NAME
ipsec_spigrp - list IPSEC Security Association groupings
SYNOPSIS
ipsec spigrp
cat /proc/net/ipsec_spigrp
OBSOLETE
Note that spigrp is only supported on the classic KLIPS stack. It is
not supported on any other stack and will be completely removed in
future versions. A replacement command still needs to be designed.
DESCRIPTION
/proc/net/ipsec_spigrp is a read-only file that lists groups of IPSEC
Security Associations (SAs).
An entry in the IPSEC extended routing table can only point (via an
SAID) to one SA. If more than one transform must be applied to a given
type of packet, this can be accomplished by setting up several SAs with
the same destination address but potentially different SPIs and
protocols, and grouping them with ipsec_spigrp(8).
The SA groups are listed, one line per connection/group, as a sequence
of SAs to be applied (or that should have been applied, in the case of
an incoming packet) from inside to outside the packet. An SA is
identified by its SAID, which consists of protocol ("ah", "esp", "comp"
or "tun"), SPI (a hexadecimal number prefixed with '.' for IPv4 or ':'
for IPv6) and destination address (IPv4 dotted quad or IPv6 coloned hex)
prefixed by '@', in the format <proto><af><spi>@<dest>.
EXAMPLES
tun.3d0@192.168.2.110 comp.3d0@192.168.2.110 esp.187a101b@192.168.2.110 ah.187a101a@192.168.2.110
is a group of 3 SAs, destined for 192.168.2.110 with an IPv4-in-IPv4
tunnel SA applied first with an SPI of 3d0 in hexadecimal, followed by
a Deflate compression header to compress the packet with CPI of 3d0 in
hexadecimal, followed by an Encapsulating Security Payload header to
encrypt the packet with SPI 187a101b in hexadecimal, followed by an
Authentication Header to authenticate the packet with SPI 187a101a in
hexadecimal, applied from inside to outside the packet. This could be
an incoming or outgoing group, depending on the address of the local
machine.
tun:3d0@3049:1::2 comp:3d0@3049:1::2 esp:187a101b@3049:1::2 ah:187a101a@3049:1::2
is a group of 3 SAs, destined for 3049:1::2 with an IPv6-in-IPv6 tunnel
SA applied first with an SPI of 3d0 in hexadecimal, followed by a
Deflate compression header to compress the packet with CPI of 3d0 in
hexadecimal, followed by an Encapsulating Security Payload header to
encrypt the packet with SPI 187a101b in hexadecimal, followed by an
Authentication Header to authenticate the packet with SPI 187a101a in
hexadecimal, applied from inside to outside the packet. This could be
an incoming or outgoing group, depending on the address of the local
machine.
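The following parser is an added example, not part of the original manual page or the FreeS/WAN code. It reads group lines in the <proto><af><spi>@<dest> format described above, checks that the address-family marker matches the destination and that all SAs in a group share one destination, and reports whether each group contains an esp and an ah SA. The function names, the assumption that a line holds only whitespace-separated SAIDs, and the third sample line are constructed for illustration.

```python
import ipaddress
import re

# <proto><af><spi>@<dest>, as in DESCRIPTION: af is '.' (IPv4) or ':' (IPv6).
SAID_RE = re.compile(r"^(ah|esp|comp|tun)([.:])([0-9a-fA-F]+)@(\S+)$")
AF_VERSION = {".": 4, ":": 6}

def parse_said(text):
    """Parse one SAID into (proto, spi, dest); raise ValueError if malformed."""
    m = SAID_RE.match(text)
    if not m:
        raise ValueError(f"malformed SAID: {text!r}")
    proto, af, spi_hex, dest = m.groups()
    addr = ipaddress.ip_address(dest)  # raises ValueError on a bad address
    if addr.version != AF_VERSION[af]:
        raise ValueError(f"address family marker {af!r} does not match {dest}")
    return proto, int(spi_hex, 16), addr

def parse_group(line):
    """Parse one group line into a list of SAs, ordered inside to outside."""
    sas = [parse_said(tok) for tok in line.split()]
    if not sas:
        raise ValueError("empty group line")
    if len({sa[2] for sa in sas}) != 1:
        raise ValueError("SAs in a group must share one destination address")
    return sas

def audit(lines):
    """Return (dest, protos, has_esp, has_ah) for each non-empty group line."""
    report = []
    for line in lines:
        if not line.strip():
            continue
        sas = parse_group(line)
        protos = [sa[0] for sa in sas]
        report.append((str(sas[0][2]), protos, "esp" in protos, "ah" in protos))
    return report

# Constructed sample input: the two groups from EXAMPLES, plus a tunnel-only group.
SAMPLE = [
    "tun.3d0@192.168.2.110 comp.3d0@192.168.2.110 esp.187a101b@192.168.2.110 ah.187a101a@192.168.2.110",
    "tun:3d0@3049:1::2 comp:3d0@3049:1::2 esp:187a101b@3049:1::2 ah:187a101a@3049:1::2",
    "tun.3d1@192.168.2.111",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A group reported with neither esp nor ah, such as the constructed third line, applies no encryption or authentication transform and is worth reviewing.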
FILES
/proc/net/ipsec_spigrp, /usr/local/bin/ipsec
SEE ALSO
ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),
ipsec_spi(5), ipsec_klipsdebug(5), ipsec_spigrp(8), ipsec_version(5),
ipsec_pf_key(5)
HISTORY
Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
Richard Guy Briggs.
BUGS
:-)
02/25/2010