diff options
Diffstat (limited to 'programs/eroute/eroute.5')
| -rw-r--r-- | programs/eroute/eroute.5 | 272 |
1 files changed, 272 insertions, 0 deletions
diff --git a/programs/eroute/eroute.5 b/programs/eroute/eroute.5 new file mode 100644 index 000000000..52b3f4d25 --- /dev/null +++ b/programs/eroute/eroute.5 @@ -0,0 +1,272 @@ +.TH IPSEC_EROUTE 5 "20 Sep 2001" +.\" +.\" RCSID $Id: eroute.5,v 1.1 2004/03/15 20:35:27 as Exp $ +.\" +.SH NAME +ipsec_eroute \- list of existing eroutes +.SH SYNOPSIS +.B ipsec +.B eroute +.PP +.B cat +.B /proc/net/ipsec_eroute +.SH DESCRIPTION +.I /proc/net/ipsec_eroute +lists the IPSEC extended routing tables, +which control what (if any) processing is applied +to non-encrypted packets arriving for IPSEC processing and forwarding. +At this point it is a read-only file. +.PP +A table entry consists of: +.IP + 3 +packet count, +.IP + +source address with mask and source port (0 if all ports or not applicable) +.IP + +a '->' separator for visual and automated parsing between src and dst +.IP + +destination address with mask and destination port (0 if all ports or +not applicable) +.IP + +a '=>' separator for visual and automated parsing between selection +criteria and SAID to use +.IP + +SAID (Security Association IDentifier), comprised of: +.IP + 6 +protocol +(\fIproto\fR), +.IP + +address family +(\fIaf\fR), +where '.' stands for IPv4 and ':' for IPv6 +.IP + +Security Parameters Index +(\fISPI\fR), +.IP + +effective destination +(\fIedst\fR), +where the packet should be forwarded after processing +(normally the other security gateway) +together indicate which Security Association should be used to process +the packet, +.IP + 3 +a ':' separating the SAID from the transport protocol (0 if all protocols) +.IP + +source identity text string with no whitespace, in parens, +.IP + +destination identity text string with no whitespace, in parens +.PP +Addresses are written as IPv4 dotted quads or IPv6 coloned hex, +protocol is one of "ah", "esp", "comp" or "tun" +and +SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6 +. +.PP +SAIDs are written as "protoafSPI@edst". There are also 5 +"magic" SAIDs which have special meaning: +.IP + 3 +.B %drop +means that matches are to be dropped +.IP + +.B %reject +means that matches are to be dropped and an ICMP returned, if +possible to inform +.IP + +.B %trap +means that matches are to trigger an ACQUIRE message to the Key +Management daemon(s) and a hold eroute will be put in place to +prevent subsequent packets also triggering ACQUIRE messages. +.IP + +.B %hold +means that matches are to stored until the eroute is replaced or +until that eroute gets reaped +.IP + +.B %pass +means that matches are to allowed to pass without IPSEC processing +.br +.ne 5 +.SH EXAMPLES +.LP +.B "1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 " +.br +.B " () ()" +.LP +means that 1,867 packets have been sent to an +.BR eroute +that has been set up to protect traffic between the subnet +.BR 172.31.252.0 +with a subnet mask of +.BR 24 +bits and the default address/mask represented by an address of +.BR 0.0.0.0 +with a subnet mask of +.BR 0 +bits using the local machine as a security gateway on this end of the +tunnel and the machine +.BR 192.168.43.1 +on the other end of the tunnel with a Security Association IDentifier of +.BR tun0x130@192.168.43.1 +which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a +Security Parameters Index of +.BR 130 +in hexadecimal with no identies defined for either end. +.LP +.B "746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 " +.br +.B " () ()" +.LP +means that 746 packets have been sent to an +.BR eroute +that has been set up to protect traffic sent from any port on the host +.BR 192.168.2.110 +to the SMTP (TCP, port 25) port on the host +.BR 192.168.2.120 +with a Security Association IDentifier of +.BR tun0x130@192.168.2.120 +which means that it is a transport mode connection with a +Security Parameters Index of +.BR 130 +in hexadecimal with no identies defined for either end. +.LP +.B 125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () () +.LP +means that 125 packets have been sent to an +.BR eroute +that has been set up to protect traffic between the subnet +.BR 