1IPSEC_SPIGRP(8) Executable programs IPSEC_SPIGRP(8)
2
3
4
6 ipsec_spigrp - group/ungroup IPSEC Security Associations
7
9 ipsec spigrp
10 ipsecspigrp [--label label] af1dst1spi1proto1
11 [af2dst2spi2proto2 [af3dst3spi3proto3 [af4dst4spi4proto4]]]
12 ipsecspigrp [--label label] --said SA1 [SA2 [SA3 [SA4]]]
13 ipsecspigrp --help
14 ipsecspigrp --version
15
16
18 Note that spi is only supported on the classic KLIPS stack. It is not
19 supported on any other stack and will be completely removed in future
20 versions. A replacement command still needs to be designed
21
23 Spigrp groups IPSEC Security Associations (SAs) together or ungroups
24 previously grouped SAs. An entry in the IPSEC extended routing table
25 can only point (via a destination address, a Security Parameters Index
26 (SPI) and a protocol identifier) to one SA. If more than one transform
27 must be applied to a given type of packet, this can be accomplished by
28 setting up several SAs with the same destination address but
29 potentially different SPIs and protocols, and grouping them with
30 spigrp.
31
32 The SAs to be grouped, specified by destination address (DNS name
33 lookup, IPv4 dotted quad or IPv6 coloned hex), SPI (´0x´-prefixed
34 hexadecimal number) and protocol ("ah", "esp", "comp" or "tun"), are
35 listed from the inside transform to the outside; in other words, the
36 transforms are applied in the order of the command line and removed in
37 the reverse order. The resulting SA group is referred to by its first
38 SA (by af1, dst1, spi1 and proto1).
39
40 The --said option indicates that the SA IDs are to be specified as one
41 argument each, in the format <proto><af><spi>@<dest>. The SA IDs must
42 all be specified as separate parameters without the --said option or
43 all as monolithic parameters after the --said option.
44
45 The SAs must already exist and must not already be part of a group.
46
47 If spigrp is invoked with only one SA specification, it ungroups the
48 previously-grouped set of SAs containing the SA specified.
49
50 The --label option identifies all responses from that command
51 invocation with a user-supplied label, provided as an argument to the
52 label option. This can be helpful for debugging one invocation of the
53 command out of a large number.
54
55 The command form with no additional arguments lists the contents of
56 /proc/net/ipsec_spigrp. The format of /proc/net/ipsec_spigrp is
57 discussed in ipsec_spigrp(5).
58
60 ipsec spigrp inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah
61 groups 3 SAs together, all destined for gw2, but with an
62 IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
63 header to encrypt the packet with SPI 0x115, and finally an AH
64 header to authenticate the packet with SPI 0x116.
65
66 ipsec spigrp --said tun.113@gw2 esp.115@gw2 ah.116@gw2
67 groups 3 SAs together, all destined for gw2, but with an
68 IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
69 header to encrypt the packet with SPI 0x115, and finally an AH
70 header to authenticate the packet with SPI 0x116.
71
72 ipsec spigrp --said tun:233@3049:1::1 esp:235@3049:1::1
73 ah:236@3049:1::1
74 groups 3 SAs together, all destined for 3049:1::1, but with an
75 IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
76 header to encrypt the packet with SPI 0x235, and finally an AH
77 header to authenticate the packet with SPI 0x236.
78
79 ipsec spigrp inet6 3049:1::1 0x233 tun inet6 3049:1::1 0x235 esp inet6
80 3049:1::1 0x236 ah
81 groups 3 SAs together, all destined for 3049:1::1, but with an
82 IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
83 header to encrypt the packet with SPI 0x235, and finally an AH
84 header to authenticate the packet with SPI 0x236.
85
87 /proc/net/ipsec_spigrp, /usr/local/bin/ipsec
88
90 ipsec(8), ipsec_tncfg(8), ipsec_eroute(8), ipsec_spi(8),
91 ipsec_klipsdebug(8), ipsec_spigrp(5)
92
94 Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
95 Richard Guy Briggs.
96
98 Yes, it really is limited to a maximum of four SAs, although admittedly
99 it´s hard to see why you would need more.
100
102 Paul Wouters
103 placeholder to suppress warning
104
105
106
107libreswan 10/04/2017 IPSEC_SPIGRP(8)