swanctl
The swanctl
command is a powerful tool in the strongSwan suite used for managing and configuring IPsec and IKEv2 connections. It allows you to load, list, initiate, terminate, and monitor VPN connections based on the configuration files in the /etc/swanctl/
directory.
Purpose
swanctl
provides a command-line interface for managing the strongSwan IPsec daemon (Charon). It interacts with the configurations defined in swanctl.conf
and other related files in /etc/swanctl/
.
Common swanctl
Commands
swanctl
CommandsLoading Configuration
Load all configurations: This command reads all configurations defined in
/etc/swanctl/
and loads them into the strongSwan daemon.sudo swanctl --load-all
Listing Configurations and Status
List all connection configurations: Displays the connection profiles defined in the configuration files.
sudo swanctl --list-conns
List active security associations (SAs): Shows currently active IPsec tunnels and their status.
sudo swanctl --list-sas
List loaded pools: Lists IP address pools loaded into strongSwan.
sudo swanctl --list-pools
Managing Connections
Initiate a connection: Manually start a VPN connection based on a specific child SA name.
sudo swanctl --initiate --child <child-sa-name>
Terminate a connection: Manually stop a VPN connection based on a specific child SA name.
sudo swanctl --terminate --child <child-sa-name>
Managing Certificates and Keys
List certificates: Display all loaded certificates.
sudo swanctl --list-certs
Load a certificate: Load a specific certificate file.
sudo swanctl --load-creds
Debugging and Logging
Show active log levels: Display the current logging levels and modules.
sudo swanctl --loglevel
Example Usage of swanctl
swanctl
Loading Configuration
To load all configurations, use:
sudo swanctl --load-all
Listing Connections
To list all configured connections:
sudo swanctl --list-conns
Example output:
myvpn: IKEv2, reauthentication every 14400s, no rekeying, dpd delay 30s
local: %any
remote: %any
local public key authentication:
id: "CN=myvpnserver"
cert: "CN=myvpnserver"
remote public key authentication:
id: "CN=myvpnclient"
cert: "CN=myvpnclient"
child: net, local_ts 10.0.0.0/24, remote_ts 0.0.0.0/0, dpd action restart
Initiating and Terminating Connections
To initiate a connection named net
:
sudo swanctl --initiate --child net
To terminate the same connection:
sudo swanctl --terminate --child net
Configuration in /etc/swanctl/
/etc/swanctl/
swanctl.conf
swanctl.conf
Here is a detailed example of a swanctl.conf
configuration file:
connections {
myvpn {
version = 2
local_addrs = 192.0.2.1
remote_addrs = 192.0.2.2
local {
auth = pubkey
certs = certs/mycert.pem
id = "CN=myvpnserver"
}
remote {
auth = pubkey
certs = certs/clientcert.pem
id = "CN=myvpnclient"
}
children {
net {
local_ts = 10.0.0.0/24
remote_ts = 0.0.0.0/0
dpd_action = restart
esp_proposals = aes256-sha256-modp2048
}
}
}
}
secrets {
private {
file = private/mykey.pem
}
eap {
id = "username"
secret = "password"
}
}
pools {
mypool {
addrs = 10.3.0.0/24
dns = 10.3.0.1
}
}
Conclusion
The swanctl
command is a crucial tool for managing strongSwan's IPsec and IKEv2 VPN connections. By leveraging the configurations defined in /etc/swanctl/
, administrators can easily load, initiate, and monitor secure VPN connections. Proper understanding and usage of swanctl
commands ensure efficient and secure management of VPN infrastructure.
Last updated