1
Content-type: text/html
3
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
4
<HTML><HEAD><TITLE>Man page of IPSEC_EROUTE</TITLE>
7
Section: File Formats (5)<BR>Updated: 20 Sep 2001<BR><A HREF="#index">Index</A>
8
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
13
<A NAME="lbAB"> </A>
16
ipsec_eroute - list of existing eroutes
17
<A NAME="lbAC"> </A>
28
<B>/proc/net/ipsec_eroute</B>
30
<A NAME="lbAD"> </A>
33
<I>/proc/net/ipsec_eroute</I>
35
lists the IPSEC extended routing tables,
36
which control what (if any) processing is applied
37
to non-encrypted packets arriving for IPSEC processing and forwarding.
38
At this point it is a read-only file.
41
A table entry consists of:
46
source address with mask and source port (0 if all ports or not applicable)
48
a '->' separator for visual and automated parsing between src and dst
50
destination address with mask and destination port (0 if all ports or
53
a '=>' separator for visual and automated parsing between selection
54
criteria and SAID to use
56
SAID (Security Association IDentifier), comprised of:
63
where '.' stands for IPv4 and ':' for IPv6
65
Security Parameters Index
70
where the packet should be forwarded after processing
71
(normally the other security gateway)
72
together indicate which Security Association should be used to process
75
a ':' separating the SAID from the transport protocol (0 if all protocols)
77
source identity text string with no whitespace, in parens,
79
destination identity text string with no whitespace, in parens
83
Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
84
protocol is one of "ah", "esp", "comp" or "tun"
86
SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6
89
SAIDs are written as "<A HREF="mailto:protoafSPI@edst">protoafSPI@edst</A>". There are also 5
90
"magic" SAIDs which have special meaning:
95
means that matches are to be dropped
99
means that matches are to be dropped and an ICMP returned, if
104
means that matches are to trigger an ACQUIRE message to the Key
105
Management daemon(s) and a hold eroute will be put in place to
106
prevent subsequent packets also triggering ACQUIRE messages.
110
means that matches are to stored until the eroute is replaced or
111
until that eroute gets reaped
115
means that matches are to allowed to pass without IPSEC processing
120
<A NAME="lbAE"> </A>
125
<B>1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => <A HREF="mailto:tun0x130@192.168.43.1">tun0x130@192.168.43.1</A>:0 </B>
129
<B> ()<TT> </TT>()</B>
133
means that 1,867 packets have been sent to an<BR>
136
that has been set up to protect traffic between the subnet
139
with a subnet mask of
142
bits and the default address/mask represented by an address of
145
with a subnet mask of
148
bits using the local machine as a security gateway on this end of the
149
tunnel and the machine
152
on the other end of the tunnel with a Security Association IDentifier of
153
<B><A HREF="mailto:tun0x130@192.168.43.1">tun0x130@192.168.43.1</A></B>
155
which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a
156
Security Parameters Index of
159
in hexadecimal with no identies defined for either end.
162
<B>746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => <A HREF="mailto:esp0x130@192.168.2.120">esp0x130@192.168.2.120</A>:6 </B>
166
<B> ()<TT> </TT>()</B>
170
means that 746 packets have been sent to an<BR>
173
that has been set up to protect traffic sent from any port on the host
176
to the SMTP (TCP, port 25) port on the host
179
with a Security Association IDentifier of
180
<B><A HREF="mailto:tun0x130@192.168.2.120">tun0x130@192.168.2.120</A></B>
182
which means that it is a transport mode connection with a
183
Security Parameters Index of
186
in hexadecimal with no identies defined for either end.
189
<B>125 3049:1::/64 -> 0:0/0 => tun:<A HREF="mailto:130@3058">130@3058</A>:4::5<TT> </TT>()<TT> </TT>()</B>
193
means that 125 packets have been sent to an<BR>
196
that has been set up to protect traffic between the subnet
199
with a subnet mask of
202
bits and the default address/mask represented by an address of
205
with a subnet mask of
208
bits using the local machine as a security gateway on this end of the
209
tunnel and the machine
212
on the other end of the tunnel with a Security Association IDentifier of
213
<B>tun:<A HREF="mailto:130@3058">130@3058</A>:4::5</B>
215
which means that it is a tunnel mode connection with a
216
Security Parameters Index of
219
in hexadecimal with no identies defined for either end.
