1IPSEC_EROUTE(8) [FIXME: manual] IPSEC_EROUTE(8)
2
3
4
6 ipsec_eroute - manipulate IPSEC extended routing tables
7
9 ipsec eroute
10 --add --eraf (inet | inet6) --src src/srcmaskbits|srcmask --dst dst/dstmaskbits|dstmask [[--transport-proto transport-protocol]] [--src-port source-port] [--dst-port dest-port] [<SAID>]
11
12 ipsec eroute
13 --replace --eraf (inet | inet6) --src src/srcmaskbits|srcmask --dst dst/dstmaskbits|dstmask [[--transport-proto transport-protocol]] [--src-port source-port] [--dst-port dest-port] [<SAID>]
14
15 ipsec eroute
16 --del--del--eraf (inet | inet6) --srcsrc/srcmaskbits|srcmask--dstdst/dstmaskbits|dstmask [[--transport-proto transport-protocol]] [--src-port source-port] [--dst-port dest-port] [<SAID>]
17
18 ipsec eroute --clear
19
20 ipsec eroute --help
21
22 ipsec eroute --version
23
25 Where <SAID> is --af (inet | inet6) --edst edst --spi spi --proto proto
26 OR --said said OR --said (%passthrough | %passthrough4 | %passthrough6
27 | %drop | %reject | %trap | %hold | %pass )
28
30 Eroute manages the IPSEC extended routing tables, which control what
31 (if any) processing is applied to non-encrypted packets arriving for
32 IPSEC processing and forwarding. The form with no additional arguments
33 lists the contents of /proc/net/ipsec_eroute. The --add form adds a
34 table entry, the --replace form replaces a table entry, while the --del
35 form deletes one. The --clear form deletes the entire table.
36
37 A table entry consists of:
38
39 +
40 source and destination addresses, with masks, source and
41 destination ports and protocol for selection of packets. The source
42 and destination ports are only legal if the transport protocol is
43 TCP or UDP. A port can be specified as either decimal, hexadecimal
44 (leading 0x), octal (leading 0) or a name listed in the first
45 column of /etc/services. A transport protocol can be specified as
46 either decimal, hexadecimal (leading 0x), octal (leading 0) or a
47 name listed in the first column of /etc/protocols. If a transport
48 protocol or port is not specified then it defaults to 0 which means
49 all protocols or all ports respectively.
50
51 +
52 Security Association IDentifier, comprised of:
53
54 +
55 protocol (proto), indicating (together with the effective
56 destination and the security parameters index) which Security
57 Association should be used to process the packet
58
59 +
60 address family (af),
61
62 +
63 Security Parameters Index (spi), indicating (together with the
64 effective destination and protocol) which Security Association
65 should be used to process the packet (must be larger than or equal
66 to 0x100)
67
68 +
69 effective destination (edst), where the packet should be forwarded
70 after processing (normally the other security gateway)
71
72 +
73 OR
74
75 +
76 SAID (said), indicating which Security Association should be used
77 to process the packet
78
79 Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
80 protocol is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
81 hexadecimal numbers where ´.´ represents IPv4 and ´:´ stands for IPv6.
82
83 SAIDs are written as "protoafSPI@address". There are also 5 "magic"
84 SAIDs which have special meaning:
85
86 +
87 %drop means that matches are to be dropped
88
89 +
90 %reject means that matches are to be dropped and an ICMP returned,
91 if possible to inform
92
93 +
94 %trap means that matches are to trigger an ACQUIRE message to the
95 Key Management daemon(s) and a hold eroute will be put in place to
96 prevent subsequent packets also triggering ACQUIRE messages.
97
98 +
99 %hold means that matches are to stored until the eroute is replaced
100 or until that eroute gets reaped
101
102 +
103 %pass means that matches are to allowed to pass without IPSEC
104 processing
105
106 The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
107
109 ipsec eroute --add --eraf inet --src 192.168.0.1/32 \
110
111 --dst 192.168.2.0/24 --af inet --edst 192.168.0.2 \
112
113 --spi 0x135 --proto tun
114
115 sets up an eroute on a Security Gateway to protect traffic between the
116 host 192.168.0.1 and the subnet 192.168.2.0 with 24 bits of subnet mask
117 via Security Gateway 192.168.0.2 using the Security Association with
118 address 192.168.0.2, Security Parameters Index 0x135 and protocol tun
119 (50, IPPROTO_ESP).
120
121 ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \
122
123 --dst 3049:2::/64 --af inet6 --edst 3049:1::2 \
124
125 --spi 0x145 --proto tun
126
127 sets up an eroute on a Security Gateway to protect traffic between the
128 host 3049:1::1 and the subnet 3049:2:: with 64 bits of subnet mask via
129 Security Gateway 3049:1::2 using the Security Association with address
130 3049:1::2, Security Parameters Index 0x145 and protocol tun (50,
131 IPPROTO_ESP).
132
133 ipsec eroute --replace --eraf inet --src company.com/24 \
134
135 --dst ftp.ngo.org/32 --said tun.135@gw.ngo.org
136
137 replaces an eroute on a Security Gateway to protect traffic between the
138 subnet company.com with 24 bits of subnet mask and the host ftp.ngo.org
139 via Security Gateway gw.ngo.org using the Security Association with
140 Security Association ID tun0x135@gw.ngo.org
141
142 ipsec eroute --del --eraf inet --src company.com/24 \
143
144 --dst www.ietf.org/32 --said %passthrough4
145
146 deletes an eroute on a Security Gateway that allowed traffic between
147 the subnet company.com with 24 bits of subnet mask and the host
148 www.ietf.org to pass in the clear, unprocessed.
149
150 ipsec eroute --add --eraf inet --src company.com/24 \
151
152 --dst mail.ngo.org/32 --transport-proto 6 \
153
154 --dst-port 110 --said tun.135@mail.ngo.org
155
156 sets up an eroute on on a Security Gateway to protect only TCP traffic
157 on port 110 (pop3) between the subnet company.com with 24 bits of
158 subnet mask and the host ftp.ngo.org via Security Gateway mail.ngo.org
159 using the Security Association with Security Association ID
160 tun0x135@mail.ngo.org. Note that any other traffic bound for
161 mail.ngo.org that is routed via the ipsec device will be dropped. If
162 you wish to allow other traffic to pass through then you must add a
163 %pass rule. For example the following rule when combined with the above
164 will ensure that POP3 messages read from mail.ngo.org will be encrypted
165 but all other traffic to/from mail.ngo.org will be in clear text.
166
167 ipsec eroute --add --eraf inet --src company.com/24 \
168
169 --dst mail.ngo.org/32 --said %pass
170
172 /proc/net/ipsec_eroute, /usr/local/bin/ipsec
173
175 ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8),
176 ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_eroute(5)
177
179 Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
180 Richard Guy Briggs.
181
182
183
184[FIXME: source] 03 April 2007 IPSEC_EROUTE(8)