306 lines
7.5 KiB
HTML
306 lines
7.5 KiB
HTML
Content-type: text/html
|
|
|
|
<HTML><HEAD><TITLE>Manpage of IPSEC_SPI</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>IPSEC_SPI</H1>
|
|
Section: File Formats (5)<BR>Updated: 26 Jun 2000<BR><A HREF="#index">Index</A>
|
|
<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
|
|
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
ipsec_spi - list IPSEC Security Associations
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<B>ipsec</B>
|
|
|
|
<B>spi</B>
|
|
|
|
<P>
|
|
|
|
<B>cat</B>
|
|
|
|
<B>/proc/net/ipsec_spi</B>
|
|
|
|
<P>
|
|
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
<I>/proc/net/ipsec_spi</I>
|
|
|
|
is a read-only file that lists the current IPSEC Security Associations.
|
|
A Security Association (SA) is a transform through which packet contents
|
|
are to be processed before being forwarded. A transform can be an
|
|
IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation, an IPSEC Authentication Header (authentication
|
|
with no encryption), or an IPSEC Encapsulation Security Payload
|
|
(encryption, possibly including authentication).
|
|
<P>
|
|
|
|
When a packet is passed from a higher networking layer through an IPSEC
|
|
virtual interface, a search in the extended routing table (see
|
|
<I><A HREF="ipsec_eroute.5.html">ipsec_eroute</A></I>(5))
|
|
|
|
yields
|
|
a IP protocol number
|
|
,
|
|
a Security Parameters Index (SPI)
|
|
and
|
|
an effective destination address
|
|
When an IPSEC packet arrives from the network,
|
|
its ostensible destination, an SPI and an IP protocol
|
|
specified by its outermost IPSEC header are used.
|
|
The destination/SPI/protocol combination is used to select a relevant SA.
|
|
(See
|
|
<I><A HREF="ipsec_spigrp.5.html">ipsec_spigrp</A></I>(5)
|
|
|
|
for discussion of how multiple transforms are combined.)
|
|
<P>
|
|
|
|
An
|
|
<I>spi ,</I>
|
|
|
|
<I>proto, </I>
|
|
|
|
<I>daddr</I>
|
|
|
|
and
|
|
<I>address_family</I>
|
|
|
|
arguments specify an SAID.
|
|
<I>Proto</I>
|
|
|
|
is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol.
|
|
<I>Spi</I>
|
|
|
|
is a number, preceded by '.' indicating hexadecimal and IPv4 or by ':' indicating hexadecimal and IPv6,
|
|
where each hexadecimal digit represents 4 bits,
|
|
between
|
|
<B>0x100</B>
|
|
|
|
and
|
|
<B>0xffffffff</B>;
|
|
|
|
values from
|
|
<B>0x0</B>
|
|
|
|
to
|
|
<B>0xff</B>
|
|
|
|
are reserved.
|
|
<I>Daddr</I>
|
|
|
|
is a dotted-decimal IPv4 destination address or a coloned hex IPv6 destination address.
|
|
<P>
|
|
|
|
An
|
|
<I>SAID</I>
|
|
|
|
combines the three parameters above, such as: "<A HREF="mailto:tun.101@1.2.3.4">tun.101@1.2.3.4</A>" for IPv4 or "tun:<A HREF="mailto:101@3049">101@3049</A>:1::1" for IPv6
|
|
<P>
|
|
|
|
A table entry consists of:
|
|
<DL COMPACT>
|
|
<DT>+<DD>
|
|
<B>SAID</B>
|
|
|
|
<DT>+<DD>
|
|
<transform name (proto,encalg,authalg)>:
|
|
<DT>+<DD>
|
|
direction (dir=)
|
|
<DT>+<DD>
|
|
source address (src=)
|
|
<DT>+<DD>
|
|
source and destination addresses and masks for inner header policy check
|
|
addresses (policy=), as dotted-quads or coloned hex, separated by '->',
|
|
for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only
|
|
<DT>+<DD>
|
|
initialisation vector length and value (iv_bits=, iv=) if non-zero
|
|
<DT>+<DD>
|
|
out-of-order window size, number of out-of-order errors, sequence
|
|
number, recently received packet bitmask, maximum difference between
|
|
sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=) if SA
|
|
is AH or ESP and if individual items are non-zero
|
|
<DT>+<DD>
|
|
extra flags (flags=) if any are set
|
|
<DT>+<DD>
|
|
authenticator length in bits (alen=) if non-zero
|
|
<DT>+<DD>
|
|
authentication key length in bits (aklen=) if non-zero
|
|
<DT>+<DD>
|
|
authentication errors (auth_errs=) if non-zero
|
|
<DT>+<DD>
|
|
encryption key length in bits (eklen=) if non-zero
|
|
<DT>+<DD>
|
|
encryption size errors (encr_size_errs=) if non-zero
