racoonctl —
racoon administrative control tool
  
    | racoonctl | [opts] reload-config | 
  
    | racoonctl | [opts] show-schedule | 
  
    | racoonctl | [opts] show-sa [isakmp|esp|ah|ipsec] | 
  
    | racoonctl | [opts] get-sa-cert [inet|inet6] src dst | 
  
    | racoonctl | [opts] flush-sa [isakmp|esp|ah|ipsec] | 
  
    | racoonctl | [opts] delete-sa saopts | 
  
    | racoonctl | [opts] establish-sa [ -w]
      [-nremoteconf]
      [-uidentity]
      saopts | 
  
    | racoonctl | [opts] vpn-connect [ -uidentity] vpn_gateway | 
  
    | racoonctl | [opts] vpn-disconnect vpn_gateway | 
  
    | racoonctl | [opts] show-event | 
  
    | racoonctl | [opts] logout-user login | 
racoonctl is used to control
  racoon(8) operation, if
  ipsec-tools was configured with adminport support. Communication between
  racoonctl and
  racoon(8) is done through a UNIX
  socket. By changing the default mode and ownership of the socket, you can
  allow non-root users to alter
  racoon(8) behavior, so do that
  with caution.
The following general options are available:
  - -d
- Debug mode. Hexdump sent admin port commands.
- -l
- Increase verbosity. Mainly for show-sa command.
- -ssocket
- Specify unix socket name used to connecting racoon.
The following commands are available:
  - reload-config
- This should cause racoon(8)
      to reload its configuration file.
- show-schedule
- Unknown command.
- show-sa [isakmp|esp|ah|ipsec]
- Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs,
      IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use
      -lto increase verbosity.
- get-sa-cert [inet|inet6] src dst
- Output the raw certificate that was used to authenticate the phase 1
      matching src and dst.
- flush-sa [isakmp|esp|ah|ipsec]
- is used to flush all SAs if no SA class is provided, or a class of SAs,
      either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
- establish-sa [-w] [-nremoteconf] [-uusername] saopts
- Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. The
      optional -uusername can be
      used when establishing an ISAKMP SA while hybrid auth is in use. The exact
      remote block to use can be specified with-nremoteconf.racoonctlwill
      prompt you for the password associated with username
      and these credentials will be used in the Xauth exchange.Specifying -wwill make racoonctl wait
        until the SA is actually established or an error occurs.
 saopts has the following format: 
      - isakmp {inet|inet6} src
        dst
-  
- {esp|ah} {inet|inet6} src/prefixlen/port
        dst/prefixlen/port
- {icmp|tcp|udp|gre|any}
 
- vpn-connect [-uusername]
    vpn_gateway
- This is a particular case of the previous command. It will establish an
      ISAKMP SA with vpn_gateway.
- delete-sa saopts
- Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
- vpn-disconnect vpn_gateway
- This is a particular case of the previous command. It will kill all SAs
      associated with vpn_gateway.
- show-event
- Listen for all events reported by
      racoon(8).
- logout-user login
- Delete all SA established on behalf of the Xauth user
      login.
Command shortcuts are available:
  - rc
- reload-config
- ss
- show-sa
- sc
- show-schedule
- fs
- flush-sa
- ds
- delete-sa
- es
- establish-sa
- vc
- vpn-connect
- vd
- vpn-disconnect
- se
- show-event
- lu
- logout-user
 
The command should exit with 0 on success, and non-zero on errors.
  - /var/racoon/racoon.sock
    or
-  
- /var/run/racoon.sock
- racoon(8) control
    socket.
Once waskmpstat in the KAME project. It turned into
  racoonctl but remained undocumented for a while.
  Emmanuel Dreyfus
  <manu@NetBSD.org> wrote
  this man page.