1IPSEC_EROUTE(8)             System Manager's Manual            IPSEC_EROUTE(8)
2
3
4

NAME

6       ipsec eroute - manipulate IPSEC extended routing tables
7

SYNOPSIS

9       ipsec eroute
10
11       ipsec  eroute --add --eraf (inet | inet6) --src src/srcmaskbits|srcmask
12       --dst dst/dstmaskbits|dstmask [ --transport-proto transport-protocol  ]
13       [ --src-port source-port ] [ --dst-port dest-port ] <SAID>
14
15       ipsec eroute --replace --eraf (inet | inet6) --src src/srcmaskbits|src‐
16       mask --dst dst/dstmaskbits|dstmask [ --transport-proto transport-proto‐
17       col ] [ --src-port source-port ] [ --dst-port dest-port ] <SAID>
18
19       ipsec  eroute --del --eraf (inet | inet6) --src src/srcmaskbits|srcmask
20       --dst dst/dstmaskbits|dstmask [ --transport-proto transport-protocol  ]
21       [ --src-port source-port ] [ --dst-port dest-port ]
22
23       ipsec eroute --clear
24
25       ipsec eroute --help
26
27       ipsec eroute --version
28
29       Where <SAID> is --af (inet | inet6) --edst edst --spi spi --proto proto
30       OR --said said OR --said (%passthrough | %passthrough4 |  %passthrough6
31       | %drop | %reject | %trap | %hold | %pass )
32

DESCRIPTION

34       Eroute  manages  the  IPSEC extended routing tables, which control what
35       (if any) processing is applied to non-encrypted  packets  arriving  for
36       IPSEC processing and forwarding.  The form with no additional arguments
37       lists the contents of /proc/net/ipsec_eroute.  The --add  form  adds  a
38       table entry, the --replace form replaces a table entry, while the --del
39       form deletes one.  The --clear form deletes the entire table.
40
41       A table entry consists of:
42
43       +  source and destination addresses, with masks, source and destination
44          ports  and protocol for selection of packets.  The source and desti‐
45          nation ports are only legal if the transport protocol is TCP or UDP.
46          A port can be specified as either decimal, hexadecimal (leading 0x),
47          octal (leading 0) or a name listed in the first column of  /etc/ser‐
48          vices.   A  transport  protocol  can be specified as either decimal,
49          hexadecimal (leading 0x), octal (leading 0) or a name listed in  the
50          first  column of /etc/protocols.  If a transport protocol or port is
51          not specified then it defaults to 0 which means all protocols or all
52          ports respectively.
53
54       +  Security Association IDentifier, comprised of:
55
56       +     protocol  (proto), indicating (together with the effective desti‐
57             nation and the security parameters index) which Security Associa‐
58             tion should be used to process the packet
59
60       +     address family (af),
61
62       +     Security  Parameters  Index  (spi), indicating (together with the
63             effective destination and protocol)  which  Security  Association
64             should  be  used  to  process  the packet (must be larger than or
65             equal to 0x100)
66
67       +     effective destination (edst), where the  packet  should  be  for‐
68             warded after processing (normally the other security gateway)
69
70       +  OR
71
72       +     SAID (said), indicating which Security Association should be used
73             to process the packet
74
75       Addresses are written as IPv4 dotted quads or IPv6 coloned hex,  proto‐
76       col  is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed hexa‐
77       decimal numbers where '.' represents IPv4 and ':' stands for IPv6.
78
79       SAIDs are written as "protoafSPI@address".  There are  also  5  "magic"
80       SAIDs which have special meaning:
81
82       +  %drop means that matches are to be dropped
83
84       +  %reject  means  that matches are to be dropped and an ICMP returned,
85          if possible to inform
86
87       +  %trap means that matches are to trigger an ACQUIRE  message  to  the
88          Key  Management  daemon(s) and a hold eroute will be put in place to
89          prevent subsequent packets also triggering ACQUIRE messages.
90
91       +  %hold means that matches are to stored until the eroute is  replaced
92          or until that eroute gets reaped
93
94       +  %pass  means  that matches are to allowed to pass without IPSEC pro‐
95          cessing
96
97       The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
98

