.TH IPSEC_EROUTE 8 "21 Jun 2000"
.\" RCSID $Id: eroute.8,v 1.24 2001/02/26 19:58:49 rgb Exp $
ipsec eroute \- manipulate IPSEC extended routing tables
.B \-\-eraf (inet | inet6)
src/srcmaskbits|srcmask
dst/dstmaskbits|dstmask
.B \-\-eraf (inet | inet6)
src/srcmaskbits|srcmask
dst/dstmaskbits|dstmask
.B \-\-eraf (inet | inet6)
src/srcmaskbits|srcmask
dst/dstmaskbits|dstmask
.B (%passthrough | %passthrough4 | %passthrough6)
manages the IPSEC extended routing tables,
which control what (if any) processing is applied
to non-encrypted packets arriving for IPSEC processing and forwarding.
The form with no additional arguments lists the contents of
/proc/net/ipsec_eroute.
form adds a table entry, the
form replaces a table entry, while the
form deletes the entire table.
A table entry consists of:
source and destination addresses,
for selection of packets
Security Association IDentifier, comprised of:
(\fIproto\fR), indicating (together with the
effective destination and the security parameters index)
which Security Association should be used to process the packet
Security Parameters Index
(\fIspi\fR), indicating (together with the
effective destination and protocol)
which Security Association should be used to process the packet
(must be larger than or equal to 0x100)
effective destination
where the packet should be forwarded after processing
(normally the other security gateway)
(\fIsaid\fR), indicating
which Security Association should be used to process the packet
Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
protocol is one of "ah", "esp", "comp" or "tun" and SPIs are
prefixed hexadecimal numbers where '.' represents IPv4 and ':'
SAIDs are written as "protoafSPI@address". There are also 5
"magic" SAIDs which have special meaning:
means that matches are to be dropped
means that matches are to be dropped and an ICMP returned, if
means that matches are to trigger an ACQUIRE message to the Key
Management daemon(s) and a hold eroute will be put in place to
prevent subsequent packets also triggering ACQUIRE messages.
means that matches are to be stored until the eroute is replaced or
until that eroute gets reaped
means that matches are to be allowed to pass without IPSEC processing
The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
.B "ipsec eroute \-\-add \-\-eraf inet \-\-src 192.168.0.1/32 \e"
.B " \-\-dst 192.168.2.0/24 \-\-af inet \-\-edst 192.168.0.2 \e"
.B " \-\-spi 0x135 \-\-proto tun"
on a Security Gateway to protect traffic between the host
bits of subnet mask via Security Gateway
using the Security Association with address
Security Parameters Index
.B "ipsec eroute \-\-add \-\-eraf inet6 \-\-src 3049:1::1/128 \e"
.B " \-\-dst 3049:2::/64 \-\-af inet6 \-\-edst 3049:1::2 \e"
.B " \-\-spi 0x145 \-\-proto tun"
on a Security Gateway to protect traffic between the host
bits of subnet mask via Security Gateway
using the Security Association with address
Security Parameters Index
.B "ipsec eroute \-\-replace \-\-eraf inet \-\-src company.com/24 \e"
.B " \-\-dst ftp.ngo.org/32 \-\-said tun.135@gw.ngo.org"
on a Security Gateway to protect traffic between the subnet
bits of subnet mask and the host
using the Security Association with Security Association ID
.BR tun0x135@gw.ngo.org
.B "ipsec eroute \-\-del \-\-eraf inet \-\-src company.com/24 \e"
.B " \-\-dst www.ietf.org/32 \-\-said %passthrough4"
on a Security Gateway that allowed traffic between the subnet
bits of subnet mask and the host
to pass in the clear, unprocessed.
/proc/net/ipsec_eroute, /usr/local/bin/ipsec
ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8),
ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_eroute(5)
Written for the Linux FreeS/WAN project
<http://www.freeswan.org/>
by Richard Guy Briggs.
.\" $Log: eroute.8,v $
.\" Revision 1.24 2001/02/26 19:58:49 rgb
.\" Added a comment on the restriction of spi > 0x100.
.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
.\" of the new SPD and to support opportunistic.
.\" Revision 1.23 2000/09/17 18:56:48 rgb
.\" Added IPCOMP support.
.\" Revision 1.22 2000/09/13 15:54:31 rgb
.\" Added Gerhard's ipv6 updates.
.\" Revision 1.21 2000/06/30 18:21:55 rgb
.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
.\" and correct FILES sections to no longer refer to /dev/ipsec which has
.\" been removed since PF_KEY does not use it.
.\" Revision 1.20 2000/06/21 16:54:57 rgb
.\" Added 'no additional args' text for listing contents of
.\" /proc/net/ipsec_* files.
.\" Revision 1.19 1999/07/19 18:47:24 henry
.\" fix slightly-misformed comments
.\" Revision 1.18 1999/04/06 04:54:37 rgb
.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
.\" patch shell fixes.
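.PP
As an added illustration that is not part of this manual page or of the FreeS/WAN sources, the following Python validates SAIDs and selector pairs against the rules stated above (the four protocol names, the '.' and ':' family markers, the 0x100 SPI minimum, the magic SAIDs and their IPv4/IPv6 variants) before an eroute entry is built; treating the legacy "0x" SPI prefix as IPv4, as in the tun0x135@gw.ngo.org example, is an assumption of this example.

```python
import ipaddress
import re

# Magic SAIDs named on this page; %passthrough also has per-family variants.
MAGIC_SAIDS = {"%drop", "%reject", "%trap", "%hold", "%pass",
               "%passthrough", "%passthrough4", "%passthrough6"}
MIN_SPI = 0x100  # the page requires SPIs >= 0x100

# proto + family marker + hex SPI @ destination.  '.' is IPv4 and ':' is IPv6;
# the legacy '0x' form (tun0x135@gw.ngo.org) is taken as IPv4 here (assumption).
SAID_RE = re.compile(
    r"^(?P<proto>ah|esp|comp|tun)(?P<af>\.|:|0x)(?P<spi>[0-9a-fA-F]+)@(?P<dst>\S+)$")


def parse_said(said):
    """Describe a SAID as a dict, raising ValueError when it is malformed."""
    if said in MAGIC_SAIDS:
        return {"magic": said}
    m = SAID_RE.match(said)
    if m is None:
        raise ValueError(f"malformed SAID: {said!r}")
    spi = int(m.group("spi"), 16)
    if spi < MIN_SPI:
        raise ValueError(f"SPI 0x{spi:x} is below the 0x{MIN_SPI:x} minimum")
    family = 6 if m.group("af") == ":" else 4
    dst = m.group("dst")
    try:
        literal = ipaddress.ip_address(dst)
    except ValueError:
        literal = None  # a hostname such as gw.ngo.org; ipsec(8) resolves it
    if literal is not None and literal.version != family:
        raise ValueError(f"family marker disagrees with address {dst}")
    return {"proto": m.group("proto"), "spi": spi, "family": family, "dst": dst}


def eroute_add_args(src, dst, said):
    """Build the 'ipsec eroute --add' argument list for CIDR selectors and a SAID."""
    src_net = ipaddress.ip_network(src, strict=False)
    dst_net = ipaddress.ip_network(dst, strict=False)
    if src_net.version != dst_net.version:
        raise ValueError("src and dst selectors must share an address family")
    info = parse_said(said)
    magic = info.get("magic", "")
    if magic[-1:] in ("4", "6") and int(magic[-1]) != src_net.version:
        raise ValueError(f"{magic} does not match an IPv{src_net.version} selector")
    if info.get("family", src_net.version) != src_net.version:
        raise ValueError("SAID address family does not match the selectors")
    eraf = "inet" if src_net.version == 4 else "inet6"
    return ["ipsec", "eroute", "--add", "--eraf", eraf, "--src", str(src_net),
            "--dst", str(dst_net), "--said", said]
```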