1IPSEC_SPIGRP(8)                                                IPSEC_SPIGRP(8)
2
3
4

NAME

6       ipsec spigrp - group/ungroup IPSEC Security Associations
7

SYNOPSIS

9       ipsec spigrp
10              ipsecspigrp [--label label] af1dst1spi1proto1
11             [af2dst2spi2proto2 [af3dst3spi3proto3 [af4dst4spi4proto4]]]
12              ipsecspigrp [--label label] --said SA1 [SA2 [SA3 [SA4]]]
13              ipsecspigrp --help
14              ipsecspigrp --version
15
16
17

OBSOLETE

19       Note that spi is only supported on the classic KLIPS stack. It  is  not
20       supported  on  any other stack and will be completely removed in future
21       versions. A replacement command still needs to be designed
22
23

DESCRIPTION

25       Spigrp groups IPSEC Security Associations (SAs)  together  or  ungroups
26       previously  grouped  SAs.  An entry in the IPSEC extended routing table
27       can only point (via a destination address, a Security Parameters  Index
28       (SPI)  and a protocol identifier) to one SA. If more than one transform
29       must be applied to a given type of packet, this can be accomplished  by
30       setting up several SAs with the same destination address but potential‐
31       ly different SPIs and protocols, and grouping them with spigrp.
32
33
34       The SAs to be grouped,  specified  by  destination  address  (DNS  name
35       lookup, IPv4 dotted quad or IPv6 coloned hex), SPI ('0x'-prefixed hexa‐
36       decimal number) and protocol ("ah", "esp", "comp" or "tun"), are listed
37       from  the  inside  transform to the outside; in other words, the trans‐
38       forms are applied in the order of the command line and removed  in  the
39       reverse  order.  The  resulting SA group is referred to by its first SA
40       (by af1, dst1, spi1 and proto1).
41
42
43       The --said option indicates that the SA IDs are to be specified as  one
44       argument  each,  in the format <proto><af><spi>@<dest>. The SA IDs must
45       all be specified as separate parameters without the  --said  option  or
46       all as monolithic parameters after the --said option.
47
48
49       The SAs must already exist and must not already be part of a group.
50
51
52       If  spigrp  is  invoked with only one SA specification, it ungroups the
53       previously-grouped set of SAs containing the SA specified.
54
55
56       The --label option identifies all responses from that  command  invoca‐
57       tion  with  a user-supplied label, provided as an argument to the label
58       option. This can be helpful for debugging one invocation of the command
59       out of a large number.
60
61
62       The  command  form  with  no additional arguments lists the contents of
63       /proc/net/ipsec_spigrp. The format of  /proc/net/ipsec_spigrp  is  dis‐
64       cussed in ipsec_spigrp(5).
65
66

EXAMPLES

68       ipsec spigrp inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah
69              groups  3  SAs  together,  all  destined  for  gw2,  but with an
70              IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
71              header  to  encrypt the packet with SPI 0x115, and finally an AH
72              header to authenticate the packet with SPI 0x116.
73
74
75       ipsec spigrp --said tun.113@gw2 esp.115@gw2 ah.116@gw2
76              groups 3 SAs  together,  all  destined  for  gw2,  but  with  an
77              IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
78              header to encrypt the packet with SPI 0x115, and finally  an  AH
79              header to authenticate the packet with SPI 0x116.
80
81
82       ipsec     spigrp     --said     tun:233@3049:1::1     esp:235@3049:1::1
83       ah:236@3049:1::1
84              groups 3 SAs together, all destined for 3049:1::1, but  with  an
85              IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
86              header to encrypt the packet with SPI 0x235, and finally  an  AH
87              header to authenticate the packet with SPI 0x236.
88
89
90       ipsec  spigrp inet6 3049:1::1 0x233 tun inet6 3049:1::1 0x235 esp inet6
91       3049:1::1 0x236 ah
92              groups 3 SAs together, all destined for 3049:1::1, but  with  an
93              IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
94              header to encrypt the packet with SPI 0x235, and finally  an  AH
95              header to authenticate the packet with SPI 0x236.
96
97

FILES

99       /proc/net/ipsec_spigrp, /usr/local/bin/ipsec
100
101

SEE ALSO

103       ipsec(8),     ipsec_manual(8),     ipsec_tncfg(8),     ipsec_eroute(8),
104       ipsec_spi(8), ipsec_klipsdebug(8), ipsec_spigrp(5)
105
106

HISTORY

108       Written for  the  Linux  FreeS/WAN  project  <http://www.freeswan.org/:
109       http://www.freeswan.org/> by Richard Guy Briggs.
110
111

BUGS

113       Yes, it really is limited to a maximum of four SAs, although admittedly
114       it's hard to see why you would need more.
115
116
117
118
119                                                               IPSEC_SPIGRP(8)
Impressum