Disable/Enable IPSEC VPN via CLI?
-
Hi, quick question in case this is possible... Is there a way to enable or disable IPSEC VPN tunnels via CLI? Thanks!
-
@thund3rsh0ck
https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand

ipsec up <name>
    tells the IKE daemon to start up connection <name>. Implemented by calling the ipsec stroke up <name> command.
ipsec down <name>
    tells the IKE daemon to terminate connection <name>. Implemented by calling the ipsec stroke down <name> command.
-
Look at swanctl instead. It is the path forward.

strongSwan 5.7.1 swanctl
loaded plugins: unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac curl
usage:
  swanctl --reload-settings  (-r)  reload daemon strongswan.conf
  swanctl --stats            (-S)  show daemon stats information
  swanctl --version          (-v)  show version information
  swanctl --log              (-T)  trace logging output
  swanctl --load-pools       (-a)  (re-)load pool configuration
  swanctl --load-creds       (-s)  (re-)load credentials
  swanctl --load-conns       (-c)  (re-)load connection configuration
  swanctl --load-authorities (-b)  (re-)load authority configuration
  swanctl --load-all         (-q)  load credentials, authorities, pools and connections
  swanctl --flush-certs      (-f)  flush cached certificates
  swanctl --list-algs        (-g)  show loaded algorithms
  swanctl --list-pools       (-A)  list loaded pool configurations
  swanctl --list-certs       (-x)  list stored certificates
  swanctl --list-conns       (-L)  list loaded configurations
  swanctl --list-authorities (-B)  list loaded authority configurations
  swanctl --list-pols        (-P)  list currently installed policies
  swanctl --monitor-sa       (-m)  monitor for IKE_SA and CHILD_SA changes
  swanctl --list-sas         (-l)  list currently active IKE_SAs
  swanctl --install          (-p)  install a trap or shunt policy
  swanctl --uninstall        (-u)  uninstall a trap or shunt policy
  swanctl --redirect         (-d)  redirect an IKE_SA
  swanctl --rekey            (-R)  rekey an SA
  swanctl --terminate        (-t)  terminate a connection
  swanctl --initiate         (-i)  initiate a connection
  swanctl --counters         (-C)  list or reset IKE event counters
  swanctl --help             (-h)  show usage information
-
Thanks for the help @Derelict and @Konstanti
What ended up working for me is
pfSsh.php playback svc start ipsec
along with some of the ipsec down and up commands. Hadn't tried swanctl but definitely appreciate all of the suggestions!
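
A small wrapper around the `ipsec up/down` and `swanctl --initiate/--terminate` commands from the answers above, added here as an example and not taken from any poster, pfSense or strongSwan. It validates the connection name before building the command line, so it can be called from cron or a monitoring hook without passing stray options or shell metacharacters to the daemon tools, and it only prints the command unless `DRY_RUN=0` is set. The names `build_cmd`, `tunnel`, `DRY_RUN` and the connection name `con1` are made up for the example; with swanctl, `up` expects a CHILD_SA config name and `down` a connection (IKE) name.

```shell
#!/usr/bin/env bash
# Added example: bring one strongSwan connection up or down by name.
# Assumes swanctl or the legacy ipsec script is on PATH when DRY_RUN=0.

# Accept only plain names: no empty string, no leading '-', no characters
# outside [A-Za-z0-9_.-]. This blocks option and command injection.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_cmd <swanctl|ipsec> <up|down|status> <name>
# Prints the command line for the requested action, or fails with status 2.
build_cmd() {
    valid_name "$3" || { echo "invalid connection name" >&2; return 2; }
    case "$1:$2" in
        swanctl:up)     echo "swanctl --initiate --child $3" ;;
        swanctl:down)   echo "swanctl --terminate --ike $3" ;;
        swanctl:status) echo "swanctl --list-sas --ike $3" ;;
        ipsec:up)       echo "ipsec up $3" ;;
        ipsec:down)     echo "ipsec down $3" ;;
        ipsec:status)   echo "ipsec status $3" ;;
        *) echo "usage: <swanctl|ipsec> <up|down|status> <name>" >&2
           return 2 ;;
    esac
}

# tunnel <backend> <action> <name>
# Dry run by default: prints the command. Set DRY_RUN=0 to execute it.
tunnel() {
    cmd=$(build_cmd "$@") || return $?
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$cmd"
    else
        # Unquoted on purpose: the name is validated, so word splitting
        # yields exactly the intended argument list.
        $cmd
    fi
}

# Run directly, e.g.:  DRY_RUN=0 ./tunnel.sh swanctl down con1
[ "$#" -eq 0 ] || tunnel "$@"
```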
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.