Updated: October 28, 2024
racoon Administrative control tool
     racoonctl [opts] reload-config
     racoonctl [opts] show-schedule
     racoonctl [opts] show-sa [isakmp|esp|ah|ipsec]
     racoonctl [opts] get-sa-cert [inet|inet6] src dst
     racoonctl [opts] flush-sa [isakmp|esp|ah|ipsec]
     racoonctl [opts] delete-sa saopts
     racoonctl [opts] establish-sa [-w] [-n remoteconf] [-u identity] saopts
     racoonctl [opts] vpn-connect [-u identity] vpn_gateway
     racoonctl [opts] vpn-disconnect vpn_gateway
     racoonctl [opts] show-event
     racoonctl [opts] logout-user login
QNX Neutrino
     The racoonctl tool is used to control the racoon operation, if ipsec-tools was 
     configured with adminport support.  Communication between racoonctl and
     racoon is done through a UNIX socket.  By changing the default mode
     and ownership of the socket, you can allow non-root users to alter
     racoon behavior, so do that with caution.
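
The socket caution above can be checked mechanically. The script below is an added example, not part of the original man page or of ipsec-tools: it reads `ls -ldn` output for the socket paths listed under FILES and flags a non-root owner or any group/other permission bits. The function names and the policy (owner uid 0, no group or other access) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit owner and mode of the racoon admin socket.
# Assumed policy: owned by uid 0, no group/other permission bits.

# classify_sock_entry LINE
#   LINE is one line of `ls -ldn` output (mode, links, uid, ...).
#   Prints a verdict; returns 0 = ok, 1 = finding, 2 = not a socket.
classify_sock_entry() {
    read -r mode _links uid _rest <<EOF
$1
EOF
    case $mode in
        s*) ;;
        *) echo "not-a-socket"; return 2 ;;
    esac
    findings=""
    [ "$uid" = "0" ] || findings="owner-not-root(uid=$uid)"
    # Characters 5-10 of the mode string are the group and other triplets.
    perms=$(printf '%s' "$mode" | cut -c5-10)
    [ "$perms" = "------" ] ||
        findings="${findings:+$findings }group-or-other-access($perms)"
    if [ -n "$findings" ]; then
        echo "$findings"
        return 1
    fi
    echo "ok"
}

# audit_racoon_socket PATH...
#   Checks every path that exists; returns 1 if any check did not pass.
audit_racoon_socket() {
    rc=0
    for sock in "$@"; do
        [ -e "$sock" ] || continue
        printf '%s: ' "$sock"
        classify_sock_entry "$(ls -ldn "$sock")" || rc=1
    done
    return "$rc"
}

# Socket paths from the FILES section of this page.
audit_racoon_socket /var/racoon/racoon.sock /var/run/racoon.sock
```

The permissions of the directory that contains the socket also gate access to it and are not checked here.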
     
OPTIONS
     -d     
             Debug mode.  Hexdump sent admin port commands.
     -l      
             Increase the verbosity.  Mainly for show-sa command.
     -s socket
             Specify the UNIX socket name used to connect to racoon.
     The following commands are available:
     reload-config
             This should cause racoon to reload its configuration file.
     show-schedule
             Unknown command.
     show-sa [isakmp|esp|ah|ipsec]
             Dump the SA: All the SAs if no SA class is provided, or either
             ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.  Use
             -l to increase verbosity.
     get-sa-cert [inet|inet6] src dst
             Output the raw certificate that was used to authenticate the
             phase 1 matching src and dst.
     flush-sa [isakmp|esp|ah|ipsec]
             Flush all SAs if no SA class is provided, or a class
             of SAs, either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all
             IPsec SAs.
     establish-sa [-w] [-n remoteconf] [-u username] saopts
             Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH
             SA.  The optional -u username can be used when establishing an
             ISAKMP SA while hybrid auth is in use.  The exact remote block to
             use can be specified with -n remoteconf.  The racoonctl utility will prompt
             you for the password associated with username and these credentials 
             will be used in the Xauth exchange.
             Specifying -w will make racoonctl wait until the SA is actually
             established or an error occurs.
             The saopts command has the following format:
             isakmp {inet|inet6} src dst
             {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port
               {icmp|tcp|udp|gre|any}
     vpn-connect [-u username] vpn_gateway
             This is a particular case of the previous command.  It will
             establish an ISAKMP SA with vpn_gateway.
     delete-sa saopts
             Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
     vpn-disconnect vpn_gateway
             This is a particular case of the previous command.  It will kill
             all SAs associated with vpn_gateway.
     show-event
             Listen for all events reported by racoon.
     logout-user login
             Delete all SAs established on behalf of the Xauth user login.
     Command shortcuts are available:
           rc   reload-config
           ss   show-sa
           sc   show-schedule
           fs   flush-sa
           ds   delete-sa
           es   establish-sa
           vc   vpn-connect
           vd   vpn-disconnect
           se   show-event
           lu   logout-user
RETURN VALUES
     The command should exit with 0 on success, and non-zero on errors.
FILES
     /var/racoon/racoon.sock or
     /var/run/racoon.sock            racoon control socket.
     
SEE ALSO
     ipsec, racoon
HISTORY
     Once was kmpstat in the KAME project.  It turned into racoonctl but
     remained undocumented for a while.  Emmanuel Dreyfus <manu@NetBSD.org>
     wrote this man page.