1IPSEC_EROUTE(8) System Manager's Manual IPSEC_EROUTE(8)
2
3
4
6 ipsec eroute - manipulate IPSEC extended routing tables
7
9 ipsec eroute
10
11 ipsec eroute --add --eraf (inet | inet6) --src src/srcmaskbits|srcmask
12 --dst dst/dstmaskbits|dstmask [ --transport-proto transport-protocol ]
13 [ --src-port source-port ] [ --dst-port dest-port ] <SAID>
14
15 ipsec eroute --replace --eraf (inet | inet6) --src src/srcmaskbits|src‐
16 mask --dst dst/dstmaskbits|dstmask [ --transport-proto transport-proto‐
17 col ] [ --src-port source-port ] [ --dst-port dest-port ] <SAID>
18
19 ipsec eroute --del --eraf (inet | inet6) --src src/srcmaskbits|srcmask
20 --dst dst/dstmaskbits|dstmask [ --transport-proto transport-protocol ]
21 [ --src-port source-port ] [ --dst-port dest-port ]
22
23 ipsec eroute --clear
24
25 ipsec eroute --help
26
27 ipsec eroute --version
28
29 Where <SAID> is --af (inet | inet6) --edst edst --spi spi --proto proto
30 OR --said said OR --said (%passthrough | %passthrough4 | %passthrough6
31 | %drop | %reject | %trap | %hold | %pass )
32
34 Eroute manages the IPSEC extended routing tables, which control what
35 (if any) processing is applied to non-encrypted packets arriving for
36 IPSEC processing and forwarding. The form with no additional arguments
37 lists the contents of /proc/net/ipsec_eroute. The --add form adds a
38 table entry, the --replace form replaces a table entry, while the --del
39 form deletes one. The --clear form deletes the entire table.
40
41 A table entry consists of:
42
43 + source and destination addresses, with masks, source and destination
44 ports and protocol for selection of packets. The source and desti‐
45 nation ports are only legal if the transport protocol is TCP or UDP.
46 A port can be specified as either decimal, hexadecimal (leading 0x),
47 octal (leading 0) or a name listed in the first column of /etc/ser‐
48 vices. A transport protocol can be specified as either decimal,
49 hexadecimal (leading 0x), octal (leading 0) or a name listed in the
50 first column of /etc/protocols. If a transport protocol or port is
51 not specified then it defaults to 0 which means all protocols or all
52 ports respectively.
53
54 + Security Association IDentifier, comprised of:
55
56 + protocol (proto), indicating (together with the effective desti‐
57 nation and the security parameters index) which Security Associa‐
58 tion should be used to process the packet
59
60 + address family (af),
61
62 + Security Parameters Index (spi), indicating (together with the
63 effective destination and protocol) which Security Association
64 should be used to process the packet (must be larger than or
65 equal to 0x100)
66
67 + effective destination (edst), where the packet should be for‐
68 warded after processing (normally the other security gateway)
69
70 + OR
71
72 + SAID (said), indicating which Security Association should be used
73 to process the packet
74
75 Addresses are written as IPv4 dotted quads or IPv6 coloned hex, proto‐
76 col is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed hexa‐
77 decimal numbers where '.' represents IPv4 and ':' stands for IPv6.
78
79 SAIDs are written as "protoafSPI@address". There are also 5 "magic"
80 SAIDs which have special meaning:
81
82 + %drop means that matches are to be dropped
83
84 + %reject means that matches are to be dropped and an ICMP returned,
85 if possible to inform
86
87 + %trap means that matches are to trigger an ACQUIRE message to the
88 Key Management daemon(s) and a hold eroute will be put in place to
89 prevent subsequent packets also triggering ACQUIRE messages.
90
91 + %hold means that matches are to stored until the eroute is replaced
92 or until that eroute gets reaped
93
94 + %pass means that matches are to allowed to pass without IPSEC pro‐
95 cessing
96
97 The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
98
100 ipsec eroute --add --eraf inet --src 192.168.0.1/32 \
101 --dst 192.168.2.0/24 --af inet --edst 192.168.0.2 \
102 --spi 0x135 --proto tun
103
104 sets up an eroute on a Security Gateway to protect traffic between the
105 host 192.168.0.1 and the subnet 192.168.2.0 with 24 bits of subnet mask
106 via Security Gateway 192.168.0.2 using the Security Association with
107 address 192.168.0.2, Security Parameters Index 0x135 and protocol tun
108 (50, IPPROTO_ESP).
109
110 ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \
111 --dst 3049:2::/64 --af inet6 --edst 3049:1::2 \
112 --spi 0x145 --proto tun
113
114 sets up an eroute on a Security Gateway to protect traffic between the
115 host 3049:1::1 and the subnet 3049:2:: with 64 bits of subnet mask via
116 Security Gateway 3049:1::2 using the Security Association with address
117 3049:1::2, Security Parameters Index 0x145 and protocol tun (50,
118 IPPROTO_ESP).
119
120 ipsec eroute --replace --eraf inet --src company.com/24 \
121 --dst ftp.ngo.org/32 --said tun.135@gw.ngo.org
122
123 replaces an eroute on a Security Gateway to protect traffic between the
124 subnet company.com with 24 bits of subnet mask and the host ftp.ngo.org
125 via Security Gateway gw.ngo.org using the Security Association with
126 Security Association ID tun0x135@gw.ngo.org
127
128 ipsec eroute --del --eraf inet --src company.com/24 \
129 --dst www.ietf.org/32 --said %passthrough4
130
131 deletes an eroute on a Security Gateway that allowed traffic between
132 the subnet company.com with 24 bits of subnet mask and the host
133 www.ietf.org to pass in the clear, unprocessed.
134
135 ipsec eroute --add --eraf inet --src company.com/24 \
136 --dst mail.ngo.org/32 --transport-proto 6 \
137 --dst-port 110 --said tun.135@mail.ngo.org
138
139 sets up an eroute on on a Security Gateway to protect only TCP traffic
140 on port 110 (pop3) between the subnet company.com with 24 bits of sub‐
141 net mask and the host ftp.ngo.org via Security Gateway mail.ngo.org
142 using the Security Association with Security Association ID
143 tun0x135@mail.ngo.org. Note that any other traffic bound for
144 mail.ngo.org that is routed via the ipsec device will be dropped. If
145 you wish to allow other traffic to pass through then you must add a
146 %pass rule. For example the following rule when combined with the
147 above will ensure that POP3 messages read from mail.ngo.org will be
148 encrypted but all other traffic to/from mail.ngo.org will be in clear
149 text.
150
151 ipsec eroute --add --eraf inet --src company.com/24 \
152 --dst mail.ngo.org/32 --said %pass
153
155 /proc/net/ipsec_eroute, /usr/local/bin/ipsec
156
158 ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8), ipsec_spi‐
159 grp(8), ipsec_klipsdebug(8), ipsec_eroute(5)
160
162 Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
163 Richard Guy Briggs.
164
165
166
167 21 Jun 2000 IPSEC_EROUTE(8)