IPSEC_EROUTE(5)               Executable programs              IPSEC_EROUTE(5)

NAME

       ipsec_eroute - list of existing eroutes

SYNOPSIS

       ipsec eroute
             cat /proc/net/ipsec_eroute

OBSOLETE

       Note that eroute is only supported on the classic KLIPS stack. It is
       not supported on any other stack and will be completely removed in
       future versions. On the mast stack, use ipsec policy; on the netkey
       stack, use ip xfrm.

DESCRIPTION

       /proc/net/ipsec_eroute lists the IPSEC extended routing tables, which
       control what (if any) processing is applied to non-encrypted packets
       arriving for IPSEC processing and forwarding. At this point it is a
       read-only file.

       A table entry consists of:

       +   packet count,

       +   source address with mask and source port (0 if all ports or not
           applicable),

       +   a '->' separator for visual and automated parsing between src and
           dst,

       +   destination address with mask and destination port (0 if all ports
           or not applicable),

       +   a '=>' separator for visual and automated parsing between selection
           criteria and SAID to use,

       +   SAID (Security Association IDentifier), comprised of:

           +   protocol (proto),

           +   address family (af), where '.' stands for IPv4 and ':' for
               IPv6,

           +   Security Parameters Index (SPI),

           +   effective destination (edst), where the packet should be
               forwarded after processing (normally the other security
               gateway);

           together these indicate which Security Association should be used
           to process the packet,

       +   a ':' separating the SAID from the transport protocol (0 if all
           protocols),

       +   source identity text string with no whitespace, in parens,

       +   destination identity text string with no whitespace, in parens.

       Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
       protocol is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
       hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':'
       is for IPv6.

       SAIDs are written as "protoafSPI@edst". There are also 5 "magic" SAIDs
       which have special meaning:

       +   %drop means that matches are to be dropped,

       +   %reject means that matches are to be dropped and an ICMP message
           returned, if possible, to inform the sender,

       +   %trap means that matches are to trigger an ACQUIRE message to the
           Key Management daemon(s), and a hold eroute will be put in place to
           prevent subsequent packets also triggering ACQUIRE messages,

       +   %hold means that matches are to be stored until the eroute is
           replaced or until that eroute gets reaped,

       +   %pass means that matches are to be allowed to pass without IPSEC
           processing.


EXAMPLES

       1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 () ()

       means that 1,867 packets have been sent to an eroute that has been set
       up to protect traffic between the subnet 172.31.252.0 with a subnet
       mask of 24 bits and the default address/mask represented by an address
       of 0.0.0.0 with a subnet mask of 0 bits, using the local machine as a
       security gateway on this end of the tunnel and the machine 192.168.43.1
       on the other end of the tunnel, with a Security Association IDentifier
       of tun0x130@192.168.43.1, which means that it is a tunnel mode
       connection (4, IPPROTO_IPIP) with a Security Parameters Index of 130 in
       hexadecimal, with no identities defined for either end.

       746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 () ()

       means that 746 packets have been sent to an eroute that has been set up
       to protect traffic sent from any port on the host 192.168.2.110 to the
       SMTP (TCP, port 25) port on the host 192.168.2.120, with a Security
       Association IDentifier of esp0x130@192.168.2.120, which means that it
       is a transport mode connection with a Security Parameters Index of 130
       in hexadecimal, with no identities defined for either end.

       125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()

       means that 125 packets have been sent to an eroute that has been set up
       to protect traffic between the subnet 3049:1:: with a subnet mask of 64
       bits and the default address/mask represented by an address of 0:0 with
       a subnet mask of 0 bits, using the local machine as a security gateway
       on this end of the tunnel and the machine 3058:4::5 on the other end of
       the tunnel, with a Security Association IDentifier of tun:130@3058:4::5,
       which means that it is a tunnel mode connection with a Security
       Parameters Index of 130 in hexadecimal, with no identities defined for
       either end.

       42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough

       means that 42 packets have been sent to an eroute that has been set up
       to pass the traffic from the subnet 192.168.6.0 with a subnet mask of
       24 bits to the subnet 192.168.7.0 with a subnet mask of 24 bits without
       any IPSEC processing, with no identities defined for either end.

       2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()

       means that 2112 packets have been sent to an eroute that has been set
       up to hold the traffic from the host 192.168.8.55 to the host
       192.168.9.47 until a key exchange from a Key Management daemon either
       succeeds and puts in an SA, or fails and puts in a pass or drop eroute
       depending on the default configuration, with the local client defined
       as "east" and no identity defined for the remote end.

       2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => esp0xe6de@192.168.2.120:0 () ()

       means that 2001 packets have been sent to an eroute that has been set
       up to protect traffic between the host 192.168.2.110 and the host
       192.168.2.120, using 192.168.2.110 as a security gateway on this end of
       the connection and the machine 192.168.2.120 on the other end of the
       connection, with a Security Association IDentifier of
       esp0xe6de@192.168.2.120, which means that it is a transport mode
       connection with a Security Parameters Index of e6de in hexadecimal
       using the Encapsulating Security Payload protocol (50, IPPROTO_ESP),
       with no identities defined for either end.

       1984 3049:1::110/128 -> 3049:1::120/128 => ah:f5ed@3049:1::120 () ()

       means that 1984 packets have been sent to an eroute that has been set
       up to authenticate traffic between the host 3049:1::110 and the host
       3049:1::120, using 3049:1::110 as a security gateway on this end of the
       connection and the machine 3049:1::120 on the other end of the
       connection, with a Security Association IDentifier of
       ah:f5ed@3049:1::120, which means that it is a transport mode connection
       with a Security Parameters Index of f5ed in hexadecimal using the
       Authentication Header protocol (51, IPPROTO_AH), with no identities
       defined for either end.

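       The record format described in DESCRIPTION, parsed over the example
       records above, as an added example. This is Python written for this
       page, not code from libreswan or the FreeS/WAN project. It reads the
       seven example records (embedded below as constructed input, two of them
       wrapped across lines exactly as the page prints them), accepts the '.'
       and '0x' IPv4 and ':' IPv6 SPI prefixes, the optional ports and
       transport protocol, and the magic SAIDs, and lists the entries whose
       matches receive no Security Association. Assumptions not taken from the
       page: the joining of wrapped continuation lines, the reading of the
       IPv6 any-address "0:0" as "::", the handling of a trailing ':proto'
       after an IPv6 edst (ambiguous in this format), and "%passthrough"
       accepted as a magic SAID because the fourth example prints it.

```python
"""Parse /proc/net/ipsec_eroute (KLIPS extended routing table) records."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Magic SAIDs from the man page, plus "%passthrough" as printed in its example.
MAGIC_SAIDS = {"%drop", "%reject", "%trap", "%hold", "%pass", "%passthrough"}
# <count> <src>/<mask>[:<port>] -> <dst>/<mask>[:<port>] => <said>[:<proto>] [(<srcid>) (<dstid>)]
LINE_RE = re.compile(
    r"^(?P<count>\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+=>\s+(?P<said>\S+)"
    r"(?:\s+\((?P<srcid>[^)\s]*)\)\s+\((?P<dstid>[^)\s]*)\))?$"
)
# <proto><af><SPI>@<edst>; af is "." or "0x" for IPv4 (the examples print "0x") and ":" for IPv6.
SAID_RE = re.compile(r"^(?P<proto>ah|esp|comp|tun)(?P<af>0x|\.|:)(?P<spi>[0-9a-fA-F]+)@(?P<rest>\S+)$")


@dataclass
class Eroute:
    packets: int
    src: tuple  # (network, port); port None = none printed, 0 = all ports
    dst: tuple
    magic: Optional[str]  # "%drop", "%hold", ...; None when a real SA is named
    proto: Optional[str]  # "ah", "esp", "comp" or "tun"
    spi: Optional[int]
    edst: Optional["ipaddress.IPv4Address | ipaddress.IPv6Address"]
    transport: Optional[int]  # protocol after the SAID's ':'; 0 = all, None if absent
    src_id: str
    dst_id: str


def _network(addr: str, mask: str):
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        # Assumption: KLIPS abbreviates the IPv6 any-address as "0:0" (third example); ipaddress wants "::".
        if ":" in addr and set(addr) <= set("0:"):
            return ipaddress.ip_network(f"::/{mask}", strict=False)
        raise


def parse_selector(text: str) -> tuple:
    """"<addr>/<mask>[:<port>]": the mask holds no ':', so the port splits off cleanly even for IPv6."""
    addr, _, rest = text.partition("/")
    mask, colon, port = rest.partition(":")
    return _network(addr, mask), (int(port) if colon else None)


def parse_said(text: str):
    """Return (magic, proto, spi, edst, transport) for one SAID token."""
    if text.startswith("%"):
        if text not in MAGIC_SAIDS:
            raise ValueError(f"unknown magic SAID: {text!r}")
        return text, None, None, None, None
    m = SAID_RE.match(text)
    if not m:
        raise ValueError(f"malformed SAID: {text!r}")
    rest, transport = m["rest"], None
    if m["af"] != ":":
        host, colon, proto = rest.partition(":")
        edst, transport = ipaddress.IPv4Address(host), (int(proto) if colon else None)
    else:
        # An IPv6 edst is itself colon-separated, so a trailing ":<proto>" is ambiguous. Assumption:
        # keep the whole token when it parses as an address (the page's IPv6 examples have no suffix).
        try:
            edst = ipaddress.IPv6Address(rest)
        except ValueError:
            host, _, proto = rest.rpartition(":")
            edst, transport = ipaddress.IPv6Address(host), int(proto)
    return None, m["proto"], int(m["spi"], 16), edst, transport


def parse_eroute(line: str) -> Eroute:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed eroute: {line!r}")
    magic, proto, spi, edst, transport = parse_said(m["said"])
    return Eroute(int(m["count"]), parse_selector(m["src"]), parse_selector(m["dst"]),
                  magic, proto, spi, edst, transport, m["srcid"] or "", m["dstid"] or "")


def parse_table(text: str) -> List[Eroute]:
    """One record per line in /proc; a line not starting with a packet count is a wrapped continuation."""
    records: List[str] = []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line[0].isdigit() or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return [parse_eroute(r) for r in records]


def find_unprotected(entries: List[Eroute]) -> List[Eroute]:
    """Entries that apply no SA: %pass/%passthrough selectors and %hold/%trap entries not yet keyed."""
    return [e for e in entries if e.magic is not None]


# Constructed input: the seven example records of this man page, two of them
# wrapped across lines as the page prints them.
SAMPLE_TABLE = """\
1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0
 () ()
746 192.168.2.110/32:0 -> 192.168.2.120/32:25 =>
esp0x130@192.168.2.120:6
 () ()
125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()
42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough
2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()
2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => esp0xe6de@192.168.2.120:0 () ()
1984 3049:1::110/128 -> 3049:1::120/128 => ah:f5ed@3049:1::120 () ()
"""
```

       On a KLIPS host the same functions apply to the real file:
       parse_table(open("/proc/net/ipsec_eroute").read()). The selectors
       returned by find_unprotected are the ones worth comparing against the
       intended policy, since their traffic is forwarded, held or dropped
       without any IPSEC transform.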

FILES

       /proc/net/ipsec_eroute, /usr/local/bin/ipsec

SEE ALSO

       ipsec(8), ipsec_tncfg(5), ipsec_spi(5), ipsec_spigrp(5),
       ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5), ipsec_pf_key(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
       Richard Guy Briggs.

AUTHOR

       Paul Wouters
libreswan                         10/04/2017                   IPSEC_EROUTE(5)