CLI Usage

MyIKEv2 CLI Usage

MyIKEv2 is a command-line IKEv2/IPsec testing tool; it has the following CLI commands:

MyIKEv2, an IKEv2/IPsec testing tool; Ver 4.7
https://www.myikev2.net
=======================
  = exec: execute a myikev2 test setup file
    - crlf: crash log file path
    - f: test setup file name
    - flush: flush interface and xfrm states at the begining
        default:true
    - i: enable interactive CLI
        default:false
    - j: result formated as json
        default:false
    - l: license file path
        default:/etc/myikev2.lic
    - lf: log file path
        default:myikev2.log
    - p: enable profiling, dev use only
        default:false
  = createpki: creates x.509v3 CA/EE certficates/keys
    - c: number of EE cert/key pairs
        default:1
    - cadir: CA certs folder
    - cakeytype: the CA key type/curve and key length, like rsa:2048, ecdsa:p-384 or ed25519
        default:rsa:4096
    - caprefix: prefix to CA cert's subject's CN
    - eedir: EE certs folder
    - eekeytype: the EE key type/curve and key length, like rsa:2048, ecdsa:p-384 or ed25519
        default:rsa:2048
    - eeprefix: prefix to EE cert's subject's CN
    - l: length of CA chain
        default:1
  = default: export default setup or freeradius user file
    = setup:
      - f: export file name
        default:default_myikev2.setup
    = freeradius:
      - c: the number of credentials
        default:10
      - f: export file name
        default:users
      - temp: freeradius user config template
        default:bob&d    Cleartext-Password := "bob"
  = cli: connect to a myikev2 instance's interactive CLI
    - svr:
        default:127.0.0.1:12330
  = daemon: start myikev2 test daemon
    - lf: log file path
        default:myikev2_daemon.log
    - loglvl: logging level
        default:2
    - p: enable profiling
        default:false
    - listen: listening address:port
        default:0.0.0.0:12240
  = control:
    = cli: enter myikev2 controller interactive CLI
      - c: config file for the controller
        default:/etc/myikev2_controller.conf
      - lf: log file path
        default:myikev2_controller.log
      - o: override existing test instance
        default:true
    = example: create an example recipe file
  = echosvr: start UDP echo server
    - count: number of listening address
        default:1
    - port: listening port
        default:9922
    - startip: starting listening addr
    - step: step
        default:1

myikev2 exec

myikev2 exec executes the test setup file specified by -f <setup_file_path>. A test setup file is a single YAML file that defines the test; see setup file for details.

-l <license_file_path> specifies a license file location other than the default (/etc/myikev2.lic); without a valid license file, MyIKEv2 runs in trial mode.

-lf <log_file_path> specifies the log file path; the default is myikev2.log in the current directory.

With -i, an interactive shell is opened after the setup file is loaded, which allows the user to monitor the running test.

With -j, the tunnel creation result is printed in JSON format.

With -flush false, MyIKEv2 does not flush the binding interface and XFRM states/policy at startup (by default it does).

-p collects MyIKEv2's runtime information and is used for troubleshooting MyIKEv2 itself.

-crlf specifies the crash log file path.

Example

  • myikev2 exec -f testcase1.setup : run test as defined in file testcase1.setup
  • myikev2 exec -f testcase1.setup -i -lf /var/log/testcase1.log : run test as defined in file testcase1.setup, open the interactive shell, and log to /var/log/testcase1.log

myikev2 createpki

myikev2 createpki creates PKI keys/certificates in batch, which can be used for IKEv2 authentication testing.

Basic usage is myikev2 createpki -c <number_of key/cert> -cadir <CA_certs_dirname> -eedir <EE_certs_dirname>, which creates the following files:

  • under cadir:

    • rootca.cert: Root CA certificate
    • rootca.key: Root CA’s key
    • sub-lv-1_myikev2.cert: a sub-CA’s certificate, signed by Root CA
    • sub-lv-1_myikev2.key: sub-CA’s key
  • under eedir:

    • ee-<x>_myikev2.cert: an End Entity certificate, signed by sub-lv-1_myikev2; x is from 0 to the number specified by -c
    • ee-<x>_myikev2.key: the key of the corresponding certificate
  • note: the certificates/keys above are RSA by default

-keytype {rsa:<keylen>|ecdsa:<curve>|ed25519} is used to specify the type of key

-l <number> specifies the number of sub-CAs in the CA chain; the default is 1, and 0 is allowed.
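
A sanity check for the generated tree before a test setup points at it, as an added example that is not part of the MyIKEv2 documentation or tool. It assumes unencrypted PEM files, the default -l 1 layout listed above and an openssl binary on the PATH; check_pki is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not MyIKEv2 code). check_pki is a hypothetical helper name.
# Assumptions: unencrypted PEM files, default "-l 1" layout, openssl on PATH.

# check_pki CADIR EEDIR
# Prints one status line per EE certificate and returns the number of
# failures (255 if the CA files or all EE certificates are missing).
check_pki() {
    cadir=$1; eedir=$2; fails=0; seen=0
    root="$cadir/rootca.cert"
    sub="$cadir/sub-lv-1_myikev2.cert"
    if [ ! -f "$root" ] || [ ! -f "$sub" ]; then
        echo "missing CA certificate under $cadir" >&2
        return 255
    fi
    for cert in "$eedir"/ee-*_myikev2.cert; do
        [ -f "$cert" ] || continue          # glob matched nothing
        seen=$((seen + 1))
        key="${cert%.cert}.key"
        # 1. Path validation: EE -> sub-CA (untrusted intermediate) -> root.
        if ! openssl verify -CAfile "$root" -untrusted "$sub" "$cert" \
                >/dev/null 2>&1; then
            echo "FAIL chain   $cert"; fails=$((fails + 1)); continue
        fi
        # 2. The .key file must hold the private key for this certificate:
        #    compare the cert's public key with the one derived from the key.
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL keypair $cert"; fails=$((fails + 1)); continue
        fi
        echo "OK           $cert"
    done
    if [ "$seen" -eq 0 ]; then
        echo "no EE certificates under $eedir" >&2
        return 255
    fi
    [ "$fails" -gt 254 ] && fails=254       # keep the exit status in range
    return "$fails"
}

# Usage: check_pki <CA_certs_dirname> <EE_certs_dirname>
```
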

myikev2 default

myikev2 default setup -f <filename> exports a default setup file to <filename>, which can serve as the starting point for a new setup file.

myikev2 default freeradius -f <filename> -c <count> -temp <template_string> exports a freeradius user config file with <count> entries, generated from a template string; the &d in the template string is replaced by an increasing number starting from zero. For example, myikev2 default freeradius -f users -c 3 -temp "bob&d Cleartext-Password := \"bob\"" exports a users file with the following content:

bob0    Cleartext-Password := "bob"
bob1    Cleartext-Password := "bob"
bob2    Cleartext-Password := "bob"

myikev2 daemon

Runs MyIKEv2 as a daemon, which can be controlled by a controller; see controller doc for details.

myikev2 control cli

Enters the MyIKEv2 controller interactive CLI; see controller doc for details.

myikev2 control example

Creates example controller configuration and recipe files; see controller doc for details.

myikev2 echosvr

Runs the MyIKEv2 echo server; see ping doc for details.