1IPSEC_SPIGRP(5)               Executable programs              IPSEC_SPIGRP(5)
2
3
4

NAME

6       ipsec_spigrp - list IPSEC Security Association groupings
7

SYNOPSIS

9       ipsec spigrp
10             cat/proc/net/ipsec_spigrp
11
12

OBSOLETE

14       Note that spigrp is only supported on the classic KLIPS stack. It is
15       not supported on any other stack and will be completely removed in
16       future versions. A replacement command still needs to be designed
17

DESCRIPTION

19       /proc/net/ipsec_spigrp is a read-only file that lists groups of IPSEC
20       Security Associations (SAs).
21
22       An entry in the IPSEC extended routing table can only point (via an
23       SAID) to one SA. If more than one transform must be applied to a given
24       type of packet, this can be accomplished by setting up several SAs with
25       the same destination address but potentially different SPIs and
26       protocols, and grouping them with ipsec_spigrp(8).
27
28       The SA groups are listed, one line per connection/group, as a sequence
29       of SAs to be applied (or that should have been applied, in the case of
30       an incoming packet) from inside to outside the packet. An SA is
31       identified by its SAID, which consists of protocol ("ah", "esp", "comp"
32       or "tun"), SPI (with '.' for IPv4 or ':' for IPv6 prefixed hexadecimal
33       number ) and destination address (IPv4 dotted quad or IPv6 coloned hex)
34       prefixed by '@', in the format <proto><af><spi>@<dest>.
35

EXAMPLES

37       tun.3d0@192.168.2.110
38           comp.3d0@192.168.2.110esp.187a101b@192.168.2.110ah.187a101a@192.168.2.110
39
40       is a group of 3 SAs, destined for 192.168.2.110 with an IPv4-in-IPv4
41       tunnel SA applied first with an SPI of 3d0 in hexadecimal, followed by
42       a Deflate compression header to compress the packet with CPI of 3d0 in
43       hexadecimal, followed by an Encapsulating Security Payload header to
44       encrypt the packet with SPI 187a101b in hexadecimal, followed by an
45       Authentication Header to authenticate the packet with SPI 187a101a in
46       hexadecimal, applied from inside to outside the packet. This could be
47       an incoming or outgoing group, depending on the address of the local
48       machine.
49
50       tun:3d0@3049:1::2
51           comp:3d0@3049:1::2esp:187a101b@3049:1::2ah:187a101a@3049:1::2
52
53       is a group of 3 SAs, destined for 3049:1::2 with an IPv6-in-IPv6 tunnel
54       SA applied first with an SPI of 3d0 in hexadecimal, followed by a
55       Deflate compression header to compress the packet with CPI of 3d0 in
56       hexadecimal, followed by an Encapsulating Security Payload header to
57       encrypt the packet with SPI 187a101b in hexadecimal, followed by an
58       Authentication Header to authenticate the packet with SPI 187a101a in
59       hexadecimal, applied from inside to outside the packet. This could be
60       an incoming or outgoing group, depending on the address of the local
61       machine.
62

FILES

64       /proc/net/ipsec_spigrp, /usr/local/bin/ipsec
65

SEE ALSO

67       ipsec(8), ipsec_tncfg(5), ipsec_eroute(5), ipsec_spi(5),
68       ipsec_klipsdebug(5), ipsec_spigrp(8), ipsec_version(5), ipsec_pf_key(5)
69

HISTORY

71       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
72       Richard Guy Briggs.
73

BUGS

75       :-)
76

AUTHOR

78       Paul Wouters
79           placeholder to suppress warning
80
81
82
83libreswan                         02/01/2019                   IPSEC_SPIGRP(5)
Impressum