<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of IPSEC_SPI</TITLE>
Section: Maintenance Commands (8)<BR>Updated: 23 Oct 2001<BR><A HREF="#index">Index</A>
<HR>
<A NAME="lbAB"> </A><H2>NAME</H2>
ipsec spi - manage IPSEC Security Associations
<A NAME="lbAC"> </A><H2>SYNOPSIS</H2>
Note: In the following, <I>life_param</I> (see <B>--life</B> under OPTIONS) has the form<BR>
(soft | hard)-(allocations | bytes | addtime | usetime | packets)=value[,...]
<P>
<B>hmac-md5-96</B>|<B>hmac-sha1-96</B><BR>
<B>--replay_window</B><BR>
<B>--replay_window</B><BR>
<B>3des-md5-96</B>|<B>3des-sha1-96</B><BR>
<B>--replay_window</B>
<A NAME="lbAD"> </A><H2>DESCRIPTION</H2>
<B>ipsec spi</B> creates and deletes IPSEC Security Associations.
A Security Association (SA) is a transform through which packet
contents are to be processed before being forwarded.
A transform can be an IPv4-in-IPv4 or an IPv6-in-IPv6 encapsulation,
an IPSEC Authentication Header (authentication with no encryption),
or an IPSEC Encapsulation Security Payload (encryption, possibly
including authentication).
<P>
When a packet is passed from a higher networking layer
through an IPSEC virtual interface,
a search in the extended routing table (see
<I><A HREF="/cgi-bin/man/man2html?8+ipsec_eroute">ipsec_eroute</A></I>(8))
yields an effective destination address, a
Security Parameters Index (SPI) and an IP protocol number.
When an IPSEC packet arrives from the network,
its ostensible destination, an SPI and an IP protocol
specified by its outermost IPSEC header are used.
The destination/SPI/protocol combination is used to select a relevant SA.
(See
<I><A HREF="/cgi-bin/man/man2html?8+ipsec_spigrp">ipsec_spigrp</A></I>(8)
for discussion of how multiple transforms are combined.)
<P>
The <B>--af</B>, <B>--edst</B>, <B>--spi</B> and <B>--proto</B>
arguments specify the SA to be created or deleted.
<B>--af</B> is the address family (inet for IPv4, inet6 for IPv6).
<B>--edst</B> is a destination address
in dotted-decimal notation for IPv4
or in a coloned hex notation for IPv6.
<B>--spi</B> is a number, preceded by '0x' for hexadecimal.
<B>--proto</B> is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol.
The protocol must agree with the algorithm selected.
<P>
The <B>--said</B> argument can also specify an SA to be created or deleted.
It combines the three parameters above, such as: "tun.101@1.2.3.4" or "tun:101@1:2::3:4",
where the address family is specified by "." for IPv4 and ":" for IPv6. The address
family indicator takes the place of the "0x" hexadecimal prefix on the SPI.
<P>
The source address (<B>--src</B>) must also be provided for the inbound policy check to
function. The source address does not need to be included if inbound
policy checking has been disabled.
<P>
Key vectors must be entered as hexadecimal or base64 numbers.
They should be cryptographically strong random numbers.
<P>
All hexadecimal numbers are entered as strings of hexadecimal digits
(0-9 and a-f), without spaces, preceded by '0x', where each hexadecimal
digit represents 4 bits.
All base64 numbers are entered as strings of base64 digits
(0-9, A-Z, a-z, '+' and '/'), without spaces, preceded by '0s',
where each base64 digit represents 6 bits and '=' is used for padding.
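<P>
As an added check that is not part of the FreeS/WAN man page, the POSIX shell script below validates a key vector in either encoding described above before it is handed to <B>--enckey</B> or <B>--authkey</B>: it computes the number of bits the string encodes, compares that with the key size the transform needs (192-bit 3DES, 128-bit HMAC-MD5 and 160-bit HMAC-SHA1, as given under OPTIONS and in RFC2403/RFC2404), refuses a hex 3DES key whose three 64-bit subkeys repeat, and shows one way to draw a fresh key from /dev/urandom. The function names, the sample keys and the use of <B>od</B> for key generation are this example's own, not the project's.

```shell
#!/bin/sh
# Added example, not part of the FreeS/WAN man page: check a key vector before
# handing it to "ipsec spi --enckey" or "--authkey". It accepts the two
# encodings the page describes (0x-hex, 4 bits per digit; 0s-base64, 6 bits
# per digit with '=' padding) and compares the encoded length with the key
# size the chosen transform needs. Function names are this example's own.

# key_bits KEY -> prints the number of bits KEY encodes; prints nothing and
# returns 1 if KEY is not a well-formed 0x-hex or 0s-base64 vector.
key_bits() {
    case $1 in
        0x*)
            body=${1#0x}
            case $body in ''|*[!0-9a-f]*) return 1 ;; esac
            echo $(( ${#body} * 4 ))
            ;;
        0s*)
            body=${1#0s}
            pad=0
            # peel off trailing '=' padding (at most two characters)
            while [ "${body%=}" != "$body" ]; do
                body=${body%=}
                pad=$((pad + 1))
            done
            case $body in ''|*[!0-9A-Za-z+/]*) return 1 ;; esac
            [ "$pad" -le 2 ] || return 1
            # base64 works in groups of four digits encoding three bytes;
            # reject lengths that are not whole groups once padding is counted
            [ $(( (${#body} + pad) % 4 )) -eq 0 ] || return 1
            echo $(( (${#body} + pad) / 4 * 24 - pad * 8 ))
            ;;
        *) return 1 ;;
    esac
}

# required_key_bits TRANSFORM KIND -> key size in bits for TRANSFORM, where
# KIND is "enc" (--enckey) or "auth" (--authkey); returns 1 if the pair is
# not a valid combination (an AH transform takes no encryption key).
required_key_bits() {
    case "$1/$2" in
        3des/enc|3des-md5-96/enc|3des-sha1-96/enc) echo 192 ;;
        hmac-md5-96/auth|3des-md5-96/auth)        echo 128 ;;
        hmac-sha1-96/auth|3des-sha1-96/auth)      echo 160 ;;
        *) return 1 ;;
    esac
}

# weak_3des_hex KEY -> true when a 0x-hex 192-bit key repeats one of its three
# 64-bit DES subkeys: K1=K2 or K2=K3 collapses EDE to single DES, K1=K3 leaves
# only two-key 3DES. Either should be refused for a fresh SA.
weak_3des_hex() {
    h=${1#0x}
    k1=$(printf '%s' "$h" | cut -c1-16)
    k2=$(printf '%s' "$h" | cut -c17-32)
    k3=$(printf '%s' "$h" | cut -c33-48)
    [ "$k1" = "$k2" ] || [ "$k2" = "$k3" ] || [ "$k1" = "$k3" ]
}

# check_key TRANSFORM KIND KEY -> prints "ok" when KEY is well formed and has
# the length TRANSFORM requires for KIND; otherwise prints why and returns 1.
check_key() {
    want=$(required_key_bits "$1" "$2") || { echo "no $2 key for transform $1"; return 1; }
    have=$(key_bits "$3") || { echo "malformed key vector: $3"; return 1; }
    if [ "$have" -ne "$want" ]; then
        echo "$1 needs a $want-bit $2 key, got $have bits"
        return 1
    fi
    # extra edge case, hex 3DES keys only: repeated subkeys weaken the cipher
    case "$2/$3" in
        enc/0x*)
            if weak_3des_hex "$3"; then
                echo "3DES key repeats a 64-bit subkey; effective strength is reduced"
                return 1
            fi ;;
    esac
    echo ok
}

# gen_key BITS -> a fresh 0x-hex key of BITS bits read from /dev/urandom, the
# "cryptographically strong random numbers" the page asks for.
gen_key() {
    printf '0x%s\n' "$(head -c $(( $1 / 8 )) /dev/urandom | od -An -tx1 -v | tr -d ' \n')"
}

# Demonstration on constructed sample keys (never reuse these values).
for sample in \
    "3des-md5-96 enc 0x0123456789abcdeffedcba9876543210a5a5a5a55a5a5a5a" \
    "3des-md5-96 enc 0x0123456789abcdef0123456789abcdef0123456789abcdef" \
    "3des-md5-96 auth 0sABCDEFGHIJKLMNOPQRSTUV==" \
    "hmac-sha1-96 auth 0x0123" \
    "3des-sha1-96 enc $(gen_key 192)"
do
    printf '%-70s %s\n' "$sample" "$(check_key $sample)"
done
```

The script only inspects strings; it never calls <B>ipsec spi</B> itself, so it can be run on any host. The base64 length rule follows the page's description (6 bits per digit, '=' padding) and therefore treats a string that is not a whole number of four-digit groups as malformed rather than guessing its length.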
<P>
The deletion of an SA which has been grouped will result in the entire chain
<P>
The form with no additional arguments lists the contents of
/proc/net/ipsec_spi. The format of /proc/net/ipsec_spi is discussed in
<A HREF="/cgi-bin/man/man2html?5+ipsec_spi">ipsec_spi</A>(5).
<P>
The lifetime severity of <B>soft</B>
sets a limit when the key management daemons are asked to rekey the SA.
The lifetime severity of <B>hard</B>
sets a limit when the SA must expire.
The lifetime type of <B>allocations</B>
tells the system when to expire the SA because it is being shared by too many
eroutes (not currently used). The lifetime type of <B>bytes</B>
tells the system to expire the SA after a certain number of bytes have been
processed with that SA. The lifetime type of <B>addtime</B>
tells the system to expire the SA a certain number of seconds after the SA was
installed. The lifetime type of <B>usetime</B>
tells the system to expire the SA a certain number of seconds after that SA has
processed its first packet. The lifetime type of <B>packets</B>
tells the system to expire the SA after a certain number of packets have been
processed with that SA.
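<P>
As an added example, not code from the FreeS/WAN project, the shell functions below cover two pieces of argument syntax from this section: <B>said_to_args</B> expands the monolithic <B>--said</B> form described earlier ("tun.101@1.2.3.4", "tun:101@1:2::3:4") into the explicit <B>--af</B>/<B>--edst</B>/<B>--spi</B>/<B>--proto</B> options, and <B>life_check</B> validates a <B>--life</B> list against the lifetime syntax and semantics just described, flagging a hard limit set below its soft limit, which would expire the SA before the key management daemons are ever asked to rekey it. Function names and the sample values are this example's own.

```shell
#!/bin/sh
# Added example, not part of the FreeS/WAN man page: argument-syntax helpers
# for "ipsec spi". said_to_args expands the monolithic --said form
# (proto<sep>spi@dst, '.' for IPv4 and ':' for IPv6, SPI in hex without "0x")
# into the explicit options; life_check validates a --life list and refuses a
# hard limit below its soft limit. Function names are this example's own.

# said_to_args SAID -> prints "--af AF --edst DST --spi 0xSPI --proto PROTO";
# returns 1 if SAID does not follow the format above.
said_to_args() {
    said=$1
    proto=${said%%[.:]*}              # everything before the first '.' or ':'
    rest=${said#"$proto"}
    sep=${rest%"${rest#?}"}           # the separator character itself
    rest=${rest#?}
    spi=${rest%%@*}                   # hex SPI; the separator replaced "0x"
    dst=${rest#*@}
    case $proto in ah|esp|comp|tun) ;; *) return 1 ;; esac
    case $spi in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    case $rest in *@?*) ;; *) return 1 ;; esac
    case $sep in
        .) af=inet ;;
        :) af=inet6 ;;
        *) return 1 ;;
    esac
    echo "--af $af --edst $dst --spi 0x$spi --proto $proto"
}

# life_check LIFE -> prints "ok" when LIFE is a comma-separated list of
# (soft|hard)-(allocations|bytes|addtime|usetime|packets)=NUMBER entries with
# no spaces, and every hard limit is at least its soft limit; otherwise prints
# the problem and returns 1.
life_check() {
    list=$1
    case $list in ''|*' '*|,*|*,|*,,*) echo "bad list: '$list'"; return 1 ;; esac
    for type in allocations bytes addtime usetime packets; do
        unset "soft_$type" "hard_$type"
    done
    old_ifs=$IFS
    IFS=,
    set -- $list
    IFS=$old_ifs
    for spec; do
        sev=${spec%%-*}
        rest=${spec#*-}
        type=${rest%%=*}
        val=${rest#*=}
        case $sev in soft|hard) ;; *) echo "bad severity in '$spec'"; return 1 ;; esac
        case $type in allocations|bytes|addtime|usetime|packets) ;;
            *) echo "bad lifetime type in '$spec'"; return 1 ;;
        esac
        case $val in ''|*[!0-9]*) echo "bad value in '$spec'"; return 1 ;; esac
        eval "${sev}_${type}=\$val"     # val is digits only, so eval is safe
    done
    # a soft limit is the rekey trigger; a hard limit below it expires the SA
    # before the rekey request can ever happen
    for type in allocations bytes addtime usetime packets; do
        eval "s=\${soft_$type:-}; h=\${hard_$type:-}"
        if [ -n "$s" ] && [ -n "$h" ] && [ "$h" -lt "$s" ]; then
            echo "hard-$type=$h is below soft-$type=$s: SA would expire before a rekey is requested"
            return 1
        fi
    done
    echo ok
}

# Demonstration on constructed values.
said_to_args tun.101@1.2.3.4     # --af inet --edst 1.2.3.4 --spi 0x101 --proto tun
said_to_args tun:101@1:2::3:4    # --af inet6 --edst 1:2::3:4 --spi 0x101 --proto tun
life_check soft-bytes=1000000,hard-bytes=2000000,soft-addtime=3600,hard-addtime=7200
life_check soft-addtime=3600,hard-addtime=1800 || :
```

Both functions only print or validate; neither runs <B>ipsec spi</B>, so a wrapper script can use them to reject a malformed SAID or lifetime list before anything touches the kernel's SA table.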
<A NAME="lbAE"> </A><H2>OPTIONS</H2>
<DL>
<DT><B>--af</B><DD>
specifies the address family (inet for IPv4, inet6 for IPv6)
<DT><B>--edst</B><DD>
specifies the effective destination address of the Security Association
<DT><B>--spi</B><DD>
specifies the Security Parameters Index of the Security Association
<DT><B>--proto</B><DD>
specifies the IP protocol of the Security Association
<DT><B>--said</B><DD>
specifies the Security Association in monolithic format
<DT><B>--ah</B> <B>hmac-md5-96</B>|<B>hmac-sha1-96</B><DD>
add an SA for an IPSEC Authentication Header,
specified by the following transform identifier
(RFC2402, obsoletes RFC1826)
<DL>
<DT><B>hmac-md5-96</B><DD>
transform following the HMAC and MD5 standards,
to produce a 96-bit authenticator (RFC2403)
<DT><B>hmac-sha1-96</B><DD>
transform following the HMAC and SHA1 standards,
to produce a 96-bit authenticator (RFC2404)
</DL>
<DT><B>--esp</B> <B>3des</B>|<B>3des-md5-96</B>|<B>3des-sha1-96</B><DD>
add an SA for an IPSEC Encapsulation Security Payload,
specified by the following
transform identifier (<B>3des</B>, <B>3des-md5-96</B> or <B>3des-sha1-96</B>)
(RFC2406, obsoletes RFC1827)
<DL>
<DT><B>3des</B><DD>
encryption transform following the Triple-DES standard in
Cipher-Block-Chaining mode using a 64-bit IV
(internally generated) and a 192-bit 3DES key
<DT><B>3des-md5-96</B><DD>
encryption transform following the Triple-DES standard in
Cipher-Block-Chaining mode with authentication provided by HMAC-MD5
(96-bit authenticator),
using a 64-bit IV (internally generated), a 192-bit 3DES key
and a 128-bit HMAC-MD5 key
<DT><B>3des-sha1-96</B><DD>
encryption transform following the Triple-DES standard in
Cipher-Block-Chaining mode with authentication provided by HMAC-SHA1
(96-bit authenticator),
using a 64-bit IV (internally generated), a 192-bit 3DES key
and a 160-bit HMAC-SHA1 key
</DL>
<DT><B>--replay_window</B> replayw<DD>
sets the replay window size; valid values are decimal, 1 to 64
<DT><B>--life</B> life_param[,life_param]<DD>
sets the lifetime expiry; the format of <I>life_param</I>
consists of a comma-separated list of lifetime specifications without spaces;
a lifetime specification is comprised of a severity of
<B>soft</B> or <B>hard</B>
followed by a '-', followed by a lifetime type of
<B>allocations</B>, <B>bytes</B>, <B>addtime</B>, <B>usetime</B> or <B>packets</B>
followed by an '=' and finally by a value
<DT><B>--comp</B> <B>deflate</B><DD>
add an SA for IPSEC IP Compression,
specified by the following
transform identifier (<B>deflate</B>)
<DL>
<DT><B>deflate</B><DD>
compression transform following the patent-free Deflate compression algorithm
</DL>
<DT><B>--ip4</B><DD>
add an SA for an IPv4-in-IPv4 tunnel
<DT><B>--ip6</B><DD>
add an SA for an IPv6-in-IPv6 tunnel
<DT><B>--src</B><DD>
specify the source end of an IP-in-IP tunnel;
this also specifies the source address of the Security Association to be
used in inbound policy checking and must be the same address
<DT><B>--dst</B><DD>
specify the destination end of an IP-in-IP tunnel
<DT><B>--del</B><DD>
delete the specified SA
<DT><B>--version</B><DD>
display version information
</DL>
<A NAME="lbAF"> </A><H2>EXAMPLES</H2>
To keep line lengths down and reduce clutter,
some of the long keys in these examples have been abbreviated
by replacing part of their text with "<I>...</I>".
Keys used when the programs are actually run must,
of course, be the full length required for the particular algorithm.
<P>
<B>ipsec spi --af inet --edst gw2 --spi 0x125 --proto esp \</B><BR>
<B> --esp 3des-md5-96 \</B><BR>
<B> --enckey 0x6630</B><I>...</I><B>97ce \</B><BR>
<B> --authkey 0x9941</B><I>...</I><B>71df</B>
<P>
sets up an SA with an effective destination of <B>gw2</B>, an SPI of <B>0x125</B>
and a protocol of <B>esp</B>, using the <B>3des-md5-96</B>
encryption with integral
authentication transform, using an encryption key of
<B>0x6630</B><I>...</I><B>97ce</B>
and an authentication key of
<B>0x9941</B><I>...</I><B>71df</B>
(see note above about abbreviated keys).
<P>
<B>ipsec spi --af inet6 --edst 3049:9::9000:3100 --spi 0x150 --proto ah \</B><BR>
<B> --src 3049:9::9000:3101 \</B><BR>
<B> --ah hmac-md5-96 \</B><BR>
<B> --authkey 0x1234</B><I>...</I><B>2eda</B>
<P>
sets up an SA with a source of
<B>3049:9::9000:3101</B>
and an effective destination of
<B>3049:9::9000:3100</B>,
an SPI of <B>0x150</B> and a protocol of <B>ah</B>, using the <B>hmac-md5-96</B>
authentication transform, using an authentication key of
<B>0x1234</B><I>...</I><B>2eda</B>
(see note above about abbreviated keys).
<P>
<B>ipsec spi --said tun.987@192.168.100.100 --del</B>
<P>
deletes the IPv4 SA with an effective destination of
<B>192.168.100.100</B>,
an SPI of <B>0x987</B> and a protocol of <B>tun</B>.
<P>
<B>ipsec spi --said tun:500@3049:9::1000:1 --del</B>
<P>
deletes the IPv6 SA with an effective destination of
<B>3049:9::1000:1</B>,
an SPI of <B>0x500</B> and a protocol of <B>tun</B>.
<A NAME="lbAG"> </A><H2>FILES</H2>
/proc/net/ipsec_spi, /usr/local/bin/ipsec
<A NAME="lbAH"> </A><H2>SEE ALSO</H2>
<A HREF="/cgi-bin/man/man2html?8+ipsec">ipsec</A>(8), <A HREF="/cgi-bin/man/man2html?8+ipsec_manual">ipsec_manual</A>(8), <A HREF="/cgi-bin/man/man2html?8+ipsec_tncfg">ipsec_tncfg</A>(8), <A HREF="/cgi-bin/man/man2html?8+ipsec_eroute">ipsec_eroute</A>(8),
<A HREF="/cgi-bin/man/man2html?8+ipsec_spigrp">ipsec_spigrp</A>(8), <A HREF="/cgi-bin/man/man2html?8+ipsec_klipsdebug">ipsec_klipsdebug</A>(8), <A HREF="/cgi-bin/man/man2html?5+ipsec_spi">ipsec_spi</A>(5)
<A NAME="lbAI"> </A><H2>HISTORY</H2>
Written for the Linux FreeS/WAN project
&lt;<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>&gt;
by Richard Guy Briggs.
<A NAME="lbAJ"> </A><H2>BUGS</H2>
The syntax is messy and the transform naming needs work.
<HR>
<A NAME="index"> </A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">OPTIONS</A><DD>
<DT><A HREF="#lbAF">EXAMPLES</A><DD>
<DT><A HREF="#lbAG">FILES</A><DD>
<DT><A HREF="#lbAH">SEE ALSO</A><DD>
<DT><A HREF="#lbAI">HISTORY</A><DD>
<DT><A HREF="#lbAJ">BUGS</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 10:29:43 GMT, June 17, 2004