2013.10.24

[uclinux-h8/uClinux-dist.git] / freeswan / doc / manpage.d / ipsec_eroute.5.html

Content-type: text/html

<HTML><HEAD><TITLE>Manpage of IPSEC_EROUTE</TITLE>
</HEAD><BODY>
<H1>IPSEC_EROUTE</H1>
Section: File Formats (5)<BR>Updated: 26 Jun 2000<BR><A HREF="#index">Index</A>
<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR>




<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

ipsec_eroute - list of existing eroutes
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>ipsec</B>

<B>eroute</B>

<P>

<B>cat</B>

<B>/proc/net/ipsec_eroute</B>

<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<I>/proc/net/ipsec_eroute</I>

lists the IPSEC extended routing tables,
which control what (if any) processing is applied
to non-encrypted packets arriving for IPSEC processing and forwarding.
At this point it is a read-only file.
<P>

A table entry consists of:
<DL COMPACT>
<DT>+<DD>
packet count,
<DT>+<DD>
source address with mask,
<DT>+<DD>
a '-&gt;' separator for visual and automated parsing between src and dst
<DT>+<DD>
destination address with mask
<DT>+<DD>
a '=&gt;' separator for visual and automated parsing between selection
criteria and SAID to use
<DT>+<DD>
SAID (Security Association IDentifier), comprised of:
<DT>+<DD>
protocol
(<I>proto</I>),
<DT>+<DD>
address family
(<I>af</I>),
where '.' stands for IPv4 and ':' for IPv6
<DT>+<DD>
Security Parameters Index
(<I>SPI</I>),
<DT>+<DD>
effective destination
(<I>edst</I>),
where the packet should be forwarded after processing
(normally the other security gateway)
together indicate which Security Association should be used to process the packet
</DL>
<P>

Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
protocol is one of &quot;ah&quot;, &quot;esp&quot;, &quot;comp&quot; or &quot;tun&quot;
and
SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6
<P>

SAIDs are written as &quot;<A HREF="mailto:protoafSPI@edst">protoafSPI@edst</A>&quot;.  There are also 5
&quot;magic&quot; SAIDs which have special meaning:
<DL COMPACT>
<DT>+<DD>
<B>%drop</B>

means that matches are to be dropped
<DT>+<DD>
<B>%reject</B>

means that matches are to be dropped and an ICMP returned, if
possible to inform
<DT>+<DD>
<B>%trap</B>

means that matches are to trigger an ACQUIRE message to the Key
Management daemon(s) and a hold eroute will be put in place to
prevent subsequent packets also triggering ACQUIRE messages.
<DT>+<DD>
<B>%hold</B>

means that matches are to stored until the eroute is replaced or
until that eroute gets reaped
<DT>+<DD>
<B>%pass</B>

means that matches are to allowed to pass without IPSEC processing
<BR>


</DL>
<A NAME="lbAE">&nbsp;</A>
<H2>EXAMPLES</H2>

<P>

<B>1867     172.31.252.0/24    -&gt; 0.0.0.0/0          =&gt; <A HREF="mailto:tun.130@192.168.43.1">tun.130@192.168.43.1</A></B>

<P>

means that 1,867 packets have been sent to an
<B>eroute</B>

that has been set up to protect traffic between the subnet
<B>172.31.252.0</B>

with a subnet mask of
<B>24</B>

bits and the default address/mask represented by an address of
<B>0.0.0.0</B>

with a subnet mask of
<B>0</B>

bits using the local machine as a security gateway on this end of the
tunnel and the machine
<B>192.168.43.1</B>

on the other end of the tunnel with a Security Association IDentifier of
<B><A HREF="mailto:tun0x130@192.168.43.1">tun0x130@192.168.43.1</A></B>

which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a
Security Parameters Index of
<B>130</B>

in hexadecimal.
<P>

<B>125      3049:1::/64    -&gt; 0:0/0          =&gt; tun:<A HREF="mailto:130@3058">130@3058</A>:4::5</B>