222
<B>42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough</B>
226
means that 42 packets have been sent to an
229
that has been set up to pass the traffic from the subnet
232
with a subnet mask of
238
with a subnet mask of
241
bits without any IPSEC processing with no identies defined for either end.
244
<B>2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold<TT> </TT>(east)<TT> </TT>()</B>
248
means that 2112 packets have been sent to an<BR>
251
that has been set up to hold the traffic from the host
257
until a key exchange from a Key Management daemon
258
succeeds and puts in an SA or fails and puts in a pass
259
or drop eroute depending on the default configuration with the local client
260
defined as "east" and no identy defined for the remote end.
263
<B>2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => </B>
267
<B> <A HREF="mailto:esp0xe6de@192.168.2.120">esp0xe6de@192.168.2.120</A>:0<TT> </TT>()<TT> </TT>()</B>
271
means that 2001 packets have been sent to an<BR>
274
that has been set up to protect traffic between the host
283
as a security gateway on this end of the
284
connection and the machine
287
on the other end of the connection with a Security Association IDentifier of
288
<B><A HREF="mailto:esp0xe6de@192.168.2.120">esp0xe6de@192.168.2.120</A></B>
290
which means that it is a transport mode connection with a Security
294
in hexadecimal using Encapsuation Security Payload protocol (50,
295
IPPROTO_ESP) with no identies defined for either end.
298
<B>1984 3049:1::110/128 -> 3049:1::120/128 => </B>
302
<B> ah:<A HREF="mailto:f5ed@3049">f5ed@3049</A>:1::120<TT> </TT>()<TT> </TT>()</B>
306
means that 1984 packets have been sent to an<BR>
309
that has been set up to authenticate traffic between the host
318
as a security gateway on this end of the
319
connection and the machine
322
on the other end of the connection with a Security Association IDentifier of
323
<B>ah:<A HREF="mailto:f5ed@3049">f5ed@3049</A>:1::120</B>
325
which means that it is a transport mode connection with a Security
329
in hexadecimal using Authentication Header protocol (51,
330
IPPROTO_AH) with no identies defined for either end.
331
<A NAME="lbAF"> </A>
334
/proc/net/ipsec_eroute, /usr/local/bin/ipsec
335
<A NAME="lbAG"> </A>
338
<A HREF="/cgi-bin/man/man2html?8+ipsec">ipsec</A>(8), <A HREF="/cgi-bin/man/man2html?8+ipsec_manual">ipsec_manual</A>(8), <A HREF="/cgi-bin/man/man2html?5+ipsec_tncfg">ipsec_tncfg</A>(5), <A HREF="/cgi-bin/man/man2html?5+ipsec_spi">ipsec_spi</A>(5),
339
<A HREF="/cgi-bin/man/man2html?5+ipsec_spigrp">ipsec_spigrp</A>(5), <A HREF="/cgi-bin/man/man2html?5+ipsec_klipsdebug">ipsec_klipsdebug</A>(5), <A HREF="/cgi-bin/man/man2html?8+ipsec_eroute">ipsec_eroute</A>(8), <A HREF="/cgi-bin/man/man2html?5+ipsec_version">ipsec_version</A>(5),
340
<A HREF="/cgi-bin/man/man2html?5+ipsec_pf_key">ipsec_pf_key</A>(5)
341
<A NAME="lbAH"> </A>
344
Written for the Linux FreeS/WAN project
345
<<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>>
346
by Richard Guy Briggs.
391
<A NAME="index"> </A><H2>Index</H2>
393
<DT><A HREF="#lbAB">NAME</A><DD>
394
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
395
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
396
<DT><A HREF="#lbAE">EXAMPLES</A><DD>
397
<DT><A HREF="#lbAF">FILES</A><DD>
398
<DT><A HREF="#lbAG">SEE ALSO</A><DD>
399
<DT><A HREF="#lbAH">HISTORY</A><DD>
402
This document was created by
403
<A HREF="/cgi-bin/man/man2html">man2html</A>,
404
using the manual pages.<BR>
405
Time: 10:29:41 GMT, June 17, 2004