<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<!-- lifted from troff+man by doclifter -->
<refentrytitle>IPSEC_SETUP</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class='date'>23 July 2001</refmiscinfo>
<refnamediv id='name'>
<refname>ipsec setup</refname>
<refpurpose>control IPsec subsystem</refpurpose>
<!-- body begins here -->
<refsynopsisdiv id='synopsis'>
<command>ipsec</command>
<arg choice='plain'><replaceable>setup</replaceable></arg>
<group choice='opt'><arg choice='plain'>--show </arg><arg choice='plain'>--showonly </arg></group>
<arg choice='plain'><replaceable>command</replaceable></arg>
<refsect1 id='description'><title>DESCRIPTION</title>
<para><emphasis remap='I'>Setup</emphasis>
controls the FreeS/WAN IPsec subsystem,
including both the Klips kernel code and the Pluto key-negotiation daemon.
(It is a synonym for the “rc” script for the subsystem;
the system runs the equivalent of
<emphasis remap='B'>ipsec setup start</emphasis>
<emphasis remap='B'>ipsec setup stop</emphasis>
at shutdown time, more or less.)</para>
<para>The action taken depends on the specific
<emphasis remap='I'>command</emphasis>,
and on the contents of the
<emphasis remap='B'>config</emphasis>
<emphasis remap='B'>setup</emphasis>
IPsec configuration file (<filename>/etc/ipsec.conf</filename>,
<citerefentry><refentrytitle>ipsec.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
<emphasis remap='I'>command</emphasis>s
<variablelist remap='TP'>
<term><emphasis remap='B'>start</emphasis></term>
<para>start Klips and Pluto,
including setting up Klips to do crypto operations on the
interface(s) specified in the configuration file,
and (if the configuration file so specifies)
setting up manually-keyed connections and/or
asking Pluto to negotiate automatically-keyed connections
to other security gateways</para>
<term><emphasis remap='B'>stop</emphasis></term>
<para>shut down Klips and Pluto,
including tearing down all existing crypto connections</para>
<term><emphasis remap='B'>restart</emphasis></term>
<emphasis remap='B'>stop</emphasis>
<emphasis remap='B'>start</emphasis></para>
<term><emphasis remap='B'>status</emphasis></term>
<para>report the status of the subsystem;
<emphasis remap='B'>IPsec running</emphasis>
<emphasis remap='B'>pluto pid </emphasis><emphasis remap='I'>nnn</emphasis><emphasis remap='P->B'></emphasis>,
<emphasis remap='B'>IPsec stopped</emphasis>,
and exits with status 0,
but will go into more detail (and exit with status 1)
if something strange is found.
(An “illicit” Pluto is one that does not match the process ID in
an “orphaned” Pluto is one with no lock file.)</para>
<emphasis remap='B'>stop</emphasis>
operation tries to clean up properly even if assorted accidents
e.g. Pluto having died without removing its lock file.
<emphasis remap='B'>stop</emphasis>
discovers that the subsystem is (supposedly) not running,
but will do its cleanup anyway before exiting with status 1.</para>
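An added example, not part of the FreeS/WAN man page or code: shell functions a monitoring job could use to interpret the status report and exit status described above, and to tell an "illicit" from an "orphaned" Pluto. The function names and the syslog tag are hypothetical, and the example assumes the Pluto lock file contains only the process ID.

```sh
#!/bin/sh
# Added example (not FreeS/WAN code). Report strings and exit statuses are
# the ones documented for "ipsec setup status"; function names are hypothetical.

# classify_status RC OUTPUT -> prints running | stopped | anomaly
classify_status() {
    rc=$1
    out=$2
    # Exit status 1 means setup found something strange: never report healthy.
    if [ "$rc" -ne 0 ]; then
        echo anomaly
        return 0
    fi
    case $out in
        *"IPsec running"*)
            # A healthy report also names the Pluto process ID.
            if printf '%s\n' "$out" | grep -Eq 'pluto pid [0-9]+'; then
                echo running
            else
                echo anomaly
            fi ;;
        *"IPsec stopped"*) echo stopped ;;
        *) echo anomaly ;;
    esac
}

# classify_pluto LOCKFILE PID... -> one line per PID: "<pid> ok|illicit|orphaned"
# Assumption: the lock file contains only Pluto's process ID.
classify_pluto() {
    lock=$1
    shift
    for pid in "$@"; do
        if [ ! -f "$lock" ]; then
            echo "$pid orphaned"        # Pluto running with no lock file
        elif [ "$(tr -d ' \n' < "$lock")" = "$pid" ]; then
            echo "$pid ok"
        else
            echo "$pid illicit"         # PID differs from the lock file
        fi
    done
}

# monitor: run the real command and log anomalies (needs FreeS/WAN installed).
monitor() {
    out=$(ipsec setup status 2>&1) && rc=0 || rc=$?
    state=$(classify_status "$rc" "$out")
    if [ "$state" = anomaly ]; then
        logger -p daemon.warning -t ipsec-monitor "$out"
    fi
    echo "$state"
}
```

Call monitor from cron or a health check; the two classify functions take their input as arguments, so they can be exercised with constructed reports on a host without FreeS/WAN.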
<para>Although a number of configuration-file parameters influence
<emphasis remap='I'>setup</emphasis>'s
operations, the key one is the
<emphasis remap='B'>interfaces</emphasis>
parameter, which must be right or chaos will ensue.</para>
<option>--show</option>
<option>--showonly</option>
<emphasis remap='I'>setup</emphasis>
to display the shell commands that it would execute.
<option>--showonly</option>
suppresses their execution.
<emphasis remap='B'>start</emphasis>,
<emphasis remap='B'>stop</emphasis>,
<emphasis remap='B'>restart</emphasis>
commands recognize these flags.</para>
<refsect1 id='files'><title>FILES</title>
<!-- .ta \w'/proc/sys/net/ipv4/ip_forward'u+2n -->
<para>/etc/rc.d/init.d/ipsec the script itself
/etc/init.d/ipsec alternate location for the script
/etc/ipsec.conf IPsec configuration file
/proc/sys/net/ipv4/ip_forward forwarding control
/var/run/ipsec.info saved information
/var/run/pluto.pid Pluto lock file
/var/run/ipsec_setup.pid IPsec lock file</para>
<refsect1 id='see_also'><title>SEE ALSO</title>
<para><citerefentry><refentrytitle>ipsec.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>ipsec</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>ipsec_manual</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>ipsec_auto</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>route</refentrytitle><manvolnum>8</manvolnum></citerefentry></para>
<refsect1 id='diagnostics'><title>DIAGNOSTICS</title>
<para>All output from the commands
<emphasis remap='B'>start</emphasis>
<emphasis remap='B'>stop</emphasis>
goes both to standard
<citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>logger</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
Selected additional information is logged only to
<citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<refsect1 id='history'><title>HISTORY</title>
<para>Written for the FreeS/WAN project
&lt;<ulink url='http://www.freeswan.org'>http://www.freeswan.org</ulink>&gt;
by Henry Spencer.</para>
<refsect1 id='bugs'><title>BUGS</title>
<para>Old versions of
<citerefentry><refentrytitle>logger</refentrytitle><manvolnum>1</manvolnum></citerefentry>
inject spurious extra newlines onto standard output.</para>