- import of strongswan-2.7.0

[thirdparty/strongswan.git] / doc / manpage.d / ipsec_eroute.8.html

Content-type: text/html

<HTML><HEAD><TITLE>Manpage of IPSEC_EROUTE</TITLE>
</HEAD><BODY>
<H1>IPSEC_EROUTE</H1>
Section: Maintenance Commands (8)<BR>Updated: 21 Jun 2000<BR><A HREF="#index">Index</A>
<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR>




<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

ipsec eroute - manipulate IPSEC extended routing tables
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>ipsec</B>

<B>eroute</B>

<P>

<B>ipsec</B>

<B>eroute</B>

<B>--add</B>

<B>--eraf (inet | inet6)</B>

<B>--src</B>

src/srcmaskbits|srcmask
<B>--dst</B>

dst/dstmaskbits|dstmask
&lt;SAID&gt;
<P>

<B>ipsec</B>

<B>eroute</B>

<B>--replace</B>

<B>--eraf (inet | inet6)</B>

<B>--src</B>

src/srcmaskbits|srcmask
<B>--dst</B>

dst/dstmaskbits|dstmask
&lt;SAID&gt;
<P>

<B>ipsec</B>

<B>eroute</B>

<B>--del</B>

<B>--eraf (inet | inet6)</B>

<B>--src</B>

src/srcmaskbits|srcmask
<B>--dst</B>

dst/dstmaskbits|dstmask
<P>

<B>ipsec</B>

<B>eroute</B>

<B>--clear</B>

<P>

<B>ipsec</B>

<B>eroute</B>

<B>--help</B>

<P>

<B>ipsec</B>

<B>eroute</B>

<B>--version</B>

<P>

Where &lt;SAID&gt; is
<B>--af</B>

(inet | inet6)
<B>--edst</B>

edst
<B>--spi</B>

spi
<B>--proto</B>

proto
OR
<B>--said</B>

said
OR
<B>--said</B>

<B>(%passthrough | %passthrough4 | %passthrough6)</B>

<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<I>Eroute</I>

manages the IPSEC extended routing tables,
which control what (if any) processing is applied
to non-encrypted packets arriving for IPSEC processing and forwarding.
The form with no additional arguments lists the contents of
/proc/net/ipsec_eroute.
The
<B>--add</B>

form adds a table entry, the
<B>--replace</B>

form replaces a table entry, while the
<B>--del</B>

form deletes one.  The
<B>--clear</B>

form deletes the entire table.
<P>

A table entry consists of:
<DL COMPACT>
<DT>+<DD>
source and destination addresses,
with masks,
for selection of packets
<DT>+<DD>
Security Association IDentifier, comprised of:
<DT>+<DD>
protocol
(<I>proto</I>), indicating (together with the
effective destination and the security parameters index)
which Security Association should be used to process the packet
<DT>+<DD>
address family
(<I>af</I>),
<DT>+<DD>
Security Parameters Index
(<I>spi</I>), indicating (together with the
effective destination and protocol)
which Security Association should be used to process the packet
(must be larger than or equal to 0x100)
<DT>+<DD>
effective destination
(<I>edst</I>),
where the packet should be forwarded after processing
(normally the other security gateway)
<DT>+<DD>
OR
<DT>+<DD>
SAID
(<I>said</I>), indicating 
which Security Association should be used to process the packet
</DL>
<P>

Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
protocol is one of &quot;ah&quot;, &quot;esp&quot;, &quot;comp&quot; or &quot;tun&quot; and SPIs are
prefixed hexadecimal numbers where '.' represents IPv4 and ':'
stands for IPv6.
<P>

SAIDs are written as &quot;<A HREF="mailto:protoafSPI@address">protoafSPI@address</A>&quot;.  There are also 5
&quot;magic&quot; SAIDs which have special meaning:
<DL COMPACT>
<DT>+<DD>
<B>%drop</B>

means that matches are to be dropped
<DT>+<DD>
<B>%reject</B>

means that matches are to be dropped and an ICMP returned, if
possible to inform
<DT>+<DD>
<B>%trap</B>

means that matches are to trigger an ACQUIRE message to the Key
Management daemon(s) and a hold eroute will be put in place to
prevent subsequent packets also triggering ACQUIRE messages.
<DT>+<DD>
<B>%hold</B>

means that matches are to stored until the eroute is replaced or
until that eroute gets reaped
<DT>+<DD>
<B>%pass</B>

means that matches are to allowed to pass without IPSEC processing
</DL>
<P>

The format of /proc/net/ipsec_eroute is listed in <A HREF="ipsec_eroute.5.html">ipsec_eroute</A>(5).
<BR>


