Diffstat (limited to 'programs/eroute/eroute.5')
-rw-r--r--  programs/eroute/eroute.5 | 272
1 files changed, 0 insertions, 272 deletions
diff --git a/programs/eroute/eroute.5 b/programs/eroute/eroute.5 deleted file mode 100644 index 52b3f4d25..000000000 --- a/programs/eroute/eroute.5 +++ /dev/null 
@@ -1,272 +0,0 @@ -.TH IPSEC_EROUTE 5 "20 Sep 2001" -.\" -.\" RCSID $Id: eroute.5,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec_eroute \- list of existing eroutes -.SH SYNOPSIS -.B ipsec -.B eroute -.PP -.B cat -.B /proc/net/ipsec_eroute -.SH DESCRIPTION -.I /proc/net/ipsec_eroute -lists the IPSEC extended routing tables, -which control what (if any) processing is applied -to non-encrypted packets arriving for IPSEC processing and forwarding. -At this point it is a read-only file. -.PP -A table entry consists of: -.IP + 3 -packet count, -.IP + -source address with mask and source port (0 if all ports or not applicable) -.IP + -a '->' separator for visual and automated parsing between src and dst -.IP + -destination address with mask and destination port (0 if all ports or -not applicable) -.IP + -a '=>' separator for visual and automated parsing between selection -criteria and SAID to use -.IP + -SAID (Security Association IDentifier), comprised of: -.IP + 6 -protocol -(\fIproto\fR), -.IP + -address family -(\fIaf\fR), -where '.' stands for IPv4 and ':' for IPv6 -.IP + -Security Parameters Index -(\fISPI\fR), -.IP + -effective destination -(\fIedst\fR), -where the packet should be forwarded after processing -(normally the other security gateway) -together indicate which Security Association should be used to process -the packet, -.IP + 3 -a ':' separating the SAID from the transport protocol (0 if all protocols) -.IP + -source identity text string with no whitespace, in parens, -.IP + -destination identity text string with no whitespace, in parens -.PP -Addresses are written as IPv4 dotted quads or IPv6 coloned hex, -protocol is one of "ah", "esp", "comp" or "tun" -and -SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6 -. -.PP -SAIDs are written as "protoafSPI@edst". 
There are also 5 -"magic" SAIDs which have special meaning: -.IP + 3 -.B %drop -means that matches are to be dropped -.IP + -.B %reject -means that matches are to be dropped and an ICMP returned, if -possible to inform -.IP + -.B %trap -means that matches are to trigger an ACQUIRE message to the Key -Management daemon(s) and a hold eroute will be put in place to -prevent subsequent packets also triggering ACQUIRE messages. -.IP + -.B %hold -means that matches are to stored until the eroute is replaced or -until that eroute gets reaped -.IP + -.B %pass -means that matches are to allowed to pass without IPSEC processing -.br -.ne 5 -.SH EXAMPLES -.LP -.B "1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 " -.br -.B " () ()" -.LP -means that 1,867 packets have been sent to an -.BR eroute -that has been set up to protect traffic between the subnet -.BR 172.31.252.0 -with a subnet mask of -.BR 24 -bits and the default address/mask represented by an address of -.BR 0.0.0.0 -with a subnet mask of -.BR 0 -bits using the local machine as a security gateway on this end of the -tunnel and the machine -.BR 192.168.43.1 -on the other end of the tunnel with a Security Association IDentifier of -.BR tun0x130@192.168.43.1 -which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a -Security Parameters Index of -.BR 130 -in hexadecimal with no identies defined for either end. -.LP -.B "746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 " -.br -.B " () ()" -.LP -means that 746 packets have been sent to an -.BR eroute -that has been set up to protect traffic sent from any port on the host -.BR 192.168.2.110 -to the SMTP (TCP, port 25) port on the host -.BR 192.168.2.120 -with a Security Association IDentifier of -.BR tun0x130@192.168.2.120 -which means that it is a transport mode connection with a -Security Parameters Index of -.BR 130 -in hexadecimal with no identies defined for either end. 
