.\" $OpenBSD: ipsecctl.8,v 1.29 2017/11/20 10:51:24 mpi Exp $
.\"
.\" Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: November 20 2017 $
.Dt IPSECCTL 8
.Os
.Sh NAME
.Nm ipsecctl
.Nd control flows for IPsec
.Sh SYNOPSIS
.Nm ipsecctl
.Op Fl cdFkmnv
.Op Fl D Ar macro Ns = Ns Ar value
.Op Fl f Ar file
.Op Fl i Ar fifo
.Op Fl s Ar modifier
.Sh DESCRIPTION
The
.Nm
utility controls flows that determine which packets are to be processed by
IPsec.
It allows ruleset configuration, and retrieval of status information from the
kernel's SPD (Security Policy Database) and SAD (Security Association
Database).
It also can control
.Xr isakmpd 8
and establish tunnels using automatic keying with
.Xr isakmpd 8 .
The ruleset grammar is described in
.Xr ipsec.conf 5 .
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl c
Use in combination with the
.Fl s
option to collapse flow output.
.It Fl D Ar macro Ns = Ns Ar value
Define
.Ar macro
to be set to
.Ar value
on the command line.
Overrides the definition of
.Ar macro
in the ruleset.
.It Fl d
When the
.Fl d
option is set, specified flows will be deleted from the SPD.
Otherwise,
.Nm
will add flows.
.It Fl F
The
.Fl F
option flushes the SPD and the SAD.
.It Fl f Ar file
Load the rules contained in
.Ar file .
.It Fl i Ar fifo
If given, the
.Fl i
option specifies an alternate FIFO instead of
.Pa /var/run/isakmpd.fifo ,
used to talk to
.Xr isakmpd 8 .
.It Fl k
Show secret keying material when printing the active SAD entries.
.It Fl m
Continuously display all
.Dv PF_KEY
messages exchanged with the kernel.
.It Fl n
Do not actually load rules, just parse them.
.It Fl s Ar modifier
Show the kernel's databases, specified by
.Ar modifier
(may be abbreviated):
.Pp
.Bl -tag -width xxxxxxxxxxxxx -compact
.It Fl s Cm flow
Show the ruleset loaded into the SPD.
.It Fl s Cm sa
Show the active SAD entries.
.It Fl s Cm all
Show all of the above.
.El
.It Fl v
Produce more verbose output.
A second use of
.Fl v
will produce even more verbose output.
.El
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr ipsec.conf 5 ,
.Xr isakmpd 8
.\" .Sh STANDARDS
.\" .Sh HISTORY
.\" .Sh AUTHORS
.\" .Sh CAVEATS
.\" .Sh BUGS
.Sh HISTORY
The
.Nm ipsecctl
program first appeared in
.Ox 3.8 .