Diffstat (limited to 'programs/spigrp/spigrp.8')
-rw-r--r-- | programs/spigrp/spigrp.8 | 174 |
1 files changed, 174 insertions, 0 deletions
diff --git a/programs/spigrp/spigrp.8 b/programs/spigrp/spigrp.8 new file mode 100644 index 000000000..418ed5c3e --- /dev/null +++ b/programs/spigrp/spigrp.8 
@@ -0,0 +1,174 @@ +.TH IPSEC_SPIGRP 8 "21 Jun 2000" +.\" +.\" RCSID $Id: spigrp.8,v 1.1 2004/03/15 20:35:31 as Exp $ +.\" +.SH NAME +ipsec spigrp \- group/ungroup IPSEC Security Associations +.SH SYNOPSIS +.B ipsec +.B spigrp +.PP +.B ipsec +.B spigrp +[ +.B \-\-label +label ] +af1 dst1 spi1 proto1 [ af2 dst2 spi2 proto2 [ af3 dst3 spi3 proto3 [ af4 dst4 spi4 proto4 ] ] ] +.PP +.B ipsec +.B spigrp +[ +.B \-\-label +label ] +.B \-\-said +SA1 [ SA2 [ SA3 [ SA4 ] ] ] +.PP +.B ipsec +.B spigrp +.B \-\-help +.PP +.B ipsec +.B spigrp +.B \-\-version +.PP +.SH DESCRIPTION +.I Spigrp +groups IPSEC Security Associations (SAs) together or ungroups +previously grouped SAs. +An entry in the IPSEC extended +routing table can only point +(via a destination address, a Security Parameters Index (SPI) and +a protocol identifier) to one SA. +If more than one transform must be applied to a given type of packet, +this can be accomplished by setting up several SAs +with the same destination address but potentially different SPIs and protocols, +and grouping them with +.IR spigrp . +.PP +The SAs to be grouped, +specified by destination address (DNS name lookup, IPv4 dotted quad or IPv6 coloned hex), SPI +('0x'-prefixed hexadecimal number) and protocol ("ah", "esp", "comp" or "tun"), +are listed from the inside transform to the +outside; +in other words, the transforms are applied in +the order of the command line and removed in the reverse +order. +The resulting SA group is referred to by its first SA (by +.IR af1 , +.IR dst1 , +.IR spi1 +and +.IR proto1 ). +.PP +The \-\-said option indicates that the SA IDs are to be specified as +one argument each, in the format <proto><af><spi>@<dest>. The SA IDs must +all be specified as separate parameters without the \-\-said option or +all as monolithic parameters after the \-\-said option. +.PP +The SAs must already exist and must not already +be part of a group. 
+.PP +If +.I spigrp +is invoked with only one SA specification, +it ungroups the previously-grouped set of SAs containing +the SA specified. +.PP +The \-\-label option identifies all responses from that command +invocation with a user-supplied label, provided as an argument to the +label option. This can be helpful for debugging one invocation of the +command out of a large number. +.PP +The command form with no additional arguments lists the contents of +/proc/net/ipsec_spigrp. The format of /proc/net/ipsec_spigrp is +discussed in ipsec_spigrp(5). +.SH EXAMPLES +.TP +.B ipsec spigrp inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah +groups 3 SAs together, all destined for +.BR gw2 , +but with an IPv4-in-IPv4 tunnel SA applied first with SPI +.BR 0x113 , +then an ESP header to encrypt the packet with SPI +.BR 0x115 , +and finally an AH header to authenticate the packet with SPI +.BR 0x116 . +.LP +.TP +.B ipsec spigrp --said tun.113@gw2 esp.115@gw2 ah.116@gw2 +groups 3 SAs together, all destined for +.BR gw2 , +but with an IPv4-in-IPv4 tunnel SA applied first with SPI +.BR 0x113 , +then an ESP header to encrypt the packet with SPI +.BR 0x115 , +and finally an AH header to authenticate the packet with SPI +.BR 0x116 . +.LP +.TP +.B ipsec spigrp --said tun:233@3049:1::1 esp:235@3049:1::1 ah:236@3049:1::1 +groups 3 SAs together, all destined for +.BR 3049:1::1, +but with an IPv6-in-IPv6 tunnel SA applied first with SPI +.BR 0x233 , +then an ESP header to encrypt the packet with SPI +.BR 0x235 , +and finally an AH header to authenticate the packet with SPI +.BR 0x236 . +.LP +.TP +.B ipsec spigrp inet6 3049:1::1 0x233 tun inet6 3049:1::1 0x235 esp inet6 3049:1::1 0x236 ah +groups 3 SAs together, all destined for +.BR 3049:1::1, +but with an IPv6-in-IPv6 tunnel SA applied first with SPI +.BR 0x233 , +then an ESP header to encrypt the packet with SPI +.BR 0x235 , +and finally an AH header to authenticate the packet with SPI +.BR 0x236 . 
+.LP +.SH FILES +/proc/net/ipsec_spigrp, /usr/local/bin/ipsec +.SH "SEE ALSO" +ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8), +ipsec_spi(8), ipsec_klipsdebug(8), ipsec_spigrp(5) +.SH HISTORY +Written for the Linux FreeS/WAN project +<http://www.freeswan.org/> +by Richard Guy Briggs. +.SH BUGS +Yes, it really is limited to a maximum of four SAs, +although admittedly it's hard to see why you would need more. +.\" +.\" $Log: spigrp.8,v $ +.\" Revision 1.1 2004/03/15 20:35:31 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.20 2002/04/24 07:35:41 mcr +.\" Moved from ./klips/utils/spigrp.8,v +.\" +.\" Revision 1.19 2000/09/17 18:56:48 rgb +.\" Added IPCOMP support. +.\" +.\" Revision 1.18 2000/09/13 15:54:32 rgb +.\" Added Gerhard's ipv6 updates. +.\" +.\" Revision 1.17 2000/06/30 18:21:55 rgb +.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) +.\" and correct FILES sections to no longer refer to /dev/ipsec which has +.\" been removed since PF_KEY does not use it. +.\" +.\" Revision 1.16 2000/06/21 16:54:57 rgb +.\" Added 'no additional args' text for listing contents of +.\" /proc/net/ipsec_* files. +.\" +.\" Revision 1.15 2000/02/14 21:08:30 rgb +.\" Added description of --said option. +.\" +.\" Revision 1.14 1999/07/19 18:47:25 henry +.\" fix slightly-misformed comments +.\" +.\" Revision 1.13 1999/04/06 04:54:39 rgb +.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes +.\" patch shell fixes. +.\" |
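Review bot: the --said format given in DESCRIPTION as <proto><af><spi>@<dest> does not match what the EXAMPLES show. The examples use `tun.113@gw2` for IPv4 and `tun:233@3049:1::1` for IPv6, so the text should state that the <af> field is the separator character ('.' for inet, ':' for inet6) and that in this form the SPI is written as bare hex without the '0x' prefix the positional form requires (the example prose confirms `tun.113` means SPI 0x113); as written, a reader cannot construct a valid --said argument from the description alone. Two formatting nits in the same section: `.BR 3049:1::1,` lacks the space before the comma that the `.BR gw2 ,` lines have, so the comma renders bold in both IPv6 examples; and the `.B ipsec spigrp --said ...` example lines should spell the option as `\-\-said`, as the SYNOPSIS does, because groff renders a plain `-` as a hyphen rather than a minus sign and the option may not copy-and-paste correctly. Lastly, consider dropping the trailing `.\" $Log: ...` block: the revision history it carries (1.20 down to 1.13, from a different repository) already lives in version control and will keep growing inside the man page source.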