Provided by: libreswan_5.2-2.2ubuntu1_amd64 
NAME
ipsec - invoke IPsec utilities
SYNOPSIS
ipsec command [argument...]
ipsec help
ipsec version
ipsec directory
DESCRIPTION
ipsec invokes any of several utilities involved in controlling the IPsec encryption/authentication
system, running the specified command with the specified argument as if it had been invoked directly.
This largely eliminates possible name collisions with other software, and also permits some centralized
services.
ipsec help lists the available commands. Most have their own manual pages.
ipsec version outputs the software version.
ipsec directory reports where the ipsec sub-commands are stored.
COMMANDS
To get a list of supported commands, use the command ipsec --help. The full set of commands are listed
below:
ipsec start, ipsec stop, ipsec restart, ipsec listen
Used to control the pluto daemon using the host init system. Supported init systems are sysv,
systemd, upstart and openrc.
See ipsec-start(8), ipsec-stop(8), ipsec-listen(8), and ipsec-restart(8).
ipsec add, ipsec up, ipsec start, ipsec route, ipsec unroute, ipsec ondemand, ipsec down, ipsec delete,
ipsec redirect, ipsec replace
Used to manually add, remove and manipulate connections.
See ipsec-add(8), ipsec-redirect(8), ipsec-up(8), ipsec-start(8), ipsec-route(8), ipsec-unroute(8),
ipsec-ondemand(8), ipsec-down(8), ipsec-replace(8), and ipsec-delete(8).
ipsec status, ipsec briefstatus, ipsec connectionstatus, ipsec briefconnectionstatus, ipsec
trafficstatus, ipsec shuntstatus
Used to display information about connections and their current status.
See ipsec-status(8), ipsec-briefstatus(8), ipsec-trafficstatus(8), ipsec-connectionstatus(8), ipsec-
shuntstatus(8), and ipsec-briefconnectionstatus(8).
ipsec initnss, ipsec checknss, ipsec import, ipsec listall, ipsec listcerts, ipsec rereadsecrets, ipsec
listpubkeys, ipsec rereadcerts, ipsec listcacerts, ipsec rereadall, ipsec rereadsecrets
Used to initialise, verify, and manipulate the NSS database that contains all the X.509 certificate
information and private RSA keys.
See ipsec-initnss(8), ipsec-rereadall(8), ipsec-rereadsecrets(8), ipsec-listall(8), ipsec-
checknss(8), ipsec-import(8), ipsec-rereadcerts(8), ipsec-listcerts(8), ipsec-listcacerts(8), ipsec-
fips(8), ipsec-rereadsecrets(8), ipsec-listpubkeys(8), and ipsec-pk12status(8).
ipsec fetchcrls, ipsec listcrls
Update and display the Certificate Revocation List.
See ipsec-fetchcrls(8), and ipsec-listcrls(8).
ipsec certutil, ipsec crlutil, ipsec modutil, ipsec pk12util, ipsec vfychain
Wrappers around the NSS pk12util, modutil, certutil, and crlutil that can be used to directly
manipulate Libreswan's NSS database.
See ipsec-certutil(8), ipsec-crlutil(8). ipsec-modutil(8), ipsec-pk12util(8), and ipsec-vfychain(8).
ipsec checkconfig, ipsec readwriteconf
Used to validate and dump the ipsec file (default /etc/ipsec.conf).
See ipsec-checkconfig(8), and ipsec-readwriteconf(8).
ipsec checknflog, ipsec stopnflog
Used to initialise and delete iptable rules for the nflog devices when specified via the nflog= or
nflog-all= configuration options.
See ipsec-checknflog(8), and ipsec-stopnflog(8).
ipsec whack
Low-level utility for manipulating Libreswan's daemon pluto.
See ipsec-whack(8).
ipsec pluto
Libreswan's daemon that implements the Internet Key Exchange protocols.
See ipsec-pluto(8).
ipsec showhostkey, ipsec newhostkey, ipsec ecdsasigkey, ipsec rsasigkey
Generate and display raw host keys stored in the NSS database.
See: ipsec-showhostkey(8), ipsec-newhostkey(8), ipsec-ecdsasigkey(8), ipsec-rsasigkey(8).
ipsec algparse
Utility for displaying and verifying cryptographic proposals.
See: ipsec-algparse(8).
ipsec showroute
Utility for displaying the routing information.
See: ipsec-showroute(8).
ipsec letsencrypt
Utility for generating letsencrypt keys.
See: ipsec-letsencrypt(8).
ipsec fipsstatus, ipsec cavp
Display FIPS status and run FIPS crypto tests for CAVP complance.
See: ipsec-fipsstatus(8), ipsec-cavp(8).
RETURN CODE
The ipsec command passes the return code of the sub-command back to the caller. The only exception is
when ipsec pluto is used without --nofork, as it will fork into the background and the ipsec command
returns success while the pluto daemon may in fact exit with an error code after the fork.
FILES
/usr/libexec/ipsec usual utilities directory
SEE ALSO
ipsec.conf(5), ipsec-add(8), ipsec-algparse(8), ipsec-briefconnectionstatus(8), ipsec-briefstatus(8),
ipsec-certutil(8), ipsec-checkconfig(8), ipsec-checknflog(8), ipsec-checknss(8), ipsec-
connectionstatus(8), ipsec-crlutil(8), ipsec-delete(8), ipsec-down(8), ipsec-ecdsasigkey(8), ipsec-
fetchcrls(8), ipsec-fipsstatus(8), ipsec-globalstatus(8), ipsec-import(8), ipsec-initnss(8), ipsec-
letsencrypt(8), ipsec-listall(8), ipsec-listcacerts(8), ipsec-listcerts(8), ipsec-listcrls(8), ipsec-
listen(8), ipsec-listpubkeys(8), ipsec-modutil(8), ipsec-newhostkey(8), ipsec-ondemand(8), ipsec-
pk12util(8), ipsec-pluto(8), ipsec-purgeocsp(8), ipsec-redirect(8), ipsec-replace(8), ipsec-rereadall(8),
ipsec-rereadcerts(8), ipsec-rereadsecrets(8), ipsec-restart(8), ipsec-route(8), ipsec-rsasigkey(8),
ipsec-setup(8), ipsec-showhostkey(8), ipsec-showroute(8), ipsec-showstates(8), ipsec-shuntstatus(8),
ipsec-start(8), ipsec-status(8), ipsec-stop(8), ipsec-trafficstatus(8), ipsec-unroute(8), ipsec-up(8),
ipsec-vfychain(8), ipsec-whack(8)
AUTHOR
Tuomo Soini Andrew Cagney
Libreswan 5.2 07/30/2025 IPSEC(8)