1IPSEC_SPIGRP(5)                                                IPSEC_SPIGRP(5)
2
3
4

NAME

6       ipsec_spigrp - list IPSEC Security Association groupings
7

SYNOPSIS

9       ipsec spigrp
10              cat/proc/net/ipsec_spigrp
11
12
13

OBSOLETE

15       Note  that  spigrp  is only supported on the classic KLIPS stack. It is
16       not supported on any other stack and will be completely removed in  fu‐
17       ture versions. A replacement command still needs to be designed
18
19

DESCRIPTION

21       /proc/net/ipsec_spigrp  is  a read-only file that lists groups of IPSEC
22       Security Associations (SAs).
23
24
25       An entry in the IPSEC extended routing table can  only  point  (via  an
26       SAID)  to one SA. If more than one transform must be applied to a given
27       type of packet, this can be accomplished by setting up several SAs with
28       the  same destination address but potentially different SPIs and proto‐
29       cols, and grouping them with ipsec_spigrp(8).
30
31
32       The SA groups are listed, one line per connection/group, as a  sequence
33       of  SAs to be applied (or that should have been applied, in the case of
34       an incoming packet) from inside to outside the packet. An SA is identi‐
35       fied  by  its  SAID, which consists of protocol ("ah", "esp", "comp" or
36       "tun"), SPI (with '.' for IPv4 or ':'  for  IPv6  prefixed  hexadecimal
37       number ) and destination address (IPv4 dotted quad or IPv6 coloned hex)
38       prefixed by '@', in the format <proto><af><spi>@<dest>.
39
40

EXAMPLES

42       tun.3d0@192.168.2.110
43              comp.3d0@192.168.2.110                esp.187a101b@192.168.2.110
44              ah.187a101a@192.168.2.110
45
46
47       is  a  group  of 3 SAs, destined for 192.168.2.110 with an IPv4-in-IPv4
48       tunnel SA applied first with an SPI of 3d0 in hexadecimal, followed  by
49       a  Deflate compression header to compress the packet with CPI of 3d0 in
50       hexadecimal, followed by an Encapsulating Security  Payload  header  to
51       encrypt the packet with SPI 187a101b in hexadecimal, followed by an Au‐
52       thentication Header to authenticate the packet  with  SPI  187a101a  in
53       hexadecimal,  applied  from inside to outside the packet. This could be
54       an incoming or outgoing group, depending on the address  of  the  local
55       machine.
56
57
58       tun:3d0@3049:1::2
59              comp:3d0@3049:1::2                        esp:187a101b@3049:1::2
60              ah:187a101a@3049:1::2
61
62
63       is a group of 3 SAs, destined for 3049:1::2 with an IPv6-in-IPv6 tunnel
64       SA  applied  first with an SPI of 3d0 in hexadecimal, followed by a De‐
65       flate compression header to compress the packet  with  CPI  of  3d0  in
66       hexadecimal,  followed  by  an Encapsulating Security Payload header to
67       encrypt the packet with SPI 187a101b in hexadecimal, followed by an Au‐
68       thentication  Header  to  authenticate  the packet with SPI 187a101a in
69       hexadecimal, applied from inside to outside the packet. This  could  be
70       an  incoming  or  outgoing group, depending on the address of the local
71       machine.
72
73

FILES

75       /proc/net/ipsec_spigrp, /usr/local/bin/ipsec
76
77

SEE ALSO

79       ipsec(8),     ipsec_manual(8),     ipsec_tncfg(5),     ipsec_eroute(5),
80       ipsec_spi(5),  ipsec_klipsdebug(5),  ipsec_spigrp(8), ipsec_version(5),
81       ipsec_pf_key(5)
82
83

HISTORY

85       Written for  the  Linux  FreeS/WAN  project  <http://www.freeswan.org/:
86       http://www.freeswan.org/> by Richard Guy Briggs.
87
88

BUGS

90       :-)
91
92
93
94
95                                                               IPSEC_SPIGRP(5)
Impressum