.TH CHARON\-CMD 8 "2013-06-21" "@IPSEC_VERSION@" "strongSwan"
.SH "NAME"
charon\-cmd \- Simple IKE client (IPsec VPN client)
.SH SYNOPSIS
.B charon\-cmd
.B \-\-host
.I hostname
.B \-\-identity
.I identity
.B [ options ]
.PP
.SH "DESCRIPTION"
.B charon\-cmd
is a program for setting up IPsec VPN connections using the Internet Key
Exchange protocol (IKE) in versions 1 and 2. It supports a number of different
road-warrior scenarios.
.PP
Like the IKE daemon
.BR charon ,
.B charon\-cmd
has to be run as
.B root
(or more specifically as a user with the
.B CAP_NET_ADMIN
capability).
.PP
Of the following options at least
.I \-\-host
and
.I \-\-identity
are required. Depending on the selected authentication
.IR profile ,
credentials also have to be provided with their respective options.
.PP
Many of the
.BR charon -specific
configuration options in
.I strongswan.conf
also apply to
.BR charon\-cmd .
For instance, to configure customized logging to
.B stdout
the following snippet can be used:
.PP
.EX
charon-cmd {
    filelog {
        stdout {
            default = 1
            ike = 2
            cfg = 2
        }
    }
}
.EE
.PP
.SH "OPTIONS"
.TP
.BI "\-\-host " hostname
DNS name or IP address to connect to.
.TP
.BI "\-\-identity " identity
Identity the client uses for the IKE exchange.
.TP
.BI "\-\-remote\-identity " identity
Server identity to expect, defaults to
.IR hostname .
.TP
.BI "\-\-cert " path
Trusted certificate, either for authentication or trust chain validation.
To provide more than one certificate, multiple
.B \-\-cert
options can be used.
.TP
.BI "\-\-rsa " path
RSA private key to use for authentication (if a password is required, it will
be requested on demand).
.TP
.BI "\-\-p12 " path
PKCS#12 file with private key and certificates to use for authentication and
trust chain validation (if a password is required, it will be requested on
demand).
.TP
.RI "\fB\-\-agent\fR[=" socket ]
Use SSH agent for authentication. If
.I socket
is not specified, it is read from the
.B SSH_AUTH_SOCK
environment variable.
.TP
.BI "\-\-local\-ts " subnet
Additional traffic selector to propose for our side; the requested virtual IP
address will always be proposed.
.TP
.BI "\-\-remote\-ts " subnet
Traffic selector to propose for the remote side, defaults to 0.0.0.0/0.
.TP
.BI "\-\-profile " name
Authentication profile to use. The list of supported profiles can be found
in the
.B Authentication Profiles
sections below. Defaults to
.B ikev2\-pub
if a private key was supplied, and to
.B ikev2\-eap
otherwise.
.PP
.SS "IKEv2 Authentication Profiles"
.TP
.B "ikev2\-pub"
IKEv2 with public key client and server authentication
.TP
.B "ikev2\-eap"
IKEv2 with EAP client authentication and public key server authentication
.TP
.B "ikev2\-pub\-eap"
IKEv2 with public key and EAP client authentication (RFC 4739) and public key
server authentication
.PP
.SS "IKEv1 Authentication Profiles"
The following authentication profiles use either Main Mode or Aggressive Mode;
the latter is denoted with a \fB\-am\fR suffix.
.TP
.BR "ikev1\-pub" ", " "ikev1\-pub\-am"
IKEv1 with public key client and server authentication
.TP
.BR "ikev1\-xauth" ", " "ikev1\-xauth\-am"
IKEv1 with public key client and server authentication, followed by client XAuth
authentication
.TP
.BR "ikev1\-xauth\-psk" ", " "ikev1\-xauth\-psk\-am"
IKEv1 with pre-shared key (PSK) client and server authentication, followed by
client XAuth authentication (INSECURE!)
.TP
.BR "ikev1\-hybrid" ", " "ikev1\-hybrid\-am"
IKEv1 with public key server authentication only, followed by client XAuth
authentication
.PP
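As an added example (this wrapper is not part of strongSwan or of this manual), the following POSIX shell script applies the rules stated above before launching charon-cmd: it enforces the mandatory \-\-host and \-\-identity options, derives the default profile exactly as documented under \-\-profile, requires a key source for every profile that authenticates the client with a public key, rejects unknown profile names, and refuses the ikev1\-xauth\-psk profiles marked INSECURE unless an override is set. The functions charon_cmd_args, charon_cmd_privileged and charon_cmd_run, the environment variable CHARON_CMD_ALLOW_PSK, and the sample values vpn.example.org, alice@example.org, ca.crt and alice.key are all constructed for this example; treating \-\-agent as a private-key source for the default-profile rule is an assumption, as is the restriction that option values contain no whitespace.

```shell
#!/bin/sh
# Added example, not part of strongSwan: a launcher that applies the rules
# stated in the charon-cmd man page before handing the arguments on.
#   * --host and --identity are mandatory
#   * --profile defaults to ikev2-pub if a private key was supplied and to
#     ikev2-eap otherwise (counting --rsa, --p12 and --agent as key sources
#     is an assumption of this script)
#   * profiles with public key client authentication need a key source
#   * the PSK/XAuth profiles the page marks INSECURE are refused unless the
#     assumed environment variable CHARON_CMD_ALLOW_PSK=1 is set
# Option values are assumed to contain no whitespace.

# Build the charon-cmd command line from the given options and print it on
# one line. Returns 1 with a message on stderr if any check fails.
charon_cmd_args() {
    cc_host='' cc_id='' cc_profile='' cc_rest='' cc_key=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --host)     cc_host=$2; shift 2 ;;
            --identity) cc_id=$2; shift 2 ;;
            --profile)  cc_profile=$2; shift 2 ;;
            --rsa|--p12)
                cc_key=1; cc_rest="$cc_rest $1 $2"; shift 2 ;;
            --agent|--agent=*)
                cc_key=1; cc_rest="$cc_rest $1"; shift ;;
            --cert|--remote-identity|--local-ts|--remote-ts)
                cc_rest="$cc_rest $1 $2"; shift 2 ;;
            *)  echo "charon-cmd wrapper: unknown option $1" >&2; return 1 ;;
        esac
    done
    if [ -z "$cc_host" ] || [ -z "$cc_id" ]; then
        echo "charon-cmd wrapper: --host and --identity are required" >&2
        return 1
    fi
    # Default profile selection as documented under --profile.
    if [ -z "$cc_profile" ]; then
        if [ "$cc_key" -eq 1 ]; then cc_profile=ikev2-pub; else cc_profile=ikev2-eap; fi
    fi
    # Accept only the profiles listed in the Authentication Profiles sections.
    case "$cc_profile" in
        ikev2-pub|ikev2-eap|ikev2-pub-eap) ;;
        ikev1-pub|ikev1-pub-am|ikev1-xauth|ikev1-xauth-am|ikev1-hybrid|ikev1-hybrid-am) ;;
        ikev1-xauth-psk|ikev1-xauth-psk-am)
            if [ "${CHARON_CMD_ALLOW_PSK:-0}" != 1 ]; then
                echo "charon-cmd wrapper: $cc_profile is marked INSECURE; set CHARON_CMD_ALLOW_PSK=1 to override" >&2
                return 1
            fi ;;
        *)  echo "charon-cmd wrapper: unknown profile $cc_profile" >&2; return 1 ;;
    esac
    # Profiles that authenticate the client with a public key need a key.
    case "$cc_profile" in
        ikev2-pub|ikev2-pub-eap|ikev1-pub|ikev1-pub-am|ikev1-xauth|ikev1-xauth-am)
            if [ "$cc_key" -eq 0 ]; then
                echo "charon-cmd wrapper: $cc_profile needs --rsa, --p12 or --agent" >&2
                return 1
            fi ;;
    esac
    echo "charon-cmd --host $cc_host --identity $cc_id$cc_rest --profile $cc_profile"
}

# Privilege check from DESCRIPTION: only root is detected here; a non-root
# user holding CAP_NET_ADMIN is not recognised by this simple test.
charon_cmd_privileged() {
    [ "$(id -u)" -eq 0 ]
}

# Validate the options, check privilege, then replace this shell with charon-cmd.
charon_cmd_run() {
    cc_cmd=$(charon_cmd_args "$@") || return 1
    charon_cmd_privileged || {
        echo "charon-cmd wrapper: run as root (or with CAP_NET_ADMIN)" >&2
        return 1
    }
    # Word splitting is intentional: values were assumed whitespace-free.
    exec $cc_cmd
}
```

Typical use is charon_cmd_run \-\-host vpn.example.org \-\-identity alice@example.org \-\-cert ca.crt \-\-rsa alice.key, which resolves to the ikev2\-pub profile because a private key was given; the same call without \-\-rsa falls back to ikev2\-eap, and a request for ikev1\-xauth\-psk is refused until the override variable is set deliberately.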
.SH "SEE ALSO"
\fBstrongswan.conf\fR(5), \fBipsec\fR(8)