaps using a
different specification; the route is altered as necessary)
without having a ``window'' in which packets might go elsewhere
based on a more general route.
Such a route can be removed using the
(and is implicitly removed by
to listen for connection-setup requests from other hosts.
operation before doing
on both ends is futile and will not work,
although this is now automated as part of IPsec startup and
should not normally be an issue.
for current connection status.
The output format is ad-hoc and likely to change.
.I /etc/ipsec.secrets
which it normally reads only at startup time.
(This is currently a synonym for
but that may change.)
option of the shell used to execute the commands,
so each command is shown as it is executed.
to show the commands it would run, on standard output,
option, applicable only to the
to attempt to establish the connection,
but does not delay to report results.
This is especially useful to start multiple connections in parallel
when network links are slow.
to pass through all output from
including log output that is normally filtered out as uninteresting.
option specifies a non-standard location for the IPsec
configuration file (default
.IR /etc/ipsec.conf ).
for details of the configuration file.
Apart from the basic parameters which specify the endpoints and routing
of a connection (\fBleft\fR
connection almost certainly needs a
default is poorly chosen).
.ta \w'/var/run/ipsec.info'u+4n
/etc/ipsec.conf default IPSEC configuration file
/var/run/ipsec.info \fB%defaultroute\fR information
ipsec.conf(5), ipsec(8), ipsec_pluto(8), ipsec_whack(8), ipsec_manual(8)
Written for the FreeS/WAN project
<http://www.freeswan.org>
operation does connection setup on both ends,
tears only one end of the connection down
(although the orphaned end will eventually time out).
There is no support for
A connection description which uses
parameters but not the other may be falsely
rejected as erroneous in some circumstances.
does not always reflect errors discovered during processing of the request.
(This is fine for human inspection, but not so good for use in scripts.)