1IPSEC_EROUTE(5) [FIXME: manual] IPSEC_EROUTE(5)
2
6 ipsec_eroute - list of existing eroutes
7
9 ipsec eroute
10 cat/proc/net/ipsec_eroute
11
13 Note that eroute is only supported on the classic KLIPS stack. It is
14 not supported on any other stack and will be completely removed in
15 future versions. On the mast stack, use ipsec policy, on the netkey
16 stack, use ip xfrm
17
19 /proc/net/ipsec_eroute lists the IPSEC extended routing tables, which
20 control what (if any) processing is applied to non-encrypted packets
21 arriving for IPSEC processing and forwarding. At this point it is a
22 read-only file.
23 A table entry consists of:
25 +
27 packet count,
28 +
30 source address with mask and source port (0 if all ports or not
31 applicable)
32 +
34 a ´->´ separator for visual and automated parsing between src and
35 dst
36 +
38 destination address with mask and destination port (0 if all ports
39 or not applicable)
40 +
42 a ´=>´ separator for visual and automated parsing between selection
43 criteria and SAID to use
44 +
46 SAID (Security Association IDentifier), comprised of:
47 +
49 protocol (proto),
50 +
52 address family (af), where ´.´ stands for IPv4 and ´:´ for IPv6
53 +
55 Security Parameters Index (SPI),
56 +
58 effective destination (edst), where the packet should be forwarded
59 after processing (normally the other security gateway) together
60 indicate which Security Association should be used to process the
61 packet,
62 +
64 a ´:´ separating the SAID from the transport protocol (0 if all
65 protocols)
66 +
68 source identity text string with no whitespace, in parens,
69 +
71 destination identity text string with no whitespace, in parens
72 Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
74 protocol is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
75 hexadecimal numbers where the prefix ´.´ is for IPv4 and the prefix ´:´
76 is for IPv6
77 SAIDs are written as "protoafSPI@edst". There are also 5 "magic" SAIDs
79 which have special meaning:
80 +
82 %drop means that matches are to be dropped
83 +
85 %reject means that matches are to be dropped and an ICMP returned,
86 if possible to inform
87 +
89 %trap means that matches are to trigger an ACQUIRE message to the
90 Key Management daemon(s) and a hold eroute will be put in place to
91 prevent subsequent packets also triggering ACQUIRE messages.
92 +
94 %hold means that matches are to stored until the eroute is replaced
95 or until that eroute gets reaped
96 +
98 %pass means that matches are to allowed to pass without IPSEC
99 processing
100
102 1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0
103 () ()
105 means that 1,867 packets have been sent to an eroute that has been set
107 up to protect traffic between the subnet 172.31.252.0 with a subnet
108 mask of 24 bits and the default address/mask represented by an address
109 of 0.0.0.0 with a subnet mask of 0 bits using the local machine as a
110 security gateway on this end of the tunnel and the machine 192.168.43.1
111 on the other end of the tunnel with a Security Association IDentifier
112 of tun0x130@192.168.43.1 which means that it is a tunnel mode
113 connection (4, IPPROTO_IPIP) with a Security Parameters Index of 130 in
114 hexadecimal with no identies defined for either end.
115 746 192.168.2.110/32:0 -> 192.168.2.120/32:25 =>
117 esp0x130@192.168.2.120:6
118 () ()
120 means that 746 packets have been sent to an eroute that has been set up
122 to protect traffic sent from any port on the host 192.168.2.110 to the
123 SMTP (TCP, port 25) port on the host 192.168.2.120 with a Security
124 Association IDentifier of tun0x130@192.168.2.120 which means that it is
125 a transport mode connection with a Security Parameters Index of 130 in
126 hexadecimal with no identies defined for either end.
127 125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()
129 means that 125 packets have been sent to an eroute that has been set up
131 to protect traffic between the subnet 3049:1:: with a subnet mask of 64
132 bits and the default address/mask represented by an address of 0:0 with
133 a subnet mask of 0 bits using the local machine as a security gateway
134 on this end of the tunnel and the machine 3058:4::5 on the other end of
135 the tunnel with a Security Association IDentifier of tun:130@3058:4::5
136 which means that it is a tunnel mode connection with a Security
137 Parameters Index of 130 in hexadecimal with no identies defined for
138 either end.
139 42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough
141 means that 42 packets have been sent to an eroute that has been set up
143 to pass the traffic from the subnet 192.168.6.0 with a subnet mask of
144 24 bits and to subnet 192.168.7.0 with a subnet mask of 24 bits without
145 any IPSEC processing with no identies defined for either end.
146 2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()
148 means that 2112 packets have been sent to an eroute that has been set
150 up to hold the traffic from the host 192.168.8.55 and to host
151 192.168.9.47 until a key exchange from a Key Management daemon succeeds
152 and puts in an SA or fails and puts in a pass or drop eroute depending
153 on the default configuration with the local client defined as "east"
154 and no identy defined for the remote end.
155 2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 =>
157 esp0xe6de@192.168.2.120:0 () ()
159 means that 2001 packets have been sent to an eroute that has been set
161 up to protect traffic between the host 192.168.2.110 and the host
162 192.168.2.120 using 192.168.2.110 as a security gateway on this end of
163 the connection and the machine 192.168.2.120 on the other end of the
164 connection with a Security Association IDentifier of
165 esp0xe6de@192.168.2.120 which means that it is a transport mode
166 connection with a Security Parameters Index of e6de in hexadecimal
167 using Encapsuation Security Payload protocol (50, IPPROTO_ESP) with no
168 identies defined for either end.
169 1984 3049:1::110/128 -> 3049:1::120/128 =>
171 ah:f5ed@3049:1::120 () ()
173 means that 1984 packets have been sent to an eroute that has been set
175 up to authenticate traffic between the host 3049:1::110 and the host
176 3049:1::120 using 3049:1::110 as a security gateway on this end of the
177 connection and the machine 3049:1::120 on the other end of the
178 connection with a Security Association IDentifier of
179 ah:f5ed@3049:1::120 which means that it is a transport mode connection
180 with a Security Parameters Index of f5ed in hexadecimal using
181 Authentication Header protocol (51, IPPROTO_AH) with no identies
182 defined for either end.
183
185 /proc/net/ipsec_eroute, /usr/local/bin/ipsec
186
188 ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5),
189 ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8),
190 ipsec_version(5), ipsec_pf_key(5)
191
193 Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
194 Richard Guy Briggs.
195[FIXME: source] 10/06/2010 IPSEC_EROUTE(5)