<HTML><HEAD><TITLE>Manpage of IPSEC_EROUTE</TITLE>
Section: Maintenance Commands (8)<BR>Updated: 21 Jun 2000<BR><A HREF="#index">Index</A>
<HR>
<A NAME="lbAB"> </A>
<H2>NAME</H2>
ipsec eroute - manipulate IPSEC extended routing tables
<A NAME="lbAC"> </A>
<H2>SYNOPSIS</H2>
<B>--eraf (inet | inet6)</B>
src/srcmaskbits|srcmask
dst/dstmaskbits|dstmask
<BR>
<B>--eraf (inet | inet6)</B>
src/srcmaskbits|srcmask
dst/dstmaskbits|dstmask
<BR>
<B>--eraf (inet | inet6)</B>
src/srcmaskbits|srcmask
dst/dstmaskbits|dstmask
<BR>
<B>(%passthrough | %passthrough4 | %passthrough6)</B>
<A NAME="lbAD"> </A>
<H2>DESCRIPTION</H2>
<B>ipsec eroute</B>
manages the IPSEC extended routing tables,
which control what (if any) processing is applied
to non-encrypted packets arriving for IPSEC processing and forwarding.
The form with no additional arguments lists the contents of
/proc/net/ipsec_eroute.
The <B>--add</B> form adds a table entry, the <B>--replace</B>
form replaces a table entry, while the <B>--del</B>
form deletes one. The fourth form deletes the entire table.
A table entry consists of:
<DL>
<DT>source and destination addresses
<DD>for selection of packets
<DT>Security Association IDentifier, comprised of:
<DD>
<DL>
<DT>protocol
(<I>proto</I>)
<DD>indicating (together with the
effective destination and the security parameters index)
which Security Association should be used to process the packet
<DT>Security Parameters Index
(<I>spi</I>)
<DD>indicating (together with the
effective destination and protocol)
which Security Association should be used to process the packet
(must be larger than or equal to 0x100)
<DT>effective destination
<DD>where the packet should be forwarded after processing
(normally the other security gateway)
</DL>
or a Security Association ID
(<I>said</I>), indicating
which Security Association should be used to process the packet
</DL>
Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
protocol is one of "ah", "esp", "comp" or "tun" and SPIs are
prefixed hexadecimal numbers where '.' represents IPv4 and ':'
represents IPv6.
SAIDs are written as "protoafSPI@address". There are also 5
"magic" SAIDs which have special meaning:
<UL>
<LI>matches are to be dropped
<LI>matches are to be dropped and an ICMP returned, if
<LI>matches are to trigger an ACQUIRE message to the Key
Management daemon(s) and a hold eroute will be put in place to
prevent subsequent packets also triggering ACQUIRE messages
<LI>matches are to be stored until the eroute is replaced or
until that eroute gets reaped
<LI>matches are to be allowed to pass without IPSEC processing
</UL>
The format of /proc/net/ipsec_eroute is listed in <A HREF="ipsec_eroute.5.html">ipsec_eroute</A>(5).
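To make the SAID and selector rules above concrete, here is an added example in Python (not part of the FreeS/WAN sources or of this manual page): it parses a SAID of the form protoafSPI@address, accepting both the "tun.135@host" and "tun0x135@host" spellings this page uses, enforces the 0x100 minimum on the SPI, and checks that the --src and --dst selectors belong to the --eraf family. Hostnames such as gw.ngo.org are accepted unresolved and magic SAIDs (those starting with '%') are passed through without validating the name; both are assumptions of this example.

```python
import ipaddress
import re
from typing import List

MIN_SPI = 0x100   # page: an SPI must be larger than or equal to 0x100
# Both spellings that appear on this page: "tun.135@host" ('.' = IPv4, ':' = IPv6)
# and "tun0x135@host" (no family marker); the protocol names are the page's four.
_SAID_RE = re.compile(r"^(ah|esp|comp|tun)(\.|:|0x)([0-9a-fA-F]+)@(.+)$")

def _ip(text: str):
    """Literal IP address, or None for hostnames such as gw.ngo.org (not resolved)."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def parse_said(text: str) -> dict:
    """Parse protoafSPI@address into {proto, af, spi, address}; magic SAIDs
    (leading '%') come back as {"magic": name} without further validation."""
    if text.startswith("%"):
        return {"magic": text}
    m = _SAID_RE.match(text)
    if not m:
        raise ValueError(f"malformed SAID: {text!r}")
    proto, sep, hexspi, addr = m.groups()
    spi = int(hexspi, 16)
    if spi < MIN_SPI:
        raise ValueError(f"SPI 0x{spi:x} is below the 0x{MIN_SPI:x} minimum")
    af = {".": "inet", ":": "inet6"}.get(sep)       # None for the 0x spelling
    ip = _ip(addr)
    if ip is not None:                              # literal address: check/derive family
        addr_af = "inet" if ip.version == 4 else "inet6"
        if af is not None and af != addr_af:
            raise ValueError(f"SAID family {af} disagrees with address {addr}")
        af = addr_af
    return {"proto": proto, "af": af, "spi": spi, "address": addr}

def eroute_problems(eraf: str, src: str, dst: str, said: str) -> List[str]:
    """Consistency checks for one --add/--replace/--del line: each selector must
    belong to the --eraf family and the SAID must parse under the rules above."""
    problems = []
    for opt, sel in (("--src", src), ("--dst", dst)):
        ip = _ip(sel.split("/", 1)[0])              # hostname selectors are not checked
        if ip is not None and ("inet" if ip.version == 4 else "inet6") != eraf:
            problems.append(f"{opt} {sel} is not an {eraf} selector")
    try:
        parse_said(said)
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```

An empty list from eroute_problems means the selectors and SAID are mutually consistent; it does not confirm that the Security Association itself exists.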
<A NAME="lbAE"> </A>
<H2>EXAMPLES</H2>
<P>
<B>ipsec eroute --add --eraf inet --src 192.168.0.1/32 \</B>
<BR>
<B> --dst 192.168.2.0/24 --af inet --edst 192.168.0.2 \</B>
<BR>
<B> --spi 0x135 --proto tun</B>
<P>
sets up an eroute on a Security Gateway to protect traffic between the host
<B>192.168.0.1</B>
and the subnet
<B>192.168.2.0</B>
with
<B>24</B>
bits of subnet mask via Security Gateway
<B>192.168.0.2</B>
using the Security Association with address
<B>192.168.0.2</B>,
protocol
<B>tun</B>
and
Security Parameters Index
<B>0x135</B>.
<P>
<B>ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \</B>
<BR>
<B> --dst 3049:2::/64 --af inet6 --edst 3049:1::2 \</B>
<BR>
<B> --spi 0x145 --proto tun</B>
<P>
sets up an eroute on a Security Gateway to protect traffic between the host
<B>3049:1::1</B>
and the subnet
<B>3049:2::</B>
with
<B>64</B>
bits of subnet mask via Security Gateway
<B>3049:1::2</B>
using the Security Association with address
<B>3049:1::2</B>,
protocol
<B>tun</B>
and
Security Parameters Index
<B>0x145</B>.
<P>
<B>ipsec eroute --replace --eraf inet --src company.com/24 \</B>
<BR>
<B> --dst ftp.ngo.org/32 --said tun.135@gw.ngo.org</B>
<P>
replaces an eroute on a Security Gateway to protect traffic between the subnet
<B>company.com</B>
with
<B>24</B>
bits of subnet mask and the host
<B>ftp.ngo.org</B>
using the Security Association with Security Association ID
<B>tun0x135@gw.ngo.org</B>.
<P>
<B>ipsec eroute --del --eraf inet --src company.com/24 \</B>
<BR>
<B> --dst www.ietf.org/32 --said %passthrough4</B>
<P>
deletes an eroute on a Security Gateway that allowed traffic between the subnet
<B>company.com</B>
with
<B>24</B>
bits of subnet mask and the host
<B>www.ietf.org</B>
to pass in the clear, unprocessed.
<A NAME="lbAF"> </A>
<H2>FILES</H2>
/proc/net/ipsec_eroute, /usr/local/bin/ipsec
<A NAME="lbAG"> </A>
<H2>SEE ALSO</H2>
<A HREF="ipsec.8.html">ipsec</A>(8), <A HREF="ipsec_manual.8.html">ipsec_manual</A>(8), <A HREF="ipsec_tncfg.8.html">ipsec_tncfg</A>(8), <A HREF="ipsec_spi.8.html">ipsec_spi</A>(8),
<A HREF="ipsec_spigrp.8.html">ipsec_spigrp</A>(8), <A HREF="ipsec_klipsdebug.8.html">ipsec_klipsdebug</A>(8), <A HREF="ipsec_eroute.5.html">ipsec_eroute</A>(5)
<A NAME="lbAH"> </A>
<H2>HISTORY</H2>
Written for the Linux FreeS/WAN project
&lt;<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>&gt;
by Richard Guy Briggs.
<A NAME="index"> </A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">EXAMPLES</A><DD>
<DT><A HREF="#lbAF">FILES</A><DD>
<DT><A HREF="#lbAG">SEE ALSO</A><DD>
<DT><A HREF="#lbAH">HISTORY</A><DD>
</DL>
This document was created by
<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 05:09:31 GMT, June 19, 2001