.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
ip-xfrm \- transform configuration
.RI " { " COMMAND " | "
.IR XFRM-OBJECT " { " COMMAND " | "
.BR state " | " policy " | " monitor
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " replay-window
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.IR ADDR "[/" PLEN "] ]"
.B "ip xfrm state allocspi"
.BR "ip xfrm state" " { " delete " | " get " } "
.BR "ip xfrm state" " { " deleteall " | " list " } ["
.BR "ip xfrm state flush" " [ " proto
.BR "ip xfrm state count"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
.RB "{ " enc " | " auth " | " comp " } "
.IR ALGO-NAME " " ALGO-KEY " |"
.IR ALGO-NAME " " ALGO-KEY " " ALGO-ICV-LEN " |"
.IR ALGO-NAME " " ALGO-KEY " " ALGO-TRUNC-LEN
.BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR
.BR "ip xfrm policy" " { " add " | " update " }"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.B "ip xfrm policy flush"
.B "ip xfrm policy count"
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.BR in " | " out " | " fwd
.BR allow " | " block
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR localok " | " icmp
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
.BR required " | " use
.BR "ip xfrm monitor" " [ " all " |"
.IR LISTofXFRM-OBJECTS " ]"
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
object operating on the Security Association Database, and the
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.
.SS ip xfrm state add - add new state into xfrm
.SS ip xfrm state update - update existing state in xfrm
.SS ip xfrm state allocspi - allocate an SPI value
.SS ip xfrm state delete - delete existing state in xfrm
.SS ip xfrm state get - get existing state in xfrm
.SS ip xfrm state deleteall - delete all existing state in xfrm
.SS ip xfrm state list - print out the list of existing state in xfrm
.SS ip xfrm state flush - flush all state in xfrm
.SS ip xfrm state count - count all existing state in xfrm
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies one or more algorithms
to use. Algorithm types include
.RB "encryption (" enc "),"
.RB "authentication (" auth "),"
.RB "authentication with a specified truncation length (" auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), and"
.RB "compression (" comp ")."
For each algorithm used, the algorithm type, the algorithm name
must be specified. For
the Integrity Check Value length, in bits,
must additionally be specified.
the truncation length of the authentication tag (ICV), in bits,
must additionally be specified.
specifies a mode of operation:
.RB "IPsec transport mode (" transport "), "
.RB "IPsec tunnel mode (" tunnel "), "
.RB "Mobile IPv6 route optimization mode (" ro "), "
.RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
.RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", or " align4 "."
selects the traffic that this state applies to, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
sets limits in seconds, bytes, or numbers of packets.
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
.SS ip xfrm policy add - add a new policy
.SS ip xfrm policy update - update an existing policy
.SS ip xfrm policy delete - delete an existing policy
.SS ip xfrm policy get - get an existing policy
.SS ip xfrm policy deleteall - delete all existing xfrm policies
.SS ip xfrm policy list - print out the list of xfrm policies
.SS ip xfrm policy flush - flush policies
.SS ip xfrm policy count - count existing policies
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
selects the policy direction as
.BR in " (inbound), " out " (outbound), or " fwd " (forwarded)."
sets the security context.
.BR main " (default) or " sub "."
.BR allow " (default) or " block "."
is a number that defaults to zero; policies with a lower value are matched first.
contains one or both of the following optional flags:
.BR localok " or " icmp "."
sets limits in seconds, bytes, or numbers of packets.
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies a mode of operation:
.RB "IPsec transport mode (" transport "), "
.RB "IPsec tunnel mode (" tunnel "), "
.RB "Mobile IPv6 route optimization mode (" ro "), "
.RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
.RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
.BR required " (default) or " use "."
.RB "With " use " the transform is optional: if no matching state exists, the traffic is passed without protection."
.SS ip xfrm monitor - state monitoring for xfrm objects
The xfrm objects to monitor can be optionally specified.
Manpage by David Ward