diff options
Diffstat (limited to 'doc/manpage.d/ipsec_eroute.8.html')
| -rw-r--r-- | doc/manpage.d/ipsec_eroute.8.html | 421 |
1 files changed, 421 insertions, 0 deletions
diff --git a/doc/manpage.d/ipsec_eroute.8.html b/doc/manpage.d/ipsec_eroute.8.html new file mode 100644 index 000000000..7489462d7 --- /dev/null +++ b/doc/manpage.d/ipsec_eroute.8.html @@ -0,0 +1,421 @@ +Content-type: text/html + +<HTML><HEAD><TITLE>Manpage of IPSEC_EROUTE</TITLE> +</HEAD><BODY> +<H1>IPSEC_EROUTE</H1> +Section: Maintenance Commands (8)<BR>Updated: 21 Jun 2000<BR><A HREF="#index">Index</A> +<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR> + + + + +<A NAME="lbAB"> </A> +<H2>NAME</H2> + +ipsec eroute - manipulate IPSEC extended routing tables +<A NAME="lbAC"> </A> +<H2>SYNOPSIS</H2> + +<B>ipsec</B> + +<B>eroute</B> + +<P> + +<B>ipsec</B> + +<B>eroute</B> + +<B>--add</B> + +<B>--eraf (inet | inet6)</B> + +<B>--src</B> + +src/srcmaskbits|srcmask +<B>--dst</B> + +dst/dstmaskbits|dstmask +<SAID> +<P> + +<B>ipsec</B> + +<B>eroute</B> + +<B>--replace</B> + +<B>--eraf (inet | inet6)</B> + +<B>--src</B> + +src/srcmaskbits|srcmask +<B>--dst</B> + +dst/dstmaskbits|dstmask +<SAID> +<P> + +<B>ipsec</B> + +<B>eroute</B> + +<B>--del</B> + +<B>--eraf (inet | inet6)</B> + +<B>--src</B> + +src/srcmaskbits|srcmask +<B>--dst</B> + +dst/dstmaskbits|dstmask +<P> + +<B>ipsec</B> + +<B>eroute</B> + +<B>--clear</B> + +<P> + +<B>ipsec</B> + +<B>eroute</B> + +<B>--help</B> + +<P> + +<B>ipsec</B> + +<B>eroute</B> + +<B>--version</B> + +<P> + +Where <SAID> is +<B>--af</B> + +(inet | inet6) +<B>--edst</B> + +edst +<B>--spi</B> + +spi +<B>--proto</B> + +proto +OR +<B>--said</B> + +said +OR +<B>--said</B> + +<B>(%passthrough | %passthrough4 | %passthrough6)</B> + +<A NAME="lbAD"> </A> +<H2>DESCRIPTION</H2> + +<I>Eroute</I> + +manages the IPSEC extended routing tables, +which control what (if any) processing is applied +to non-encrypted packets arriving for IPSEC processing and forwarding. +The form with no additional arguments lists the contents of +/proc/net/ipsec_eroute. +The +<B>--add</B> + +form adds a table entry, the +<B>--replace</B> + +form replaces a table entry, while the +<B>--del</B> + +form deletes one. The +<B>--clear</B> + +form deletes the entire table. +<P> + +A table entry consists of: +<DL COMPACT> +<DT>+<DD> +source and destination addresses, +with masks, +for selection of packets +<DT>+<DD> +Security Association IDentifier, comprised of: +<DT>+<DD> +protocol +(<I>proto</I>), indicating (together with the +effective destination and the security parameters index) +which Security Association should be used to process the packet +<DT>+<DD> +address family +(<I>af</I>), +<DT>+<DD> +Security Parameters Index +(<I>spi</I>), indicating (together with the +effective destination and protocol) +which Security Association should be used to process the packet +(must be larger than or equal to 0x100) +<DT>+<DD> +effective destination +(<I>edst</I>), +where the packet should be forwarded after processing +(normally the other security gateway) +<DT>+<DD> +OR +<DT>+<DD> +SAID +(<I>said</I>), indicating +which Security Association should be used to process the packet +</DL> +<P> + +Addresses are written as IPv4 dotted quads or IPv6 coloned hex, +protocol is one of "ah", "esp", "comp" or "tun" and SPIs are +prefixed hexadecimal numbers where '.' represents IPv4 and ':' +stands for IPv6. +<P> + +SAIDs are written as "<A HREF="mailto:protoafSPI@address">protoafSPI@address</A>". There are also 5 +"magic" SAIDs which have special meaning: +<DL COMPACT> +<DT>+<DD> +<B>%drop</B> + +means that matches are to be dropped +<DT>+<DD> +<B>%reject</B> + +means that matches are to be dropped and an ICMP returned, if +possible to inform +<DT>+<DD> +<B>%trap</B> + +means that matches are to trigger an ACQUIRE message to the Key +Management daemon(s) and a hold