Package libreswan

IPsec implementation with IKEv1 and IKEv2 keying protocols

https://libreswan.org/

Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel. The resulting
tunnel is a virtual private network or VPN.

This package contains the daemons and userland tools for setting up
Libreswan. To build KLIPS, see the kmod-libreswan.spec file.

Libreswan also supports IKEv2 (RFC4309) and Secure Labeling

Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

File Formats (Section 5)
ipsec.conf
The ipsec.conf file specifies most configuration and control information for the Libreswan IPsec subsystem. (The major exception is secrets for authentication...
ipsec_eroute
/proc/net/ipsec_eroute lists the IPSEC extended routing tables, which control what (if any) processing is applied to non-encrypted packets arriving for IPSEC...
ipsec_klipsdebug
/proc/net/ipsec_klipsdebug lists flags that control various parts of the debugging output of KLIPS and MAST, two of the IPsec stacks supported by Libreswan. At...
ipsec_pf_key
/proc/net/pf_key is a read-only file which lists the presently open PF_KEY sockets on the local system and their parameters. Each line lists one PF_KEY socket...
ipsec.secrets
The file ipsec.secrets contains a list of secrets. Currently supported secrets are preshared secrets (PSKs), RSA keys and XAUTH passwords. These secrets are...
ipsec_spi
/proc/net/ipsec_spi is a read-only file that lists the current IPSEC Security Associations. A Security Association (SA) is a transform through which packet...
ipsec_spigrp
/proc/net/ipsec_spigrp is a read-only file that lists groups of IPSEC Security Associations (SAs). An entry in the IPSEC extended routing table can only point...
ipsec_tncfg
/proc/net/ipsec_tncfg is a read-only file which lists which IPSEC virtual interfaces are attached to which real interfaces, through which packets will be...
ipsec_trap_count
/proc/net/ipsec/stats/trap_count is a read-only file. It contains a hexadecimal number which records the number of attempts to send PF_ACQUIRE messages. Only...
ipsec_trap_sendcount
/proc/net/ipsec/stats/trap_sendcount is a read-only file. It contains a hexadecimal number which records the number of successful PF_ACQUIRE messages that were...
ipsec_version
/proc/net/ipsec_version is a read-only file which lists the currently running KLIPS version information.
System Administration (Section 8)
ipsec
ipsec invokes any of several utilities involved in controlling the IPsec encryption/authentication system, running the specified command with the specified...
ipsec_addconn
ipsec addconn takes a config file (or stdin) containing the format of ipsec.conf, or the format of individual "conn" sections, and uses that information to load...
ipsec_auto
Auto manipulates automatically-keyed Libreswan IPsec connections, setting them up and shutting them down based on the information in the IPsec configuration...
ipsec_barf
Barf outputs (on standard output) a collection of debugging information (contents of files, selections from logs, etc.) related to the IPsec...
ipsec_eroute
Eroute manages the IPSEC extended routing tables, which control what (if any) processing is applied to non-encrypted packets arriving for IPSEC processing and...
ipsec_import
ipsec import imports PKCS#12 files into the IPsec NSS database located at the ipsec data directory (default: /etc/ipsec.d/)
ipsec__import_crl
_import_crl is spawned by pluto in order to add or update a CRL in the NSS database (default: /etc/ipsec.d)
ipsec_initnss
Initnss initialises the NSS database where all private keys for RSA and certificate keypairs are stored. If already initialised, it will return an error. To...
ipsec__keycensor
_keycensor is used by ipsec barf to process the /etc/ipsec.secrets file, removing private key info.
ipsec_klipsdebug
Klipsdebug sets and clears flags that control various parts of the debugging output of Klips (the kernel portion of FreeS/WAN IPSEC). The form with no...
ipsec_look
Look is used to get a quick overview of the status of Libreswan. It is equivalent to running the commands ipsec eroute, ipsec spigrp, ipsec tncfg...
ipsec_newhostkey
newhostkey generates an RSA public/private key pair suitable for authenticating this host and stores it in the NSS database. See ipsec_showhostkey(8)...
ipsec_pf_key
pf_key is a program to open a PF_KEY socket and print all messages that are received from it. With no options, it will register itself to receive key requests...
ipsec_pluto
pluto is an IKE ("IPsec Key Exchange") daemon. whack is an auxiliary program to allow requests to be made to a running pluto. pluto is used to automatically...
ipsec__plutorun
_plutorun is called by _realsetup to configure and bring up pluto(8). It invokes pluto, and watches to make sure that pluto is restarted if it fails, as the...
ipsec_readwriteconf
This program reads the given ipsec.conf style configuration file, interpreting the also= options, and outputs an equivalent ipsec.conf file. The purpose of this...
ipsec_rsasigkey
Rsasigkey generates an RSA public/private key pair, suitable for digital signatures, of (exactly) nbits bits (that is, two primes each of exactly nbits/2 bits...
ipsec__secretcensor
_secretcensor is called by ipsec barf to process the /etc/ipsec.secrets file to remove the private key components from the file prior to revealing the contents.
ipsec_setup
setup is called (via ipsec setup) by the system administrator to perform init system related tasks for Libreswan, such as start, stop, status, reload, etc for...
ipsec_showhostkey
Showhostkey outputs (on standard output) a public key suitable for this host, in the format specified, using the host key information stored in the NSS...
ipsec_spi
Spi creates and deletes IPSEC Security Associations. A Security Association (SA) is a transform through which packet contents are to be processed before being...
ipsec_spigrp
Spigrp groups IPSEC Security Associations (SAs) together or ungroups previously grouped SAs. An entry in the IPSEC extended routing table can only point (via a...
ipsec__stackmanager
ipsec _stackmanager is called from within the init sub-system (systemd, upstart, sysv initscripts) to bring up the Libreswan kernel component as configured via...
ipsec_tncfg
The purpose of tncfg is to attach/detach IPsec virtual interfaces (e.g. ipsec0) to/from physical interfaces (e.g. eth0) through which packets will be forwarded...
ipsec__updown
_updown is invoked by pluto when it has brought up a new connection. This script is used to insert the appropriate routing entries for IPsec operation on some...
ipsec__updown.klips
_updown is invoked by pluto when it has brought up a new connection. This script is used to insert the appropriate routing entries for IPsec operation. The...
ipsec__updown.netkey
_updown is invoked by pluto when it has brought up a new connection. This script is used to insert the appropriate routing entries for IPsec operation. The...
ipsec_verify
ipsec verify examines the local system for a number of common system faults and configuration mistakes.