diff options
Diffstat (limited to 'doc/manpage.d/ipsec_spi.5.html')
| -rw-r--r-- | doc/manpage.d/ipsec_spi.5.html | 305 |
1 files changed, 305 insertions, 0 deletions
diff --git a/doc/manpage.d/ipsec_spi.5.html b/doc/manpage.d/ipsec_spi.5.html new file mode 100644 index 000000000..b1cf89033 --- /dev/null +++ b/doc/manpage.d/ipsec_spi.5.html @@ -0,0 +1,305 @@ +Content-type: text/html + +<HTML><HEAD><TITLE>Manpage of IPSEC_SPI</TITLE> +</HEAD><BODY> +<H1>IPSEC_SPI</H1> +Section: File Formats (5)<BR>Updated: 26 Jun 2000<BR><A HREF="#index">Index</A> +<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR> + + + + +<A NAME="lbAB"> </A> +<H2>NAME</H2> + +ipsec_spi - list IPSEC Security Associations +<A NAME="lbAC"> </A> +<H2>SYNOPSIS</H2> + +<B>ipsec</B> + +<B>spi</B> + +<P> + +<B>cat</B> + +<B>/proc/net/ipsec_spi</B> + +<P> + +<A NAME="lbAD"> </A> +<H2>DESCRIPTION</H2> + +<I>/proc/net/ipsec_spi</I> + +is a read-only file that lists the current IPSEC Security Associations. +A Security Association (SA) is a transform through which packet contents +are to be processed before being forwarded. A transform can be an +IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation, an IPSEC Authentication Header (authentication +with no encryption), or an IPSEC Encapsulation Security Payload +(encryption, possibly including authentication). +<P> + +When a packet is passed from a higher networking layer through an IPSEC +virtual interface, a search in the extended routing table (see +<I><A HREF="ipsec_eroute.5.html">ipsec_eroute</A></I>(5)) + +yields +a IP protocol number +, +a Security Parameters Index (SPI) +and +an effective destination address +When an IPSEC packet arrives from the network, +its ostensible destination, an SPI and an IP protocol +specified by its outermost IPSEC header are used. +The destination/SPI/protocol combination is used to select a relevant SA. +(See +<I><A HREF="ipsec_spigrp.5.html">ipsec_spigrp</A></I>(5) + +for discussion of how multiple transforms are combined.) +<P> + +An +<I>spi ,</I> + +<I>proto, </I> + +<I>daddr</I> + +and +<I>address_family</I> + +arguments specify an SAID. +<I>Proto</I> + +is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol. +<I>Spi</I> + +is a number, preceded by '.' indicating hexadecimal and IPv4 or by ':' indicating hexadecimal and IPv6, +where each hexadecimal digit represents 4 bits, +between +<B>0x100</B> + +and +<B>0xffffffff</B>; + +values from +<B>0x0</B> + +to +<B>0xff</B> + +are reserved. +<I>Daddr</I> + +is a dotted-decimal IPv4 destination address or a coloned hex IPv6 destination address. +<P> + +An +<I>SAID</I> + +combines the three parameters above, such as: "<A HREF="mailto:tun.101@1.2.3.4">tun.101@1.2.3.4</A>" for IPv4 or "tun:<A HREF="mailto:101@3049">101@3049</A>:1::1" for IPv6 +<P> + +A table entry consists of: +<DL COMPACT> +<DT>+<DD> +<B>SAID</B> + +<DT>+<DD> +<transform name (proto,encalg,authalg)>: +<DT>+<DD> +direction (dir=) +<DT>+<DD> +source address (src=) +<DT>+<DD> +source and destination addresses and masks for inner header policy check +addresses (policy=), as dotted-quads or coloned hex, separated by '->', +for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only +<DT>+<DD> +initialisation vector length and value (iv_bits=, iv=) if non-zero +<DT>+<DD> +out-of-order window size, number of out-of-order errors, sequence +number, recently received packet bitmask, maximum difference between +sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=) if SA +is AH or ESP and if individual items are non-zero +<DT>+<DD> +extra flags (flags=) if any are set +<DT>+<DD> +authenticator length in bits (alen=) if non-zero +<DT>+<DD> +authentication key length in bits (aklen=) if non-zero +<DT>+<DD> +authentication errors (auth_errs=) if non-zero +<DT>+<DD> +encryption key length in bits (eklen=) if non-zero +<DT>+<DD> +encryption size errors (encr_size_errs=) if non-zero +<DT>+<DD> +encryption padding error warnings (encr_pad_errs=) if non-zero +<DT>+<DD> +lifetimes legend, c=Current status, s=Soft limit when exceeded will +initiate rekeying, h=Hard limit will cause termination of SA (life(c,s,h)=) +<DT>+<DD> +number of connections to which the SA is allocated (c), that will cause a +rekey (s), that will cause an expiry (h) (alloc=), if any value is non-zero +<DT>+<DD> +number of bytes processesd by this SA (c), that will cause a rekey (s), that +will cause an expiry (h) (bytes=), if any value is non-zero +<DT>+<DD> +time since the SA was added (c), until rekey (s), until expiry (h), in seconds (add=) +<DT>+<DD> +time since the SA was first used (c), until rekey (s), until expiry (h), in seconds (used=), +if any value is non-zero +<DT>+<DD> +number of packets processesd by this SA (c), that will cause a rekey (s), that +will cause an expiry (h) (packets=), if any value is non-zero +<DT>+<DD> +time since the last packet was processed, in seconds (idle=), if SA has +been used +<DT><DD> +average compression ratio (ratio=) +</DL> +<A NAME="lbAE"> </A> +<H2>EXAMPLES</H2> + +<B><A HREF="mailto:tun.12a@192.168.43.1">tun.12a@192.168.43.1</A> IPIP: dir=out src=192.168.43.2</B> + +<BR> + +<B> life(c,s,h)=bytes(14073,0,0)add(269,0,0)</B> + +<BR> + +<B> use(149,0,0)packets(14,0,0)</B> + +<BR> + +<B> idle=23</B> + +<P> + +is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between machines +192.168.43.2 and 192.168.43.1 with an SPI of 12a in hexadecimal that has +passed about 14 kilobytes of traffic in 14 packets since it was created, +269 seconds ago, first used 149 seconds ago and has been idle for 23 +seconds. +<P> + +<B>esp:<A HREF="mailto:9a35fc02@3049">9a35fc02@3049</A>:1::1 ESP_3DES_HMAC_MD5:</B> + +<BR> + +<B> dir=in src=<A HREF="mailto:9a35fc02@3049">9a35fc02@3049</A>:1::2</B> + +<BR> + +<B> ooowin=32 seq=7149 bit=0xffffffff</B> + +<BR> + +<B> alen=128 aklen=128 eklen=192</B> + +<BR> + +<B> life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)</B> + +<BR> + +<B> use(3858,0,0)packets(7149,0,0)</B> + +<BR> + +<B> idle=23</B> + +<P> + +is an inbound Encapsulating Security Payload (protocol 50) SA on machine +3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryption +cipher, HMAC MD5 as the authentication algorithm, an out-of-order +window of 32 packets, a present sequence number of 7149, every one of +the last 32 sequence numbers was received, the authenticator length and +keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES +since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in +7149 packets, was added 4593 seconds ago, first used +3858 seconds ago and has been idle for 23 seconds. +<P> + +<A NAME="lbAF"> </A> +<H2>FILES</H2> + +/proc/net/ipsec_spi, /usr/local/bin/ipsec +<A NAME="lbAG"> </A> +<H2>SEE ALSO</H2> + +<A HREF="ipsec.8.html">ipsec</A>(8), <A HREF="ipsec_manual.8.html">ipsec_manual</A>(8), <A HREF="ipsec_tncfg.5.html">ipsec_tncfg</A>(5), <A HREF="ipsec_eroute.5.html">ipsec_eroute</A>(5), +<A HREF="ipsec_spigrp.5.html">ipsec_spigrp</A>(5), <A HREF="ipsec_klipsdebug.5.html">ipsec_klipsdebug</A>(5), <A HREF="ipsec_spi.8.html">ipsec_spi</A>(8), <A HREF="ipsec_version.5.html">ipsec_version</A>(5), +<A HREF="ipsec_pf_key.5.html">ipsec_pf_key</A>(5) +<A NAME="lbAH"> </A> +<H2>HISTORY</H2> + +Written for the Linux FreeS/WAN project +<<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>> +by Richard Guy Briggs. +<A NAME="lbAI"> </A> +<H2>BUGS</H2> + +The add and use times are awkward, displayed in seconds since machine +start. It would be better to display them in seconds before now for +human readability. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +<P> + +<HR> +<A NAME="index"> </A><H2>Index</H2> +<DL> +<DT><A HREF="#lbAB">NAME</A><DD> +<DT><A HREF="#lbAC">SYNOPSIS</A><DD> +<DT><A HREF="#lbAD">DESCRIPTION</A><DD> +<DT><A HREF="#lbAE">EXAMPLES</A><DD> +<DT><A HREF="#lbAF">FILES</A><DD> +<DT><A HREF="#lbAG">SEE ALSO</A><DD> +<DT><A HREF="#lbAH">HISTORY</A><DD> +<DT><A HREF="#lbAI">BUGS</A><DD> +</DL> +<HR> +This document was created by +<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>, +using the manual pages.<BR> +Time: 21:40:18 GMT, November 11, 2003 +</BODY> +</HTML> |