EXAMPLES

100       ipsec eroute --add --eraf inet --src 192.168.0.1/32 \
101          --dst 192.168.2.0/24 --af inet --edst 192.168.0.2 \
102          --spi 0x135 --proto tun
103
104       sets up an eroute on a Security Gateway to protect traffic between  the
105       host 192.168.0.1 and the subnet 192.168.2.0 with 24 bits of subnet mask
106       via Security Gateway 192.168.0.2 using the  Security  Association  with
107       address  192.168.0.2,  Security Parameters Index 0x135 and protocol tun
108       (50, IPPROTO_ESP).
109
110       ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \
111          --dst 3049:2::/64 --af inet6 --edst 3049:1::2 \
112          --spi 0x145 --proto tun
113
114       sets up an eroute on a Security Gateway to protect traffic between  the
115       host  3049:1::1 and the subnet 3049:2:: with 64 bits of subnet mask via
116       Security Gateway 3049:1::2 using the Security Association with  address
117       3049:1::2,  Security  Parameters  Index  0x145  and  protocol  tun (50,
118       IPPROTO_ESP).
119
120       ipsec eroute --replace --eraf inet --src company.com/24 \
121          --dst ftp.ngo.org/32 --said tun.135@gw.ngo.org
122
123       replaces an eroute on a Security Gateway to protect traffic between the
124       subnet company.com with 24 bits of subnet mask and the host ftp.ngo.org
125       via Security Gateway gw.ngo.org using  the  Security  Association  with
126       Security Association ID tun0x135@gw.ngo.org
127
128       ipsec eroute --del --eraf inet --src company.com/24 \
129          --dst www.ietf.org/32 --said %passthrough4
130
131       deletes  an  eroute  on a Security Gateway that allowed traffic between
132       the subnet company.com with  24  bits  of  subnet  mask  and  the  host
133       www.ietf.org to pass in the clear, unprocessed.
134
135       ipsec eroute --add --eraf inet --src company.com/24 \
136          --dst mail.ngo.org/32 --transport-proto 6 \
137          --dst-port 110 --said tun.135@mail.ngo.org
138
139       sets  up an eroute on on a Security Gateway to protect only TCP traffic
140       on port 110 (pop3) between the subnet company.com with 24 bits of  sub‐
141       net  mask  and  the  host ftp.ngo.org via Security Gateway mail.ngo.org
142       using  the  Security   Association   with   Security   Association   ID
143       tun0x135@mail.ngo.org.    Note   that   any  other  traffic  bound  for
144       mail.ngo.org that is routed via the ipsec device will be  dropped.   If
145       you  wish  to  allow  other traffic to pass through then you must add a
146       %pass rule.  For example the following  rule  when  combined  with  the
147       above  will  ensure  that  POP3 messages read from mail.ngo.org will be
148       encrypted but all other traffic to/from mail.ngo.org will be  in  clear
149       text.
150
151       ipsec eroute --add --eraf inet --src company.com/24 \
152          --dst mail.ngo.org/32 --said %pass
153

FILES

155       /proc/net/ipsec_eroute, /usr/local/bin/ipsec
156

SEE ALSO

158       ipsec(8),  ipsec_manual(8),  ipsec_tncfg(8),  ipsec_spi(8),  ipsec_spi‐
159       grp(8), ipsec_klipsdebug(8), ipsec_eroute(5)
160

HISTORY

162       Written for the Linux FreeS/WAN project  <http://www.freeswan.org/>  by
163       Richard Guy Briggs.
164
165
166
167                                  21 Jun 2000                  IPSEC_EROUTE(8)
Impressum