1IPSEC_EROUTE(8)               Executable programs              IPSEC_EROUTE(8)
2
3
4

NAME

6       ipsec_eroute - manipulate IPSEC extended routing tables
7

SYNOPSIS

9       ipsec eroute
10                    --add --eraf (inet | inet6) --src src/srcmaskbits|srcmask --dst dst/dstmaskbits|dstmask [[--transport-proto transport-protocol]] [--src-port source-port] [--dst-port dest-port] [<SAID>]
11
12       ipsec eroute
13                    --replace --eraf (inet | inet6) --src src/srcmaskbits|srcmask --dst dst/dstmaskbits|dstmask [[--transport-proto transport-protocol]] [--src-port source-port] [--dst-port dest-port] [<SAID>]
14
15       ipsec eroute
16                    --del--del--eraf (inet | inet6) --srcsrc/srcmaskbits|srcmask--dstdst/dstmaskbits|dstmask [[--transport-proto transport-protocol]] [--src-port source-port] [--dst-port dest-port] [<SAID>]
17
18       ipsec eroute --clear
19
20       ipsec eroute --help
21
22       ipsec eroute --version
23

SAID DESCRIPTION

25       Where <SAID> is --af (inet | inet6) --edst edst --spi spi --proto proto
26       OR --said said OR --said (%passthrough | %passthrough4 | %passthrough6
27       | %drop | %reject | %trap | %hold | %pass )
28

DESCRIPTION

30       Eroute manages the IPSEC extended routing tables, which control what
31       (if any) processing is applied to non-encrypted packets arriving for
32       IPSEC processing and forwarding. The form with no additional arguments
33       lists the contents of /proc/net/ipsec_eroute. The --add form adds a
34       table entry, the --replace form replaces a table entry, while the --del
35       form deletes one. The --clear form deletes the entire table.
36
37       A table entry consists of:
38
39       +
40           source and destination addresses, with masks, source and
41           destination ports and protocol for selection of packets. The source
42           and destination ports are only legal if the transport protocol is
43           TCP or UDP.  A port can be specified as either decimal, hexadecimal
44           (leading 0x), octal (leading 0) or a name listed in the first
45           column of /etc/services. A transport protocol can be specified as
46           either decimal, hexadecimal (leading 0x), octal (leading 0) or a
47           name listed in the first column of /etc/protocols. If a transport
48           protocol or port is not specified then it defaults to 0 which means
49           all protocols or all ports respectively.
50
51       +
52           Security Association IDentifier, comprised of:
53
54       +
55           protocol (proto), indicating (together with the effective
56           destination and the security parameters index) which Security
57           Association should be used to process the packet
58
59       +
60           address family (af),
61
62       +
63           Security Parameters Index (spi), indicating (together with the
64           effective destination and protocol) which Security Association
65           should be used to process the packet (must be larger than or equal
66           to 0x100)
67
68       +
69           effective destination (edst), where the packet should be forwarded
70           after processing (normally the other security gateway)
71
72       +
73           OR
74
75       +
76           SAID (said), indicating which Security Association should be used
77           to process the packet
78
79       Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
80       protocol is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
81       hexadecimal numbers where '.' represents IPv4 and ':' stands for IPv6.
82
83       SAIDs are written as "protoafSPI@address". There are also five "magic"
84       SAIDs that have special meaning:
85
86       +
87           %drop means that matches are to be dropped
88
89       +
90           %reject means that matches are to be dropped and an ICMP returned,
91           if possible to inform
92
93       +
94           %trap means that matches are to trigger an ACQUIRE message to the
95           Key Management daemon(s) and a hold eroute will be put in place to
96           prevent subsequent packets also triggering ACQUIRE messages.
97
98       +
99           %hold means that matches are to stored until the eroute is replaced
100           or until that eroute gets reaped
101
102       +
103           %pass means that matches are to allowed to pass without IPSEC
104           processing
105
106       The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
107

EXAMPLES

109       ipsec eroute --add --eraf inet --src 192.168.0.1/32 \ --dst
110       192.168.2.0/24 --af inet --edst 192.168.0.2 \ --spi 0x135 --proto tun
111
112       sets up an eroute on a Security Gateway to protect traffic between the
113       host 192.168.0.1 and the subnet 192.168.2.0 with 24 bits of subnet mask
114       via Security Gateway 192.168.0.2 using the Security Association with
115       address 192.168.0.2, Security Parameters Index 0x135 and protocol tun
116       (50, IPPROTO_ESP).
117
118       ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \ --dst 3049:2::/64
119       --af inet6 --edst 3049:1::2 \ --spi 0x145 --proto tun
120
121       sets up an eroute on a Security Gateway to protect traffic between the
122       host 3049:1::1 and the subnet 3049:2:: with 64 bits of subnet mask via
123       Security Gateway 3049:1::2 using the Security Association with address
124       3049:1::2, Security Parameters Index 0x145 and protocol tun (50,
125       IPPROTO_ESP).
126
127       ipsec eroute --replace --eraf inet --src company.com/24 \ --dst
128       ftp.ngo.org/32 --said tun.135@gw.ngo.org
129
130       replaces an eroute on a Security Gateway to protect traffic between the
131       subnet company.com with 24 bits of subnet mask and the host ftp.ngo.org
132       via Security Gateway gw.ngo.org using the Security Association with
133       Security Association ID tun0x135@gw.ngo.org
134
135       ipsec eroute --del --eraf inet --src company.com/24 \ --dst
136       www.ietf.org/32 --said %passthrough4
137
138       deletes an eroute on a Security Gateway that allowed traffic between
139       the subnet company.com with 24 bits of subnet mask and the host
140       www.ietf.org to pass in the clear, unprocessed.
141
142       ipsec eroute --add --eraf inet --src company.com/24 \ --dst
143       mail.ngo.org/32 --transport-proto 6 \ --dst-port 110 --said
144       tun.135@mail.ngo.org
145
146       sets up an eroute on on a Security Gateway to protect only TCP traffic
147       on port 110 (pop3) between the subnet company.com with 24 bits of
148       subnet mask and the host ftp.ngo.org via Security Gateway mail.ngo.org
149       using the Security Association with Security Association ID
150       tun0x135@mail.ngo.org.  Note that any other traffic bound for
151       mail.ngo.org that is routed via the ipsec device will be dropped. If
152       you wish to allow other traffic to pass through then you must add a
153       %pass rule. For example the following rule when combined with the above
154       will ensure that POP3 messages read from mail.ngo.org will be encrypted
155       but all other traffic to/from mail.ngo.org will be in clear text.
156
157       ipsec eroute --add --eraf inet --src company.com/24 \ --dst
158       mail.ngo.org/32 --said %pass
159

FILES

161       /proc/net/ipsec_eroute, /usr/local/bin/ipsec
162

SEE ALSO

164       ipsec(8), ipsec_tncfg(8), ipsec_spi(8), ipsec_spigrp(8),
165       ipsec_klipsdebug(8), ipsec_eroute(5)
166

HISTORY

168       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
169       Richard Guy Briggs.
170

AUTHOR

172       Paul Wouters
173           placeholder to suppress warning
174
175
176
177libreswan                         02/01/2019                   IPSEC_EROUTE(8)
Impressum