The --initiate command tells the strongSwan IKE daemon (charon) to establish a new Security Association. You can target a specific CHILD_SA configuration by name, optionally scoped to a parent IKE_SA.

Synopsis

swanctl --initiate [--child <name>] [--ike <name>] [--timeout <s>]
                   [--loglevel <level>] [--raw|--pretty]
Either --child or --ike must be specified. If only --ike is given, the daemon initiates the IKE_SA itself without bringing up a CHILD_SA.

Options

--child (string)
Name of the CHILD_SA configuration to initiate. The CHILD_SA is defined inside a connections.<name>.children block in swanctl.conf. Required unless --ike is given without a CHILD_SA target.

--ike (string)
Name of the IKE_SA configuration. When used together with --child, this scopes the CHILD_SA lookup to a specific IKE connection. When used alone, initiates only the IKE_SA.

--timeout (integer, default: 0)
Time in seconds to wait for the operation to complete before detaching. 0 (default) waits indefinitely. Use a positive value to detach after the given number of seconds and let the daemon continue in the background.

--loglevel (integer, default: 1)
Verbosity of log messages streamed back over the control-log VICI event during the operation. Range: 0 (errors only) to 4 (full debug output).

--raw (boolean)
Print the raw VICI response message instead of the formatted summary.

--pretty (boolean)
Print the raw VICI response with pretty-print indentation. Implies --raw.

--uri (string)
VICI socket URI to connect to. Overrides the default socket path (unix:///var/run/charon.vici). Useful when running multiple daemon instances or connecting over TCP.

Examples

Initiate a site-to-site CHILD_SA

swanctl --initiate --child net-net
Typical output while the negotiation is in progress:
[IKE] initiating IKE_SA net-net[1] to 192.168.0.2
[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
[IKE] authentication of 'C=CH, O=strongSwan, CN=moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] IKE_SA net-net[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
[CHD] CHILD_SA net-net{1} established with SPIs c1234567_i c89abcdef_o and TS 10.1.0.0/16 === 10.2.0.0/16
initiate completed successfully

Initiate a CHILD_SA under a named IKE_SA

When two connections define a CHILD_SA with the same name, use --ike to select the connection whose CHILD_SA should be initiated:
swanctl --initiate --child home --ike roadwarrior

Initiate with verbose logging

swanctl --initiate --child net-net --loglevel 3

Non-blocking initiation

Pass a short timeout so that swanctl detaches after that many seconds and the daemon continues establishing the tunnel in the background:
swanctl --initiate --child net-net --timeout 1

Exit codes

| Code | Meaning |
|------|---------|
| 0 | SA established successfully |
| 1 | Initiation failed (error message printed to stderr) |
| other | Connection to VICI socket failed or unexpected error |
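
An added example (not from the strongSwan documentation or code base): a POSIX shell wrapper for automation that runs the initiation with a bounded timeout, maps the exit codes listed above, and compares the traffic selectors on the "[CHD] CHILD_SA ... established" line with the ones you expect, since an IKEv2 responder may narrow them during negotiation. The function name, the status words, return codes 2 to 4, the SWANCTL override variable and the 30-second default timeout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not strongSwan project code.
# SWANCTL may be overridden (another path, or a stub for testing).
SWANCTL="${SWANCTL:-swanctl}"

# initiate_checked CHILD EXPECTED_TS [IKE] [TIMEOUT]
# Prints one status word (names are this example's own) and returns:
#   0 ok              SA established, traffic selectors match EXPECTED_TS
#   1 initiate-failed swanctl exit code 1
#   2 vici-error      any other non-zero swanctl exit code
#   3 ts-mismatch     established, but with different traffic selectors
#   4 unverified      exit code 0, but no matching CHILD_SA line in the output
initiate_checked() {
    child=$1 expected_ts=$2 ike=${3:-} timeout=${4:-30}

    set -- --initiate --child "$child" --timeout "$timeout"
    if [ -n "$ike" ]; then set -- "$@" --ike "$ike"; fi

    status=0
    out=$("$SWANCTL" "$@" 2>&1) || status=$?
    case $status in
        0) ;;
        1) echo "initiate-failed"; return 1 ;;
        *) echo "vici-error"; return 2 ;;
    esac

    # Pull "<local TS> === <remote TS>" from the line
    # "[CHD] CHILD_SA <child>{N} established with SPIs ... and TS ...".
    # CHILD is used inside a regex, so keep names to [A-Za-z0-9_-].
    ts=$(printf '%s\n' "$out" | sed -n \
        "s/^\[CHD\] CHILD_SA $child{[0-9]*} established .* TS \(.*\)\$/\1/p")

    if [ -z "$ts" ]; then echo "unverified"; return 4; fi
    if [ "$ts" = "$expected_ts" ]; then echo "ok"; return 0; fi
    echo "ts-mismatch"; return 3
}

# Usage: initiate_checked net-net "10.1.0.0/16 === 10.2.0.0/16"
```

A caller can alert on ts-mismatch separately from initiate-failed: the first means the tunnel is up but covers different subnets than the local policy expects.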

See also