1
Content-type: text/html
3
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
4
<HTML><HEAD><TITLE>Man page of IPSEC_SPI</TITLE>
7
Section: File Formats (5)<BR>Updated: 26 Jun 2000<BR><A HREF="#index">Index</A>
8
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
13
<A NAME="lbAB"> </A>
16
ipsec_spi - list IPSEC Security Associations
17
<A NAME="lbAC"> </A>
28
<B>/proc/net/ipsec_spi</B>
32
<A NAME="lbAD"> </A>
35
<I>/proc/net/ipsec_spi</I>
37
is a read-only file that lists the current IPSEC Security Associations.
38
A Security Association (SA) is a transform through which packet contents
39
are to be processed before being forwarded. A transform can be an
40
IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation, an IPSEC Authentication Header (authentication
41
with no encryption), or an IPSEC Encapsulation Security Payload
42
(encryption, possibly including authentication).
45
When a packet is passed from a higher networking layer through an IPSEC
46
virtual interface, a search in the extended routing table (see
47
<I><A HREF="/cgi-bin/man/man2html?5+ipsec_eroute">ipsec_eroute</A></I>(5))
52
a Security Parameters Index (SPI)
54
an effective destination address
55
When an IPSEC packet arrives from the network,
56
its ostensible destination, an SPI and an IP protocol
57
specified by its outermost IPSEC header are used.
58
The destination/SPI/protocol combination is used to select a relevant SA.
60
<I><A HREF="/cgi-bin/man/man2html?5+ipsec_spigrp">ipsec_spigrp</A></I>(5)
62
for discussion of how multiple transforms are combined.)
75
arguments specify an SAID.
78
is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol.
81
is a number, preceded by '.' indicating hexadecimal and IPv4 or by ':' indicating hexadecimal and IPv6,
82
where each hexadecimal digit represents 4 bits,
98
is a dotted-decimal IPv4 destination address or a coloned hex IPv6 destination address.
104
combines the three parameters above, such as: "<A HREF="mailto:tun.101@1.2.3.4">tun.101@1.2.3.4</A>" for IPv4 or "tun:<A HREF="mailto:101@3049">101@3049</A>:1::1" for IPv6
107
A table entry consists of:
113
<transform name (proto,encalg,authalg)>:
117
source address (src=)
119
source and destination addresses and masks for inner header policy check
120
addresses (policy=), as dotted-quads or coloned hex, separated by '->',
121
for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only
123
initialisation vector length and value (iv_bits=, iv=) if non-zero
125
out-of-order window size, number of out-of-order errors, sequence
126
number, recently received packet bitmask, maximum difference between
127
sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=) if SA
128
is AH or ESP and if individual items are non-zero
130
extra flags (flags=) if any are set
132
authenticator length in bits (alen=) if non-zero
134
authentication key length in bits (aklen=) if non-zero
136
authentication errors (auth_errs=) if non-zero
138
encryption key length in bits (eklen=) if non-zero
140
encryption size errors (encr_size_errs=) if non-zero
142
encryption padding error warnings (encr_pad_errs=) if non-zero
144
lifetimes legend, c=Current status, s=Soft limit when exceeded will
145
initiate rekeying, h=Hard limit will cause termination of SA (life(c,s,h)=)
147
number of connections to which the SA is allocated (c), that will cause a
148
rekey (s), that will cause an expiry (h) (alloc=), if any value is non-zero
150
number of bytes processesd by this SA (c), that will cause a rekey (s), that
151
will cause an expiry (h) (bytes=), if any value is non-zero
