IPSEC_EROUTE(5)                                                IPSEC_EROUTE(5)



NAME
       ipsec_eroute - list of existing eroutes

SYNOPSIS
       ipsec eroute
       cat /proc/net/ipsec_eroute

OBSOLETE
       Note that eroute is only supported on the classic KLIPS stack. It is
       not supported on any other stack and will be completely removed in
       future versions. A replacement command still needs to be designed.

DESCRIPTION
       /proc/net/ipsec_eroute lists the IPSEC extended routing tables, which
       control what (if any) processing is applied to non-encrypted packets
       arriving for IPSEC processing and forwarding. At this point it is a
       read-only file.

       A table entry consists of:

       +      packet count,

       +      source address with mask and source port (0 if all ports or not
              applicable),

       +      a '->' separator for visual and automated parsing between src
              and dst,

       +      destination address with mask and destination port (0 if all
              ports or not applicable),

       +      a '=>' separator for visual and automated parsing between
              selection criteria and SAID to use,

       +      SAID (Security Association IDentifier), comprised of:

              +      protocol (proto),

              +      address family (af), where '.' stands for IPv4 and ':'
                     for IPv6,

              +      Security Parameters Index (SPI),

              +      effective destination (edst), where the packet should be
                     forwarded after processing (normally the other security
                     gateway);

              together these indicate which Security Association should be
              used to process the packet,

       +      a ':' separating the SAID from the transport protocol (0 if all
              protocols),

       +      source identity text string with no whitespace, in parens,

       +      destination identity text string with no whitespace, in parens.

       Addresses are written as IPv4 dotted quads or IPv6 coloned hex, the
       protocol is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
       hexadecimal numbers where the prefix '.' is for IPv4 and the prefix
       ':' is for IPv6.

       SAIDs are written as "protoafSPI@edst". There are also 5 "magic" SAIDs
       which have special meaning:

       +      %drop means that matches are to be dropped,

       +      %reject means that matches are to be dropped and an ICMP
              returned, if possible, to inform,

       +      %trap means that matches are to trigger an ACQUIRE message to
              the Key Management daemon(s) and a hold eroute will be put in
              place to prevent subsequent packets also triggering ACQUIRE
              messages,

       +      %hold means that matches are to be stored until the eroute is
              replaced or until that eroute gets reaped,

       +      %pass means that matches are to be allowed to pass without IPSEC
              processing.


EXAMPLES
       1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 () ()

       means that 1,867 packets have been sent to an eroute that has been set
       up to protect traffic between the subnet 172.31.252.0 with a subnet
       mask of 24 bits and the default address/mask represented by an address
       of 0.0.0.0 with a subnet mask of 0 bits using the local machine as a
       security gateway on this end of the tunnel and the machine 192.168.43.1
       on the other end of the tunnel with a Security Association IDentifier
       of tun0x130@192.168.43.1 which means that it is a tunnel mode
       connection (4, IPPROTO_IPIP) with a Security Parameters Index of 130 in
       hexadecimal with no identities defined for either end.

       746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 () ()

       means that 746 packets have been sent to an eroute that has been set up
       to protect traffic sent from any port on the host 192.168.2.110 to the
       SMTP (TCP, port 25) port on the host 192.168.2.120 with a Security
       Association IDentifier of esp0x130@192.168.2.120 which means that it is
       a transport mode connection with a Security Parameters Index of 130 in
       hexadecimal with no identities defined for either end.

       125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()

       means that 125 packets have been sent to an eroute that has been set up
       to protect traffic between the subnet 3049:1:: with a subnet mask of 64
       bits and the default address/mask represented by an address of 0:0 with
       a subnet mask of 0 bits using the local machine as a security gateway
       on this end of the tunnel and the machine 3058:4::5 on the other end of
       the tunnel with a Security Association IDentifier of tun:130@3058:4::5
       which means that it is a tunnel mode connection with a Security
       Parameters Index of 130 in hexadecimal with no identities defined for
       either end.

       42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough

       means that 42 packets have been sent to an eroute that has been set up
       to pass the traffic from the subnet 192.168.6.0 with a subnet mask of
       24 bits to the subnet 192.168.7.0 with a subnet mask of 24 bits without
       any IPSEC processing, with no identities defined for either end.

       2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()

       means that 2112 packets have been sent to an eroute that has been set
       up to hold the traffic from the host 192.168.8.55 to the host
       192.168.9.47 until a key exchange from a Key Management daemon succeeds
       and puts in an SA, or fails and puts in a pass or drop eroute depending
       on the default configuration, with the local client defined as "east"
       and no identity defined for the remote end.

       2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => esp0xe6de@192.168.2.120:0 () ()

       means that 2001 packets have been sent to an eroute that has been set
       up to protect traffic between the host 192.168.2.110 and the host
       192.168.2.120 using 192.168.2.110 as a security gateway on this end of
       the connection and the machine 192.168.2.120 on the other end of the
       connection with a Security Association IDentifier of
       esp0xe6de@192.168.2.120 which means that it is a transport mode
       connection with a Security Parameters Index of e6de in hexadecimal
       using the Encapsulating Security Payload protocol (50, IPPROTO_ESP)
       with no identities defined for either end.

       1984 3049:1::110/128 -> 3049:1::120/128 => ah:f5ed@3049:1::120 () ()

       means that 1984 packets have been sent to an eroute that has been set
       up to authenticate traffic between the host 3049:1::110 and the host
       3049:1::120 using 3049:1::110 as a security gateway on this end of the
       connection and the machine 3049:1::120 on the other end of the
       connection with a Security Association IDentifier of
       ah:f5ed@3049:1::120 which means that it is a transport mode connection
       with a Security Parameters Index of f5ed in hexadecimal using the
       Authentication Header protocol (51, IPPROTO_AH) with no identities
       defined for either end.

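       The following parser for the entry format described in DESCRIPTION is
       an added example and is not part of this man page or of KLIPS. It
       assumes that an IPv4 SPI prefix may be printed as "0x" (as in the
       EXAMPLES) as well as "." (as in DESCRIPTION), that the ":port" and
       ":proto" suffixes may be absent (as in the IPv6 examples), and that for
       an IPv6 SAID a ":proto" suffix is left attached to the address because
       it cannot be told apart from the address itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Magic SAIDs from the DESCRIPTION, plus %passthrough as printed in the EXAMPLES.
MAGIC_SAIDS = {"%drop", "%reject", "%trap", "%hold", "%pass", "%passthrough"}
SAID_RE = re.compile(r"^(ah|esp|comp|tun)(0x|\.|:)([0-9a-fA-F]+)@(.+)$")  # proto, af prefix, SPI, edst
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)\s*(.*)$")
SAMPLE = "2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()\n"  # constructed, from EXAMPLES

@dataclass
class Eroute:
    packets: int
    src: str                 # "addr/masklen"
    src_port: Optional[int]  # None when the kernel printed no ':port'
    dst: str
    dst_port: Optional[int]
    said: str                # "ah", "esp", "comp", "tun" or a %magic keyword
    af: Optional[str]        # '.' = IPv4, ':' = IPv6, None for magic SAIDs
    spi: Optional[int]
    edst: Optional[str]      # effective destination (next security gateway)
    proto: Optional[int]     # transport protocol after the SAID, 0 = all
    src_id: str
    dst_id: str

def split_selector(sel: str):
    addr, mask = sel.split("/", 1)          # '172.31.252.0/24:0' -> ('172.31.252.0/24', 0)
    mask, _, port = mask.partition(":")     # the ':port' part is optional
    return f"{addr}/{mask}", (int(port) if port else None)

def parse_eroute(line: str) -> Eroute:
    m = LINE_RE.match(line)
    if not m: raise ValueError(f"not an eroute line: {line!r}")
    count, src_sel, dst_sel, said_tok, rest = m.groups()
    (src, sport), (dst, dport) = split_selector(src_sel), split_selector(dst_sel)
    ids = re.findall(r"\(([^)\s]*)\)", rest)          # "(east) ()" -> ["east", ""]
    src_id, dst_id = (ids + ["", ""])[:2]
    if said_tok in MAGIC_SAIDS:
        return Eroute(int(count), src, sport, dst, dport, said_tok, None, None, None, None, src_id, dst_id)
    sm = SAID_RE.match(said_tok)
    if not sm: raise ValueError(f"unrecognised SAID: {said_tok!r}")
    name, prefix, spi_hex, tail = sm.groups()
    af = ":" if prefix == ":" else "."
    # IPv4 edst has no ':' so a ':N' suffix is the transport proto; an IPv6 edst can end in
    # ':<hex>', so (assumption) the tail is kept whole as the address and proto stays None.
    edst, _, p = tail.rpartition(":") if af == "." and ":" in tail else (tail, "", "")
    proto = int(p) if p else None
    return Eroute(int(count), src, sport, dst, dport, name, af, int(spi_hex, 16), edst, proto, src_id, dst_id)

def parse_table(text: str = SAMPLE) -> List[Eroute]:
    return [parse_eroute(l) for l in text.splitlines() if l.strip()]
```

       A table parsed this way can be audited for entries whose SAID is %pass
       or %passthrough, since those are the selectors that bypass IPSEC
       processing entirely.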

FILES
       /proc/net/ipsec_eroute, /usr/local/bin/ipsec


SEE ALSO
       ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5),
       ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5),
       ipsec_pf_key(5)


HISTORY
       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
       Richard Guy Briggs.