-.LP -.B 125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () () -.LP -means that 125 packets have been sent to an -.BR eroute -that has been set up to protect traffic between the subnet -.BR 3049:1:: -with a subnet mask of -.BR 64 -bits and the default address/mask represented by an address of -.BR 0:0 -with a subnet mask of -.BR 0 -bits using the local machine as a security gateway on this end of the -tunnel and the machine -.BR 3058:4::5 -on the other end of the tunnel with a Security Association IDentifier of -.BR tun:130@3058:4::5 -which means that it is a tunnel mode connection with a -Security Parameters Index of -.BR 130 -in hexadecimal with no identies defined for either end. -.LP -.B 42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough -.LP -means that 42 packets have been sent to an -.BR eroute -that has been set up to pass the traffic from the subnet -.BR 192.168.6.0 -with a subnet mask of -.BR 24 -bits and to subnet -.BR 192.168.7.0 -with a subnet mask of -.BR 24 -bits without any IPSEC processing with no identies defined for either end. -.LP -.B 2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) () -.LP -means that 2112 packets have been sent to an -.BR eroute -that has been set up to hold the traffic from the host -.BR 192.168.8.55 -and to host -.BR 192.168.9.47 -until a key exchange from a Key Management daemon -succeeds and puts in an SA or fails and puts in a pass -or drop eroute depending on the default configuration with the local client -defined as "east" and no identy defined for the remote end. 
-.LP -.B "2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => " -.br -.B " esp0xe6de@192.168.2.120:0 () ()" -.LP -means that 2001 packets have been sent to an -.BR eroute -that has been set up to protect traffic between the host -.BR 192.168.2.110 -and the host -.BR 192.168.2.120 -using -.BR 192.168.2.110 -as a security gateway on this end of the -connection and the machine -.BR 192.168.2.120 -on the other end of the connection with a Security Association IDentifier of -.BR esp0xe6de@192.168.2.120 -which means that it is a transport mode connection with a Security -Parameters Index of -.BR e6de -in hexadecimal using Encapsuation Security Payload protocol (50, -IPPROTO_ESP) with no identies defined for either end. -.LP -.B "1984 3049:1::110/128 -> 3049:1::120/128 => " -.br -.B " ah:f5ed@3049:1::120 () ()" -.LP -means that 1984 packets have been sent to an -.BR eroute -that has been set up to authenticate traffic between the host -.BR 3049:1::110 -and the host -.BR 3049:1::120 -using -.BR 3049:1::110 -as a security gateway on this end of the -connection and the machine -.BR 3049:1::120 -on the other end of the connection with a Security Association IDentifier of -.BR ah:f5ed@3049:1::120 -which means that it is a transport mode connection with a Security -Parameters Index of -.BR f5ed -in hexadecimal using Authentication Header protocol (51, -IPPROTO_AH) with no identies defined for either end. -.SH FILES -/proc/net/ipsec_eroute, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5), -ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5), -ipsec_pf_key(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. 
-.\" -.\" $Log: eroute.5,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.9 2002/04/24 07:35:38 mcr -.\" Moved from ./klips/utils/eroute.5,v -.\" -.\" Revision 1.8 2001/09/20 15:33:13 rgb -.\" PF_KEYv2 ident extension output documentation. -.\" -.\" Revision 1.7 2001/05/29 05:15:31 rgb -.\" Added packet count field at beginning of line. -.\" -.\" Revision 1.6 2001/02/26 19:58:32 rgb -.\" Put SAID elements in order they appear in SAID. -.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part -.\" of the new SPD and to support opportunistic. -.\" -.\" Revision 1.5 2000/09/17 18:56:48 rgb -.\" Added IPCOMP support. -.\" -.\" Revision 1.4 2000/09/13 15:54:31 rgb -.\" Added Gerhard's ipv6 updates. -.\" -.\" Revision 1.3 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.2 2000/06/28 12:44:11 henry -.\" format touchup -.\" -.\" Revision 1.1 2000/06/28 05:43:00 rgb -.\" Added manpages for all 5 klips utils. -.\" -.\" -.\" |