Netgate Discussion Forum

Disable/Enable IPSEC VPN via CLI?

  • T
    thund3rsh0ck
    last edited by Apr 12, 2019, 3:20 PM

    Hi, quick question in case this is possible.. is there a way to enable or disable IPSEC VPN tunnels via CLI? Thanks!

    • K
      Konstanti @thund3rsh0ck
      last edited by Apr 12, 2019, 4:03 PM

      @thund3rsh0ck
      https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand

      ipsec up <name>

      tells the IKE daemon to start up connection <name>. Implemented by calling the ipsec stroke up <name> command.

      ipsec down <name>

      tells the IKE daemon to terminate connection <name>. Implemented by calling the ipsec stroke down <name> command.

      • D
        Derelict LAYER 8 Netgate
        last edited by Apr 13, 2019, 8:03 PM

        Look at swanctl instead. It is the path forward.

        strongSwan 5.7.1 swanctl
        loaded plugins: unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac curl
        usage:
          swanctl --reload-settings  (-r)  reload daemon strongswan.conf
          swanctl --stats            (-S)  show daemon stats information
          swanctl --version          (-v)  show version information
          swanctl --log              (-T)  trace logging output
          swanctl --load-pools       (-a)  (re-)load pool configuration
          swanctl --load-creds       (-s)  (re-)load credentials
          swanctl --load-conns       (-c)  (re-)load connection configuration
          swanctl --load-authorities (-b)  (re-)load authority configuration
          swanctl --load-all         (-q)  load credentials, authorities, pools and connections
          swanctl --flush-certs      (-f)  flush cached certificates
          swanctl --list-algs        (-g)  show loaded algorithms
          swanctl --list-pools       (-A)  list loaded pool configurations
          swanctl --list-certs       (-x)  list stored certificates
          swanctl --list-conns       (-L)  list loaded configurations
          swanctl --list-authorities (-B)  list loaded authority configurations
          swanctl --list-pols        (-P)  list currently installed policies
          swanctl --monitor-sa       (-m)  monitor for IKE_SA and CHILD_SA changes
          swanctl --list-sas         (-l)  list currently active IKE_SAs
          swanctl --install          (-p)  install a trap or shunt policy
          swanctl --uninstall        (-u)  uninstall a trap or shunt policy
          swanctl --redirect         (-d)  redirect an IKE_SA
          swanctl --rekey            (-R)  rekey an SA
          swanctl --terminate        (-t)  terminate a connection
          swanctl --initiate         (-i)  initiate a connection
          swanctl --counters         (-C)  list or reset IKE event counters
          swanctl --help             (-h)  show usage information
        

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

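Added example, not part of the posts above and not Netgate or strongSwan code: a small wrapper around the swanctl --terminate and --initiate commands from the usage listing, for toggling one tunnel from a script while refusing names that are malformed or not loaded. The function names and the assumed "<name>: ..." layout of --list-conns output are assumptions; --ike and --child are swanctl's selectors for those two commands.

```shell
#!/bin/sh
# Added example: enable/disable one IPsec connection through swanctl.
# SWANCTL may be overridden (e.g. for testing); default is the real binary.
SWANCTL="${SWANCTL:-swanctl}"

# Accept only letters, digits, '_', '.', '-' and never a leading '-', so a
# name supplied by cron, a monitoring hook or a form cannot add options.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True if the name is printed by --list-conns as a connection or a child.
# Assumption: entries look like "<name>: ..." with children indented.
conn_loaded() {
    "$SWANCTL" --list-conns 2>/dev/null |
        awk -v n="$1" '{ sub(/^[ \t]+/, ""); if (index($0, n ":") == 1) found = 1 }
                       END { exit !found }'
}

# tunnel_ctl up|down <name>
#   down: terminate the IKE_SA with that connection name (children go with it)
#   up:   initiate the CHILD_SA with that name (IKE_SA is negotiated as needed)
# Return codes: 64 bad action, 2 rejected name, 3 name not loaded.
tunnel_ctl() {
    action="$1"; name="$2"
    case "$action" in
        up|down) ;;
        *) echo "usage: tunnel_ctl up|down <name>" >&2; return 64 ;;
    esac
    valid_name "$name"  || { echo "rejected name: $name" >&2; return 2; }
    conn_loaded "$name" || { echo "not loaded: $name" >&2; return 3; }
    if [ "$action" = down ]; then
        "$SWANCTL" --terminate --ike "$name"
    else
        "$SWANCTL" --initiate --child "$name"
    fi
}

# Run directly as: ./tunnel_ctl.sh down <name>   (script name is hypothetical)
if [ "$#" -ge 2 ]; then tunnel_ctl "$1" "$2"; fi
```

Take the names to pass from the output of swanctl --list-conns on the firewall itself.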
        • T
          thund3rsh0ck @Derelict
          last edited by Apr 15, 2019, 1:15 PM

          Thanks for the help @Derelict and @Konstanti
          What ended up working for me is

          pfSsh.php playback svc start ipsec
          

          along with some of the ipsec down and up commands. Hadn't tried swanctl but definitely appreciate all of the suggestions!
