swanctl Tool
Synopsis
swanctl command [options]
commands:
--initiate (-i) initiate a connection
--terminate (-t) terminate a connection
--rekey (-R) rekey an IKE or CHILD_SA
--install (-p) install a trap or shunt policy
--uninstall (-U) uninstall a trap or shunt policy
--redirect (-d) redirect an IKE_SA
--list-sas (-l) list currently active IKE_SAs
--list-pols (-P) list currently installed policies
--list-conns (-L) list loaded configurations
--list-authorities (-B) list loaded certification authorities information
--list-certs (-x) list stored certificates
--list-pools (-A) list loaded pool configurations
--list-algs (-g) list loaded algorithms and their implementation
--load-all (-q) (re-)load credentials, pools authorities and connections
--load-authorities (-b) (re-)load certification authorities information
--load-conns (-c) (re-)load connection configuration
--load-creds (-s) (re-)load credentials
--load-pools (-a) (re-)load pool configuration
--log (-T) trace logging output (levels 0 and 1 only)
--flush-certs (-f) flush cached certificates
--reload-settings (-r) reload strongswan.conf(5) configuration
--stats (-S) show daemon infos and statistics
--counters (-C) list or reset IKE event counters
--version (-V) show version information
--help (-h) show usage, version and plugin information
global options:
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
--uri (-u) service URI to connect to
Description
swanctl is a command line utility to configure, control and monitor the IKE
charon daemon via the vici interface plugin.
With version 6.0.5, the short option for --version was changed to -V
and the one for --uninstall to -U to avoid conflicts with the short
options for --debug (-v) and --uri (-u), which can be used
globally since then.
Commands
Each command has additional options. Pass --help to a command to get
additional information.
swanctl.conf
The swanctl --load-… commands read connections, secrets and IP address pools
from swanctl.conf located in the swanctl configuration directory, usually
/etc/swanctl.
The configuration file to be loaded may be specified for each command explicitly
via the --file argument, e.g. to use separate files for the connections
and secrets sections.
The path to the swanctl directory can also be set with the SWANCTL_DIR
environment variable.
Credential directories
The --load-creds command also reads file-based credentials, such as private
keys and certificates from a set of pre-defined sub-directories in the
swanctl configuration directory.
The credential directories are accessed relative to the swanctl.conf file
actually loaded (see above) and the default directory may be changed at runtime
via the SWANCTL_DIR environment variable.
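Because swanctl.conf can hold secrets and --load-creds reads private keys from the swanctl directory, a permission check on that directory is worth running before loading. The script below is an added example, not part of the strongSwan documentation or code; the function name is hypothetical, and the sub-directory names (private, rsa, ecdsa, pkcs8, pkcs12) are assumed from strongSwan's standard swanctl directory layout, since this page does not list them.

```shell
#!/bin/sh
# Added example: flag secret material under the swanctl directory that is
# readable or writable by group/others. Resolves the directory the same way
# the page describes: $SWANCTL_DIR if set, otherwise /etc/swanctl.

# Assumption: key-holding sub-directories of the standard swanctl layout
# (names are not taken from this page).
KEY_DIRS="private rsa ecdsa pkcs8 pkcs12"

# audit_swanctl_secrets [DIR]
# Prints one path per offending file.
# Returns 0 if clean, 1 if findings exist, 2 if the directory is missing.
audit_swanctl_secrets() {
    dir="${1:-${SWANCTL_DIR:-/etc/swanctl}}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    count=0
    # swanctl.conf is included because it may carry a secrets section.
    for rel in swanctl.conf $KEY_DIRS; do
        [ -e "$dir/$rel" ] || continue
        # Regular files with any group/other read or write bit set.
        # Symlinks are not followed; audit their targets separately.
        hits=$(find "$dir/$rel" -type f \
            \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print)
        [ -n "$hits" ] || continue
        printf '%s\n' "$hits"
        count=$((count + $(printf '%s\n' "$hits" | wc -l)))
    done
    [ "$count" -eq 0 ]
}

# Usage: sh audit.sh --audit [DIR]
case "${1:-}" in
    --audit) audit_swanctl_secrets "${2:-}" ;;
esac
```

Certificate directories are deliberately left out of the check, since certificates are public; only key containers and swanctl.conf are examined.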