IPSEC_SPIGRP(5) IPSEC_SPIGRP(5)

ipsec_spigrp - list IPSEC Security Association groupings

ipsec spigrp
cat /proc/net/ipsec_spigrp

Note that spigrp is only supported on the classic KLIPS stack. It is
not supported on any other stack and will be completely removed in
future versions. A replacement command still needs to be designed.

/proc/net/ipsec_spigrp is a read-only file that lists groups of IPSEC
Security Associations (SAs).

An entry in the IPSEC extended routing table can only point (via an
SAID) to one SA. If more than one transform must be applied to a given
type of packet, this can be accomplished by setting up several SAs with
the same destination address but potentially different SPIs and
protocols, and grouping them with ipsec_spigrp(8).

The SA groups are listed, one line per connection/group, as a sequence
of SAs to be applied (or that should have been applied, in the case of
an incoming packet) from inside to outside the packet. An SA is
identified by its SAID, which consists of protocol ("ah", "esp", "comp"
or "tun"), SPI (a hexadecimal number prefixed with '.' for IPv4 or ':'
for IPv6) and destination address (IPv4 dotted quad or IPv6 coloned hex)
prefixed by '@', in the format <proto><af><spi>@<dest>.

tun.3d0@192.168.2.110 comp.3d0@192.168.2.110 esp.187a101b@192.168.2.110 ah.187a101a@192.168.2.110

is a group of 3 SAs, destined for 192.168.2.110 with an IPv4-in-IPv4
tunnel SA applied first with an SPI of 3d0 in hexadecimal, followed by
a Deflate compression header to compress the packet with CPI of 3d0 in
hexadecimal, followed by an Encapsulating Security Payload header to
encrypt the packet with SPI 187a101b in hexadecimal, followed by an
Authentication Header to authenticate the packet with SPI 187a101a in
hexadecimal, applied from inside to outside the packet. This could be
an incoming or outgoing group, depending on the address of the local
machine.

tun:3d0@3049:1::2 comp:3d0@3049:1::2 esp:187a101b@3049:1::2 ah:187a101a@3049:1::2

is a group of 3 SAs, destined for 3049:1::2 with an IPv6-in-IPv6 tunnel
SA applied first with an SPI of 3d0 in hexadecimal, followed by a
Deflate compression header to compress the packet with CPI of 3d0 in
hexadecimal, followed by an Encapsulating Security Payload header to
encrypt the packet with SPI 187a101b in hexadecimal, followed by an
Authentication Header to authenticate the packet with SPI 187a101a in
hexadecimal, applied from inside to outside the packet. This could be
an incoming or outgoing group, depending on the address of the local
machine.
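
A parser for the SAID group lines described above, written as an added example; it is not part of the original manual page or of the FreeS/WAN code. It assumes each line holds only whitespace-separated SAIDs in the <proto><af><spi>@<dest> format; the function names and the two audit checks in check_group() are hypothetical additions.

```python
import ipaddress
import re
from typing import NamedTuple

# SAID grammar from the manual page: <proto><af><spi>@<dest>
SAID_RE = re.compile(r"^(ah|esp|comp|tun)([.:])([0-9a-fA-F]+)@(\S+)$")

class SAID(NamedTuple):
    proto: str
    family: int   # 4 or 6, taken from the '.' / ':' separator
    spi: int
    dest: str

def parse_said(token):
    m = SAID_RE.match(token)
    if not m:
        raise ValueError(f"malformed SAID: {token!r}")
    proto, af, spi_hex, dest = m.groups()
    family = 4 if af == "." else 6
    addr = ipaddress.ip_address(dest)  # raises ValueError on a bad address
    if addr.version != family:
        raise ValueError(f"separator {af!r} does not match address {dest!r}")
    spi = int(spi_hex, 16)
    if spi > 0xFFFFFFFF:  # the SPI field is 32 bits wide
        raise ValueError(f"SPI exceeds 32 bits: {token!r}")
    return SAID(proto, family, spi, str(addr))

def parse_group(line):
    """One line is one SA group, listed from inside to outside the packet."""
    return [parse_said(tok) for tok in line.split()]

def check_group(group):
    """Added audit checks (assumptions of this example, not KLIPS behaviour)."""
    findings = []
    if len({sa.dest for sa in group}) > 1:
        findings.append("SAs in one group have different destinations")
    if not any(sa.proto in ("esp", "ah") for sa in group):
        findings.append("group applies no esp or ah transform")
    return findings

# Sample input: the two example lines from this page, one group per line.
SAMPLE = """\
tun.3d0@192.168.2.110 comp.3d0@192.168.2.110 esp.187a101b@192.168.2.110 ah.187a101a@192.168.2.110
tun:3d0@3049:1::2 comp:3d0@3049:1::2 esp:187a101b@3049:1::2 ah:187a101a@3049:1::2
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        group = parse_group(line)
        print([f"{sa.proto}/{sa.spi:#x}" for sa in group], check_group(group))
```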

/proc/net/ipsec_spigrp, /usr/local/bin/ipsec

ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),
ipsec_spi(5), ipsec_klipsdebug(5), ipsec_spigrp(8), ipsec_version(5),
ipsec_pf_key(5)

Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
Richard Guy Briggs.

:-)

10/06/2010 IPSEC_SPIGRP(5)