1IPSEC_SPI(5) IPSEC_SPI(5)
2
6 ipsec_spi - list IPSEC Security Associations
7
9 ipsec spi
10 cat/proc/net/ipsec_spi
11
15 Note that eroute is only supported on the classic KLIPS stack. It is
16 not supported on any other stack and will be completely removed in fu‐
17 ture versions. A replacement command still needs to be designed
18
21 /proc/net/ipsec_spi is a read-only file that lists the current IPSEC
22 Security Associations. A Security Association (SA) is a transform
23 through which packet contents are to be processed before being forward‐
24 ed. A transform can be an IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation,
25 an IPSEC Authentication Header (authentication with no encryption), or
26 an IPSEC Encapsulation Security Payload (encryption, possibly including
27 authentication).
28 When a packet is passed from a higher networking layer through an IPSEC
31 virtual interface, a search in the extended routing table (see
32 ipsec_eroute(5)) yields a IP protocol number , a Security Parameters
33 Index (SPI) and an effective destination address When an IPSEC packet
34 arrives from the network, its ostensible destination, an SPI and an IP
35 protocol specified by its outermost IPSEC header are used. The destina‐
36 tion/SPI/protocol combination is used to select a relevant SA. (See
37 ipsec_spigrp(5) for discussion of how multiple transforms are com‐
38 bined.)
39 An spi , proto, daddr and address_family arguments specify an SAID.
42 Proto is an ASCII string, "ah", "esp", "comp" or "tun", specifying the
43 IP protocol. Spi is a number, preceded by '.' indicating hexadecimal
44 and IPv4 or by ':' indicating hexadecimal and IPv6, where each hexadec‐
45 imal digit represents 4 bits, between 0x100 and 0xffffffff; values from
46 0x0 to 0xff are reserved. Daddr is a dotted-decimal IPv4 destination
47 address or a coloned hex IPv6 destination address.
48 An SAID combines the three parameters above, such as: "tun.101@1.2.3.4"
51 for IPv4 or "tun:101@3049:1::1" for IPv6
52 A table entry consists of:
55 + SAID
58 + <transform name (proto,encalg,authalg)>:
61 + direction (dir=)
64 + source address (src=)
67 + source and destination addresses and masks for inner header pol‐
70 icy check addresses (policy=), as dotted-quads or coloned hex,
71 separated by '->', for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only
72 + initialisation vector length and value (iv_bits=, iv=) if
75 non-zero
76 + out-of-order window size, number of out-of-order errors, se‐
79 quence number, recently received packet bitmask, maximum differ‐
80 ence between sequence numbers (ooowin=, ooo_errs=, seq=, bit=,
81 max_seq_diff=) if SA is AH or ESP and if individual items are
82 non-zero
83 + extra flags (flags=) if any are set
86 + authenticator length in bits (alen=) if non-zero
89 + authentication key length in bits (aklen=) if non-zero
92 + authentication errors (auth_errs=) if non-zero
95 + encryption key length in bits (eklen=) if non-zero
98 + encryption size errors (encr_size_errs=) if non-zero
101 + encryption padding error warnings (encr_pad_errs=) if non-zero
104 + lifetimes legend, c=Current status, s=Soft limit when exceeded
107 will initiate rekeying, h=Hard limit will cause termination of
108 SA (life(c,s,h)=)
109 + number of connections to which the SA is allocated (c), that
112 will cause a rekey (s), that will cause an expiry (h) (alloc=),
113 if any value is non-zero
114 + number of bytes processesd by this SA (c), that will cause a
117 rekey (s), that will cause an expiry (h) (bytes=), if any value
118 is non-zero
119 + time since the SA was added (c), until rekey (s), until expiry
122 (h), in seconds (add=)
123 + time since the SA was first used (c), until rekey (s), until ex‐
126 piry (h), in seconds (used=), if any value is non-zero
127 + number of packets processesd by this SA (c), that will cause a
130 rekey (s), that will cause an expiry (h) (packets=), if any val‐
131 ue is non-zero
132 + time since the last packet was processed, in seconds (idle=), if
135 SA has been used
136 average compression ratio (ratio=)
138
141 tun.12a@192.168.43.1 IPIP: dir=out src=192.168.43.2
142 life(c,s,h)=bytes(14073,0,0)add(269,0,0) use(149,0,0)pack‐
143 ets(14,0,0) idle=23
144 is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between
147 machines 192.168.43.2 and 192.168.43.1 with an SPI of 12a in hexadeci‐
148 mal that has passed about 14 kilobytes of traffic in 14 packets since
149 it was created, 269 seconds ago, first used 149 seconds ago and has
150 been idle for 23 seconds.
151 esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5: dir=in
154 src=9a35fc02@3049:1::2 ooowin=32 seq=7149 bit=0xffffffff
155 alen=128 aklen=128 eklen=192
156 life(c,s,h)=bytes(1222304,0,0)add(4593,0,0) use(3858,0,0)pack‐
157 ets(7149,0,0) idle=23
158 is an inbound Encapsulating Security Payload (protocol 50) SA on ma‐
161 chine 3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryp‐
162 tion cipher, HMAC MD5 as the authentication algorithm, an out-of-order
163 window of 32 packets, a present sequence number of 7149, every one of
164 the last 32 sequence numbers was received, the authenticator length and
165 keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES
166 since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in
167 7149 packets, was added 4593 seconds ago, first used 3858 seconds ago
168 and has been idle for 23 seconds.
169
172 /proc/net/ipsec_spi, /usr/local/bin/ipsec
173
176 ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5), ipsec_spi‐
177 grp(5), ipsec_klipsdebug(5), ipsec_spi(8), ipsec_version(5),
178 ipsec_pf_key(5)
179
182 Written for the Linux FreeS/WAN project <http://www.freeswan.org/:
183 http://www.freeswan.org/> by Richard Guy Briggs.
184
187 The add and use times are awkward, displayed in seconds since machine
188 start. It would be better to display them in seconds before now for hu‐
189 man readability.
190 IPSEC_SPI(5)