153
time since the SA was added (c), until rekey (s), until expiry (h), in seconds (add=)
155
time since the SA was first used (c), until rekey (s), until expiry (h), in seconds (used=),
156
if any value is non-zero
158
number of packets processesd by this SA (c), that will cause a rekey (s), that
159
will cause an expiry (h) (packets=), if any value is non-zero
161
time since the last packet was processed, in seconds (idle=), if SA has
164
average compression ratio (ratio=)
166
<A NAME="lbAE"> </A>
169
<B><A HREF="mailto:tun.12a@192.168.43.1">tun.12a@192.168.43.1</A> IPIP: dir=out src=192.168.43.2</B>
173
<B> life(c,s,h)=bytes(14073,0,0)add(269,0,0)</B>
177
<B> use(149,0,0)packets(14,0,0)</B>
185
is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between machines
186
192.168.43.2 and 192.168.43.1 with an SPI of 12a in hexadecimal that has
187
passed about 14 kilobytes of traffic in 14 packets since it was created,
188
269 seconds ago, first used 149 seconds ago and has been idle for 23
192
<B>esp:<A HREF="mailto:9a35fc02@3049">9a35fc02@3049</A>:1::1 ESP_3DES_HMAC_MD5:</B>
196
<B> dir=in src=<A HREF="mailto:9a35fc02@3049">9a35fc02@3049</A>:1::2</B>
200
<B> ooowin=32 seq=7149 bit=0xffffffff</B>
204
<B> alen=128 aklen=128 eklen=192</B>
208
<B> life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)</B>
212
<B> use(3858,0,0)packets(7149,0,0)</B>
220
is an inbound Encapsulating Security Payload (protocol 50) SA on machine
221
3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryption
222
cipher, HMAC MD5 as the authentication algorithm, an out-of-order
223
window of 32 packets, a present sequence number of 7149, every one of
224
the last 32 sequence numbers was received, the authenticator length and
225
keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES
226
since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in
227
7149 packets, was added 4593 seconds ago, first used
228
3858 seconds ago and has been idle for 23 seconds.
231
<A NAME="lbAF"> </A>
234
/proc/net/ipsec_spi, /usr/local/bin/ipsec
235
<A NAME="lbAG"> </A>
238
<A HREF="/cgi-bin/man/man2html?8+ipsec">ipsec</A>(8), <A HREF="/cgi-bin/man/man2html?8+ipsec_manual">ipsec_manual</A>(8), <A HREF="/cgi-bin/man/man2html?5+ipsec_tncfg">ipsec_tncfg</A>(5), <A HREF="/cgi-bin/man/man2html?5+ipsec_eroute">ipsec_eroute</A>(5),
239
<A HREF="/cgi-bin/man/man2html?5+ipsec_spigrp">ipsec_spigrp</A>(5), <A HREF="/cgi-bin/man/man2html?5+ipsec_klipsdebug">ipsec_klipsdebug</A>(5), <A HREF="/cgi-bin/man/man2html?8+ipsec_spi">ipsec_spi</A>(8), <A HREF="/cgi-bin/man/man2html?5+ipsec_version">ipsec_version</A>(5),
240
<A HREF="/cgi-bin/man/man2html?5+ipsec_pf_key">ipsec_pf_key</A>(5)
241
<A NAME="lbAH"> </A>
244
Written for the Linux FreeS/WAN project
245
<<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>>
246
by Richard Guy Briggs.
247
<A NAME="lbAI"> </A>
250
The add and use times are awkward, displayed in seconds since machine
251
start. It would be better to display them in seconds before now for
289
<A NAME="index"> </A><H2>Index</H2>
291
<DT><A HREF="#lbAB">NAME</A><DD>
292
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
293
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
294
<DT><A HREF="#lbAE">EXAMPLES</A><DD>
295
<DT><A HREF="#lbAF">FILES</A><DD>
296
<DT><A HREF="#lbAG">SEE ALSO</A><DD>
297
<DT><A HREF="#lbAH">HISTORY</A><DD>
298
<DT><A HREF="#lbAI">BUGS</A><DD>
301
This document was created by
302
<A HREF="/cgi-bin/man/man2html">man2html</A>,
303
using the manual pages.<BR>
304
Time: 10:29:43 GMT, June 17, 2004