IPSEC_SPIGRP(8)                                                IPSEC_SPIGRP(8)

NAME
ipsec spigrp - group/ungroup IPSEC Security Associations

SYNOPSIS
ipsec spigrp
ipsec spigrp [--label label] af1 dst1 spi1 proto1
             [af2 dst2 spi2 proto2 [af3 dst3 spi3 proto3 [af4 dst4 spi4 proto4]]]
ipsec spigrp [--label label] --said SA1 [SA2 [SA3 [SA4]]]
ipsec spigrp --help
ipsec spigrp --version

Note that spigrp is only supported on the classic KLIPS stack. It is not
supported on any other stack and will be completely removed in future
versions. A replacement command still needs to be designed.

DESCRIPTION
Spigrp groups IPSEC Security Associations (SAs) together or ungroups
previously grouped SAs. An entry in the IPSEC extended routing table can
only point (via a destination address, a Security Parameters Index (SPI)
and a protocol identifier) to one SA. If more than one transform must be
applied to a given type of packet, this can be accomplished by setting up
several SAs with the same destination address but potentially different
SPIs and protocols, and grouping them with spigrp.

The SAs to be grouped, specified by destination address (DNS name lookup,
IPv4 dotted quad or IPv6 coloned hex), SPI ('0x'-prefixed hexadecimal
number) and protocol ("ah", "esp", "comp" or "tun"), are listed from the
inside transform to the outside; in other words, the transforms are
applied in the order of the command line and removed in the reverse
order. The resulting SA group is referred to by its first SA (by af1,
dst1, spi1 and proto1).

The --said option indicates that the SA IDs are to be specified as one
argument each, in the format <proto><af><spi>@<dest>. The SA IDs must all
be specified as separate parameters without the --said option or all as
monolithic parameters after the --said option.

The SAs must already exist and must not already be part of a group.

If spigrp is invoked with only one SA specification, it ungroups the
previously-grouped set of SAs containing the SA specified.

The --label option identifies all responses from that command invocation
with a user-supplied label, provided as an argument to the label option.
This can be helpful for debugging one invocation of the command out of a
large number.

The command form with no additional arguments lists the contents of
/proc/net/ipsec_spigrp. The format of /proc/net/ipsec_spigrp is discussed
in ipsec_spigrp(5).

EXAMPLES
ipsec spigrp inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah
    groups 3 SAs together, all destined for gw2, but with an
    IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
    header to encrypt the packet with SPI 0x115, and finally an AH
    header to authenticate the packet with SPI 0x116.

ipsec spigrp --said tun.113@gw2 esp.115@gw2 ah.116@gw2
    groups 3 SAs together, all destined for gw2, but with an
    IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
    header to encrypt the packet with SPI 0x115, and finally an AH
    header to authenticate the packet with SPI 0x116.

ipsec spigrp --said tun:233@3049:1::1 esp:235@3049:1::1 ah:236@3049:1::1
    groups 3 SAs together, all destined for 3049:1::1, but with an
    IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
    header to encrypt the packet with SPI 0x235, and finally an AH
    header to authenticate the packet with SPI 0x236.

ipsec spigrp inet6 3049:1::1 0x233 tun inet6 3049:1::1 0x235 esp inet6 3049:1::1 0x236 ah
    groups 3 SAs together, all destined for 3049:1::1, but with an
    IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
    header to encrypt the packet with SPI 0x235, and finally an AH
    header to authenticate the packet with SPI 0x236.
96
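The --said syntax and the grouping rules described above, worked through as an added Python example that is not part of this man page or of the KLIPS tools. It assumes, from the EXAMPLES, that '.' between protocol and SPI marks an inet destination and ':' marks inet6; the shared-destination check follows the DESCRIPTION.

```python
import re
from dataclasses import dataclass

# Protocols accepted by spigrp, as listed in the DESCRIPTION.
PROTOCOLS = ("ah", "esp", "comp", "tun")
# Address-family marker in the --said form (assumption inferred from the
# EXAMPLES): '.' precedes an inet destination, ':' an inet6 destination.
AF_MARKERS = {".": "inet", ":": "inet6"}
MAX_GROUP = 4  # hard limit stated under BUGS

# <proto><af><spi>@<dest>; the SPI is bare hex here, unlike the 0x form.
SAID_RE = re.compile(r"^(ah|esp|comp|tun)([.:])([0-9a-fA-F]+)@(.+)$")


@dataclass(frozen=True)
class SAID:
    proto: str
    af: str
    spi: int
    dst: str


def parse_said(text: str) -> SAID:
    """Parse one monolithic --said argument such as 'tun.113@gw2'."""
    m = SAID_RE.match(text)
    if not m:
        raise ValueError(f"malformed SA id: {text!r}")
    proto, marker, spi_hex, dst = m.groups()
    return SAID(proto, AF_MARKERS[marker], int(spi_hex, 16), dst)


def to_positional(sa: SAID) -> list:
    """Render an SA id in the four-argument 'af dst spi proto' form."""
    return [sa.af, sa.dst, f"0x{sa.spi:x}", sa.proto]


def plan_group(args: list) -> dict:
    """Classify an invocation: one SA id ungroups, two to four group."""
    sas = [parse_said(a) for a in args]
    if not sas or len(sas) > MAX_GROUP:
        raise ValueError(f"spigrp takes 1 to {MAX_GROUP} SA ids, got {len(sas)}")
    if len(set(sas)) != len(sas):
        raise ValueError("duplicate SA id in group")
    if len({(sa.af, sa.dst) for sa in sas}) != 1:
        raise ValueError("grouped SAs must share address family and destination")
    return {
        "action": "ungroup" if len(sas) == 1 else "group",
        "apply_order": [f"{sa.proto}/0x{sa.spi:x}" for sa in sas],  # inside to outside
        "remove_order": [f"{sa.proto}/0x{sa.spi:x}" for sa in reversed(sas)],
        "group_id": to_positional(sas[0]),  # the group is named by its first SA
    }
```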
FILES
/proc/net/ipsec_spigrp, /usr/local/bin/ipsec

SEE ALSO
ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8),
ipsec_spi(8), ipsec_klipsdebug(8), ipsec_spigrp(5)

HISTORY
Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
Richard Guy Briggs.

BUGS
Yes, it really is limited to a maximum of four SAs, although admittedly
it's hard to see why you would need more.
