.TH IPSEC_EROUTE 5 "20 Sep 2001"
.\" RCSID $Id: eroute.5,v 1.8 2001/09/20 15:33:13 rgb Exp $
ipsec_eroute \- list of existing eroutes
.B /proc/net/ipsec_eroute
.I /proc/net/ipsec_eroute
lists the IPSEC extended routing tables,
which control what (if any) processing is applied
to non-encrypted packets arriving for IPSEC processing and forwarding.
At this point it is a read-only file.
A table entry consists of:
source address with mask,
a '->' separator for visual and automated parsing between src and dst
destination address with mask
a '=>' separator for visual and automated parsing between selection
criteria and SAID to use
SAID (Security Association IDentifier), comprised of:
where '.' stands for IPv4 and ':' for IPv6
Security Parameters Index
where the packet should be forwarded after processing
(normally the other security gateway)
together indicate which Security Association should be used to process
source identity text string with no whitespace, in parens,
destination identity text string with no whitespace, in parens
Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
protocol is one of "ah", "esp", "comp" or "tun"
SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6
SAIDs are written as "protoafSPI@edst". There are also 5
"magic" SAIDs which have special meaning:
means that matches are to be dropped
means that matches are to be dropped and an ICMP returned, if
means that matches are to trigger an ACQUIRE message to the Key
Management daemon(s) and a hold eroute will be put in place to
prevent subsequent packets also triggering ACQUIRE messages.
means that matches are to be stored until the eroute is replaced or
until that eroute gets reaped
means that matches are to be allowed to pass without IPSEC processing
.B "1867 172.31.252.0/24 -> 0.0.0.0/0 => tun.130@192.168.43.1 "
means that 1,867 packets have been sent to an
that has been set up to protect traffic between the subnet
bits and the default address/mask represented by an address of
bits using the local machine as a security gateway on this end of the
tunnel and the machine
on the other end of the tunnel with a Security Association IDentifier of
.BR tun.130@192.168.43.1
which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a
Security Parameters Index of
in hexadecimal with no identities defined for either end.
.B 125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()
means that 125 packets have been sent to an
that has been set up to protect traffic between the subnet
with a subnet mask of
bits and the default address/mask represented by an address of
with a subnet mask of
bits using the local machine as a security gateway on this end of the
tunnel and the machine
on the other end of the tunnel with a Security Association IDentifier of
.BR tun:130@3058:4::5
which means that it is a tunnel mode connection with a
Security Parameters Index of
in hexadecimal with no identities defined for either end.
.B 42 192.168.6.0/24 -> 192.168.7.0/24 => %passthrough
means that 42 packets have been sent to an
that has been set up to pass the traffic from the subnet
with a subnet mask of
with a subnet mask of
bits without any IPSEC processing and with no identities defined for either end.
.B 2112 192.168.8.55/32 -> 192.168.9.47/24 => %hold (east) ()
means that 2112 packets have been sent to an
that has been set up to hold the traffic from the host
until a key exchange from a Key Management daemon
succeeds and puts in an SA, or fails and puts in a pass
or drop eroute depending on the default configuration, with the local client
identity defined as "east" and no identity defined for the remote end.
.B "2001 192.168.2.110/32 -> 192.168.2.120/32 => "
.B " esp.e6de@192.168.2.120 () ()"
means that 2001 packets have been sent to an
that has been set up to protect traffic between the host
as a security gateway on this end of the
connection and the machine
on the other end of the connection with a Security Association IDentifier of
.BR esp.e6de@192.168.2.120
which means that it is a transport mode connection with a Security
in hexadecimal using the Encapsulating Security Payload protocol (50,
IPPROTO_ESP) with no identities defined for either end.
.B "1984 3049:1::110/128 -> 3049:1::120/128 => "
.B " ah:f5ed@3049:1::120 () ()"
means that 1984 packets have been sent to an
that has been set up to authenticate traffic between the host
as a security gateway on this end of the
connection and the machine
on the other end of the connection with a Security Association IDentifier of
.BR ah:f5ed@3049:1::120
which means that it is a transport mode connection with a Security
in hexadecimal using the Authentication Header protocol (51,
IPPROTO_AH) with no identities defined for either end.
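The entry layout described above (count, src -> dst, => SAID, optional identities), the "protoafSPI@edst" SAID syntax with its '.'/':' family marker, the "%" magic SAIDs, and the example lines just given are enough to parse the file mechanically, which is what a monitoring script or a test harness for a security gateway needs. The following parser is an added example and is not FreeS/WAN code. Everything it names is an assumption: the function names, the IPCOMP protocol number (the page gives numbers only for esp, ah and tun), the treatment of the page's "0:0/0" IPv6 default selector as ::/0, and the most-specific-match rule in find_eroute, since the page does not say how KLIPS orders its lookups.

```python
# Parser for the /proc/net/ipsec_eroute line format described on this page.
# Added example, not FreeS/WAN code; all names and policies here are assumptions.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# IP protocol numbers the page gives for esp (50), ah (51) and tun (4, IPPROTO_IPIP);
# 108 for "comp" (IPCOMP) is an assumption, the page does not state it.
SAID_PROTOS = {"ah": 51, "esp": 50, "comp": 108, "tun": 4}

# The page's IPv6 example writes the default selector as 0:0/0, which the
# ipaddress module rejects; assumption: it denotes ::/0.
_ADDR_ALIASES = {"0:0": "::"}

# "protoafSPI@edst": proto name, '.' (IPv4) or ':' (IPv6), hex SPI, '@', edst.
_SAID_RE = re.compile(r"^(ah|esp|comp|tun)([.:])([0-9a-fA-F]+)@(\S+)$")
# identity strings: no whitespace, in parens, possibly empty
_IDENT_RE = re.compile(r"\(([^\s()]*)\)")


@dataclass
class Said:
    magic: Optional[str] = None      # "%drop", "%hold", ... when there is no real SA
    proto: Optional[str] = None      # "ah", "esp", "comp" or "tun"
    spi: Optional[int] = None        # Security Parameters Index
    edst: Optional[IPAddress] = None # where packets go after processing


@dataclass
class Eroute:
    count: int          # packets that have matched this entry
    src: IPNetwork      # source selector (address with mask)
    dst: IPNetwork      # destination selector
    said: Said
    src_id: str = ""    # source identity, "" when printed as "()"
    dst_id: str = ""


def parse_selector(tok: str) -> IPNetwork:
    addr, _, bits = tok.partition("/")
    addr = _ADDR_ALIASES.get(addr, addr)
    # strict=False: the page prints host bits (192.168.9.47/24); keep the network
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def parse_said(tok: str) -> Said:
    if tok.startswith("%"):
        return Said(magic=tok)
    m = _SAID_RE.match(tok)
    if not m:
        raise ValueError(f"malformed SAID {tok!r}")
    proto, af, spi_hex, edst = m.groups()
    edst_addr = ipaddress.ip_address(edst)
    # the '.'/':' marker and the edst address must agree on the address family
    if (af == ".") != (edst_addr.version == 4):
        raise ValueError(f"SAID family marker {af!r} does not match edst {edst}")
    return Said(proto=proto, spi=int(spi_hex, 16), edst=edst_addr)


def parse_eroute_line(line: str) -> Eroute:
    head, sep, tail = line.partition("=>")
    if not sep:
        raise ValueError("missing '=>' separator")
    fields = head.split()
    if len(fields) != 4 or fields[2] != "->":
        raise ValueError(f"malformed selector part {head!r}")
    count, src, _, dst = fields
    rest = tail.split()
    if not rest:
        raise ValueError("missing SAID")
    idents = _IDENT_RE.findall(" ".join(rest[1:]))
    if idents and len(idents) != 2:
        raise ValueError(f"expected two identity fields, got {idents}")
    src_id, dst_id = idents if idents else ("", "")
    return Eroute(int(count), parse_selector(src), parse_selector(dst),
                  parse_said(rest[0]), src_id, dst_id)


def parse_eroute_table(text: str) -> List[Eroute]:
    return [parse_eroute_line(l) for l in text.splitlines() if l.strip()]


def find_eroute(table: List[Eroute], src: str, dst: str) -> Optional[Eroute]:
    """Entry whose selectors cover src -> dst, or None.
    Assumption: the page does not say how KLIPS orders the lookup, so this
    picks the most specific match (largest combined prefix length)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [e for e in table if s in e.src and d in e.dst]  # mixed families never match
    if not hits:
        return None
    return max(hits, key=lambda e: e.src.prefixlen + e.dst.prefixlen)


# Constructed sample table, copied from the examples on this page.
SAMPLE_TABLE = """\
1867 172.31.252.0/24 -> 0.0.0.0/0 => tun.130@192.168.43.1
125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()
42 192.168.6.0/24 -> 192.168.7.0/24 => %passthrough
2112 192.168.8.55/32 -> 192.168.9.47/24 => %hold (east) ()
2001 192.168.2.110/32 -> 192.168.2.120/32 => esp.e6de@192.168.2.120 () ()
"""

if __name__ == "__main__":
    table = parse_eroute_table(SAMPLE_TABLE)
    for entry in table:
        print(entry)
    print(find_eroute(table, "172.31.252.7", "10.0.0.1"))
```

The family check in parse_said is the one worth keeping in any real tool: a SAID whose '.'/':' marker disagrees with its edst address is malformed output, not a configuration to act on. find_eroute only models selector matching; it does not distinguish a real SA from a magic entry, so a caller must inspect said.magic before assuming traffic is protected.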
/proc/net/ipsec_eroute, /usr/local/bin/ipsec
ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5),
ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5),
Written for the Linux FreeS/WAN project
<http://www.freeswan.org/>
by Richard Guy Briggs.
.\" $Log: eroute.5,v $
.\" Revision 1.8 2001/09/20 15:33:13 rgb
.\" PF_KEYv2 ident extension output documentation.
.\" Revision 1.7 2001/05/29 05:15:31 rgb
.\" Added packet count field at beginning of line.
.\" Revision 1.6 2001/02/26 19:58:32 rgb
.\" Put SAID elements in order they appear in SAID.
.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
.\" of the new SPD and to support opportunistic.
.\" Revision 1.5 2000/09/17 18:56:48 rgb
.\" Added IPCOMP support.
.\" Revision 1.4 2000/09/13 15:54:31 rgb
.\" Added Gerhard's ipv6 updates.
.\" Revision 1.3 2000/06/30 18:21:55 rgb
.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
.\" and correct FILES sections to no longer refer to /dev/ipsec which has
.\" been removed since PF_KEY does not use it.
.\" Revision 1.2 2000/06/28 12:44:11 henry
.\" Revision 1.1 2000/06/28 05:43:00 rgb
.\" Added manpages for all 5 klips utils.