1IP-XFRM(8) Linux IP-XFRM(8)
2
3
4
6 ip-xfrm - transform configuration
7
9 ip [ OPTIONS ] xfrm { COMMAND | help }
10
11
12 ip xfrm XFRM-OBJECT { COMMAND | help }
13
14
15 XFRM-OBJECT := state | policy | monitor
16
17
18 ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark
19 MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ]
20 [ replay-window SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ]
21 [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ] [ flag FLAG-LIST ]
22 [ sel SELECTOR ] [ LIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ]
23 [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ] [ output-mark OUTPUT-MARK
24 [ mask MASK ] ] [ if_id IF-ID ] [ tfcpad LENGTH ]
25
26 ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ] [
27 reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]
28
29 ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]
30
31 ip [ -4 | -6 ] xfrm state deleteall [ ID ] [ mode MODE ] [ reqid REQID
32 ] [ flag FLAG-LIST ]
33
34 ip [ -4 | -6 ] xfrm state list [ ID ] [ nokeys ] [ mode MODE ] [ reqid
35 REQID ] [ flag FLAG-LIST ]
36
37 ip xfrm state flush [ proto XFRM-PROTO ]
38
39 ip xfrm state count
40
41 ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
42
43 XFRM-PROTO := esp | ah | comp | route2 | hao
44
45 ALGO-LIST := [ ALGO-LIST ] ALGO
46
47 ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |
48 auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |
49 aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |
50 comp ALGO-NAME
51
52 MODE := transport | tunnel | beet | ro | in_trigger
53
54 FLAG-LIST := [ FLAG-LIST ] FLAG
55
56 FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec |
57 align4 | esn
58
59 SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]
60 [ UPSPEC ]
61
62 UPSPEC := proto { PROTO |
63 { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
64 { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
65 NUMBER ] |
66 gre [ key { DOTTED-QUAD | NUMBER } ] }
67
68 LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
69
70 LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard }
71 SECONDS |
72 { byte-soft | byte-hard } SIZE |
73 { packet-soft | packet-hard } COUNT
74
75 ENCAP := { espinudp | espinudp-nonike | espintcp } SPORT DPORT OADDR
76
77 EXTRA-FLAG-LIST := [ EXTRA-FLAG-LIST ] EXTRA-FLAG
78
79 EXTRA-FLAG := dont-encap-dscp | oseq-may-wrap
80
81 ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ] [ mark
82 MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ] [ action
83 ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ] [ if_id IF-ID
84 ] [ LIMIT-LIST ] [ TMPL-LIST ]
85
86 ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR [
87 ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ] [ if_id
88 IF-ID ]
89
90 ip [ -4 | -6 ] xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ]
91 [ dir DIR ] [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [
92 priority PRIORITY ] [ flag FLAG-LIST ]
93
94 ip xfrm policy flush [ ptype PTYPE ]
95
96 ip xfrm policy count
97
98 ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]
99
100 ip xfrm policy setdefault DIR ACTION [ DIR ACTION ] [ DIR ACTION ]
101
102 ip xfrm policy getdefault
103
104 SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]
105 [ UPSPEC ]
106
107 UPSPEC := proto { PROTO |
108 { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
109 { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
110 NUMBER ] |
111 gre [ key { DOTTED-QUAD | NUMBER } ] }
112
113 DIR := in | out | fwd
114
115 PTYPE := main | sub
116
117 ACTION := allow | block
118
119 FLAG-LIST := [ FLAG-LIST ] FLAG
120
121 FLAG := localok | icmp
122
123 LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
124
125 LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard }
126 SECONDS |
127 { byte-soft | byte-hard } SIZE |
128 { packet-soft | packet-hard } COUNT
129
130 TMPL-LIST := [ TMPL-LIST ] tmpl TMPL
131
132 TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]
133
134 ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
135
136 XFRM-PROTO := esp | ah | comp | route2 | hao
137
138 MODE := transport | tunnel | beet | ro | in_trigger
139
140 LEVEL := required | use
141
142 ip xfrm monitor [ all-nsid ] [ nokeys ] [ all
143 | LISTofXFRM-OBJECTS ]
144
145 LISTofXFRM-OBJECTS := [ LISTofXFRM-OBJECTS ] XFRM-OBJECT
146
147 XFRM-OBJECT := acquire | expire | SA | policy | aevent | report
148
149
150
152 xfrm is an IP framework for transforming packets (such as encrypting
153 their payloads). This framework is used to implement the IPsec protocol
154 suite (with the state object operating on the Security Association
155 Database, and the policy object operating on the Security Policy
156 Database). It is also used for the IP Payload Compression Protocol and
157 features of Mobile IPv6.
