NAME

ipsecctl — control flows for IPsec

SYNOPSIS

DESCRIPTION

The ipsecctl utility controls flows that determine which packets are to be processed by IPsec. It allows ruleset configuration, and retrieval of status information from the kernel's SPD (Security Policy Database) and SAD (Security Association Database). It also can control isakmpd(8) and establish tunnels using automatic keying with isakmpd(8). The ruleset grammar is described in ipsec.conf(5).

The options are as follows:

-c

Use in combination with the -s option to collapse flow output.

-D macro=value

Define macro to be set to value on the command line. Overrides the definition of macro in the ruleset.

-d

When the -d option is set, specified flows will be deleted from the SPD. Otherwise, ipsecctl will add flows.

-F

The -F option flushes the SPD and the SAD.

-f file

Load the rules contained in file.

-i fifo

If given, the -i option specifies an alternate FIFO instead of /var/run/isakmpd.fifo, used to talk to isakmpd(8).

-k

Show secret keying material when printing the active SAD entries.

-m

Continuously display all PF_KEY messages exchanged with the kernel.

-n

Do not actually load rules, just parse them.

-s modifier

Show the kernel's databases, specified by modifier (may be abbreviated):

-s flow

Show the ruleset loaded into the SPD.

-s sa

Show the active SAD entries.

-s all

Show all of the above.

-v

Produce more verbose output. A second use of -v will produce even more verbose output.

SEE ALSO

ipsec(4), tcp(4), ipsec.conf(5), isakmpd(8)

HISTORY

The ipsecctl program first appeared in OpenBSD 3.8.