IPSEC_EROUTE(8)
NAME
ipsec_eroute - manipulate IPSEC extended routing tables

SYNOPSIS
ipsec eroute --add --eraf (inet | inet6) --src src/srcmaskbits|srcmask --dst dst/dstmaskbits|dstmask [[--transport-proto transport-protocol]] [--src-port source-port] [--dst-port dest-port] [<SAID>]

ipsec eroute --replace --eraf (inet | inet6) --src src/srcmaskbits|srcmask --dst dst/dstmaskbits|dstmask [[--transport-proto transport-protocol]] [--src-port source-port] [--dst-port dest-port] [<SAID>]

ipsec eroute --del --eraf (inet | inet6) --src src/srcmaskbits|srcmask --dst dst/dstmaskbits|dstmask [[--transport-proto transport-protocol]] [--src-port source-port] [--dst-port dest-port] [<SAID>]

ipsec eroute --clear

ipsec eroute --help

ipsec eroute --version
SAID DESCRIPTION
Where <SAID> is --af (inet | inet6) --edst edst --spi spi --proto proto OR --said said OR --said (%passthrough | %passthrough4 | %passthrough6 | %drop | %reject | %trap | %hold | %pass)

DESCRIPTION
Eroute manages the IPSEC extended routing tables, which control what (if any) processing is applied to non-encrypted packets arriving for IPSEC processing and forwarding. The form with no additional arguments lists the contents of /proc/net/ipsec_eroute. The --add form adds a table entry, the --replace form replaces a table entry, while the --del form deletes one. The --clear form deletes the entire table.

A table entry consists of:

  - source and destination addresses, with masks, source and destination ports
    and protocol for selection of packets. The source and destination ports are
    only legal if the transport protocol is TCP or UDP. A port can be specified
    as either decimal, hexadecimal (leading 0x), octal (leading 0) or a name
    listed in the first column of /etc/services. A transport protocol can be
    specified as either decimal, hexadecimal (leading 0x), octal (leading 0) or
    a name listed in the first column of /etc/protocols. If a transport
    protocol or port is not specified then it defaults to 0, which means all
    protocols or all ports respectively.

  - Security Association IDentifier, comprised of:

      - protocol (proto), indicating (together with the effective destination
        and the security parameters index) which Security Association should
        be used to process the packet

      - address family (af),

      - Security Parameters Index (spi), indicating (together with the
        effective destination and protocol) which Security Association should
        be used to process the packet (must be larger than or equal to 0x100)

      - effective destination (edst), where the packet should be forwarded
        after processing (normally the other security gateway)

    OR

      - SAID (said), indicating which Security Association should be used to
        process the packet
Addresses are written as IPv4 dotted quads or IPv6 coloned hex, protocol is one of "ah", "esp", "comp" or "tun", and SPIs are prefixed hexadecimal numbers where '.' represents IPv4 and ':' stands for IPv6.

SAIDs are written as "protoafSPI@address". There are also 5 "magic" SAIDs which have special meaning:

  - %drop means that matches are to be dropped

  - %reject means that matches are to be dropped and an ICMP returned, if
    possible, to inform the sender

  - %trap means that matches are to trigger an ACQUIRE message to the Key
    Management daemon(s) and a hold eroute will be put in place to prevent
    subsequent packets also triggering ACQUIRE messages.

  - %hold means that matches are to be stored until the eroute is replaced or
    until that eroute gets reaped

  - %pass means that matches are to be allowed to pass without IPSEC
    processing
The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
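The SAID syntax and selector rules described above, as an added Python example that is not part of this man page or of FreeS/WAN: a parser for "protoafSPI@address" and the %-SAIDs, plus a builder that assembles an `ipsec eroute --add` argv while enforcing that ports are only given with TCP or UDP. It assumes an optional 0x before the SPI digits is acceptable, which the page does not state.

```python
import ipaddress
import re

# Special SAIDs and the SPI floor as given in the text above.
MAGIC_SAIDS = {"%passthrough", "%passthrough4", "%passthrough6",
               "%drop", "%reject", "%trap", "%hold", "%pass"}
MIN_SPI = 0x100

# "protoafSPI@address": af is '.' for IPv4 or ':' for IPv6, SPI is hex.
# Assumption (not stated on the page): an optional 0x before the SPI digits.
_SAID_RE = re.compile(r"^(ah|esp|comp|tun)([.:])(?:0x)?([0-9a-fA-F]+)@(.+)$")

def parse_said(text):
    """Return a dict describing a SAID, or raise ValueError with the reason."""
    if text in MAGIC_SAIDS:
        return {"magic": text}
    m = _SAID_RE.match(text)
    if not m:
        raise ValueError(f"malformed SAID {text!r}")
    proto, af_char, spi_hex, addr_text = m.groups()
    spi = int(spi_hex, 16)
    if spi < MIN_SPI:
        raise ValueError(f"SPI {spi:#x} is below the minimum {MIN_SPI:#x}")
    addr = ipaddress.ip_address(addr_text)        # raises on a bad address
    af = "inet" if af_char == "." else "inet6"
    if (af == "inet") != (addr.version == 4):
        raise ValueError(f"family marker {af_char!r} does not fit {addr_text}")
    return {"proto": proto, "af": af, "spi": spi, "edst": str(addr)}

def eroute_add_argv(src, dst, said, transport_proto=None,
                    src_port=None, dst_port=None):
    """Build argv for `ipsec eroute --add`: src and dst must share a family
    (which becomes --eraf) and ports are only legal with TCP or UDP."""
    src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    if src_net.version != dst_net.version:
        raise ValueError("src and dst must be in the same address family")
    parse_said(said)                              # reject a bad SAID early
    argv = ["ipsec", "eroute", "--add",
            "--eraf", "inet" if src_net.version == 4 else "inet6",
            "--src", str(src_net), "--dst", str(dst_net)]
    if transport_proto is not None:
        argv += ["--transport-proto", str(transport_proto)]
    if src_port is not None or dst_port is not None:
        # Names and decimal numbers only; hex/octal forms are not normalised.
        if str(transport_proto).lower() not in ("tcp", "6", "udp", "17"):
            raise ValueError("ports are only legal with TCP or UDP")
        for flag, port in (("--src-port", src_port), ("--dst-port", dst_port)):
            if port is not None:
                argv += [flag, str(port)]
    return argv + ["--said", said]
```

The builder only assembles the command line; running it requires a KLIPS kernel with the ipsec tools installed.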
EXAMPLES
ipsec eroute --add --eraf inet --src 192.168.0.1/32 \

FILES
/proc/net/ipsec_eroute, /usr/local/bin/ipsec

SEE ALSO
ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8), ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_eroute(5)

HISTORY
Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by Richard Guy Briggs.

03 April 2007