IP-XFRM(8)                           Linux                          IP-XFRM(8)

NAME
       ip-xfrm - transform configuration

SYNOPSIS
       ip [ OPTIONS ] xfrm { COMMAND | help }

       ip xfrm XFRM-OBJECT { COMMAND | help }

       XFRM-OBJECT := state | policy | monitor

       ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ]
               [ mark MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ]
               [ replay-window SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ]
               [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ] [ flag FLAG-LIST ]
               [ sel SELECTOR ] [ LIMIT-LIST ] [ encap ENCAP ]
               [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ]
               [ output-mark OUTPUT-MARK [ mask MASK ] ] [ if_id IF-ID ]
               [ offload [ crypto | packet ] dev DEV dir DIR ] [ tfcpad LENGTH ]

       ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ]
               [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]

       ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]

       ip [ -4 | -6 ] xfrm state deleteall [ ID ] [ mode MODE ] [ reqid REQID ]
               [ flag FLAG-LIST ]

       ip [ -4 | -6 ] xfrm state list [ ID ] [ nokeys ] [ mode MODE ]
               [ reqid REQID ] [ flag FLAG-LIST ]

       ip xfrm state flush [ proto XFRM-PROTO ]

       ip xfrm state count

       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]

       XFRM-PROTO := esp | ah | comp | route2 | hao

       ALGO-LIST := [ ALGO-LIST ] ALGO

       ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |
               auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |
               aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |
               comp ALGO-NAME

       MODE := transport | tunnel | beet | ro | in_trigger

       FLAG-LIST := [ FLAG-LIST ] FLAG

       FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec |
               align4 | esn

       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UPSPEC ]

       UPSPEC := proto { PROTO |
               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |
               gre [ key { DOTTED-QUAD | NUMBER } ] }

       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT

       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS |
               { byte-soft | byte-hard } SIZE |
               { packet-soft | packet-hard } COUNT

       ENCAP := { espinudp | espinudp-nonike | espintcp } SPORT DPORT OADDR

       EXTRA-FLAG-LIST := [ EXTRA-FLAG-LIST ] EXTRA-FLAG

       EXTRA-FLAG := dont-encap-dscp | oseq-may-wrap

       ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ]
               [ mark MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ]
               [ action ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ]
               [ if_id IF-ID ] [ offload packet dev DEV ] [ LIMIT-LIST ]
               [ TMPL-LIST ]

       ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR
               [ ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]
               [ if_id IF-ID ]

       ip [ -4 | -6 ] xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ]
               [ dir DIR ] [ index INDEX ] [ ptype PTYPE ] [ action ACTION ]
               [ priority PRIORITY ] [ flag FLAG-LIST ]

       ip xfrm policy flush [ ptype PTYPE ]

       ip xfrm policy count

       ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]

       ip xfrm policy setdefault DIR ACTION [ DIR ACTION ] [ DIR ACTION ]

       ip xfrm policy getdefault

       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UPSPEC ]

       UPSPEC := proto { PROTO |
               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |
               gre [ key { DOTTED-QUAD | NUMBER } ] }

       DIR := in | out | fwd

       PTYPE := main | sub

       ACTION := allow | block

       FLAG-LIST := [ FLAG-LIST ] FLAG

       FLAG := localok | icmp

       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT

       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS |
               { byte-soft | byte-hard } SIZE |
               { packet-soft | packet-hard } COUNT

       TMPL-LIST := [ TMPL-LIST ] tmpl TMPL

       TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]

       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]

       XFRM-PROTO := esp | ah | comp | route2 | hao

       MODE := transport | tunnel | beet | ro | in_trigger

       LEVEL := required | use

       ip xfrm monitor [ all-nsid ] [ nokeys ] [ all | LISTofXFRM-OBJECTS ]

       LISTofXFRM-OBJECTS := [ LISTofXFRM-OBJECTS ] XFRM-OBJECT

       XFRM-OBJECT := acquire | expire | SA | policy | aevent | report

DESCRIPTION
       xfrm is an IP framework for transforming packets (such as encrypting
       their payloads). This framework is used to implement the IPsec protocol
       suite (with the state object operating on the Security Association
       Database, and the policy object operating on the Security Policy
       Database). It is also used for the IP Payload Compression Protocol and
       features of Mobile IPv6.

       ip xfrm state add        add new state into xfrm
       ip xfrm state update     update existing state in xfrm
       ip xfrm state allocspi   allocate an SPI value
       ip xfrm state delete     delete existing state in xfrm
       ip xfrm state get        get existing state in xfrm
       ip xfrm state deleteall  delete all existing state in xfrm
       ip xfrm state list       print out the list of existing state in xfrm
                                (with nokeys, the keying material is omitted
                                from the output)
       ip xfrm state flush      flush all state in xfrm
       ip xfrm state count      count all existing state in xfrm

       ID     is specified by a source address, destination address, transform
              protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For
              IP Payload Compression, the Compression Parameter Index or CPI
              is used for SPI.)

       XFRM-PROTO
              specifies a transform protocol: IPsec Encapsulating Security
              Payload (esp), IPsec Authentication Header (ah), IP Payload
              Compression (comp), Mobile IPv6 Type 2 Routing Header (route2),
              or Mobile IPv6 Home Address Option (hao).

       ALGO-LIST
              contains one or more algorithms to use. Each algorithm ALGO is
              specified by:

              • the algorithm type: encryption (enc), authentication (auth or
                auth-trunc), authenticated encryption with associated data
                (aead), or compression (comp)

              • the algorithm name ALGO-NAME (see below)

              • (for all except comp) the keying material ALGO-KEYMAT, given
                as a 0x-prefixed hexadecimal string or as a literal string,
                which may include both a key and a salt or nonce value; refer
                to the corresponding RFC (for rfc4106(gcm(aes)), for example,
                ALGO-KEYMAT is the AES key followed by the 4-byte salt, so 20
                bytes for AES-128)

              • (for auth-trunc only) the truncation length ALGO-TRUNC-LEN in
                bits

              • (for aead only) the Integrity Check Value length ALGO-ICV-LEN
                in bits

              Encryption algorithms include ecb(cipher_null), cbc(des),
              cbc(des3_ede), cbc(cast5), cbc(blowfish), cbc(aes),
              cbc(serpent), cbc(camellia), cbc(twofish), and
              rfc3686(ctr(aes)).

              Authentication algorithms include digest_null, hmac(md5),
              hmac(sha1), hmac(sha256), hmac(sha384), hmac(sha512),
              hmac(rmd160), and xcbc(aes).

              Authenticated encryption with associated data (AEAD) algorithms
              include rfc4106(gcm(aes)), rfc4309(ccm(aes)), and
              rfc4543(gcm(aes)).

              Compression algorithms include deflate, lzs, and lzjh.

              Note that ecb(cipher_null) and digest_null provide no
              confidentiality or integrity at all; they exist for testing and
              interoperability, not for protecting traffic.

       MODE   specifies a mode of operation for the transform protocol. IPsec
              and IP Payload Compression modes are transport, tunnel, and (for
              IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6
              modes are route optimization (ro) and inbound trigger
              (in_trigger).

       FLAG-LIST
              contains one or more of the following optional flags: noecn,
              decap-dscp, nopmtudisc, wildrecv, icmp, af-unspec, align4, or
              esn.
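       A check against the Security Association Database that a practitioner
       would run after reading the algorithm and flag lists above, as an added
       example script (not part of iproute2 or of this manual page): it reads
       the output of ip xfrm state list nokeys and reports, per state, any
       algorithm from the lists that gives no real protection (ecb(cipher_null),
       digest_null, cbc(des), cbc(des3_ede), hmac(md5)), a replay-window of 0
       (anti-replay disabled) and a missing esn flag. The embedded sample
       listing is constructed in the shape of that output with invented
       addresses and SPIs; the live SAD is read only when XFRM_LIVE=1 is set,
       since dumping it needs CAP_NET_ADMIN.

```shell
#!/bin/sh
# Audit the SAD as printed by 'ip xfrm state list nokeys'.
# Added example, not iproute2 code.

# audit_sad: read an SA listing on stdin, print one line per SA ending in
# "ok" or in the findings: weak-algo, no-replay-protection, no-esn.
audit_sad() {
    awk '
    function report() {
        if (sa == "") return
        bad = ""
        # Null, DES, 3DES and MD5 transforms give no usable protection.
        if (algos ~ /cipher_null|digest_null|cbc\(des\)|des3_ede|hmac\(md5\)/)
            bad = bad " weak-algo"
        # replay-window 0 disables the anti-replay check entirely.
        if (rw == 0) bad = bad " no-replay-protection"
        # Without ESN the 32-bit sequence number must never wrap (RFC 4303).
        if (flags !~ /esn/) bad = bad " no-esn"
        printf "%s%s\n", sa, (bad == "" ? " ok" : bad)
    }
    /^src / { report(); sa = $0; algos = ""; rw = -1; flags = ""; next }
    $1 == "proto"         { sa = sa " proto " $2 " spi " $4 }
    $1 == "replay-window" { rw = $2 + 0; flags = $0 }
    $1 ~ /^(enc|auth|auth-trunc|aead|comp)$/ { algos = algos " " $2 }
    END { report() }
    '
}

# count_findings: number of SAs with at least one finding.
count_findings() {
    audit_sad | grep -vc ' ok$' || true
}

# sample_sad: a constructed listing in the shape of 'ip xfrm state list
# nokeys' output; addresses, SPIs and reqids are invented for this example.
sample_sad() {
    cat <<'EOF'
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x00001001 reqid 1 mode transport
    replay-window 128 flag esn
    aead rfc4106(gcm(aes)) 128
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 198.51.100.7 dst 198.51.100.9
    proto esp spi 0x00000200 reqid 2 mode tunnel
    replay-window 0
    auth-trunc hmac(md5) 96
    enc cbc(des3_ede)
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 203.0.113.4 dst 203.0.113.5
    proto ah spi 0x00000300 reqid 3 mode transport
    replay-window 32
    auth-trunc hmac(sha256) 128
    sel src 0.0.0.0/0 dst 0.0.0.0/0
EOF
}

# Audit the live SAD only on request (needs CAP_NET_ADMIN); otherwise the sample.
if [ "${XFRM_LIVE:-0}" = 1 ]; then
    ip xfrm state list nokeys | audit_sad
else
    sample_sad | audit_sad
fi
```

       On the sample the first state is reported ok, the second as weak-algo
       no-replay-protection no-esn, and the third as no-esn. The parser keys
       only on the first two tokens of each algorithm line and on the first
       number of the replay-window line, so it does not depend on whether keys
       or statistics are shown.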
       SELECTOR
              selects the traffic that will be controlled by the policy, based
              on the source address, the destination address, the network
              device, and/or UPSPEC.

       UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
              protocols, the source and destination port can optionally be
              specified. For the icmp, ipv6-icmp, or mobility-header
              protocols, the type and code numbers can optionally be
              specified. For the gre protocol, the key can optionally be
              specified as a dotted-quad or number. Other protocols can be
              selected by name or number PROTO.

       LIMIT-LIST
              sets limits in seconds, bytes, or numbers of packets. Reaching a
              soft limit generates an expire event (the hook for rekeying);
              reaching a hard limit expires the state, after which it is
              deleted.

       ENCAP  encapsulates packets with protocol espinudp, espinudp-nonike, or
              espintcp, using source port SPORT, destination port DPORT, and
              original address OADDR.

       MARK   is a mark (with an optional mask) used to match xfrm policies
              and states.

       OUTPUT-MARK
              is used to set the output mark to influence the routing of the
              packets emitted by the state.

       IF-ID  is the xfrm interface identifier used in both xfrm policies and
              states.

       DEV    is the network interface name used to offload policies and
              states.

       ip xfrm policy add       add a new policy
       ip xfrm policy update    update an existing policy
       ip xfrm policy delete    delete an existing policy
       ip xfrm policy get       get an existing policy
       ip xfrm policy deleteall delete all existing xfrm policies
       ip xfrm policy list      print out the list of xfrm policies
       ip xfrm policy flush     flush policies

       nosock filters (removes) all socket policies from the output.

       SELECTOR
              selects the traffic that will be controlled by the policy, based
              on the source address, the destination address, the network
              device, and/or UPSPEC.

       UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
              protocols, the source and destination port can optionally be
              specified. For the icmp, ipv6-icmp, or mobility-header
              protocols, the type and code numbers can optionally be
              specified. For the gre protocol, the key can optionally be
              specified as a dotted-quad or number. Other protocols can be
              selected by name or number PROTO.

       DIR    selects the policy direction as in, out, or fwd.

       CTX    sets the security context.

       PTYPE  can be main (default) or sub.

       ACTION can be allow (default) or block.

       PRIORITY
              is a number that defaults to zero; when several policies match
              a packet, the one with the lowest priority value is preferred.

       FLAG-LIST
              contains one or both of the following optional flags: localok
              or icmp.

       LIMIT-LIST
              sets limits in seconds, bytes, or numbers of packets.

       TMPL-LIST
              is a template list specified using ID, MODE, REQID, and/or
              LEVEL.

       ID     is specified by a source address, destination address, transform
              protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For
              IP Payload Compression, the Compression Parameter Index or CPI
              is used for SPI.)

       XFRM-PROTO
              specifies a transform protocol: IPsec Encapsulating Security
              Payload (esp), IPsec Authentication Header (ah), IP Payload
              Compression (comp), Mobile IPv6 Type 2 Routing Header (route2),
              or Mobile IPv6 Home Address Option (hao).

       MODE   specifies a mode of operation for the transform protocol. IPsec
              and IP Payload Compression modes are transport, tunnel, and (for
              IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6
              modes are route optimization (ro) and inbound trigger
              (in_trigger).

       LEVEL  can be required (default) or use. With required, matching
              traffic must be transformed by a matching state; with use, the
              transform is applied when a matching state exists and the
              traffic passes untransformed otherwise.
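       A complete manual-keyed setup that ties the state and policy objects
       above together, as an added example script (not part of iproute2 or of
       this manual page): two ESP states with aead rfc4106(gcm(aes)) in
       transport mode, ESN with a 128-packet replay window and soft/hard
       lifetimes, plus the out and in policies whose templates are bound to
       the states by reqid. The addresses 192.0.2.1 and 192.0.2.2, the SPIs
       0x1001 and 0x1002 and reqid 1 are placeholders. The script prints the
       commands and only applies them when XFRM_APPLY=1 is set (which needs
       CAP_NET_ADMIN). The peer runs the same commands with src and dst and
       the two SPIs swapped and the same keys, and the keys must reach it over
       a channel that is already protected; ip xfrm state list prints them
       back unless nokeys is given.

```shell
#!/bin/sh
# Manual-keyed ESP between two hosts with ip xfrm: AES-128-GCM
# (aead rfc4106(gcm(aes))), transport mode, ESN, 128-packet replay window,
# byte and time lifetimes, and the matching out/in policies.
# Added example, not iproute2 code.  Addresses, SPIs and reqid are placeholders.

# gen_keymat BYTES: BYTES random bytes as a 0x-prefixed hex string.
gen_keymat() {
    printf '0x%s' "$(head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# state_add_cmd SRC DST SPI REQID KEYMAT: the 'ip xfrm state add' line for
# one direction.  For rfc4106(gcm(aes)) KEYMAT is key || 4-byte salt
# (RFC 4106), so 20 bytes for AES-128; the ICV is 128 bits.  'flag esn'
# gives 64-bit extended sequence numbers so the counter cannot wrap, and
# the limits retire the SA before it is overused.
state_add_cmd() {
    printf 'ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode transport' "$1" "$2" "$3" "$4"
    printf ' aead "rfc4106(gcm(aes))" %s 128 flag esn replay-window 128' "$5"
    printf ' limit byte-soft 1000000000 limit byte-hard 1100000000'
    printf ' limit time-soft 3000 limit time-hard 3600\n'
}

# policy_add_cmd SRC DST DIR REQID: require ESP (level required) for the
# selector SRC->DST in direction DIR; the template is bound to the SA by
# reqid, so a stray SA with the same addresses is not used by mistake.
policy_add_cmd() {
    printf 'ip xfrm policy add src %s dst %s dir %s tmpl proto esp reqid %s mode transport level required\n' "$1" "$2" "$3" "$4"
}

# ipsec_plan LOCAL REMOTE SPI_OUT SPI_IN REQID: print the four commands for
# this host.  Each direction gets its own SA, SPI and key; the peer uses the
# same keys with src/dst and the SPIs swapped.
ipsec_plan() {
    lo=$1; re=$2; spi_out=$3; spi_in=$4; reqid=$5
    key_out=$(gen_keymat 20)
    key_in=$(gen_keymat 20)
    state_add_cmd "$lo" "$re" "$spi_out" "$reqid" "$key_out"
    state_add_cmd "$re" "$lo" "$spi_in"  "$reqid" "$key_in"
    policy_add_cmd "$lo" "$re" out "$reqid"
    policy_add_cmd "$re" "$lo" in  "$reqid"
}

# Print the plan; apply it only when explicitly asked (needs CAP_NET_ADMIN).
if [ "${XFRM_APPLY:-0}" = 1 ]; then
    ipsec_plan 192.0.2.1 192.0.2.2 0x1001 0x1002 1 | sh -e
else
    ipsec_plan 192.0.2.1 192.0.2.2 0x1001 0x1002 1
fi
```

       Transport mode needs no fwd policy and no addresses in the template;
       for tunnel mode the template would carry the tunnel endpoints as src
       and dst and mode tunnel, and a fwd policy is needed on a gateway. The
       generated keys appear in the printed commands and in the shell history
       of whoever pastes them, which is one reason manual keying is normally
       left to IKE.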

       ip xfrm policy count     count existing policies

       Use one or more -s options to display more details, including policy
       hash table information.

       ip xfrm policy set       configure the policy hash table

       Security policies whose address prefix lengths are greater than or
       equal to the policy hash table thresholds are hashed. Others are
       stored in the policy_inexact chained list.

       LBITS  specifies the minimum local address prefix length of policies
              that are stored in the Security Policy Database hash table.

       RBITS  specifies the minimum remote address prefix length of policies
              that are stored in the Security Policy Database hash table.

       ip xfrm monitor          state monitoring for xfrm objects

       The xfrm objects to monitor can be optionally specified.

       If the all-nsid option is set, the program listens to all network
       namespaces that have an nsid assigned in the network namespace where
       the program is running. A prefix is displayed to show the network
       namespace where the message originates. Example:

              [nsid 1]Flushed state proto 0

AUTHOR
       Manpage revised by David Ward <david.ward@ll.mit.edu>
       Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
       Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>

iproute2                          20 Dec 2011                        IP-XFRM(8)