<HTML><HEAD><TITLE>Manpage of IPSEC_SPI</TITLE>
Section: Maintenance Commands (8)<BR>Updated: 21 Jun 2000<BR><A HREF="#index">Index</A>
<HR>
<A NAME="lbAB"> </A>
ipsec spi - manage IPSEC Security Associations
<A NAME="lbAC"> </A>
Note: In the following,
<B>hmac-md5-96</B>|<B>hmac-sha1-96</B>
<B>--replay_window</B>
<B>--replay_window</B>
<B>3des-md5-96</B>|<B>3des-sha1-96</B>
<B>--replay_window</B>
<A NAME="lbAD"> </A>
creates and deletes IPSEC Security Associations.
A Security Association (SA) is a transform through which packet
contents are to be processed before being forwarded.
A transform can be an IPv4-in-IPv4 or an IPv6-in-IPv6 encapsulation,
an IPSEC Authentication Header (authentication with no encryption),
or an IPSEC Encapsulation Security Payload (encryption, possibly
including authentication).
When a packet is passed from a higher networking layer
through an IPSEC virtual interface,
a search in the extended routing table (see
<I><A HREF="ipsec_eroute.8.html">ipsec_eroute</A></I>(8))
yields an effective destination address, a
Security Parameters Index (SPI) and an IP protocol number.
When an IPSEC packet arrives from the network,
its ostensible destination, an SPI and an IP protocol
specified by its outermost IPSEC header are used.
The destination/SPI/protocol combination is used to select the relevant SA.
<I><A HREF="ipsec_spigrp.8.html">ipsec_spigrp</A></I>(8)
for discussion of how multiple transforms are combined.)
arguments specify the SA to be created or deleted.
is the address family (inet for IPv4, inet6 for IPv6).
is a destination address
in dotted-decimal notation for IPv4
or in colon-separated hexadecimal notation for IPv6.
is a number, preceded by '0x' for hexadecimal,
is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol.
The protocol must agree with the algorithm selected.
argument can also specify an SA to be created or deleted.
combines the three parameters above, such as: "tun.101@1.2.3.4" or "tun:101@1:2::3:4",
where the address family is indicated by "." for IPv4 and ":" for IPv6. The address
family indicator takes the place of the "0x" hexadecimal prefix.
must also be provided for the inbound policy check to
function. The source address does not need to be included if inbound
policy checking has been disabled.
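The monolithic "said" form above packs the same destination/SPI/protocol triple that the description says selects an SA. The following parser is an added example, not FreeS/WAN code: it accepts the "." / ":" family indicator in place of "0x", validates the address against that family with the standard library's ipaddress module, re-emits the identifier, and keys a small table by the lookup triple. The 32-bit range check on the SPI and the reservation of SPI 0 come from the AH/ESP RFCs, not from this page.

```python
# Added example (not FreeS/WAN code): parse and re-emit the monolithic SA
# identifier ("said") that --said accepts, proto.spi@dst for IPv4 and
# proto:spi@dst for IPv6, and key a small SA table by the same
# destination/SPI/protocol triple the description says selects an SA.
import ipaddress
import re
from dataclasses import dataclass

PROTOCOLS = ("ah", "esp", "comp", "tun")

# Matches "tun.987@192.168.100.100" or "tun:500@3049:9::1000:1".
_SAID_RE = re.compile(r"^(" + "|".join(PROTOCOLS) + r")([.:])([0-9a-fA-F]+)@(.+)$")


@dataclass(frozen=True)
class SAID:
    af: str     # "inet" or "inet6"
    proto: str  # "ah", "esp", "comp" or "tun"
    spi: int    # Security Parameters Index, as an integer
    dst: str    # effective destination address, normalised by ipaddress

    def __str__(self) -> str:
        # The separator encodes the address family and replaces the "0x"
        # prefix, so the SPI is written as bare hexadecimal digits.
        sep = "." if self.af == "inet" else ":"
        return f"{self.proto}{sep}{self.spi:x}@{self.dst}"

    def lookup_key(self) -> tuple:
        # The destination/SPI/protocol combination that selects the SA.
        return (self.dst, self.spi, self.proto)


def parse_said(text: str) -> SAID:
    m = _SAID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a said: {text!r}")
    proto, sep, spi_hex, dst = m.groups()
    af = "inet" if sep == "." else "inet6"
    addr = ipaddress.ip_address(dst)  # raises ValueError on a malformed address
    if (af == "inet") != (addr.version == 4):
        raise ValueError(f"family indicator {sep!r} does not match address {dst!r}")
    spi = int(spi_hex, 16)
    # An SPI is a 32-bit header field (RFC 2402/2406); 0 is reserved.
    if not 0 < spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI out of range: {spi:#x}")
    return SAID(af, proto, spi, str(addr))


def build_sa_table(saids) -> dict:
    """Index SAIDs by their destination/SPI/protocol triple, rejecting duplicates."""
    table = {}
    for s in saids:
        key = s.lookup_key()
        if key in table:
            raise ValueError(f"duplicate SA {s}")
        table[key] = s
    return table


if __name__ == "__main__":
    # Constructed inputs, taken from the --said forms in the EXAMPLES section.
    sas = build_sa_table(parse_said(t) for t in
                         ("tun.987@192.168.100.100", "tun:500@3049:9::1000:1"))
    for key, sa in sas.items():
        print(key, "->", sa)
```

The family/address consistency check matters because a mismatched indicator would otherwise be parsed as a different SPI encoding than the operator intended; rejecting it early is cheaper than debugging a silently wrong SA later.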
Key vectors must be entered as hexadecimal or base64 numbers.
They should be cryptographically strong random numbers.
All hexadecimal numbers are entered as strings of hexadecimal digits
(0-9 and a-f), without spaces, preceded by '0x', where each hexadecimal
digit represents 4 bits.
All base64 numbers are entered as strings of base64 digits
(0-9, A-Z, a-z, '+' and '/'), without spaces, preceded by '0s',
where each base64 digit represents 6 bits and '=' is used for padding.
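Because the command takes raw key material, the operator is the one who has to get the encoding and the length right. The following validator is an added example, not part of FreeS/WAN: it decodes the '0x' and '0s' forms described above, rejects whitespace and bad digits, checks the decoded length against the key sizes the OPTIONS section gives for each transform (192-bit 3DES, 128-bit HMAC-MD5, 160-bit HMAC-SHA1), and generates a fresh random key in '0x' form. The transform table and function names are this example's own.

```python
# Added example (not FreeS/WAN code): decode the two key encodings described
# above ("0x" hexadecimal, "0s" base64), check that a key is the length the
# chosen transform needs, and generate a fresh random key in the "0x" form.
# Key sizes are the ones the OPTIONS section gives: 192-bit 3DES, 128-bit
# HMAC-MD5, 160-bit HMAC-SHA1. The transform table is this example's own.
import base64
import binascii
import secrets

# (encryption key bits, authentication key bits) each transform expects.
TRANSFORM_KEY_BITS = {
    "hmac-md5-96":  (0, 128),
    "hmac-sha1-96": (0, 160),
    "3des":         (192, 0),
    "3des-md5-96":  (192, 128),
    "3des-sha1-96": (192, 160),
}


def decode_key(text: str) -> bytes:
    """Return the raw bytes of a '0x...' or '0s...' key string."""
    if any(c.isspace() for c in text):
        # bytes.fromhex() silently skips whitespace, so reject it explicitly.
        raise ValueError("key contains whitespace")
    prefix, body = text[:2], text[2:]
    if prefix == "0x":
        if not body or len(body) % 2:
            raise ValueError("hex key needs an even, non-zero number of digits")
        try:
            return bytes.fromhex(body)
        except ValueError:
            raise ValueError("hex key contains a non-hex character") from None
    if prefix == "0s":
        try:
            return base64.b64decode(body, validate=True)
        except binascii.Error as e:
            raise ValueError(f"bad base64 key: {e}") from None
    raise ValueError("key must start with '0x' (hex) or '0s' (base64)")


def check_keys(transform: str, enckey=None, authkey=None) -> list:
    """Return a list of problems (empty when the keys fit the transform)."""
    if transform not in TRANSFORM_KEY_BITS:
        return [f"unknown transform {transform!r}"]
    enc_bits, auth_bits = TRANSFORM_KEY_BITS[transform]
    problems = []
    for name, want, given in (("enckey", enc_bits, enckey),
                              ("authkey", auth_bits, authkey)):
        if want == 0:
            if given is not None:
                problems.append(f"{name} is not used by {transform}")
            continue
        if given is None:
            problems.append(f"{name} is required by {transform}")
            continue
        try:
            got = len(decode_key(given)) * 8
        except ValueError as e:
            problems.append(f"{name}: {e}")
            continue
        if got != want:
            problems.append(f"{name} is {got} bits, {transform} needs {want}")
    return problems


def generate_key(bits: int) -> str:
    """A cryptographically strong random key of `bits` bits in '0x' form."""
    return "0x" + secrets.token_bytes(bits // 8).hex()


if __name__ == "__main__":
    # Constructed keys: a correct pair for 3des-md5-96 and a too-short SHA1 key.
    print(check_keys("3des-md5-96", enckey=generate_key(192), authkey=generate_key(128)))
    print(check_keys("hmac-sha1-96", authkey="0x" + "ab" * 16))
```

generate_key uses the secrets module rather than random, which is the difference between a key that meets the "cryptographically strong random numbers" requirement above and one that does not.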
The deletion of an SA which has been grouped will result in the entire chain
The form with no additional arguments lists the contents of
/proc/net/ipsec_spi. The format of /proc/net/ipsec_spi is discussed in
<A HREF="ipsec_spi.5.html">ipsec_spi</A>(5).
<A NAME="lbAE"> </A>
specifies the address family (inet for IPv4, inet6 for IPv6)
specifies the effective destination
of the Security Association
specifies the Security Parameters Index
of the Security Association
specifies the IP protocol
of the Security Association
specifies the Security Association in monolithic format
add an SA for an IPSEC Authentication Header,
specified by the following transform identifier
(RFC2402, obsoletes RFC1826)
<DT><B>hmac-md5-96</B>
transform following the HMAC and MD5 standards,
to produce a 96-bit authenticator (RFC2403)
<DT><B>hmac-sha1-96</B>
transform following the HMAC and SHA1 standards,
to produce a 96-bit authenticator (RFC2404)
add an SA for an IPSEC Encapsulation Security Payload,
specified by the following
transform identifier (<B>3des</B>,
(RFC2406, obsoletes RFC1827)
encryption transform following the Triple-DES standard in
Cipher-Block-Chaining mode using a 64-bit
(internally generated) and a 192-bit 3DES
<DT><B>3des-md5-96</B>
encryption transform following the Triple-DES standard in
Cipher-Block-Chaining mode with authentication provided by
(96-bit authenticator),
(internally generated), a 192-bit 3DES
and a 128-bit HMAC-MD5
<DT><B>3des-sha1-96</B>
encryption transform following the Triple-DES standard in
Cipher-Block-Chaining mode with authentication provided by
(96-bit authenticator),
(internally generated), a 192-bit 3DES
and a 160-bit HMAC-SHA1
<DT><B>--replay_window</B> replayw
sets the replay window size; valid values are decimal, 1 to 64
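A replay window of 1 to 64 is the bitmap an inbound SA keeps so that a captured AH or ESP packet cannot be accepted a second time. The class below is an added example of that check, written from the sliding-window algorithm in RFC 2401 Appendix C rather than taken from FreeS/WAN's KLIPS code; it enforces the same 1..64 size range the option accepts and shows how duplicates, packets older than the window and late-but-new packets are treated.

```python
# Added example (not FreeS/WAN's KLIPS code): the sliding-window anti-replay
# check that a --replay_window setting sizes on an inbound SA, implemented as
# the bitmap algorithm of RFC 2401 Appendix C, with the window size limited to
# the 1..64 range this option accepts.


class ReplayWindow:
    def __init__(self, size: int):
        if not 1 <= size <= 64:
            raise ValueError("replay window size must be 1..64")
        self.size = size
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (highest - i) was seen

    def check(self, seq: int) -> bool:
        """Accept seq (and record it) if it is new and inside the window."""
        if seq <= 0:
            return False  # sequence numbers start at 1; 0 is never valid
        if seq > self.highest:
            # New high-water mark: slide the window right by the difference.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1  # everything previously seen falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # older than the window: cannot tell, so drop
        if self.bitmap & (1 << offset):
            return False  # already seen: replay
        self.bitmap |= 1 << offset  # late but new: accept once
        return True


def filter_sequence(size: int, seqs) -> list:
    """Run a packet sequence through one window; True = accepted."""
    window = ReplayWindow(size)
    return [window.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: a duplicate (2), a jump past the window (7),
    # a packet that is now too old (3) and late-but-new packets (4, 6, 5).
    arrivals = [1, 2, 3, 2, 7, 3, 4, 6, 8, 5, 9]
    for s, ok in zip(arrivals, filter_sequence(4, arrivals)):
        print(f"seq {s}: {'accept' if ok else 'drop'}")
```

In a real receiver the window is only updated after the packet's authenticator has verified; updating it on an unauthenticated packet would let anyone with a forged sequence number push legitimate traffic out of the window. A small window drops more reordered-but-genuine packets, a large one tolerates more reordering at the cost of a larger bitmap, which is why the option is bounded at 64 here.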
add an SA for IPSEC IP Compression,
specified by the following
transform identifier (<B>deflate</B>)
compression transform following the patent-free Deflate compression algorithm
add an SA for an IPv4-in-IPv4
add an SA for an IPv6-in-IPv6
specify the source end of an IP-in-IP tunnel from
and also specifies the source address of the Security Association to be
used in inbound policy checking and must be the same address
specify the destination end of an IP-in-IP tunnel from
delete the specified SA
display version information
<A NAME="lbAF"> </A>
To keep line lengths down and reduce clutter,
some of the long keys in these examples have been abbreviated
by replacing part of their text with
Keys used when the programs are actually run must,
of course, be the full length required for the particular algorithm.
<B>ipsec spi --af inet --edst gw2 --spi 0x125 --proto esp \</B>
<B> --esp 3des-md5-96 \</B>
<B> --enckey 0x6630</B><I>...</I><B>97ce \</B>
<B> --authkey 0x9941</B><I>...</I><B>71df</B>
encryption with integral
authentication transform, using an encryption key of
<B>0x6630</B><I>...</I><B>97ce</B>
and an authentication key of
<B>0x9941</B><I>...</I><B>71df</B>
(see note above about abbreviated keys).
<B>ipsec spi --af inet6 --edst 3049:9::9000:3100 --spi 0x150 --proto ah \</B>
<B> --src 3049:9::9000:3101 \</B>
<B> --ah hmac-md5-96 \</B>
<B> --authkey 0x1234</B><I>...</I><B>2eda \</B>
<B>3049:9::9000:3101</B>
<B>3049:9::9000:3100</B>
authentication transform, using an authentication key of
<B>0x1234</B><I>...</I><B>2eda</B>
(see note above about abbreviated keys).
<B>ipsec spi --said tun.987@192.168.100.100 --del </B>
<B>192.168.100.100</B>
<B>ipsec spi --said tun:500@3049:9::1000:1 --del </B>
<B>3049:9::1000:1</B>
<A NAME="lbAG"> </A>
/proc/net/ipsec_spi, /usr/local/bin/ipsec
<A NAME="lbAH"> </A>
<A HREF="ipsec.8.html">ipsec</A>(8), <A HREF="ipsec_manual.8.html">ipsec_manual</A>(8), <A HREF="ipsec_tncfg.8.html">ipsec_tncfg</A>(8), <A HREF="ipsec_eroute.8.html">ipsec_eroute</A>(8),
<A HREF="ipsec_spigrp.8.html">ipsec_spigrp</A>(8), <A HREF="ipsec_klipsdebug.8.html">ipsec_klipsdebug</A>(8), <A HREF="ipsec_spi.5.html">ipsec_spi</A>(5)
<A NAME="lbAI"> </A>
Written for the Linux FreeS/WAN project
<<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>>
by Richard Guy Briggs.
<A NAME="lbAJ"> </A>
The syntax is messy and the transform naming needs work.
<A NAME="index"> </A><H2>Index</H2>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">OPTIONS</A><DD>
<DT><A HREF="#lbAF">EXAMPLES</A><DD>
<DT><A HREF="#lbAG">FILES</A><DD>
<DT><A HREF="#lbAH">SEE ALSO</A><DD>
<DT><A HREF="#lbAI">HISTORY</A><DD>
<DT><A HREF="#lbAJ">BUGS</A><DD>
This document was created by
<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 05:09:33 GMT, June 19, 2001