This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles.

For more information about the manual page format, see the manual page for manpages(5).

RACOONCTL(8)              BSD System Manager's Manual             RACOONCTL(8)

NAME
     racoonctl -- racoon administrative control tool

SYNOPSIS
     racoonctl reload-config
     racoonctl show-schedule
     racoonctl [-l [-l]] show-sa [isakmp|esp|ah|ipsec]
     racoonctl flush-sa [isakmp|esp|ah|ipsec]
     racoonctl delete-sa saopts
     racoonctl establish-sa [-u identity] saopts
     racoonctl vpn-connect [-u -identity] vpn_gateway
     racoonctl vpn-disconnect vpn_gateway
     racoonctl show-event [-l]

DESCRIPTION
     racoonctl is used to control racoon(8) operation, if ipsec-tools was configured with adminport support.
     Communication between racoonctl and racoon(8) is done through a UNIX socket.  By changing the default
     mode and ownership of the socket, you can allow non-root users to alter racoon(8) behavior, so do that
     with caution.

     The following commands are available:

     reload-config
             This should cause racoon(8) to reload its configuration file.  This seems completely broken at
             the time this man page is written.

     show-schedule
             Unknown command.

     show-sa [isakmp|esp|ah|ipsec]
             Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs, IPsec ESP SAs, IPsec
             AH SAs, or all IPsec SAs.  Use -l to increase verbosity.

     flush-sa [isakmp|esp|ah|ipsec]
             is used to flush all SAs if no SA class is provided, or a class of SAs, either ISAKMP SAs,
             IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.

     establish-sa [-u username] saopts
             Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.  The optional -u username
             can be used when establishing an ISAKMP SA while hybrid auth is in use.  racoonctl will prompt
             you for the password associated with username and these credentials will be used in the Xauth
             exchange.

             saopts has the following format:

             isakmp {inet|inet6} src dst

             {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port
               {icmp|tcp|udp|any}

     vpn-connect [-u username] vpn_gateway
             This is a particular case of the previous command.  It will establish an ISAKMP SA with
             vpn_gateway.

     delete-sa saopts
             Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.

     vpn-disconnect vpn_gateway
             This is a particular case of the previous command.  It will kill all SAs associated with
             vpn_gateway.

     show-event [-l]
             Dump all events reported by racoon(8), then quit.  The -l flag causes racoonctl to not stop
             once all the events have been read, but rather to loop awaiting and reporting new events.

     Command shortcuts are available:
           rc   reload-config
           ss   show-sa
           sc   show-schedule
           fs   flush-sa
           ds   delete-sa
           es   establish-sa
           vc   vpn-connect
           vd   vpn-disconnect
           se   show-event

RETURN VALUES
     The command should exit with 0 on success, and non-zero on errors.

FILES
     /var/racoon/racoon.sock or
     /var/run/racoon.sock            racoon(8) control socket.

SEE ALSO
     ipsec(4), racoon(8)

HISTORY
     Once was kmpstat in the KAME project.  It turned into racoonctl but remained undocumented for a while.
     Emmanuel Dreyfus <manu@NetBSD.org> wrote this man page.

BSD                            November 16, 2004                           BSD