swanctl Tool


swanctl --initiate         (-i)  initiate a connection
        --terminate        (-t)  terminate a connection
        --rekey            (-R)  rekey an IKE or CHILD_SA
        --install          (-p)  install a trap or shunt policy
        --uninstall        (-u)  uninstall a trap or shunt policy
        --redirect         (-d)  redirect an IKE_SA
        --list-sas         (-l)  list currently active IKE_SAs
        --list-pols        (-P)  list currently installed policies
        --list-conns       (-L)  list loaded configurations
        --list-authorities (-B)  list loaded certification authorities information
        --list-certs       (-x)  list stored certificates
        --list-pools       (-A)  list loaded pool configurations
        --list-algs        (-g)  list loaded algorithms and their implementation
        --load-all         (-q)  (re-)load credentials, pools authorities and connections
        --load-authorities (-b)  (re-)load certification authorities information
        --load-conns       (-c)  (re-)load connection configuration
        --load-creds       (-s)  (re-)load credentials
        --load-pools       (-a)  (re-)load pool configuration
        --log              (-T)  trace logging output
        --flush-certs      (-f)  flush cached certificates
        --reload-settings  (-r)  reload strongswan.conf(5) configuration
        --stats            (-S)  show daemon infos and statistics
        --counters         (-C)  list or reset IKE event counters
        --version          (-v)  show version information
        --help             (-h)  show usage information


swanctl is a command line utility to configure, control and monitor the IKE charon daemon via the vici interface plugin.


The swanctl --load-…​ commands read connections, secrets and IP address pools from swanctl.conf located in the swanctl configuration directory, usually /etc/swanctl.

The configuration file to be loaded may be specified for each command explicitly via the --file argument, e.g. to use separate files for the connections and secrets sections.

The path to the swanctl directory can also be set with the SWANCTL_DIR environment variable.

Credential directories

The --load-creds command also reads file-based credentials, such as private keys and certificates from a set of pre-defined sub-directories in the swanctl configuration directory.

The credential directories are accessed relative to the swanctl.conf file actually loaded (see above) and the default directory may be changed at runtime via the SWANCTL_DIR environment variable.