FreeBSD Manual Pages
CHARON-CMD(8)                      strongSwan                     CHARON-CMD(8)

NAME
       charon-cmd - Simple IKE client (IPsec VPN client)

SYNOPSIS
       charon-cmd --host hostname --identity identity [ options ]

DESCRIPTION
       charon-cmd is a program for setting up IPsec VPN connections using the
       Internet Key Exchange protocol (IKE) in version 1 and 2. It supports a
       number of different road-warrior scenarios.

       Like the IKE daemon charon, charon-cmd has to be run as root (or more
       specifically as a user with the CAP_NET_ADMIN capability).

       Of the following options at least --host and --identity are required.
       Depending on the selected authentication profile, credentials also have
       to be provided with their respective options.

       Many of the charon-specific configuration options in strongswan.conf
       also apply to charon-cmd. For instance, to configure customized logging
       to stdout the following snippet can be used:

           charon-cmd {
               filelog {
                   stdout {
                       default = 1
                       ike = 2
                       cfg = 2
                   }
               }
           }

OPTIONS
       --help
              Prints usage information and a short summary of the available
              options.

       --version
              Prints the strongSwan version.

       --debug level
              Sets the default log level (defaults to 1). level is a number
              between -1 and 4. Refer to strongswan.conf for options that
              allow a more fine-grained configuration of the logging output.

       --host hostname
              DNS name or IP address to connect to.

       --identity identity
              Identity the client uses for the IKE exchange.

       --eap-identity identity
              Identity the client uses for EAP authentication.

       --xauth-username username
              Username the client uses for XAuth authentication.

       --remote-identity identity
              Server identity to expect, defaults to hostname.

       --cert path
              Trusted certificate, either for authentication or trust chain
              validation. To provide more than one certificate multiple --cert
              options can be used.

       --rsa path
              RSA private key to use for authentication (if a password is
              required, it will be requested on demand). For other key types
              use --priv.

       --priv path
              Private key to use for authentication (if a password is
              required, it will be requested on demand).

       --p12 path
              PKCS#12 file with private key and certificates to use for
              authentication and trust chain validation (if a password is
              required it will be requested on demand).

       --agent[=socket]
              Use SSH agent for authentication. If socket is not specified it
              is read from the SSH_AUTH_SOCK environment variable.

       --local-ts subnet
              Additional traffic selector to propose for our side; the
              requested virtual IP address will always be proposed.

       --remote-ts subnet
              Traffic selector to propose for remote side, defaults to
              0.0.0.0/0.

       --ike-proposal proposal
              IKE proposal to offer instead of default. For IKEv1, a single
              proposal consists of one encryption algorithm, an integrity/PRF
              algorithm and a DH group. IKEv2 can propose multiple algorithms
              of the same kind. To specify multiple proposals, repeat the
              option.

       --esp-proposal proposal
              ESP proposal to offer instead of default. For IKEv1, a single
              proposal consists of one encryption algorithm, an integrity
              algorithm and an optional DH group for Perfect Forward Secrecy
              rekeying. IKEv2 can propose multiple algorithms of the same
              kind. To specify multiple proposals, repeat the option.

       --ah-proposal proposal
              AH proposal to offer instead of ESP. For IKEv1, a single
              proposal consists of an integrity algorithm and an optional DH
              group for Perfect Forward Secrecy rekeying. IKEv2 can propose
              multiple algorithms of the same kind. To specify multiple
              proposals, repeat the option.

       --profile name
              Authentication profile to use; the list of supported profiles
              can be found in the Authentication Profiles sections below.
              Defaults to ikev2-pub if a private key was supplied, and to
              ikev2-eap otherwise.

   IKEv2 Authentication Profiles
       ikev2-pub
              IKEv2 with public key client and server authentication

       ikev2-eap
              IKEv2 with EAP client authentication and public key server
              authentication

       ikev2-pub-eap
              IKEv2 with public key and EAP client authentication (RFC 4739)
              and public key server authentication

   IKEv1 Authentication Profiles
       The following authentication profiles use either Main Mode or
       Aggressive Mode, the latter being denoted with a -am suffix.

       ikev1-pub, ikev1-pub-am
              IKEv1 with public key client and server authentication

       ikev1-xauth, ikev1-xauth-am
              IKEv1 with public key client and server authentication,
              followed by client XAuth authentication

       ikev1-xauth-psk, ikev1-xauth-psk-am
              IKEv1 with pre-shared key (PSK) client and server
              authentication, followed by client XAuth authentication
              (INSECURE!)

       ikev1-hybrid, ikev1-hybrid-am
              IKEv1 with public key server authentication only, followed by
              client XAuth authentication

SEE ALSO
       strongswan.conf(5), ipsec(8)

6.0.0                              2013-06-21                     CHARON-CMD(8)
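The option and profile rules above, as an added example that is not strongSwan's own code: a hypothetical Python helper charon_cmd_argv() assembles a charon-cmd(8) argument vector, applies the documented default-profile rule (ikev2-pub when a key is supplied, ikev2-eap otherwise), emits repeatable options once per value, and refuses the PSK profiles the page marks INSECURE unless explicitly allowed. Hostnames and paths used in calls are constructed sample values.

```python
from typing import Optional, Sequence

# Profiles from the Authentication Profiles sections; the PSK pair is marked INSECURE!
PROFILES = {"ikev2-pub", "ikev2-eap", "ikev2-pub-eap", "ikev1-pub", "ikev1-pub-am",
            "ikev1-xauth", "ikev1-xauth-am", "ikev1-xauth-psk", "ikev1-xauth-psk-am",
            "ikev1-hybrid", "ikev1-hybrid-am"}
INSECURE_PROFILES = {"ikev1-xauth-psk", "ikev1-xauth-psk-am"}


def charon_cmd_argv(host: str, identity: str, *, profile: Optional[str] = None,
                    rsa: Optional[str] = None, priv: Optional[str] = None,
                    p12: Optional[str] = None, agent: Optional[str] = None,
                    eap_identity: Optional[str] = None, xauth_username: Optional[str] = None,
                    remote_identity: Optional[str] = None, remote_ts: Optional[str] = None,
                    debug: Optional[int] = None, certs: Sequence[str] = (),
                    local_ts: Sequence[str] = (), ike_proposals: Sequence[str] = (),
                    esp_proposals: Sequence[str] = (), ah_proposals: Sequence[str] = (),
                    allow_insecure: bool = False) -> list:
    """Hypothetical helper: return the argv for charon-cmd(8), ValueError on misuse."""
    if not host or not identity:
        raise ValueError("--host and --identity are required")
    if debug is not None and not -1 <= debug <= 4:
        raise ValueError("--debug level must be between -1 and 4")
    # agent=None: no agent; agent="": --agent (socket from SSH_AUTH_SOCK);
    # any other string: --agent=<socket>. All four key sources count as a supplied key.
    has_key = any(v is not None for v in (rsa, priv, p12, agent))
    if profile is None:  # default rule from the --profile option above
        profile = "ikev2-pub" if has_key else "ikev2-eap"
    if profile not in PROFILES:
        raise ValueError(f"unknown profile {profile!r}")
    if profile in INSECURE_PROFILES and not allow_insecure:
        raise ValueError(f"{profile} is marked INSECURE; pass allow_insecure=True")
    argv = ["charon-cmd", "--host", host, "--identity", identity, "--profile", profile]
    single = (("--debug", debug), ("--eap-identity", eap_identity),
              ("--xauth-username", xauth_username), ("--remote-identity", remote_identity),
              ("--rsa", rsa), ("--priv", priv), ("--p12", p12), ("--remote-ts", remote_ts))
    for flag, value in single:
        if value is not None:
            argv += [flag, str(value)]
    if agent is not None:
        argv.append("--agent" if agent == "" else f"--agent={agent}")
    # Repeatable options: one flag per value, as the OPTIONS section requires.
    repeat = (("--cert", certs), ("--local-ts", local_ts), ("--ike-proposal", ike_proposals),
              ("--esp-proposal", esp_proposals), ("--ah-proposal", ah_proposals))
    for flag, values in repeat:
        for value in values:
            argv += [flag, value]
    return argv
```

The returned list can be handed to subprocess.run() unchanged; running it still requires root (or CAP_NET_ADMIN) as the DESCRIPTION states.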