3049:1:: +with a subnet mask of +.BR 64 +bits and the default address/mask represented by an address of +.BR 0:0 +with a subnet mask of +.BR 0 +bits using the local machine as a security gateway on this end of the +tunnel and the machine +.BR 3058:4::5 +on the other end of the tunnel with a Security Association IDentifier of +.BR tun:130@3058:4::5 +which means that it is a tunnel mode connection with a +Security Parameters Index of +.BR 130 +in hexadecimal with no identies defined for either end. +.LP +.B 42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough +.LP +means that 42 packets have been sent to an +.BR eroute +that has been set up to pass the traffic from the subnet +.BR 192.168.6.0 +with a subnet mask of +.BR 24 +bits and to subnet +.BR 192.168.7.0 +with a subnet mask of +.BR 24 +bits without any IPSEC processing with no identies defined for either end. +.LP +.B 2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) () +.LP +means that 2112 packets have been sent to an +.BR eroute +that has been set up to hold the traffic from the host +.BR 192.168.8.55 +and to host +.BR 192.168.9.47 +until a key exchange from a Key Management daemon +succeeds and puts in an SA or fails and puts in a pass +or drop eroute depending on the default configuration with the local client +defined as "east" and no identy defined for the remote end. +.LP +.B "2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => " +.br +.B " esp0xe6de@192.168.2.120:0 () ()" +.LP +means that 2001 packets have been sent to an +.BR eroute +that has been set up to protect traffic between the host +.BR 192.168.2.110 +and the host +.BR 192.168.2.120 +using +.BR 192.168.2.110 +as a security gateway on this end of the +connection and the machine +.BR 192.168.2.120 +on the other end of the connection with a Security Association IDentifier of +.BR esp0xe6de@192.168.2.120 +which means that it is a transport mode connection with a Security +Parameters Index of +.BR e6de +in hexadecimal using Encapsuation Security Payload protocol (50, +IPPROTO_ESP) with no identies defined for either end. +.LP +.B "1984 3049:1::110/128 -> 3049:1::120/128 => " +.br +.B " ah:f5ed@3049:1::120 () ()" +.LP +means that 1984 packets have been sent to an +.BR eroute +that has been set up to authenticate traffic between the host +.BR 3049:1::110 +and the host +.BR 3049:1::120 +using +.BR 3049:1::110 +as a security gateway on this end of the +connection and the machine +.BR 3049:1::120 +on the other end of the connection with a Security Association IDentifier of +.BR ah:f5ed@3049:1::120 +which means that it is a transport mode connection with a Security +Parameters Index of +.BR f5ed +in hexadecimal using Authentication Header protocol (51, +IPPROTO_AH) with no identies defined for either end. +.SH FILES +/proc/net/ipsec_eroute, /usr/local/bin/ipsec +.SH "SEE ALSO" +ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5), +ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5), +ipsec_pf_key(5) +.SH HISTORY +Written for the Linux FreeS/WAN project +<http://www.freeswan.org/> +by Richard Guy Briggs. +.\" +.\" $Log: eroute.5,v $ +.\" Revision 1.1 2004/03/15 20:35:27 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.9 2002/04/24 07:35:38 mcr +.\" Moved from ./klips/utils/eroute.5,v +.\" +.\" Revision 1.8 2001/09/20 15:33:13 rgb +.\" PF_KEYv2 ident extension output documentation. +.\" +.\" Revision 1.7 2001/05/29 05:15:31 rgb +.\" Added packet count field at beginning of line. +.\" +.\" Revision 1.6 2001/02/26 19:58:32 rgb +.\" Put SAID elements in order they appear in SAID. +.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part +.\" of the new SPD and to support opportunistic. +.\" +.\" Revision 1.5 2000/09/17 18:56:48 rgb +.\" Added IPCOMP support. +.\" +.\" Revision 1.4 2000/09/13 15:54:31 rgb +.\" Added Gerhard's ipv6 updates. +.\" +.\" Revision 1.3 2000/06/30 18:21:55 rgb +.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) +.\" and correct FILES sections to no longer refer to /dev/ipsec which has +.\" been removed since PF_KEY does not use it. +.\" +.\" Revision 1.2 2000/06/28 12:44:11 henry +.\" format touchup +.\" +.\" Revision 1.1 2000/06/28 05:43:00 rgb +.\" Added manpages for all 5 klips utils. +.\" +.\" +.\" |