<HTML><HEAD><TITLE>Manpage of IPSEC_EROUTE</TITLE>
</HEAD><BODY>
<H1>IPSEC_EROUTE</H1>
Section: Maintenance Commands (8)<BR>Updated: 21 Jun 2000<BR><A HREF="#index">Index</A>
<HR>
<A NAME="lbAB"> </A>
<H2>NAME</H2>

ipsec eroute - manipulate IPSEC extended routing tables
<A NAME="lbAC"> </A>
<H2>SYNOPSIS</H2>

<B>ipsec</B> <B>eroute</B>
<P>
<B>ipsec</B> <B>eroute</B> <B>--add</B> <B>--eraf (inet | inet6)</B><BR>
<B>--src</B> src/srcmaskbits|srcmask <B>--dst</B> dst/dstmaskbits|dstmask<BR>
&lt;SAID&gt;
<P>
<B>ipsec</B> <B>eroute</B> <B>--replace</B> <B>--eraf (inet | inet6)</B><BR>
<B>--src</B> src/srcmaskbits|srcmask <B>--dst</B> dst/dstmaskbits|dstmask<BR>
&lt;SAID&gt;
<P>
<B>ipsec</B> <B>eroute</B> <B>--del</B> <B>--eraf (inet | inet6)</B><BR>
<B>--src</B> src/srcmaskbits|srcmask <B>--dst</B> dst/dstmaskbits|dstmask
<P>
<B>ipsec</B> <B>eroute</B> <B>--clear</B>
<P>
<B>ipsec</B> <B>eroute</B> <B>--help</B>
<P>
<B>ipsec</B> <B>eroute</B> <B>--version</B>
<P>
Where &lt;SAID&gt; is<BR>
<B>--af</B> (inet | inet6) <B>--edst</B> edst <B>--spi</B> spi <B>--proto</B> proto<BR>
OR<BR>
<B>--said</B> said<BR>
OR<BR>
<B>--said</B> <B>(%passthrough | %passthrough4 | %passthrough6)</B>
<A NAME="lbAD"> </A>
<H2>DESCRIPTION</H2>

<I>Eroute</I>
manages the IPSEC extended routing tables,
which control what (if any) processing is applied
to non-encrypted packets arriving for IPSEC processing and forwarding.
The form with no additional arguments lists the contents of
/proc/net/ipsec_eroute.
The <B>--add</B> form adds a table entry, the <B>--replace</B> form
replaces a table entry, while the <B>--del</B> form deletes one.
The <B>--clear</B> form deletes the entire table.
<P>
A table entry consists of:
<DL COMPACT>
<DT>+<DD>
source and destination addresses,
with masks,
for selection of packets
<DT>+<DD>
Security Association IDentifier, comprised of:
<DL COMPACT>
<DT>+<DD>
protocol
(<I>proto</I>), indicating (together with the
effective destination and the security parameters index)
which Security Association should be used to process the packet
<DT>+<DD>
address family
(<I>af</I>)
<DT>+<DD>
Security Parameters Index
(<I>spi</I>), indicating (together with the
effective destination and protocol)
which Security Association should be used to process the packet
(must be larger than or equal to 0x100)
<DT>+<DD>
effective destination
(<I>edst</I>),
where the packet should be forwarded after processing
(normally the other security gateway)
</DL>
OR
<DL COMPACT>
<DT>+<DD>
SAID
(<I>said</I>), indicating
which Security Association should be used to process the packet
</DL>
</DL>
<P>
Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
protocol is one of "ah", "esp", "comp" or "tun", and SPIs are
hexadecimal numbers prefixed with an address-family character,
where '.' represents IPv4 and ':' stands for IPv6.
<P>
SAIDs are written as "protoafSPI@address". There are also 5
"magic" SAIDs which have special meaning:
<DL COMPACT>
<DT>+<DD>
<B>%drop</B>
means that matches are to be dropped
<DT>+<DD>
<B>%reject</B>
means that matches are to be dropped and an ICMP message returned, if
possible, to inform the sender
<DT>+<DD>
<B>%trap</B>
means that matches are to trigger an ACQUIRE message to the Key
Management daemon(s) and a hold eroute will be put in place to
prevent subsequent packets also triggering ACQUIRE messages.
<DT>+<DD>
<B>%hold</B>
means that matches are to be stored until the eroute is replaced or
until that eroute gets reaped
<DT>+<DD>
<B>%pass</B>
means that matches are to be allowed to pass without IPSEC processing
</DL>
<P>
The format of /proc/net/ipsec_eroute is listed in <A HREF="ipsec_eroute.5.html">ipsec_eroute</A>(5).
<BR>
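The SAID syntax above (protocol, an address-family character, a hexadecimal SPI of at least 0x100, and the effective destination) is easy to get wrong by hand. The following validator is an added example, not part of the FreeS/WAN tools; it assumes the SPI may be written with or without a <CODE>0x</CODE> prefix (both spellings appear in the EXAMPLES below), that the af character may be omitted when the address itself fixes the family, and that only literal addresses (no hostnames) are accepted.

```python
import ipaddress
import re

PROTOS = ("ah", "esp", "comp", "tun")
# The five magic SAIDs from the DESCRIPTION plus the %passthrough forms in SYNOPSIS
MAGIC = ("%drop", "%reject", "%trap", "%hold", "%pass",
         "%passthrough", "%passthrough4", "%passthrough6")
MIN_SPI = 0x100  # the page requires spi >= 0x100
# proto, optional af char ('.' IPv4, ':' IPv6), hex SPI (0x prefix optional), address
_SAID_RE = re.compile(r"^([a-z]+)([.:]?)(?:0x)?([0-9a-fA-F]+)@(.+)$")


def parse_said(text):
    """Return {'magic': name} or {proto, af, spi, edst}; raise ValueError if bad."""
    if text.startswith("%"):
        if text not in MAGIC:
            raise ValueError("unknown magic SAID: %s" % text)
        return {"magic": text}
    m = _SAID_RE.match(text)
    if not m:
        raise ValueError("malformed SAID: %s" % text)
    proto, afsep, spi_hex, addr_text = m.groups()
    if proto not in PROTOS:
        raise ValueError("unknown protocol: %s" % proto)
    spi = int(spi_hex, 16)
    if spi < MIN_SPI:
        raise ValueError("SPI 0x%x is below the 0x100 minimum" % spi)
    edst = ipaddress.ip_address(addr_text)  # assumption: literal address only
    if afsep and edst.version != (4 if afsep == "." else 6):
        raise ValueError("address %s does not match af char %r" % (addr_text, afsep))
    return {"proto": proto, "af": "inet" if edst.version == 4 else "inet6",
            "spi": spi, "edst": str(edst)}


def said_is_valid(text):
    """True if parse_said accepts the text, False otherwise."""
    try:
        parse_said(text)
    except ValueError:
        return False
    return True
```

A SAID with an SPI below 0x100, a mismatched family character, or an unknown magic name is rejected before it ever reaches the kernel table.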
<A NAME="lbAE"> </A>
<H2>EXAMPLES</H2>

<P>
<B>ipsec eroute --add --eraf inet --src 192.168.0.1/32 \</B>
<BR>
<B> --dst 192.168.2.0/24 --af inet --edst 192.168.0.2 \</B>
<BR>
<B> --spi 0x135 --proto tun</B>
<P>
sets up an <B>eroute</B> on a Security Gateway to protect traffic between the host
<B>192.168.0.1</B> and the subnet <B>192.168.2.0</B> with <B>24</B> bits of subnet mask
via Security Gateway <B>192.168.0.2</B> using the Security Association with address
<B>192.168.0.2</B>, Security Parameters Index <B>0x135</B> and protocol <B>tun</B>
(50, IPPROTO_ESP).
<P>
<B>ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \</B>
<BR>
<B> --dst 3049:2::/64 --af inet6 --edst 3049:1::2 \</B>
<BR>
<B> --spi 0x145 --proto tun</B>
<P>
sets up an <B>eroute</B> on a Security Gateway to protect traffic between the host
<B>3049:1::1</B> and the subnet <B>3049:2::</B> with <B>64</B> bits of subnet mask
via Security Gateway <B>3049:1::2</B> using the Security Association with address
<B>3049:1::2</B>, Security Parameters Index <B>0x145</B> and protocol <B>tun</B>
(50, IPPROTO_ESP).
<P>
<B>ipsec eroute --replace --eraf inet --src company.com/24 \</B>
<BR>
<B> --dst ftp.ngo.org/32 --said tun.135@gw.ngo.org</B>
<P>
replaces an <B>eroute</B> on a Security Gateway to protect traffic between the subnet
<B>company.com</B> with <B>24</B> bits of subnet mask and the host <B>ftp.ngo.org</B>
via Security Gateway <B>gw.ngo.org</B> using the Security Association with
Security Association ID <B>tun0x135@gw.ngo.org</B>.
<P>
<B>ipsec eroute --del --eraf inet --src company.com/24 \</B>
<BR>
<B> --dst www.ietf.org/32 --said %passthrough4</B>
<P>
deletes an <B>eroute</B> on a Security Gateway that allowed traffic between the subnet
<B>company.com</B> with <B>24</B> bits of subnet mask and the host <B>www.ietf.org</B>
to pass in the clear, unprocessed.
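To make the add/replace/del semantics and the packet selection concrete, here is an added model of the eroute table (example code, not the FreeS/WAN implementation). It keys entries on the (src, dst) selector pair as the commands above do; the rule that the most specific matching entry wins when several selectors overlap, and the rule that <CODE>--add</CODE> refuses an existing selector, are assumptions of the model, not statements from this page. The <CODE>%drop</CODE> catch-all in <CODE>example_table</CODE> is constructed for the demonstration.

```python
import ipaddress


class ErouteTable:
    def __init__(self):
        self._entries = {}  # (src_net, dst_net) -> SAID text

    @staticmethod
    def _key(eraf, src, dst):
        # --eraf names the selector family; both prefixes must belong to it
        src_net = ipaddress.ip_network(src, strict=False)
        dst_net = ipaddress.ip_network(dst, strict=False)
        want = 4 if eraf == "inet" else 6
        if src_net.version != want or dst_net.version != want:
            raise ValueError("selector family does not match --eraf %s" % eraf)
        return (src_net, dst_net)

    def add(self, eraf, src, dst, said):
        key = self._key(eraf, src, dst)
        if key in self._entries:  # assumption: --add never silently overwrites
            raise KeyError("eroute already exists; use replace")
        self._entries[key] = said

    def replace(self, eraf, src, dst, said):
        self._entries[self._key(eraf, src, dst)] = said

    def delete(self, eraf, src, dst):
        del self._entries[self._key(eraf, src, dst)]

    def clear(self):
        self._entries.clear()

    def lookup(self, src_ip, dst_ip):
        """Return the SAID selecting this packet, or None; most specific wins."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for (src_net, dst_net), said in self._entries.items():
            if s in src_net and d in dst_net:
                specificity = src_net.prefixlen + dst_net.prefixlen
                if specificity > best_len:
                    best, best_len = said, specificity
        return best


def example_table():
    """Table from the page's first example plus a constructed %drop catch-all."""
    t = ErouteTable()
    t.add("inet", "192.168.0.1/32", "192.168.2.0/24", "tun.135@192.168.0.2")
    t.add("inet", "192.168.0.1/32", "0.0.0.0/0", "%drop")
    return t
```

With the catch-all in place, traffic from the protected host that no tunnel selector covers is dropped rather than forwarded in the clear, which is the failure mode the <CODE>--del ... %passthrough4</CODE> example above is cleaning up.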
<A NAME="lbAF"> </A>
<H2>FILES</H2>

/proc/net/ipsec_eroute, /usr/local/bin/ipsec
<A NAME="lbAG"> </A>
<H2>SEE ALSO</H2>

<A HREF="ipsec.8.html">ipsec</A>(8), <A HREF="ipsec_manual.8.html">ipsec_manual</A>(8), <A HREF="ipsec_tncfg.8.html">ipsec_tncfg</A>(8), <A HREF="ipsec_spi.8.html">ipsec_spi</A>(8),
<A HREF="ipsec_spigrp.8.html">ipsec_spigrp</A>(8), <A HREF="ipsec_klipsdebug.8.html">ipsec_klipsdebug</A>(8), <A HREF="ipsec_eroute.5.html">ipsec_eroute</A>(5)
<A NAME="lbAH"> </A>
<H2>HISTORY</H2>

Written for the Linux FreeS/WAN project
&lt;<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>&gt;
by Richard Guy Briggs.
<P>
<HR>
<A NAME="index"> </A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">EXAMPLES</A><DD>
<DT><A HREF="#lbAF">FILES</A><DD>
<DT><A HREF="#lbAG">SEE ALSO</A><DD>
<DT><A HREF="#lbAH">HISTORY</A><DD>
</DL>
<HR>
This document was created by man2html,
using the manual pages.<BR>
Time: 21:40:17 GMT, November 11, 2003
</BODY>
</HTML>