1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
.TH IPSEC_SETUP 8 "23 July 2001"
.\" RCSID $Id: setup.8,v 1.34 2002/08/09 02:22:23 dhr Exp $
.SH NAME
ipsec setup \- control IPsec subsystem
.SH SYNOPSIS
.B ipsec
.B setup
[
.B \-\-show
|
.B \-\-showonly
]
command
.SH DESCRIPTION
.I Setup
controls the FreeS/WAN IPsec subsystem,
including both the Klips kernel code and the Pluto key-negotiation daemon.
(It is a synonym for the ``rc'' script for the subsystem;
the system runs the equivalent of
.B "ipsec setup start"
at boot time,
and
.B "ipsec setup stop"
at shutdown time, more or less.)
.PP
The action taken depends on the specific
.IR command ,
and on the contents of the
.B config
.B setup
section of the
IPsec configuration file (\c
.IR /etc/ipsec.conf ,
see
.IR ipsec.conf (5)).
Current
.IR command s
are:
.TP 10
.B start
start Klips and Pluto,
including setting up Klips to do crypto operations on the
interface(s) specified in the configuration file,
and (if the configuration file so specifies)
setting up manually-keyed connections and/or
asking Pluto to negotiate automatically-keyed connections
to other security gateways
.TP
.B stop
shut down Klips and Pluto,
including tearing down all existing crypto connections
.TP
.B restart
equivalent to
.B stop
followed by
.B start
.TP
.B status
report the status of the subsystem;
normally just reports
.B "IPsec running"
and
.BR "pluto pid \fInnn\fP" ,
or
.BR "IPsec stopped" ,
and exits with status 0,
but will go into more detail (and exit with status 1)
if something strange is found.
(An ``illicit'' Pluto is one that does not match the process ID in
Pluto's lock file;
an ``orphaned'' Pluto is one with no lock file.)
.PP
The
.B stop
operation tries to clean up properly even if assorted accidents
have occurred,
e.g. Pluto having died without removing its lock file.
If
.B stop
discovers that the subsystem is (supposedly) not running,
it will complain,
but will do its cleanup anyway before exiting with status 1.
.PP
Although a number of configuration-file parameters influence
.IR setup 's
operations, the key one is the
.B interfaces
parameter, which must be right or chaos will ensue.
.PP
The
.B \-\-show
and
.B \-\-showonly
options cause
.I setup
to display the shell commands that it would execute.
.B \-\-showonly
suppresses their execution.
Only
.BR start ,
.BR stop ,
and
.B restart
commands recognize these flags.
.SH FILES
.ta \w'/proc/sys/net/ipv4/ip_forward'u+2n
/etc/rc.d/init.d/ipsec the script itself
.br
/etc/init.d/ipsec alternate location for the script
.br
/etc/ipsec.conf IPsec configuration file
.br
/proc/sys/net/ipv4/ip_forward forwarding control
.br
/var/run/ipsec.info saved information
.br
/var/run/pluto.pid Pluto lock file
.br
/var/run/ipsec_setup.pid IPsec lock file
.SH SEE ALSO
ipsec.conf(5), ipsec(8), ipsec_manual(8), ipsec_auto(8), route(8)
.SH DIAGNOSTICS
All output from the commands
.B start
and
.B stop
goes both to standard
output and to
.IR syslogd (8),
via
.IR logger (1).
Selected additional information is logged only to
.IR syslogd (8).
.SH HISTORY
Written for the FreeS/WAN project
<http://www.freeswan.org>
by Henry Spencer.
.SH BUGS
Old versions of
.IR logger (1)
inject spurious extra newlines onto standard output.
|
