1IPSEC_EROUTE(5) IPSEC_EROUTE(5)
2
3
4
6 ipsec_eroute - list of existing eroutes
7
9 ipsec eroute
10 cat/proc/net/ipsec_eroute
11
12
14 Note that eroute is only supported on the classic KLIPS stack. It is
15 not supported on any other stack and will be completely removed in fu‐
16 ture versions. A replacement command still needs to be designed
17
18
20 /proc/net/ipsec_eroute lists the IPSEC extended routing tables, which
21 control what (if any) processing is applied to non-encrypted packets
22 arriving for IPSEC processing and forwarding. At this point it is a
23 read-only file.
24
25
26 A table entry consists of:
27
28
29 + packet count,
30
31
32 + source address with mask and source port (0 if all ports or not
33 applicable)
34
35
36 + a '->' separator for visual and automated parsing between src
37 and dst
38
39
40 + destination address with mask and destination port (0 if all
41 ports or not applicable)
42
43
44 + a '=>' separator for visual and automated parsing between selec‐
45 tion criteria and SAID to use
46
47
48 + SAID (Security Association IDentifier), comprised of:
49
50
51 + protocol (proto),
52
53
54 + address family (af), where '.' stands for IPv4 and ':' for IPv6
55
56
57 + Security Parameters Index (SPI),
58
59
60 + effective destination (edst), where the packet should be for‐
61 warded after processing (normally the other security gateway)
62 together indicate which Security Association should be used to
63 process the packet,
64
65
66 + a ':' separating the SAID from the transport protocol (0 if all
67 protocols)
68
69
70 + source identity text string with no whitespace, in parens,
71
72
73 + destination identity text string with no whitespace, in parens
74
75
76 Addresses are written as IPv4 dotted quads or IPv6 coloned hex, proto‐
77 col is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed hexa‐
78 decimal numbers where the prefix '.' is for IPv4 and the prefix ':' is
79 for IPv6
80
81
82 SAIDs are written as "protoafSPI@edst". There are also 5 "magic" SAIDs
83 which have special meaning:
84
85
86 + %drop means that matches are to be dropped
87
88
89 + %reject means that matches are to be dropped and an ICMP re‐
90 turned, if possible to inform
91
92
93 + %trap means that matches are to trigger an ACQUIRE message to
94 the Key Management daemon(s) and a hold eroute will be put in
95 place to prevent subsequent packets also triggering ACQUIRE mes‐
96 sages.
97
98
99 + %hold means that matches are to stored until the eroute is re‐
100 placed or until that eroute gets reaped
101
102
103 + %pass means that matches are to allowed to pass without IPSEC
104 processing
105
106
108 1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0
109 () ()
110
111
112 means that 1,867 packets have been sent to an eroute that has been set
113 up to protect traffic between the subnet 172.31.252.0 with a subnet
114 mask of 24 bits and the default address/mask represented by an address
115 of 0.0.0.0 with a subnet mask of 0 bits using the local machine as a
116 security gateway on this end of the tunnel and the machine 192.168.43.1
117 on the other end of the tunnel with a Security Association IDentifier
118 of tun0x130@192.168.43.1 which means that it is a tunnel mode connec‐
119 tion (4, IPPROTO_IPIP) with a Security Parameters Index of 130 in hexa‐
120 decimal with no identies defined for either end.
121
122
123 746 192.168.2.110/32:0 -> 192.168.2.120/32:25 =>
124 esp0x130@192.168.2.120:6 () ()
125
126
127 means that 746 packets have been sent to an eroute that has been set up
128 to protect traffic sent from any port on the host 192.168.2.110 to the
129 SMTP (TCP, port 25) port on the host 192.168.2.120 with a Security As‐
130 sociation IDentifier of tun0x130@192.168.2.120 which means that it is a
131 transport mode connection with a Security Parameters Index of 130 in
132 hexadecimal with no identies defined for either end.
133
134
135 125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()
136
137
138 means that 125 packets have been sent to an eroute that has been set up
139 to protect traffic between the subnet 3049:1:: with a subnet mask of 64
140 bits and the default address/mask represented by an address of 0:0 with
141 a subnet mask of 0 bits using the local machine as a security gateway
142 on this end of the tunnel and the machine 3058:4::5 on the other end of
143 the tunnel with a Security Association IDentifier of tun:130@3058:4::5
144 which means that it is a tunnel mode connection with a Security Parame‐
145 ters Index of 130 in hexadecimal with no identies defined for either
146 end.
147
148
149 42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough
150
151
152 means that 42 packets have been sent to an eroute that has been set up
153 to pass the traffic from the subnet 192.168.6.0 with a subnet mask of
154 24 bits and to subnet 192.168.7.0 with a subnet mask of 24 bits without
155 any IPSEC processing with no identies defined for either end.
156
157
158 2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()
159
160
161 means that 2112 packets have been sent to an eroute that has been set
162 up to hold the traffic from the host 192.168.8.55 and to host
163 192.168.9.47 until a key exchange from a Key Management daemon succeeds
164 and puts in an SA or fails and puts in a pass or drop eroute depending
165 on the default configuration with the local client defined as "east"
166 and no identy defined for the remote end.
167
168
169 2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 =>
170 esp0xe6de@192.168.2.120:0 () ()
171
172
173 means that 2001 packets have been sent to an eroute that has been set
174 up to protect traffic between the host 192.168.2.110 and the host
175 192.168.2.120 using 192.168.2.110 as a security gateway on this end of
176 the connection and the machine 192.168.2.120 on the other end of the
177 connection with a Security Association IDentifier of
178 esp0xe6de@192.168.2.120 which means that it is a transport mode connec‐
179 tion with a Security Parameters Index of e6de in hexadecimal using En‐
180 capsuation Security Payload protocol (50, IPPROTO_ESP) with no identies
181 defined for either end.
182
183
184 1984 3049:1::110/128 -> 3049:1::120/128 => ah:f5ed@3049:1::120 ()
185 ()
186
187
188 means that 1984 packets have been sent to an eroute that has been set
189 up to authenticate traffic between the host 3049:1::110 and the host
190 3049:1::120 using 3049:1::110 as a security gateway on this end of the
191 connection and the machine 3049:1::120 on the other end of the connec‐
192 tion with a Security Association IDentifier of ah:f5ed@3049:1::120
193 which means that it is a transport mode connection with a Security Pa‐
194 rameters Index of f5ed in hexadecimal using Authentication Header pro‐
195 tocol (51, IPPROTO_AH) with no identies defined for either end.
196
197
199 /proc/net/ipsec_eroute, /usr/local/bin/ipsec
200
201
203 ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5), ipsec_spi‐
204 grp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5),
205 ipsec_pf_key(5)
206
207
209 Written for the Linux FreeS/WAN project <http://www.freeswan.org/:
210 http://www.freeswan.org/> by Richard Guy Briggs.
211
212
213
214
215 IPSEC_EROUTE(5)