IPSEC_EROUTE(5)                                                IPSEC_EROUTE(5)



NAME
       ipsec_eroute - list of existing eroutes

SYNOPSIS
       ipsec eroute
       cat /proc/net/ipsec_eroute


OBSOLETE
       Note that eroute is only supported on the classic KLIPS stack. It is not
       supported on any other stack and will be completely removed  in  future
       versions. A replacement command still needs to be designed.


DESCRIPTION
       /proc/net/ipsec_eroute  lists  the IPSEC extended routing tables, which
       control what (if any) processing is applied  to  non-encrypted  packets
       arriving  for  IPSEC  processing  and forwarding. At this point it is a
       read-only file.


       A table entry consists of:

       +      packet count,

       +      source address with mask and source port (0 if all ports or  not
              applicable)

       +      a  '->'  separator  for visual and automated parsing between src
              and dst

       +      destination address with mask and destination  port  (0  if  all
              ports or not applicable)

       +      a '=>' separator for visual and automated parsing between selec-
              tion criteria and SAID to use

       +      SAID (Security Association IDentifier), comprised of:

              +      protocol (proto),

              +      address family (af), where '.' stands for IPv4 and ':' for
                     IPv6

              +      Security Parameters Index (SPI),

              +      effective destination (edst), where the packet  should  be
                     forwarded  after  processing  (normally the other security
                     gateway)

              which together indicate which Security Association should be used
              to process the packet,

       +      a  ':' separating the SAID from the transport protocol (0 if all
              protocols)

       +      source identity text string with no whitespace, in parens,

       +      destination identity text string with no whitespace, in parens

       Addresses are written as IPv4 dotted quads or IPv6 coloned hex,  proto-
       col  is one of "ah", "esp", "comp" or "tun", and SPIs are prefixed hex-
       adecimal numbers where the prefix '.' is for IPv4 and the  prefix  ':'
       is for IPv6.


       SAIDs  are written as "protoafSPI@edst". There are also 5 "magic" SAIDs
       which have special meaning:

       +      %drop means that matches are to be dropped

       +      %reject means that matches are to be dropped  and  an  ICMP  re-
              turned, if possible, to inform the sender

       +      %trap  means  that  matches are to trigger an ACQUIRE message to
              the Key Management daemon(s) and a hold eroute will  be  put  in
              place to prevent subsequent packets also triggering ACQUIRE mes-
              sages.

       +      %hold means that matches are to be stored until  the  eroute  is
              replaced or until that eroute gets reaped

       +      %pass  means that matches are to be allowed to pass without IPSEC
              processing


EXAMPLES
       1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 () ()

       means  that 1,867 packets have been sent to an eroute that has been set
       up to protect traffic between the subnet  172.31.252.0  with  a  subnet
       mask  of 24 bits and the default address/mask represented by an address
       of 0.0.0.0 with a subnet mask of 0 bits using the local  machine  as  a
       security gateway on this end of the tunnel and the machine 192.168.43.1
       on the other end of the tunnel with a Security  Association  IDentifier
       of  tun0x130@192.168.43.1  which means that it is a tunnel mode connec-
       tion (4, IPPROTO_IPIP) with a Security Parameters Index of 130 in hexa-
       decimal with no identities defined for either end.


       746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 () ()

       means that 746 packets have been sent to an eroute that has been set up
       to  protect traffic sent from any port on the host 192.168.2.110 to the
       SMTP (TCP, port 25) port on the host 192.168.2.120 with a Security  As-
       sociation IDentifier of esp0x130@192.168.2.120 which means that it is a
       transport mode connection with a Security Parameters Index  of  130  in
       hexadecimal with no identities defined for either end.


       125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()

       means that 125 packets have been sent to an eroute that has been set up
       to protect traffic between the subnet 3049:1:: with a subnet mask of 64
       bits and the default address/mask represented by an address of 0:0 with
       a subnet mask of 0 bits using the local machine as a  security  gateway
       on this end of the tunnel and the machine 3058:4::5 on the other end of
       the tunnel with a Security Association IDentifier of  tun:130@3058:4::5
       which means that it is a tunnel mode connection with a Security Parame-
       ters Index of 130 in hexadecimal with no identities defined for  either
       end.


       42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough

       means  that 42 packets have been sent to an eroute that has been set up
       to pass the traffic from the subnet 192.168.6.0 with a subnet  mask  of
       24 bits to the subnet 192.168.7.0 with a subnet mask of 24 bits without
       any IPSEC processing, with no identities defined for either end.


       2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()

       means that 2112 packets have been sent to an eroute that has  been  set
       up  to  hold  the  traffic  from  the  host  192.168.8.55  to the  host
       192.168.9.47 until a key exchange from a Key Management daemon succeeds
       and  puts in an SA, or fails and puts in a pass or drop eroute depending
       on the default configuration, with the local client defined  as  "east"
       and no identity defined for the remote end.


       2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => esp0xe6de@192.168.2.120:0 () ()

       means that 2001 packets have been sent to an eroute that has  been  set
       up  to  protect  traffic  between  the  host 192.168.2.110 and the host
       192.168.2.120 using 192.168.2.110 as a security gateway on this end  of
       the  connection  and  the machine 192.168.2.120 on the other end of the
       connection with a Security Association IDentifier of esp0xe6de@192.168.2.120
       which means that it is a transport mode connection with a Security Pa-
       rameters Index of e6de in hexadecimal using the Encapsulating Security
       Payload protocol (50, IPPROTO_ESP) with no identities defined for either
       end.


       1984 3049:1::110/128 -> 3049:1::120/128 => ah:f5ed@3049:1::120 () ()

       means  that  1984 packets have been sent to an eroute that has been set
       up to authenticate traffic between the host 3049:1::110  and  the  host
       3049:1::120  using 3049:1::110 as a security gateway on this end of the
       connection and the machine 3049:1::120 on the other end of the  connec-
       tion  with  a  Security  Association  IDentifier of ah:f5ed@3049:1::120
       which means that it is a transport mode connection with a Security  Pa-
       rameters  Index of f5ed in hexadecimal using Authentication Header pro-
       tocol (51, IPPROTO_AH) with no identities defined for either end.
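       The field layout described above is regular enough to parse mechanically,
       which is useful when auditing a KLIPS gateway for selectors that leave
       without protection. The following is an added example written for this
       page, not code from FreeS/WAN or the ipsec(8) utilities. It assumes three
       spellings of the address-family marker in a SAID ('.' and ':' from the
       prose, 0x as used by the IPv4 examples), assumes that IPv6 selectors and
       effective destinations carry no trailing ":port" or ":protocol" field
       (none of the IPv6 entries on this page has one), and reads a sample table
       constructed from the seven example entries rather than a live
       /proc/net/ipsec_eroute.

```python
"""Parser for the /proc/net/ipsec_eroute table format described in ipsec_eroute(5)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# SAID followed by the optional "(src-identity) (dst-identity)" pair; identities have no whitespace.
_TAIL_RE = re.compile(r'^(?P<said>\S+)(?:\s+\((?P<srcid>[^\s()]*)\)\s+\((?P<dstid>[^\s()]*)\))?\s*$')
# "protoafSPI@edst": the man page's prose gives '.' (IPv4) and ':' (IPv6) as af markers, while its
# IPv4 examples write the SPI as 0x...; accepting all three spellings is an assumption made here.
_SAID_RE = re.compile(r'^(?P<proto>ah|esp|comp|tun)(?P<af>\.|0x|:)(?P<spi>[0-9a-fA-F]+)@(?P<edst>\S+)$')


@dataclass
class Selector:
    address: str
    prefixlen: int
    port: int              # 0 means all ports / not applicable


@dataclass
class Said:
    magic: Optional[str]   # "%drop", "%hold", ... ; None for a real SA
    proto: Optional[str]   # ah, esp, comp, tun
    family: Optional[str]  # "ipv4" or "ipv6"
    spi: Optional[int]
    edst: Optional[str]
    transport_proto: int   # 0 means all protocols


@dataclass
class Eroute:
    packets: int
    src: Selector
    dst: Selector
    said: Said
    src_identity: str
    dst_identity: str


def _split_trailing_field(text: str):
    """Split a trailing ':N' (port or transport protocol) off an address string.
    IPv4 text contains dots, so its last ':' introduces the field. The IPv6 entries on
    the page carry no such suffix, so for dotless text none is assumed (value 0)."""
    if '.' in text and ':' in text:
        addr, _, field = text.rpartition(':')
        return addr, int(field)
    return text, 0


def parse_selector(text: str) -> Selector:
    addr_mask, port = _split_trailing_field(text)
    addr, _, prefix = addr_mask.partition('/')
    return Selector(addr, int(prefix), port)


def parse_said(text: str) -> Said:
    if text.startswith('%'):
        return Said(text, None, None, None, None, 0)
    m = _SAID_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised SAID {text!r}")
    family = 'ipv6' if m.group('af') == ':' else 'ipv4'
    edst, tproto = _split_trailing_field(m.group('edst'))
    return Said(None, m.group('proto'), family, int(m.group('spi'), 16), edst, tproto)


def parse_eroute_line(line: str) -> Eroute:
    # count src -> dst => SAID [(srcid) (dstid)]
    fields = line.split(None, 5)
    if len(fields) != 6 or fields[2] != '->' or fields[4] != '=>':
        raise ValueError(f"malformed eroute entry {line!r}")
    count, src, _, dst, _, tail = fields
    m = _TAIL_RE.match(tail)
    if m is None:
        raise ValueError(f"malformed SAID/identity tail {tail!r}")
    return Eroute(int(count), parse_selector(src), parse_selector(dst), parse_said(m.group('said')),
                  m.group('srcid') or '', m.group('dstid') or '')


def parse_table(text: str) -> List[Eroute]:
    return [parse_eroute_line(line) for line in text.splitlines() if line.strip()]


def mode(e: Eroute) -> str:
    """Mode as the page's examples describe it: tun is tunnel mode, ah/esp are transport mode."""
    if e.said.magic:
        return e.said.magic
    return 'tunnel' if e.said.proto == 'tun' else 'transport'


def cleartext_eroutes(table: List[Eroute]) -> List[Eroute]:
    """Entries whose matches leave without IPSEC processing: the first thing to review in an audit."""
    return [e for e in table if e.said.magic in ('%pass', '%passthrough')]


# Constructed sample table, assembled from the entries shown in the EXAMPLES section.
SAMPLE_TABLE = """
1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 () ()
746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 () ()
125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()
42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough
2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()
2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => esp0xe6de@192.168.2.120:0 () ()
1984 3049:1::110/128 -> 3049:1::120/128 => ah:f5ed@3049:1::120 () ()
"""

if __name__ == '__main__':
    table = parse_table(SAMPLE_TABLE)
    for e in table:
        said = e.said.magic or f"{e.said.proto} spi=0x{e.said.spi:x} -> {e.said.edst}"
        print(f"{e.packets:>5} {e.src.address}/{e.src.prefixlen}:{e.src.port} -> "
              f"{e.dst.address}/{e.dst.prefixlen}:{e.dst.port}  {mode(e):<12} {said}")
    for e in cleartext_eroutes(table):
        print(f"WARNING: {e.packets} packets matched a cleartext eroute "
              f"{e.src.address}/{e.src.prefixlen} -> {e.dst.address}/{e.dst.prefixlen}")
```

       On a live gateway the same functions would be fed the contents of
       /proc/net/ipsec_eroute; the cleartext check is the part worth wiring into
       monitoring, since a %pass-style entry with a rising packet count is
       traffic the policy has decided not to protect.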


FILES
       /proc/net/ipsec_eroute, /usr/bin/ipsec


SEE ALSO
       ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5), ipsec_spigrp(5),
       ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5), ipsec_pf_key(5)


HISTORY
       Written for the Linux FreeS/WAN project <http://www.freeswan.org/>  by
       Richard Guy Briggs.