<A NAME="lbAE">&nbsp;</A>
<H2>EXAMPLES</H2>

<P>

<B>ipsec eroute --add --eraf inet --src 192.168.0.1/32 \</B>

<BR>

<B>   --dst 192.168.2.0/24 --af inet --edst 192.168.0.2 \</B>

<BR>

<B>   --spi 0x135 --proto tun</B>

<P>

sets up an
<B>eroute</B>

on a Security Gateway to protect traffic between the host
<B>192.168.0.1</B>

and the subnet
<B>192.168.2.0</B>

with
<B>24</B>

bits of subnet mask via Security Gateway
<B>192.168.0.2</B>

using the Security Association with address
<B>192.168.0.2</B>,

Security Parameters Index
<B>0x135</B>

and protocol
<B>tun</B>

(50, IPPROTO_ESP).
<P>

<B>ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \</B>

<BR>

<B>   --dst 3049:2::/64 --af inet6 --edst 3049:1::2 \</B>

<BR>

<B>   --spi 0x145 --proto tun</B>

<P>

sets up an
<B>eroute</B>

on a Security Gateway to protect traffic between the host
<B>3049:1::1</B>

and the subnet
<B>3049:2::</B>

with
<B>64</B>

bits of subnet mask via Security Gateway
<B>3049:1::2</B>

using the Security Association with address
<B>3049:1::2</B>,

Security Parameters Index
<B>0x145</B>

and protocol
<B>tun</B>

(50, IPPROTO_ESP).
<P>

<B>ipsec eroute --replace --eraf inet --src company.com/24 \</B>

<BR>

<B>   --dst <A HREF="ftp://ftp.ngo.org">ftp.ngo.org</A>/32 --said <A HREF="mailto:tun.135@gw.ngo.org">tun.135@gw.ngo.org</A></B>

<P>

replaces an
<B>eroute</B>

on a Security Gateway to protect traffic between the subnet
<B>company.com</B>

with
<B>24</B>

bits of subnet mask and the host
<B><A HREF="ftp://ftp.ngo.org">ftp.ngo.org</A></B>

via Security Gateway
<B>gw.ngo.org</B>

using the Security Association with Security Association ID
<B><A HREF="mailto:tun0x135@gw.ngo.org">tun0x135@gw.ngo.org</A></B>

<P>

<B>ipsec eroute --del --eraf inet --src company.com/24 \</B>

<BR>

<B>   --dst <A HREF="http://www.ietf.org">www.ietf.org</A>/32 --said %passthrough4</B>

<P>

deletes an
<B>eroute</B>

on a Security Gateway that allowed traffic between the subnet
<B>company.com</B>

with
<B>24</B>

bits of subnet mask and the host
<B><A HREF="http://www.ietf.org">www.ietf.org</A></B>

to pass in the clear, unprocessed.
<A NAME="lbAF">&nbsp;</A>
<H2>FILES</H2>

/proc/net/ipsec_eroute, /usr/local/bin/ipsec
<A NAME="lbAG">&nbsp;</A>
<H2>SEE ALSO</H2>

<A HREF="ipsec.8.html">ipsec</A>(8), <A HREF="ipsec_manual.8.html">ipsec_manual</A>(8), <A HREF="ipsec_tncfg.8.html">ipsec_tncfg</A>(8), <A HREF="ipsec_spi.8.html">ipsec_spi</A>(8),
<A HREF="ipsec_spigrp.8.html">ipsec_spigrp</A>(8), <A HREF="ipsec_klipsdebug.8.html">ipsec_klipsdebug</A>(8), <A HREF="ipsec_eroute.5.html">ipsec_eroute</A>(5)
<A NAME="lbAH">&nbsp;</A>
<H2>HISTORY</H2>

Written for the Linux FreeS/WAN project
&lt;<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>&gt;
by Richard Guy Briggs.

































<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">EXAMPLES</A><DD>
<DT><A HREF="#lbAF">FILES</A><DD>
<DT><A HREF="#lbAG">SEE ALSO</A><DD>
<DT><A HREF="#lbAH">HISTORY</A><DD>
</DL>
<HR>
This document was created by
<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 21:40:17 GMT, November 11, 2003
</BODY>
</HTML>