IPSEC_SPIGRP(5) [FIXME: manual] IPSEC_SPIGRP(5)NAMEipsec_spigrp - list IPSEC Security Association groupings
SYNOPSIS
ipsec spigrp
cat/proc/net/ipsec_spigrp
OBSOLETE
Note that spigrp is only supported on the classic KLIPS stack. It is
not supported on any other stack and will be completely removed in
future versions. A replacement command still needs to be designed
DESCRIPTION
/proc/net/ipsec_spigrp is a read-only file that lists groups of IPSEC
Security Associations (SAs).
An entry in the IPSEC extended routing table can only point (via an
SAID) to one SA. If more than one transform must be applied to a given
type of packet, this can be accomplished by setting up several SAs with
the same destination address but potentially different SPIs and
protocols, and grouping them with ipsec_spigrp(8).
The SA groups are listed, one line per connection/group, as a sequence
of SAs to be applied (or that should have been applied, in the case of
an incoming packet) from inside to outside the packet. An SA is
identified by its SAID, which consists of protocol ("ah", "esp", "comp"
or "tun"), SPI (with ´.´ for IPv4 or ´:´ for IPv6 prefixed hexadecimal
number ) and destination address (IPv4 dotted quad or IPv6 coloned hex)
prefixed by ´@´, in the format <proto><af><spi>@<dest>.
EXAMPLES
tun.3d0@192.168.2.110
comp.3d0@192.168.2.110 esp.187a101b@192.168.2.110
ah.187a101a@192.168.2.110
is a group of 3 SAs, destined for 192.168.2.110 with an IPv4-in-IPv4
tunnel SA applied first with an SPI of 3d0 in hexadecimal, followed by
a Deflate compression header to compress the packet with CPI of 3d0 in
hexadecimal, followed by an Encapsulating Security Payload header to
encrypt the packet with SPI 187a101b in hexadecimal, followed by an
Authentication Header to authenticate the packet with SPI 187a101a in
hexadecimal, applied from inside to outside the packet. This could be
an incoming or outgoing group, depending on the address of the local
machine.
tun:3d0@3049:1::2
comp:3d0@3049:1::2 esp:187a101b@3049:1::2 ah:187a101a@3049:1::2
is a group of 3 SAs, destined for 3049:1::2 with an IPv6-in-IPv6 tunnel
SA applied first with an SPI of 3d0 in hexadecimal, followed by a
Deflate compression header to compress the packet with CPI of 3d0 in
hexadecimal, followed by an Encapsulating Security Payload header to
encrypt the packet with SPI 187a101b in hexadecimal, followed by an
Authentication Header to authenticate the packet with SPI 187a101a in
hexadecimal, applied from inside to outside the packet. This could be
an incoming or outgoing group, depending on the address of the local
machine.
FILES
/proc/net/ipsec_spigrp, /usr/local/bin/ipsec
SEE ALSOipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),
ipsec_spi(5), ipsec_klipsdebug(5), ipsec_spigrp(8), ipsec_version(5),
ipsec_pf_key(5)HISTORY
Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
Richard Guy Briggs.
BUGS
:-)
[FIXME: source] 10/06/2010 IPSEC_SPIGRP(5)
