diff options
Diffstat (limited to 'doc/manpage.d/ipsec_eroute.5.html')
| -rw-r--r-- | doc/manpage.d/ipsec_eroute.5.html | 370 |
1 files changed, 370 insertions, 0 deletions
diff --git a/doc/manpage.d/ipsec_eroute.5.html b/doc/manpage.d/ipsec_eroute.5.html new file mode 100644 index 000000000..158b57015 --- /dev/null +++ b/doc/manpage.d/ipsec_eroute.5.html @@ -0,0 +1,370 @@ +Content-type: text/html + +<HTML><HEAD><TITLE>Manpage of IPSEC_EROUTE</TITLE> +</HEAD><BODY> +<H1>IPSEC_EROUTE</H1> +Section: File Formats (5)<BR>Updated: 20 Sep 2001<BR><A HREF="#index">Index</A> +<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR> + + + + +<A NAME="lbAB"> </A> +<H2>NAME</H2> + +ipsec_eroute - list of existing eroutes +<A NAME="lbAC"> </A> +<H2>SYNOPSIS</H2> + +<B>ipsec</B> + +<B>eroute</B> + +<P> + +<B>cat</B> + +<B>/proc/net/ipsec_eroute</B> + +<A NAME="lbAD"> </A> +<H2>DESCRIPTION</H2> + +<I>/proc/net/ipsec_eroute</I> + +lists the IPSEC extended routing tables, +which control what (if any) processing is applied +to non-encrypted packets arriving for IPSEC processing and forwarding. +At this point it is a read-only file. +<P> + +A table entry consists of: +<DL COMPACT> +<DT>+<DD> +packet count, +<DT>+<DD> +source address with mask, +<DT>+<DD> +a '->' separator for visual and automated parsing between src and dst +<DT>+<DD> +destination address with mask +<DT>+<DD> +a '=>' separator for visual and automated parsing between selection +criteria and SAID to use +<DT>+<DD> +SAID (Security Association IDentifier), comprised of: +<DT>+<DD> +protocol +(<I>proto</I>), +<DT>+<DD> +address family +(<I>af</I>), +where '.' stands for IPv4 and ':' for IPv6 +<DT>+<DD> +Security Parameters Index +(<I>SPI</I>), +<DT>+<DD> +effective destination +(<I>edst</I>), +where the packet should be forwarded after processing +(normally the other security gateway) +together indicate which Security Association should be used to process +the packet, +<DT>+<DD> +source identity text string with no whitespace, in parens, +<DT>+<DD> +destination identity text string with no whitespace, in parens +</DL> +<P> + +Addresses are written as IPv4 dotted quads or IPv6 coloned hex, +protocol is one of "ah", "esp", "comp" or "tun" +and +SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6 +<P> + +SAIDs are written as "<A HREF="mailto:protoafSPI@edst">protoafSPI@edst</A>". There are also 5 +"magic" SAIDs which have special meaning: +<DL COMPACT> +<DT>+<DD> +<B>%drop</B> + +means that matches are to be dropped +<DT>+<DD> +<B>%reject</B> + +means that matches are to be dropped and an ICMP returned, if +possible to inform +<DT>+<DD> +<B>%trap</B> + +means that matches are to trigger an ACQUIRE message to the Key +Management daemon(s) and a hold eroute will be put in place to +prevent subsequent packets also triggering ACQUIRE messages. +<DT>+<DD> +<B>%hold</B> + +means that matches are to stored until the eroute is replaced or +until that eroute gets reaped +<DT>+<DD> +<B>%pass</B> + +means that matches are to allowed to pass without IPSEC processing +<BR> + + +</DL> +<A NAME="lbAE"> </A> +<H2>EXAMPLES</H2> + +<P> + +<B>1867 172.31.252.0/24 -> 0.0.0.0/0 => <A HREF="mailto:tun.130@192.168.43.1">tun.130@192.168.43.1</A> </B> + +<BR> + +<B> ()<TT> </TT>()</B> + +<P> + +means that 1,867 packets have been sent to an<BR> +<B>eroute</B> + +that has been set up to protect traffic between the subnet +<B>172.31.252.0</B> + +with a subnet mask of +<B>24</B> + +bits and the default address/mask represented by an address of +<B>0.0.0.0</B> + +with a subnet mask of +<B>0</B> + +bits using the local machine as a security gateway on this end of the +tunnel and the machine +<B>192.168.43.1</B> + +on the other end of the tunnel with a Security Association IDentifier of +<B><A HREF="mailto:tun0x130@192.168.43.1">tun0x130@192.168.43.1</A></B> + +which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a +Security Parameters Index of +<B>130</B> + +in hexadecimal with no identies defined for either end. +<P> + +<B>125 3049:1::/64 -> 0:0/0 => tun:<A HREF="mailto:130@3058">130@3058</A>:4::5<TT> </TT>()<TT> </TT>()</B> + +<P> + +means that 125 packets have been sent to an<BR> +<B>eroute</B> + +that has been set up to protect traffic between the subnet +<B>3049:1::</B> + +with a subnet mask of +<B>64</B> + +bits and the default address/mask represented by an address of +<B>0:0</B> + +with a subnet mask of +<B>0</B> + +bits using the local machine as a security gateway on this end of the +tunnel and the machine +<B>3058:4::5</B> + +on the other end of the tunnel with a Security Association IDentifier of +<B>tun:<A HREF="mailto:130@3058">130@3058</A>:4::5</B> + +which means that it is a tunnel mode connection with a +Security Parameters Index of +<B>130</B> + +in hexadecimal with no identies defined for either end. +<P> + +<B>42 192.168.6.0/24 -> 192.168.7.0/24 => %passthrough</B> + +<P> + +means that 42 packets have been sent to an +<B>eroute</B> + +that has been set up to pass the traffic from the subnet +<B>192.168.6.0</B> + +with a subnet mask of +<B>24</B> + +bits and to subnet +<B>192.168.7.0</B> + +with a subnet mask of +<B>24</B> + +bits without any IPSEC processing with no identies defined for either end. +<P> + +<B>2112 192.168.8.55/32 -> 192.168.9.47/24 => %hold<TT> </TT>(east)<TT> </TT>()</B> + +<P> + +means that 2112 packets have been sent to an<BR> +<B>eroute</B> + +that has been set up to hold the traffic from the host +<B>192.168.8.55</B> + +and to host +<B>192.168.9.47</B> + +until a key exchange from a Key Management daemon +succeeds and puts in an SA or fails and puts in a pass +or drop eroute depending on the default configuration with the local client +defined as "east" and no identy defined for the remote end. +<P> + +<B>2001 192.168.2.110/32 -> 192.168.2.120/32 => </B> + +<BR> + +<B> <A HREF="mailto:esp.e6de@192.168.2.120">esp.e6de@192.168.2.120</A><TT> </TT>()<TT> </TT>()</B> + +<P> + +means that 2001 packets have been sent to an<BR> +<B>eroute</B> + +that has been set up to protect traffic between the host +<B>192.168.2.110</B> + +and the host +<B>192.168.2.120</B> + +using +<B>192.168.2.110</B> + +as a security gateway on this end of the +connection and the machine +<B>192.168.2.120</B> + +on the other end of the connection with a Security Association IDentifier of +<B><A HREF="mailto:esp.e6de@192.168.2.120">esp.e6de@192.168.2.120</A></B> + +which means that it is a transport mode connection with a Security +Parameters Index of +<B>e6de</B> + +in hexadecimal using Encapsuation Security Payload protocol (50, +IPPROTO_ESP) with no identies defined for either end. +<P> + +<B>1984 3049:1::110/128 -> 3049:1::120/128 => </B> + +<BR> + +<B> ah:<A HREF="mailto:f5ed@3049">f5ed@3049</A>:1::120<TT> </TT>()<TT> </TT>()</B> + +<P> + +means that 1984 packets have been sent to an<BR> +<B>eroute</B> + +that has been set up to authenticate traffic between the host +<B>3049:1::110</B> + +and the host +<B>3049:1::120</B> + +using +<B>3049:1::110</B> + +as a security gateway on this end of the +connection and the machine +<B>3049:1::120</B> + +on the other end of the connection with a Security Association IDentifier of +<B>ah:<A HREF="mailto:f5ed@3049">f5ed@3049</A>:1::120</B> + +which means that it is a transport mode connection with a Security +Parameters Index of +<B>f5ed</B> + +in hexadecimal using Authentication Header protocol (51, +IPPROTO_AH) with no identies defined for either end. +<A NAME="lbAF"> </A> +<H2>FILES</H2> + +/proc/net/ipsec_eroute, /usr/local/bin/ipsec +<A NAME="lbAG"> </A> +<H2>SEE ALSO</H2> + +<A HREF="ipsec.8.html">ipsec</A>(8), <A HREF="ipsec_manual.8.html">ipsec_manual</A>(8), <A HREF="ipsec_tncfg.5.html">ipsec_tncfg</A>(5), <A HREF="ipsec_spi.5.html">ipsec_spi</A>(5), +<A HREF="ipsec_spigrp.5.html">ipsec_spigrp</A>(5), <A HREF="ipsec_klipsdebug.5.html">ipsec_klipsdebug</A>(5), <A HREF="ipsec_eroute.8.html">ipsec_eroute</A>(8), <A HREF="ipsec_version.5.html">ipsec_version</A>(5), +<A HREF="ipsec_pf_key.5.html">ipsec_pf_key</A>(5) +<A NAME="lbAH"> </A> +<H2>HISTORY</H2> + +Written for the Linux FreeS/WAN project +<<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>> +by Richard Guy Briggs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +<P> + +<HR> +<A NAME="index"> </A><H2>Index</H2> +<DL> +<DT><A HREF="#lbAB">NAME</A><DD> +<DT><A HREF="#lbAC">SYNOPSIS</A><DD> +<DT><A HREF="#lbAD">DESCRIPTION</A><DD> +<DT><A HREF="#lbAE">EXAMPLES</A><DD> +<DT><A HREF="#lbAF">FILES</A><DD> +<DT><A HREF="#lbAG">SEE ALSO</A><DD> +<DT><A HREF="#lbAH">HISTORY</A><DD> +</DL> +<HR> +This document was created by +<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>, +using the manual pages.<BR> +Time: 21:40:17 GMT, November 11, 2003 +</BODY> +</HTML> |