eroute will be put in place to +prevent subsequent packets also triggering ACQUIRE messages. +<DT>+<DD> +<B>%hold</B> + +means that matches are to stored until the eroute is replaced or +until that eroute gets reaped +<DT>+<DD> +<B>%pass</B> + +means that matches are to allowed to pass without IPSEC processing +</DL> +<P> + +The format of /proc/net/ipsec_eroute is listed in <A HREF="ipsec_eroute.5.html">ipsec_eroute</A>(5). +<BR> + + +<A NAME="lbAE"> </A> +<H2>EXAMPLES</H2> + +<P> + +<B>ipsec eroute --add --eraf inet --src 192.168.0.1/32 \</B> + +<BR> + +<B> --dst 192.168.2.0/24 --af inet --edst 192.168.0.2 \</B> + +<BR> + +<B> --spi 0x135 --proto tun</B> + +<P> + +sets up an +<B>eroute</B> + +on a Security Gateway to protect traffic between the host +<B>192.168.0.1</B> + +and the subnet +<B>192.168.2.0</B> + +with +<B>24</B> + +bits of subnet mask via Security Gateway +<B>192.168.0.2</B> + +using the Security Association with address +<B>192.168.0.2</B>, + +Security Parameters Index +<B>0x135</B> + +and protocol +<B>tun</B> + +(50, IPPROTO_ESP). +<P> + +<B>ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \</B> + +<BR> + +<B> --dst 3049:2::/64 --af inet6 --edst 3049:1::2 \</B> + +<BR> + +<B> --spi 0x145 --proto tun</B> + +<P> + +sets up an +<B>eroute</B> + +on a Security Gateway to protect traffic between the host +<B>3049:1::1</B> + +and the subnet +<B>3049:2::</B> + +with +<B>64</B> + +bits of subnet mask via Security Gateway +<B>3049:1::2</B> + +using the Security Association with address +<B>3049:1::2</B>, + +Security Parameters Index +<B>0x145</B> + +and protocol +<B>tun</B> + +(50, IPPROTO_ESP). +<P> + +<B>ipsec eroute --replace --eraf inet --src company.com/24 \</B> + +<BR> + +<B> --dst <A HREF="ftp://ftp.ngo.org">ftp.ngo.org</A>/32 --said <A HREF="mailto:tun.135@gw.ngo.org">tun.135@gw.ngo.org</A></B> + +<P> + +replaces an +<B>eroute</B> + +on a Security Gateway to protect traffic between the subnet +<B>company.com</B> + +with +<B>24</B> + +bits of subnet mask and the host +<B><A HREF="ftp://ftp.ngo.org">ftp.ngo.org</A></B> + +via Security Gateway +<B>gw.ngo.org</B> + +using the Security Association with Security Association ID +<B><A HREF="mailto:tun0x135@gw.ngo.org">tun0x135@gw.ngo.org</A></B> + +<P> + +<B>ipsec eroute --del --eraf inet --src company.com/24 \</B> + +<BR> + +<B> --dst <A HREF="http://www.ietf.org">www.ietf.org</A>/32 --said %passthrough4</B> + +<P> + +deletes an +<B>eroute</B> + +on a Security Gateway that allowed traffic between the subnet +<B>company.com</B> + +with +<B>24</B> + +bits of subnet mask and the host +<B><A HREF="http://www.ietf.org">www.ietf.org</A></B> + +to pass in the clear, unprocessed. +<A NAME="lbAF"> </A> +<H2>FILES</H2> + +/proc/net/ipsec_eroute, /usr/local/bin/ipsec +<A NAME="lbAG"> </A> +<H2>SEE ALSO</H2> + +<A HREF="ipsec.8.html">ipsec</A>(8), <A HREF="ipsec_manual.8.html">ipsec_manual</A>(8), <A HREF="ipsec_tncfg.8.html">ipsec_tncfg</A>(8), <A HREF="ipsec_spi.8.html">ipsec_spi</A>(8), +<A HREF="ipsec_spigrp.8.html">ipsec_spigrp</A>(8), <A HREF="ipsec_klipsdebug.8.html">ipsec_klipsdebug</A>(8), <A HREF="ipsec_eroute.5.html">ipsec_eroute</A>(5) +<A NAME="lbAH"> </A> +<H2>HISTORY</H2> + +Written for the Linux FreeS/WAN project +<<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>> +by Richard Guy Briggs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +<P> + +<HR> +<A NAME="index"> </A><H2>Index</H2> +<DL> +<DT><A HREF="#lbAB">NAME</A><DD> +<DT><A HREF="#lbAC">SYNOPSIS</A><DD> +<DT><A HREF="#lbAD">DESCRIPTION</A><DD> +<DT><A HREF="#lbAE">EXAMPLES</A><DD> +<DT><A HREF="#lbAF">FILES</A><DD> +<DT><A HREF="#lbAG">SEE ALSO</A><DD> +<DT><A HREF="#lbAH">HISTORY</A><DD> +</DL> +<HR> +This document was created by +<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>, +using the manual pages.<BR> +Time: 21:40:17 GMT, November 11, 2003 +</BODY> +</HTML> |