Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (Debian-5.0)
Apropos / Subsearch:
optional field

IPSEC_SPI(5)                                                      IPSEC_SPI(5)

       ipsec_spi - list IPSEC Security Associations

       ipsec spi

       Note  that  eroute  is only supported on the classic KLIPS stack. It is
       not supported on any other stack and will be completely removed in  fu-
       ture versions. A replacement command still needs to be designed

       /proc/net/ipsec_spi  is  a  read-only file that lists the current IPSEC
       Security Associations. A  Security  Association  (SA)  is  a  transform
       through which packet contents are to be processed before being forward-
       ed. A transform can be an IPv4-in-IPv4 or  IPv6-in-IPv6  encapsulation,
       an  IPSEC Authentication Header (authentication with no encryption), or
       an IPSEC Encapsulation Security Payload (encryption, possibly including

       When a packet is passed from a higher networking layer through an IPSEC
       virtual  interface,  a  search  in  the  extended  routing  table  (see
       ipsec_eroute(5))  yields  a  IP protocol number , a Security Parameters
       Index (SPI) and an effective destination address When an  IPSEC  packet
       arrives  from the network, its ostensible destination, an SPI and an IP
       protocol specified by its outermost IPSEC header are used. The destina-
       tion/SPI/protocol  combination  is  used  to select a relevant SA. (See
       ipsec_spigrp(5) for discussion of  how  multiple  transforms  are  com-

       An  spi  ,  proto,  daddr and address_family arguments specify an SAID.
       Proto is an ASCII string, "ah", "esp", "comp" or "tun", specifying  the
       IP  protocol.  Spi  is a number, preceded by '.' indicating hexadecimal
       and IPv4 or by ':' indicating hexadecimal and IPv6, where each hexadec-
       imal digit represents 4 bits, between 0x100 and 0xffffffff; values from
       0x0 to 0xff are reserved. Daddr is a  dotted-decimal  IPv4  destination
       address or a coloned hex IPv6 destination address.

       An SAID combines the three parameters above, such as: "tun.101AT1.4"
       for IPv4 or "tun:101@3049:1::1" for IPv6

       A table entry consists of:

       +      SAID

       +      <transform name (proto,encalg,authalg)>:

       +      direction (dir=)

       +      source address (src=)

       +      source and destination addresses and masks for inner header pol-
              icy  check  addresses (policy=), as dotted-quads or coloned hex,
              separated by '->', for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only

       +      initialisation  vector  length  and  value  (iv_bits=,  iv=)  if

       +      out-of-order  window  size,  number  of out-of-order errors, se-
              quence number, recently received packet bitmask, maximum differ-
              ence  between  sequence numbers (ooowin=, ooo_errs=, seq=, bit=,
              max_seq_diff=) if SA is AH or ESP and if  individual  items  are

       +      extra flags (flags=) if any are set

       +      authenticator length in bits (alen=) if non-zero

       +      authentication key length in bits (aklen=) if non-zero

       +      authentication errors (auth_errs=) if non-zero

       +      encryption key length in bits (eklen=) if non-zero

       +      encryption size errors (encr_size_errs=) if non-zero

       +      encryption padding error warnings (encr_pad_errs=) if non-zero

       +      lifetimes  legend,  c=Current status, s=Soft limit when exceeded
              will initiate rekeying, h=Hard limit will cause  termination  of
              SA (life(c,s,h)=)

       +      number  of  connections  to  which the SA is allocated (c), that
              will cause a rekey (s), that will cause an expiry (h)  (alloc=),
              if any value is non-zero

       +      number  of  bytes  processesd  by this SA (c), that will cause a
              rekey (s), that will cause an expiry (h) (bytes=), if any  value
              is non-zero

       +      time  since  the SA was added (c), until rekey (s), until expiry
              (h), in seconds (add=)

       +      time since the SA was first used (c), until rekey (s), until ex-
              piry (h), in seconds (used=), if any value is non-zero

       +      number  of  packets processesd by this SA (c), that will cause a
              rekey (s), that will cause an expiry (h) (packets=), if any val-
              ue is non-zero

       +      time since the last packet was processed, in seconds (idle=), if
              SA has been used

              average compression ratio (ratio=)

       tun.12a@       IPIP:        dir=out        src=
       life(c,s,h)=bytes(14073,0,0)add(269,0,0)              use(149,0,0)pack-
       ets(14,0,0)     idle=23

       is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up  between
       machines and with an SPI of 12a in hexadeci-
       mal that has passed about 14 kilobytes of traffic in 14  packets  since
       it  was  created,  269  seconds ago, first used 149 seconds ago and has
       been idle for 23 seconds.

       esp:9a35fc02@3049:1::1          ESP_3DES_HMAC_MD5:               dir=in
       src=9a35fc02@3049:1::2         ooowin=32     seq=7149    bit=0xffffffff
       alen=128                      aklen=128                       eklen=192
       life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)          use(3858,0,0)pack-
       ets(7149,0,0)     idle=23

       is an inbound Encapsulating Security Payload (protocol 50)  SA  on  ma-
       chine  3049:1::1  with an SPI of 9a35fc02 that uses 3DES as the encryp-
       tion cipher, HMAC MD5 as the authentication algorithm, an  out-of-order
       window  of  32 packets, a present sequence number of 7149, every one of
       the last 32 sequence numbers was received, the authenticator length and
       keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES
       since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes  of  data  in
       7149  packets,  was added 4593 seconds ago, first used 3858 seconds ago
       and has been idle for 23 seconds.

       /proc/net/ipsec_spi, /usr/bin/ipsec

       ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),  ipsec_spi-
       grp(5),     ipsec_klipsdebug(5),     ipsec_spi(8),    ipsec_version(5),

       Written for  the  Linux  FreeS/WAN  project  <http://www.freeswan.org/:
       http://www.freeswan.org/> by Richard Guy Briggs.

       The  add  and use times are awkward, displayed in seconds since machine
       start. It would be better to display them in seconds before now for hu-
       man readability.