Man Linux: Main Page and Category List

NAME

       ipsec_eroute - manipulate IPSEC extended routing tables

SYNOPSIS

       ipsec eroute --add --eraf (inet | inet6) --src src/srcmaskbits|srcmask
                    --dst dst/dstmaskbits|dstmask [[--transport-proto
                    transport-protocol]] [--src-port source-port] [--dst-port
                    dest-port] [<SAID>]

       ipsec eroute --replace --eraf (inet | inet6) --src
                    src/srcmaskbits|srcmask --dst dst/dstmaskbits|dstmask
                    [[--transport-proto transport-protocol]] [--src-port
                    source-port] [--dst-port dest-port] [<SAID>]

       ipsec eroute --del--del--eraf (inet | inet6)
                    --srcsrc/srcmaskbits|srcmask--dstdst/dstmaskbits|dstmask
                    [[--transport-proto transport-protocol]] [--src-port
                    source-port] [--dst-port dest-port] [<SAID>]

       ipsec eroute --clear

       ipsec eroute --help

       ipsec eroute --version

SAID DESCRIPTION

       Where <SAID> is --af (inet | inet6) --edst edst --spi spi --proto proto
       OR --said said OR --said (%passthrough | %passthrough4 | %passthrough6
       | %drop | %reject | %trap | %hold | %pass )

DESCRIPTION

       Eroute manages the IPSEC extended routing tables, which control what
       (if any) processing is applied to non-encrypted packets arriving for
       IPSEC processing and forwarding. The form with no additional arguments
       lists the contents of /proc/net/ipsec_eroute. The --add form adds a
       table entry, the --replace form replaces a table entry, while the --del
       form deletes one. The --clear form deletes the entire table.

       A table entry consists of:

       +
           source and destination addresses, with masks, source and
           destination ports and protocol for selection of packets. The source
           and destination ports are only legal if the transport protocol is
           TCP or UDP.  A port can be specified as either decimal, hexadecimal
           (leading 0x), octal (leading 0) or a name listed in the first
           column of /etc/services. A transport protocol can be specified as
           either decimal, hexadecimal (leading 0x), octal (leading 0) or a
           name listed in the first column of /etc/protocols. If a transport
           protocol or port is not specified then it defaults to 0 which means
           all protocols or all ports respectively.

       +
           Security Association IDentifier, comprised of:

       +
           protocol (proto), indicating (together with the effective
           destination and the security parameters index) which Security
           Association should be used to process the packet

       +
           address family (af),

       +
           Security Parameters Index (spi), indicating (together with the
           effective destination and protocol) which Security Association
           should be used to process the packet (must be larger than or equal
           to 0x100)

       +
           effective destination (edst), where the packet should be forwarded
           after processing (normally the other security gateway)

       +
           OR

       +
           SAID (said), indicating which Security Association should be used
           to process the packet

       Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
       protocol is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
       hexadecimal numbers where ´.´ represents IPv4 and ´:´ stands for IPv6.

       SAIDs are written as "protoafSPI@address". There are also 5 "magic"
       SAIDs which have special meaning:

       +
           %drop means that matches are to be dropped

       +
           %reject means that matches are to be dropped and an ICMP returned,
           if possible to inform

       +
           %trap means that matches are to trigger an ACQUIRE message to the
           Key Management daemon(s) and a hold eroute will be put in place to
           prevent subsequent packets also triggering ACQUIRE messages.

       +
           %hold means that matches are to stored until the eroute is replaced
           or until that eroute gets reaped

       +
           %pass means that matches are to allowed to pass without IPSEC
           processing

       The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).

EXAMPLES

       ipsec eroute --add --eraf inet --src 192.168.0.1/32 \

        --dst 192.168.2.0/24 --af inet --edst 192.168.0.2 \

        --spi 0x135 --proto tun

       sets up an eroute on a Security Gateway to protect traffic between the
       host 192.168.0.1 and the subnet 192.168.2.0 with 24 bits of subnet mask
       via Security Gateway 192.168.0.2 using the Security Association with
       address 192.168.0.2, Security Parameters Index 0x135 and protocol tun
       (50, IPPROTO_ESP).

       ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \

        --dst 3049:2::/64 --af inet6 --edst 3049:1::2 \

        --spi 0x145 --proto tun

       sets up an eroute on a Security Gateway to protect traffic between the
       host 3049:1::1 and the subnet 3049:2:: with 64 bits of subnet mask via
       Security Gateway 3049:1::2 using the Security Association with address
       3049:1::2, Security Parameters Index 0x145 and protocol tun (50,
       IPPROTO_ESP).

       ipsec eroute --replace --eraf inet --src company.com/24 \

        --dst ftp.ngo.org/32 --said tun.135@gw.ngo.org

       replaces an eroute on a Security Gateway to protect traffic between the
       subnet company.com with 24 bits of subnet mask and the host ftp.ngo.org
       via Security Gateway gw.ngo.org using the Security Association with
       Security Association ID tun0x135@gw.ngo.org

       ipsec eroute --del --eraf inet --src company.com/24 \

        --dst www.ietf.org/32 --said %passthrough4

       deletes an eroute on a Security Gateway that allowed traffic between
       the subnet company.com with 24 bits of subnet mask and the host
       www.ietf.org to pass in the clear, unprocessed.

       ipsec eroute --add --eraf inet --src company.com/24 \

        --dst mail.ngo.org/32 --transport-proto 6 \

        --dst-port 110 --said tun.135@mail.ngo.org

       sets up an eroute on on a Security Gateway to protect only TCP traffic
       on port 110 (pop3) between the subnet company.com with 24 bits of
       subnet mask and the host ftp.ngo.org via Security Gateway mail.ngo.org
       using the Security Association with Security Association ID
       tun0x135@mail.ngo.org.  Note that any other traffic bound for
       mail.ngo.org that is routed via the ipsec device will be dropped. If
       you wish to allow other traffic to pass through then you must add a
       %pass rule. For example the following rule when combined with the above
       will ensure that POP3 messages read from mail.ngo.org will be encrypted
       but all other traffic to/from mail.ngo.org will be in clear text.

       ipsec eroute --add --eraf inet --src company.com/24 \

        --dst mail.ngo.org/32 --said %pass

FILES

       /proc/net/ipsec_eroute, /usr/local/bin/ipsec

SEE ALSO

       ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8),
       ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_eroute(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
       Richard Guy Briggs.

[FIXME: source]                  03 April 2007