1IPSEC_SPI(5) Executable programs IPSEC_SPI(5)
2
6 ipsec_spi - list IPSEC Security Associations
7
9 ipsec spi
10 cat/proc/net/ipsec_spi
11
14 Note that eroute is only supported on the classic KLIPS stack. It is
15 not supported on any other stack and will be completely removed in
16 future versions. A replacement command still needs to be designed
17
19 /proc/net/ipsec_spi is a read-only file that lists the current IPSEC
20 Security Associations. A Security Association (SA) is a transform
21 through which packet contents are to be processed before being
22 forwarded. A transform can be an IPv4-in-IPv4 or IPv6-in-IPv6
23 encapsulation, an IPSEC Authentication Header (authentication with no
24 encryption), or an IPSEC Encapsulation Security Payload (encryption,
25 possibly including authentication).
26 When a packet is passed from a higher networking layer through an IPSEC
28 virtual interface, a search in the extended routing table (see
29 ipsec_eroute(5)) yields a IP protocol number , a Security Parameters
30 Index (SPI) and an effective destination address When an IPSEC packet
31 arrives from the network, its ostensible destination, an SPI and an IP
32 protocol specified by its outermost IPSEC header are used. The
33 destination/SPI/protocol combination is used to select a relevant SA.
34 (See ipsec_spigrp(5) for discussion of how multiple transforms are
35 combined.)
36 An spi, proto, daddr and address_family arguments specify an SAID.
38 Proto is an ASCII string, "ah", "esp", "comp" or "tun", specifying the
39 IP protocol. Spi is a number, preceded by '.' indicating hexadecimal
40 and IPv4 or by ':' indicating hexadecimal and IPv6, where each
41 hexadecimal digit represents 4 bits, between 0x100 and 0xffffffff;
42 values from 0x0 to 0xff are reserved. Daddr is a dotted-decimal IPv4
43 destination address or a coloned hex IPv6 destination address.
44 An SAID combines the three parameters above, such as: "tun.101@1.2.3.4"
46 for IPv4 or "tun:101@3049:1::1" for IPv6
47 A table entry consists of:
49 +
51 SAID
52 +
54 <transform name (proto,encalg,authalg)>:
55 +
57 direction (dir=)
58 +
60 source address (src=)
61 +
63 source and destination addresses and masks for inner header policy
64 check addresses (policy=), as dotted-quads or coloned hex,
65 separated by '->', for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only
66 +
68 initialisation vector length and value (iv_bits=, iv=) if non-zero
69 +
71 out-of-order window size, number of out-of-order errors, sequence
72 number, recently received packet bitmask, maximum difference
73 between sequence numbers (ooowin=, ooo_errs=, seq=, bit=,
74 max_seq_diff=) if SA is AH or ESP and if individual items are
75 non-zero
76 +
78 extra flags (flags=) if any are set
79 +
81 authenticator length in bits (alen=) if non-zero
82 +
84 authentication key length in bits (aklen=) if non-zero
85 +
87 authentication errors (auth_errs=) if non-zero
88 +
90 encryption key length in bits (eklen=) if non-zero
91 +
93 encryption size errors (encr_size_errs=) if non-zero
94 +
96 encryption padding error warnings (encr_pad_errs=) if non-zero
97 +
99 lifetimes legend, c=Current status, s=Soft limit when exceeded will
100 initiate rekeying, h=Hard limit will cause termination of SA
101 (life(c,s,h)=)
102 +
104 number of connections to which the SA is allocated (c), that will
105 cause a rekey (s), that will cause an expiry (h) (alloc=), if any
106 value is non-zero
107 +
109 number of bytes processesd by this SA (c), that will cause a rekey
110 (s), that will cause an expiry (h) (bytes=), if any value is
111 non-zero
112 +
114 time since the SA was added (c), until rekey (s), until expiry (h),
115 in seconds (add=)
116 +
118 time since the SA was first used (c), until rekey (s), until expiry
119 (h), in seconds (used=), if any value is non-zero
120 +
122 number of packets processesd by this SA (c), that will cause a
123 rekey (s), that will cause an expiry (h) (packets=), if any value
124 is non-zero
125 +
127 time since the last packet was processed, in seconds (idle=), if SA
128 has been used
129 average compression ratio (ratio=)
131
133 tun.12a@192.168.43.1 IPIP: dir=out src=192.168.43.2
134 life(c,s,h)=bytes(14073,0,0)add(269,0,0) use(149,0,0)packets(14,0,0)
135 idle=23
136 is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between
138 machines 192.168.43.2 and 192.168.43.1 with an SPI of 12a in
139 hexadecimal that has passed about 14 kilobytes of traffic in 14 packets
140 since it was created, 269 seconds ago, first used 149 seconds ago and
141 has been idle for 23 seconds.
142 esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5: dir=in src=9a35fc02@3049:1::2
144 ooowin=32 seq=7149 bit=0xffffffff alen=128 aklen=128 eklen=192
145 life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)
146 use(3858,0,0)packets(7149,0,0) idle=23
147 is an inbound Encapsulating Security Payload (protocol 50) SA on
149 machine 3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the
150 encryption cipher, HMAC MD5 as the authentication algorithm, an
151 out-of-order window of 32 packets, a present sequence number of 7149,
152 every one of the last 32 sequence numbers was received, the
153 authenticator length and keys is 128 bits, the encryption key is 192
154 bits (actually 168 for 3DES since 1 of 8 bits is a parity bit), has
155 passed 1.2 Mbytes of data in 7149 packets, was added 4593 seconds ago,
156 first used 3858 seconds ago and has been idle for 23 seconds.
157
159 /proc/net/ipsec_spi, /usr/local/bin/ipsec
160
162 ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),
163 ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_spi(8), ipsec_version(5),
164 ipsec_pf_key(5)
165
167 Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
168 Richard Guy Briggs.
169
171 The add and use times are awkward, displayed in seconds since machine
172 start. It would be better to display them in seconds before now for
173 human readability.
174
176 Paul Wouters
177 placeholder to suppress warning
178libreswan 02/01/2019 IPSEC_SPI(5)