115 lines
2.9 KiB
Groff
115 lines
2.9 KiB
Groff
|
.TH CHARON\-CMD 8 "2013-06-16" "@IPSEC_VERSION@" "strongSwan"
|
||
|
|
.SH "NAME"
|
||
|
|
charon\-cmd \- Simple IKE client (IPsec VPN client)
|
||
|
|
.SH SYNOPSIS
|
||
|
|
.B charon\-cmd
|
||
|
|
.B \-\-host
|
||
|
|
.I hostname
|
||
|
|
.B \-\-identity
|
||
|
|
.I identity
|
||
|
|
.B [ options ]
|
||
|
|
.PP
|
||
|
|
.SH "DESCRIPTION"
|
||
|
|
.B charon\-cmd
|
||
|
|
is a program for setting up IPsec VPN connections using the Internet Key
|
||
|
|
Exchange protocol (IKE) in version 1 and 2. It supports a number of different
|
||
|
|
road-warrior scenarios.
|
||
|
|
.PP
|
||
|
|
Like the IKE daemon
|
||
|
|
.BR charon ,
|
||
|
|
.B charon\-cmd
|
||
|
|
has to be run as
|
||
|
|
.B root
|
||
|
|
(or more specifically as a user with
|
||
|
|
.B CAP_NET_ADMIN
|
||
|
|
capability).
|
||
|
|
.PP
|
||
|
|
Of the following options at least
|
||
|
|
.I \-\-host
|
||
|
|
and
|
||
|
|
.I \-\-identity
|
||
|
|
are required. Depending on the selected authentication
|
||
|
|
.I profile
|
||
|
|
credentials also have to be provided with their respective options.
|
||
|
|
.PP
|
||
|
|
.SH "OPTIONS"
|
||
|
|
.TP
|
||
|
|
.BI "\-\-host " hostname
|
||
|
|
DNS name or IP address to connect to.
|
||
|
|
.TP
|
||
|
|
.BI "\-\-identity " identity
|
||
|
|
Identity the client uses for the IKE exchange.
|
||
|
|
.TP
|
||
|
|
.BI "\-\-remote\-identity " identity
|
||
|
|
Server identity to expect, defaults to
|
||
|
|
.IR hostname .
|
||
|
|
.TP
|
||
|
|
.BI "\-\-cert " path
|
||
|
|
Trusted certificate, either for authentication or trust chain validation.
|
||
|
|
To provide more than one certificate multiple
|
||
|
|
.B \-\-cert
|
||
|
|
options can be used.
|
||
|
|
.TP
|
||
|
|
.BI "\-\-rsa " path
|
||
|
|
RSA private key to use for authentication (if a password is required, it will
|
||
|
|
be requested on demand).
|
||
|
|
.TP
|
||
|
|
.BI "\-\-p12 " path
|
||
|
|
PKCS#12 file with private key and certificates to use for authentication and
|
||
|
|
trust chain validation (if a password is required it will be requested on
|
||
|
|
demand).
|
||
|
|
.TP
|
||
|
|
.RI "\fB\-\-agent\fR[=" socket ]
|
||
|
|
Use SSH agent for authentication. If
|
||
|
|
.I socket
|
||
|
|
is not specified it is read from the
|
||
|
|
.B SSH_AUTH_SOCK
|
||
|
|
environment variable.
|
||
|
|
.TP
|
||
|
|
.BI "\-\-local\-ts " subnet
|
||
|
|
Additional traffic selector to propose for our side, the requested virtual IP
|
||
|
|
address will always be proposed.
|
||
|
|
.TP
|
||
|
|
.BI "\-\-remote\-ts " subnet
|
||
|
|
Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
|
||
|
|
.TP
|
||
|
|
.BI "\-\-profile " name
|
||
|
|
Authentication profile to use, the list of supported profiles can be found
|
||
|
|
in the
|
||
|
|
.B Authentication Profiles
|
||
|
|
section below. Defaults to
|
||
|
|
.B ikev2\-pub
|
||
|
|
if a private key was supplied, and to
|
||
|
|
.B ikev2\-eap
|
||
|
|
otherwise.
|
||
|
|
.PP
|
||
|
|
.SS "Authentication Profiles"
|
||
|
|
.TP
|
||
|
|
.B "ikev2\-pub"
|
||
|
|
IKEv2 with public key client and server authentication
|
||
|
|
.TP
|
||
|
|
.B "ikev2\-eap"
|
||
|
|
IKEv2 with EAP client authentication and public key server authentication
|
||
|
|
.TP
|
||
|
|
.B "ikev2\-pub\-eap"
|
||
|
|
IKEv2 with public key and EAP client authentication (RFC 4739) and public key
|
||
|
|
server authentication
|
||
|
|
.TP
|
||
|
|
.B "ikev1\-pub"
|
||
|
|
IKEv1 with public key client and server authentication
|
||
|
|
.TP
|
||
|
|
.B "ikev1\-xauth"
|
||
|
|
IKEv1 with public key client and server authentication, followed by client XAuth
|
||
|
|
authentication
|
||
|
|
.TP
|
||
|
|
.B "ikev1\-xauth\-psk"
|
||
|
|
IKEv1 with pre-shared key (PSK) client and server authentication, followed by
|
||
|
|
client XAuth authentication (INSECURE!)
|
||
|
|
.TP
|
||
|
|
.B "ikev1\-hybrid"
|
||
|
|
IKEv1 with public key server authentication only, followed by client XAuth
|
||
|
|
authentication
|
||
|
|
.PP
|
||
|
|
.SH "SEE ALSO"
|
||
|
|
\fBipsec\fR(8)
|