158
159
160 ip xfrm state add add new state into xfrm
161 ip xfrm state update update existing state in xfrm
162 ip xfrm state allocspi allocate an SPI value
163 ip xfrm state delete delete existing state in xfrm
164 ip xfrm state get get existing state in xfrm
165 ip xfrm state deleteall delete all existing state in xfrm
166 ip xfrm state list print out the list of existing state in xfrm (the output includes keying material unless nokeys is given)
167 ip xfrm state flush flush all state in xfrm
168 ip xfrm state count count all existing state in xfrm
169
170
171 ID is specified by a source address, destination address, transform
172 protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For
173 IP Payload Compression, the Compression Parameter Index or CPI
174 is used for SPI.)
175
176
177 XFRM-PROTO
178 specifies a transform protocol: IPsec Encapsulating Security
179 Payload (esp), IPsec Authentication Header (ah), IP Payload
180 Compression (comp), Mobile IPv6 Type 2 Routing Header (route2), or
181 Mobile IPv6 Home Address Option (hao).
182
183
184 ALGO-LIST
185 contains one or more algorithms to use. Each algorithm ALGO is
186 specified by:
187
188 • the algorithm type: encryption (enc), authentication
189 (auth or auth-trunc), authenticated encryption with
190 associated data (aead), or compression (comp)
191
192 • the algorithm name ALGO-NAME (see below)
193
194 • (for all except comp) the keying material ALGO-KEYMAT,
195 which may include both a key and a salt or nonce value;
196 refer to the corresponding RFC. Keying material passed on the command line is visible to other local users (for example in process listings) and may be recorded in shell history.
197
198 • (for auth-trunc only) the truncation length
199 ALGO-TRUNC-LEN in bits
200
201 • (for aead only) the Integrity Check Value length
202 ALGO-ICV-LEN in bits
203
204 Encryption algorithms include ecb(cipher_null), cbc(des),
205 cbc(des3_ede), cbc(cast5), cbc(blowfish), cbc(aes),
206 cbc(serpent), cbc(camellia), cbc(twofish), and
207 rfc3686(ctr(aes)). Note that ecb(cipher_null) provides no confidentiality and cbc(des) uses a 56-bit key that is considered insecure; both are listed for compatibility and testing only.
208
209 Authentication algorithms include digest_null, hmac(md5),
210 hmac(sha1), hmac(sha256), hmac(sha384), hmac(sha512),
211 hmac(rmd160), and xcbc(aes). Note that digest_null provides no integrity protection.
212
213 Authenticated encryption with associated data (AEAD) algorithms
214 include rfc4106(gcm(aes)), rfc4309(ccm(aes)), and
215 rfc4543(gcm(aes)).
216
217 Compression algorithms include deflate, lzs, and lzjh.
218
219
220 MODE specifies a mode of operation for the transform protocol. IPsec
221 and IP Payload Compression modes are transport, tunnel, and (for
222 IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6
223 modes are route optimization (ro) and inbound trigger
224 (in_trigger).
225
226
227 FLAG-LIST
228 contains one or more of the following optional flags: noecn,
229 decap-dscp, nopmtudisc, wildrecv, icmp, af-unspec, align4, or esn.
230
231
232 SELECTOR
233 selects the traffic that will be controlled by the policy, based
234 on the source address, the destination address, the network
235 device, and/or UPSPEC.
236
237
238 UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
239 protocols, the source and destination port can optionally be
240 specified. For the icmp, ipv6-icmp, or mobility-header
241 protocols, the type and code numbers can optionally be specified.
242 For the gre protocol, the key can optionally be specified as a
243 dotted-quad or number. Other protocols can be selected by name
244 or number PROTO.
245
246
247 LIMIT-LIST
248 sets limits in seconds, bytes, or numbers of packets.
