ipsec manual [ options ] --union operation part ...
The --up operation brings the specified connection up, including establishing a suitable route for it if necessary.
The --route operation just establishes the route for a connection. Unless and until an --up operation is done, packets routed by that route will simply be discarded.
The --down operation tears the specified connection down, except that it leaves the route in place. Unless and until an --unroute operation is done, packets routed by that route will simply be discarded. This permits establishing another connection to the same destination without any ``window'' in which packets can pass without encryption.
The --unroute operation (and only the --unroute operation) deletes any route established for a connection.
In the --union usage, each part is the name of a partial connection specification in the configuration file, and the union of all the partial specifications is the connection specification used. The effect is as if the contents of the partial specifications were concatenated together; restrictions on duplicate parameters, etc., do apply to the result. (The same effect can now be had, more gracefully, using the also parameter in connection descriptions; see ipsec.conf(5) for details.)
The --show option turns on the -x option of the shell used to execute the commands, so each command is shown as it is executed.
The --showonly option causes manual to show the commands it would run, on standard output, and not run them.
The --other option causes manual to pretend it is the other end of the connection. This is probably not useful except in combination with --showonly.
The --iam option causes manual to believe it is running on the host with the specified IP address, and that it should use the specified interface (normally it determines all this automatically, based on what IPsec interfaces are up and how they are configured).
The --config option specifies a non-standard location for the FreeS/WAN IPsec configuration file (default /etc/ipsec.conf).
See ipsec.conf(5) for details of the configuration file. Apart from the basic parameters which specify the endpoints and routing of a connection (left and right, plus possibly leftsubnet, leftnexthop, leftfirewall, their right equivalents, and perhaps type), a non-passthrough manual connection needs an spi or spibase parameter and some parameters specifying encryption, authentication, or both, most simply esp, espenckey, and espauthkey. Moderately-secure keys can be obtained from ipsec_ranbits(8). For production use of manually-keyed connections, it is strongly recommended that the keys be kept in a separate file (with permissions rw-------) using the include and also facilities of the configuration file (see ipsec.conf(5)).
If an spi parameter is given, manual uses that value as the SPI number for all the SAs (which are in separate number spaces anyway). If an spibase parameter is given instead, manual assigns SPI values by altering the bottom digit of that value; SAs going from left to right get even digits starting at 0, SAs going from right to left get odd digits starting at 1. Either way, it is suggested that manually-keyed connections use three-digit SPIs with the first digit non-zero, i.e. in the range 0x100 through 0xfff; FreeS/WAN reserves those for manual keying and will not attempt to use them for automatic keying (unless requested to, presumably by a non-FreeS/WAN other end).
If the connection specification for a connection is changed between an --up and the ensuing --down, chaos may ensue.
The --up operation is not smart enough to notice whether the connection is already up.
Manual is not smart enough to reject insecure combinations of algorithms, e.g. encryption with no authentication at all.
Any non-IPsec route to the other end which is replaced by the --up or --route operation will not be re-established by --unroute. Whether this is a feature or a bug depends on your viewpoint.
The optional parameters which override the automatic spibase-based SPI assignment are a messy area of the code and bugs are likely.
``Road warrior'' handling, and other special forms of setup which require negotiation between the two security gateways, inherently cannot be done with manual.
Manual generally lags behind auto in support of various features, even when implementation would be possible. For example, currently it does not do IPComp content compression.