IPSEC_SETUP(8) IPSEC_SETUP(8)
NAME
ipsec setup - control IPsec subsystem
SYNOPSIS
ipsec setup [ --show | --showonly ] command
DESCRIPTION
Setup controls the FreeS/WAN IPsec subsystem, including both the Klips
kernel code and the Pluto key-negotiation daemon. (It is a synonym for
the ``rc'' script for the subsystem; the system runs the equivalent of
ipsec setup start at boot time, and ipsec setup stop at shutdown time,
more or less.)
The action taken depends on the specific command, and on the contents
of the config setup section of the IPsec configuration file
(/etc/ipsec.conf, see ipsec.conf(5)). Current commands are:
start    start Klips and Pluto, including setting up Klips to do
         crypto operations on the interface(s) specified in the
         configuration file, and (if the configuration file so
         specifies) setting up manually-keyed connections and/or
         asking Pluto to negotiate automatically-keyed connections
         to other security gateways
stop     shut down Klips and Pluto, including tearing down all
         existing crypto connections
restart  equivalent to stop followed by start
status   report the status of the subsystem; normally just reports
         IPsec running and pluto pid nnn, or IPsec stopped, and exits
         with status 0, but will go into more detail (and exit with
         status 1) if something strange is found. (An ``illicit''
         Pluto is one that does not match the process ID in Pluto's
         lock file; an ``orphaned'' Pluto is one with no lock file.)
The stop operation tries to clean up properly even if assorted
accidents have occurred, e.g. Pluto having died without removing its
lock file. If stop discovers that the subsystem is (supposedly) not
running, it will complain, but will do its cleanup anyway before
exiting with status 1.
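The lock-file conditions named under status and stop above, as an added example (not code from the FreeS/WAN script): a shell function that classifies Pluto's state from the lock file and a list of live pluto PIDs. It assumes the lock file holds a single PID on its first line; the function name and the stale-lock label are hypothetical.

```shell
#!/bin/sh
# Added example, not the ipsec setup script's own logic.
# classify_pluto LOCKFILE "PID PID ..."
#   prints: running | stopped | orphaned | illicit | stale-lock
#   returns 0 for running/stopped, 1 for anything strange (as status does)
# Assumption: LOCKFILE contains one numeric PID on its first line.
classify_pluto() {
    lockfile=$1
    running=$2    # whitespace-separated PIDs of live pluto processes

    if [ ! -e "$lockfile" ]; then
        # No lock file: a live Pluto is "orphaned" in the page's terms.
        if [ -n "$running" ]; then echo orphaned; return 1; fi
        echo stopped; return 0
    fi

    # Lock file present: read the PID and reject anything non-numeric.
    locked=$(head -n 1 "$lockfile" 2>/dev/null | tr -d '[:space:]')
    case $locked in
        ''|*[!0-9]*) echo stale-lock; return 1 ;;
    esac

    found=no
    for pid in $running; do
        if [ "$pid" = "$locked" ]; then
            found=yes
        else
            # A live Pluto whose PID differs from the lock file: "illicit".
            echo illicit; return 1
        fi
    done

    if [ "$found" = yes ]; then echo running; return 0; fi
    # Lock file left behind with no matching process, e.g. Pluto died
    # without removing it (the case stop is described as cleaning up).
    echo stale-lock; return 1
}

# Typical call on a gateway (pgrep -x matches the exact process name):
#   classify_pluto /var/run/pluto.pid "$(pgrep -x pluto)"
```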
Although a number of configuration-file parameters influence setup's
operations, the key one is the interfaces parameter, which must be
right or chaos will ensue.
The --show and --showonly options cause setup to display the shell
commands that it would execute. --showonly suppresses their execution.
Only start, stop, and restart commands recognize these flags.
FILES
/etc/rc.d/init.d/ipsec             the script itself
/etc/init.d/ipsec                  alternate location for the script
/etc/ipsec.conf                    IPsec configuration file
/proc/sys/net/ipv4/ip_forward      forwarding control
/var/run/ipsec.info                saved information
/var/run/pluto.pid                 Pluto lock file
/var/run/ipsec_setup.pid           IPsec lock file
SEE ALSO
ipsec.conf(5), ipsec(8), ipsec_manual(8), ipsec_auto(8), route(8)
DIAGNOSTICS
All output from the commands start and stop goes both to standard
output and to syslogd(8), via logger(1). Selected additional
information is logged only to syslogd(8).
HISTORY
Written for the FreeS/WAN project <http://www.freeswan.org> by Henry
Spencer.
BUGS
Old versions of logger(1) inject spurious extra newlines onto standard
output.
23 July 2001 IPSEC_SETUP(8)