1IPSEC_SPIGRP(5)                 [FIXME: manual]                IPSEC_SPIGRP(5)
2
3
4

NAME

6       ipsec_spigrp - list IPSEC Security Association groupings
7

SYNOPSIS

9       ipsec spigrp
10             cat/proc/net/ipsec_spigrp
11
12

OBSOLETE

14       Note that spigrp is only supported on the classic KLIPS stack. It is
15       not supported on any other stack and will be completely removed in
16       future versions. A replacement command still needs to be designed
17

DESCRIPTION

19       /proc/net/ipsec_spigrp is a read-only file that lists groups of IPSEC
20       Security Associations (SAs).
21
22       An entry in the IPSEC extended routing table can only point (via an
23       SAID) to one SA. If more than one transform must be applied to a given
24       type of packet, this can be accomplished by setting up several SAs with
25       the same destination address but potentially different SPIs and
26       protocols, and grouping them with ipsec_spigrp(8).
27
28       The SA groups are listed, one line per connection/group, as a sequence
29       of SAs to be applied (or that should have been applied, in the case of
30       an incoming packet) from inside to outside the packet. An SA is
31       identified by its SAID, which consists of protocol ("ah", "esp", "comp"
32       or "tun"), SPI (with ´.´ for IPv4 or ´:´ for IPv6 prefixed hexadecimal
33       number ) and destination address (IPv4 dotted quad or IPv6 coloned hex)
34       prefixed by ´@´, in the format <proto><af><spi>@<dest>.
35

EXAMPLES

37       tun.3d0@192.168.2.110
38           comp.3d0@192.168.2.110 esp.187a101b@192.168.2.110
39           ah.187a101a@192.168.2.110
40
41       is a group of 3 SAs, destined for 192.168.2.110 with an IPv4-in-IPv4
42       tunnel SA applied first with an SPI of 3d0 in hexadecimal, followed by
43       a Deflate compression header to compress the packet with CPI of 3d0 in
44       hexadecimal, followed by an Encapsulating Security Payload header to
45       encrypt the packet with SPI 187a101b in hexadecimal, followed by an
46       Authentication Header to authenticate the packet with SPI 187a101a in
47       hexadecimal, applied from inside to outside the packet. This could be
48       an incoming or outgoing group, depending on the address of the local
49       machine.
50
51       tun:3d0@3049:1::2
52           comp:3d0@3049:1::2 esp:187a101b@3049:1::2 ah:187a101a@3049:1::2
53
54       is a group of 3 SAs, destined for 3049:1::2 with an IPv6-in-IPv6 tunnel
55       SA applied first with an SPI of 3d0 in hexadecimal, followed by a
56       Deflate compression header to compress the packet with CPI of 3d0 in
57       hexadecimal, followed by an Encapsulating Security Payload header to
58       encrypt the packet with SPI 187a101b in hexadecimal, followed by an
59       Authentication Header to authenticate the packet with SPI 187a101a in
60       hexadecimal, applied from inside to outside the packet. This could be
61       an incoming or outgoing group, depending on the address of the local
62       machine.
63

FILES

65       /proc/net/ipsec_spigrp, /usr/local/bin/ipsec
66

SEE ALSO

68       ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),
69       ipsec_spi(5), ipsec_klipsdebug(5), ipsec_spigrp(8), ipsec_version(5),
70       ipsec_pf_key(5)
71

HISTORY

73       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
74       Richard Guy Briggs.
75

BUGS

77       :-)
78
79
80
81[FIXME: source]                   10/06/2010                   IPSEC_SPIGRP(5)
Impressum