<P>

means that 125 packets have been sent to an
<B>eroute</B>

that has been set up to protect traffic between the subnet
<B>3049:1::</B>

with a subnet mask of
<B>64</B>

bits and the default address/mask represented by an address of
<B>0:0</B>

with a subnet mask of
<B>0</B>

bits using the local machine as a security gateway on this end of the
tunnel and the machine
<B>3058:4::5</B>

on the other end of the tunnel with a Security Association IDentifier of
<B>tun:<A HREF="mailto:130@3058">130@3058</A>:4::5</B>

which means that it is a tunnel mode connection with a
Security Parameters Index of
<B>130</B>

in hexadecimal.
<P>

<B>42         192.168.6.0/24     -&gt; 192.168.7.0/24     =&gt; %passthrough</B>

<P>

means that 42 packets have been sent to an
<B>eroute</B>

that has been set up to pass the traffic from the subnet
<B>192.168.6.0</B>

with a subnet mask of
<B>24</B>

bits and to subnet
<B>192.168.7.0</B>

with a subnet mask of
<B>24</B>

bits without any IPSEC processing.
<P>

<B>2112     192.168.8.55/32    -&gt; 192.168.9.47/24    =&gt; %hold</B>

<P>

means that 2112 packets have been sent to an
<B>eroute</B>

that has been set up to hold the traffic from the host
<B>192.168.8.55</B>

and to host
<B>192.168.9.47</B>

until a key exchange from a Key Management daemon
succeeds and puts in an SA or fails and puts in a pass
or drop eroute depending on the default configuration.
<P>

<B>2001     192.168.2.110/32   -&gt; 192.168.2.120/32   =&gt; </B>

<BR>

<B>        <A HREF="mailto:esp.e6de@192.168.2.120">esp.e6de@192.168.2.120</A></B>

<P>

means that 2001 packets have been sent to an
<B>eroute</B>

that has been set up to protect traffic between the host
<B>192.168.2.110</B>

and the host
<B>192.168.2.120</B>

using
<B>192.168.2.110</B>

as a security gateway on this end of the
connection and the machine
<B>192.168.2.120</B>

on the other end of the connection with a Security Association IDentifier of
<B><A HREF="mailto:esp.e6de@192.168.2.120">esp.e6de@192.168.2.120</A></B>

which means that it is a transport mode connection with a Security
Parameters Index of
<B>e6de</B>

in hexadecimal using Encapsuation Security Payload protocol (50,
IPPROTO_ESP).
<P>

<B>1984     3049:1::110/128   -&gt; 3049:1::120/128   =&gt; </B>

<BR>

<B>        ah:<A HREF="mailto:f5ed@3049">f5ed@3049</A>:1::120</B>

<P>

means that 1984 packets have been sent to an
<B>eroute</B>

that has been set up to authenticate traffic between the host
<B>3049:1::110</B>

and the host
<B>3049:1::120</B>

using
<B>3049:1::110</B>

as a security gateway on this end of the
connection and the machine
<B>3049:1::120</B>

on the other end of the connection with a Security Association IDentifier of
<B>ah:<A HREF="mailto:f5ed@3049">f5ed@3049</A>:1::120</B>

which means that it is a transport mode connection with a Security
Parameters Index of
<B>f5ed</B>

in hexadecimal using Authentication Header protocol (51,
IPPROTO_AH).
<A NAME="lbAF">&nbsp;</A>
<H2>FILES</H2>

/proc/net/ipsec_eroute, /usr/local/bin/ipsec
<A NAME="lbAG">&nbsp;</A>
<H2>SEE ALSO</H2>

<A HREF="ipsec.8.html">ipsec</A>(8), <A HREF="ipsec_manual.8.html">ipsec_manual</A>(8), <A HREF="ipsec_tncfg.5.html">ipsec_tncfg</A>(5), <A HREF="ipsec_spi.5.html">ipsec_spi</A>(5),
<A HREF="ipsec_spigrp.5.html">ipsec_spigrp</A>(5), <A HREF="ipsec_klipsdebug.5.html">ipsec_klipsdebug</A>(5), <A HREF="ipsec_eroute.8.html">ipsec_eroute</A>(8), <A HREF="ipsec_version.5.html">ipsec_version</A>(5),
<A HREF="ipsec_pf_key.5.html">ipsec_pf_key</A>(5)
<A NAME="lbAH">&nbsp;</A>
<H2>HISTORY</H2>

Written for the Linux FreeS/WAN project
&lt;<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>&gt;
by Richard Guy Briggs.





























<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">EXAMPLES</A><DD>
<DT><A HREF="#lbAF">FILES</A><DD>
<DT><A HREF="#lbAG">SEE ALSO</A><DD>
<DT><A HREF="#lbAH">HISTORY</A><DD>
</DL>
<HR>
This document was created by
<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 05:09:31 GMT, June 19, 2001
</BODY>
</HTML>