From aa0f5b38aec14428b4b80e06f90ff781f8bca5f1 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Mon, 22 May 2006 05:12:18 +0000 Subject: Import initial strongswan 2.7.0 version into SVN. --- doc/manpage.d/ipsec_spi.5.html | 305 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 305 insertions(+) create mode 100644 doc/manpage.d/ipsec_spi.5.html (limited to 'doc/manpage.d/ipsec_spi.5.html') diff --git a/doc/manpage.d/ipsec_spi.5.html b/doc/manpage.d/ipsec_spi.5.html new file mode 100644 index 000000000..b1cf89033 --- /dev/null +++ b/doc/manpage.d/ipsec_spi.5.html @@ -0,0 +1,305 @@ +Content-type: text/html + +Manpage of IPSEC_SPI + +

IPSEC_SPI

+Section: File Formats (5)
Updated: 26 Jun 2000
Index +Return to Main Contents
+ + + + +  +

NAME

+ +ipsec_spi - list IPSEC Security Associations +  +

SYNOPSIS

+ +ipsec + +spi + +

+ +cat + +/proc/net/ipsec_spi + +

+ +  +

DESCRIPTION

+ +/proc/net/ipsec_spi + +is a read-only file that lists the current IPSEC Security Associations. +A Security Association (SA) is a transform through which packet contents +are to be processed before being forwarded. A transform can be an +IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation, an IPSEC Authentication Header (authentication +with no encryption), or an IPSEC Encapsulation Security Payload +(encryption, possibly including authentication). +

+ +When a packet is passed from a higher networking layer through an IPSEC +virtual interface, a search in the extended routing table (see +ipsec_eroute(5)) + +yields +a IP protocol number +, +a Security Parameters Index (SPI) +and +an effective destination address +When an IPSEC packet arrives from the network, +its ostensible destination, an SPI and an IP protocol +specified by its outermost IPSEC header are used. +The destination/SPI/protocol combination is used to select a relevant SA. +(See +ipsec_spigrp(5) + +for discussion of how multiple transforms are combined.) +

+ +An +spi , + +proto, + +daddr + +and +address_family + +arguments specify an SAID. +Proto + +is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol. +Spi + +is a number, preceded by '.' indicating hexadecimal and IPv4 or by ':' indicating hexadecimal and IPv6, +where each hexadecimal digit represents 4 bits, +between +0x100 + +and +0xffffffff; + +values from +0x0 + +to +0xff + +are reserved. +Daddr + +is a dotted-decimal IPv4 destination address or a coloned hex IPv6 destination address. +

+ +An +SAID + +combines the three parameters above, such as: "tun.101@1.2.3.4" for IPv4 or "tun:101@3049:1::1" for IPv6 +

+ +A table entry consists of: +

+
+
+SAID + +
+
+<transform name (proto,encalg,authalg)>: +
+
+direction (dir=) +
+
+source address (src=) +
+
+source and destination addresses and masks for inner header policy check +addresses (policy=), as dotted-quads or coloned hex, separated by '->', +for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only +
+
+initialisation vector length and value (iv_bits=, iv=) if non-zero +
+
+out-of-order window size, number of out-of-order errors, sequence +number, recently received packet bitmask, maximum difference between +sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=) if SA +is AH or ESP and if individual items are non-zero +
+
+extra flags (flags=) if any are set +
+
+authenticator length in bits (alen=) if non-zero +
+
+authentication key length in bits (aklen=) if non-zero +
+
+authentication errors (auth_errs=) if non-zero +
+
+encryption key length in bits (eklen=) if non-zero +
+
+encryption size errors (encr_size_errs=) if non-zero +
+
+encryption padding error warnings (encr_pad_errs=) if non-zero +
+
+lifetimes legend, c=Current status, s=Soft limit when exceeded will +initiate rekeying, h=Hard limit will cause termination of SA (life(c,s,h)=) +
+
+number of connections to which the SA is allocated (c), that will cause a +rekey (s), that will cause an expiry (h) (alloc=), if any value is non-zero +
+
+number of bytes processesd by this SA (c), that will cause a rekey (s), that +will cause an expiry (h) (bytes=), if any value is non-zero +
+
+time since the SA was added (c), until rekey (s), until expiry (h), in seconds (add=) +
+
+time since the SA was first used (c), until rekey (s), until expiry (h), in seconds (used=), +if any value is non-zero +
+
+number of packets processesd by this SA (c), that will cause a rekey (s), that +will cause an expiry (h) (packets=), if any value is non-zero +
+
+time since the last packet was processed, in seconds (idle=), if SA has +been used +
+average compression ratio (ratio=) +
+  +

EXAMPLES

+ +tun.12a@192.168.43.1 IPIP: dir=out src=192.168.43.2 + +
+ + life(c,s,h)=bytes(14073,0,0)add(269,0,0) + +
+ + use(149,0,0)packets(14,0,0) + +
+ + idle=23 + +

+ +is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between machines +192.168.43.2 and 192.168.43.1 with an SPI of 12a in hexadecimal that has +passed about 14 kilobytes of traffic in 14 packets since it was created, +269 seconds ago, first used 149 seconds ago and has been idle for 23 +seconds. +

+ +esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5: + +
+ + dir=in src=9a35fc02@3049:1::2 + +
+ + ooowin=32 seq=7149 bit=0xffffffff + +
+ + alen=128 aklen=128 eklen=192 + +
+ + life(c,s,h)=bytes(1222304,0,0)add(4593,0,0) + +
+ + use(3858,0,0)packets(7149,0,0) + +
+ + idle=23 + +

+ +is an inbound Encapsulating Security Payload (protocol 50) SA on machine +3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryption +cipher, HMAC MD5 as the authentication algorithm, an out-of-order +window of 32 packets, a present sequence number of 7149, every one of +the last 32 sequence numbers was received, the authenticator length and +keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES +since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in +7149 packets, was added 4593 seconds ago, first used +3858 seconds ago and has been idle for 23 seconds. +

+ +  +

FILES

+ +/proc/net/ipsec_spi, /usr/local/bin/ipsec +  +

SEE ALSO

+ +ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5), +ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_spi(8), ipsec_version(5), +ipsec_pf_key(5) +  +

HISTORY

+ +Written for the Linux FreeS/WAN project +<http://www.freeswan.org/> +by Richard Guy Briggs. +  +

BUGS

+ +The add and use times are awkward, displayed in seconds since machine +start. It would be better to display them in seconds before now for +human readability. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ +

+ 

Index

+
+
NAME
+
SYNOPSIS
+
DESCRIPTION
+
EXAMPLES
+
FILES
+
SEE ALSO
+
HISTORY
+
BUGS
+
+
+This document was created by +man2html, +using the manual pages.
+Time: 21:40:18 GMT, November 11, 2003 + + -- cgit v1.2.3