249
250
251 ENCAP encapsulates packets with protocol espinudp, espinudp-nonike, or
252 espintcp, using source port SPORT, destination port DPORT, and
253 original address OADDR.
254
255
256 MARK is a mark value (optionally combined with a mask) used to match xfrm policies and states.
257
258
259 OUTPUT-MARK
260 is used to set the output mark that influences the routing of the
261 packets emitted by the state.
262
263
264 IF-ID is the xfrm interface identifier used in both xfrm policies and
265 states.
266
267
268
269 ip xfrm policy add add a new policy
270 ip xfrm policy update update an existing policy
271 ip xfrm policy delete delete an existing policy
272 ip xfrm policy get get an existing policy
273 ip xfrm policy deleteall delete all existing xfrm policies
274 ip xfrm policy list print out the list of xfrm policies
275 ip xfrm policy flush flush policies
276
277
278 nosock filter (remove) all socket policies from the output.
279
280
281 SELECTOR
282 selects the traffic that will be controlled by the policy, based
283 on the source address, the destination address, the network
284 device, and/or UPSPEC.
285
286
287 UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
288 protocols, the source and destination port can optionally be
289 specified. For the icmp, ipv6-icmp, or mobility-header
290 protocols, the type and code numbers can optionally be specified.
291 For the gre protocol, the key can optionally be specified as a
292 dotted-quad or number. Other protocols can be selected by name
293 or number PROTO.
294
295
296 DIR selects the policy direction as in, out, or fwd.
297
298
299 CTX sets the security context.
300
301
302 PTYPE can be main (default) or sub.
303
304
305 ACTION can be allow (default) or block.
306
307
308 PRIORITY
309 is a number that defaults to zero.
310
311
312 FLAG-LIST
313 contains one or both of the following optional flags: localok or
314 icmp.
315
316
317 LIMIT-LIST
318 sets limits in seconds, bytes, or numbers of packets.
319
320
321 TMPL-LIST
322 is a template list specified using ID, MODE, REQID, and/or
323 LEVEL.
324
325
326 ID is specified by a source address, destination address, transform
327 protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For
328 IP Payload Compression, the Compression Parameter Index or CPI
329 is used for SPI.)
330
331
332 XFRM-PROTO
333 specifies a transform protocol: IPsec Encapsulating Security
334 Payload (esp), IPsec Authentication Header (ah), IP Payload
335 Compression (comp), Mobile IPv6 Type 2 Routing Header (route2), or
336 Mobile IPv6 Home Address Option (hao).
337
338
339 MODE specifies a mode of operation for the transform protocol. IPsec
340 and IP Payload Compression modes are transport, tunnel, and (for
341 IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6
342 modes are route optimization (ro) and inbound trigger
343 (in_trigger).
344
345
346 LEVEL can be required (default) or use. With required, matching traffic is only passed when a state satisfying the template exists; with use, the template is applied when such a state exists but traffic is not blocked when it does not.
347
348
349
350 ip xfrm policy count count existing policies
351
352
353 Use one or more -s options to display more details, including policy
354 hash table information.
355
356
357
358 ip xfrm policy set configure the policy hash table
359
360
361 Security policies whose address prefix lengths are greater than or
362 equal to the policy hash table thresholds are hashed. Others are stored
363 in the policy_inexact chained list.
364
365
366 LBITS specifies the minimum local address prefix length of policies
367 that are stored in the Security Policy Database hash table.
368
369
370 RBITS specifies the minimum remote address prefix length of policies
371 that are stored in the Security Policy Database hash table.
372
373
374
375 ip xfrm monitor state monitoring for xfrm objects
376
377
378 The xfrm objects to monitor can be optionally specified.
379
380
381 If the all-nsid option is set, the program listens to all network
382 namespaces that have an nsid assigned in the network namespace where the
383 program is running. A prefix is displayed to show the network
384 namespace where the message originates. Example:
385
386 [nsid 1]Flushed state proto 0
387
388
389
391 Manpage revised by David Ward <david.ward@ll.mit.edu>
392 Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
393 Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>
394
395
396
397iproute2 20 Dec 2011 IP-XFRM(8)