|
|
<DT>+<DD>
|
|
encryption padding error warnings (encr_pad_errs=) if non-zero
|
|
<DT>+<DD>
|
|
lifetimes legend, c=Current status, s=Soft limit when exceeded will
|
|
initiate rekeying, h=Hard limit will cause termination of SA (life(c,s,h)=)
|
|
<DT>+<DD>
|
|
number of connections to which the SA is allocated (c), that will cause a
|
|
rekey (s), that will cause an expiry (h) (alloc=), if any value is non-zero
|
|
<DT>+<DD>
|
|
number of bytes processesd by this SA (c), that will cause a rekey (s), that
|
|
will cause an expiry (h) (bytes=), if any value is non-zero
|
|
<DT>+<DD>
|
|
time since the SA was added (c), until rekey (s), until expiry (h), in seconds (add=)
|
|
<DT>+<DD>
|
|
time since the SA was first used (c), until rekey (s), until expiry (h), in seconds (used=),
|
|
if any value is non-zero
|
|
<DT>+<DD>
|
|
number of packets processesd by this SA (c), that will cause a rekey (s), that
|
|
will cause an expiry (h) (packets=), if any value is non-zero
|
|
<DT>+<DD>
|
|
time since the last packet was processed, in seconds (idle=), if SA has
|
|
been used
|
|
<DT><DD>
|
|
average compression ratio (ratio=)
|
|
</DL>
|
|
<A NAME="lbAE"> </A>
|
|
<H2>EXAMPLES</H2>
|
|
|
|
<B><A HREF="mailto:tun.12a@192.168.43.1">tun.12a@192.168.43.1</A> IPIP: dir=out src=192.168.43.2</B>
|
|
|
|
<BR>
|
|
|
|
<B> life(c,s,h)=bytes(14073,0,0)add(269,0,0)</B>
|
|
|
|
<BR>
|
|
|
|
<B> use(149,0,0)packets(14,0,0)</B>
|
|
|
|
<BR>
|
|
|
|
<B> idle=23</B>
|
|
|
|
<P>
|
|
|
|
is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between machines
|
|
192.168.43.2 and 192.168.43.1 with an SPI of 12a in hexadecimal that has
|
|
passed about 14 kilobytes of traffic in 14 packets since it was created,
|
|
269 seconds ago, first used 149 seconds ago and has been idle for 23
|
|
seconds.
|
|
<P>
|
|
|
|
<B>esp:<A HREF="mailto:9a35fc02@3049">9a35fc02@3049</A>:1::1 ESP_3DES_HMAC_MD5:</B>
|
|
|
|
<BR>
|
|
|
|
<B> dir=in src=<A HREF="mailto:9a35fc02@3049">9a35fc02@3049</A>:1::2</B>
|
|
|
|
<BR>
|
|
|
|
<B> ooowin=32 seq=7149 bit=0xffffffff</B>
|
|
|
|
<BR>
|
|
|
|
<B> alen=128 aklen=128 eklen=192</B>
|
|
|
|
<BR>
|
|
|
|
<B> life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)</B>
|
|
|
|
<BR>
|
|
|
|
<B> use(3858,0,0)packets(7149,0,0)</B>
|
|
|
|
<BR>
|
|
|
|
<B> idle=23</B>
|
|
|
|
<P>
|
|
|
|
is an inbound Encapsulating Security Payload (protocol 50) SA on machine
|
|
3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryption
|
|
cipher, HMAC MD5 as the authentication algorithm, an out-of-order
|
|
window of 32 packets, a present sequence number of 7149, every one of
|
|
the last 32 sequence numbers was received, the authenticator length and
|
|
keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES
|
|
since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in
|
|
7149 packets, was added 4593 seconds ago, first used
|
|
3858 seconds ago and has been idle for 23 seconds.
|
|
<P>
|
|
|
|
<A NAME="lbAF"> </A>
|
|
<H2>FILES</H2>
|
|
|
|
/proc/net/ipsec_spi, /usr/local/bin/ipsec
|
|
<A NAME="lbAG"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<A HREF="ipsec.8.html">ipsec</A>(8), <A HREF="ipsec_manual.8.html">ipsec_manual</A>(8), <A HREF="ipsec_tncfg.5.html">ipsec_tncfg</A>(5), <A HREF="ipsec_eroute.5.html">ipsec_eroute</A>(5),
|
|
<A HREF="ipsec_spigrp.5.html">ipsec_spigrp</A>(5), <A HREF="ipsec_klipsdebug.5.html">ipsec_klipsdebug</A>(5), <A HREF="ipsec_spi.8.html">ipsec_spi</A>(8), <A HREF="ipsec_version.5.html">ipsec_version</A>(5),
|
|
<A HREF="ipsec_pf_key.5.html">ipsec_pf_key</A>(5)
|
|
<A NAME="lbAH"> </A>
|
|
<H2>HISTORY</H2>
|
|
|
|
Written for the Linux FreeS/WAN project
|
|
<<A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>>
|
|
by Richard Guy Briggs.
|
|
<A NAME="lbAI"> </A>
|
|
<H2>BUGS</H2>
|
|
|
|
The add and use times are awkward, displayed in seconds since machine
|
|
start. It would be better to display them in seconds before now for
|
|
human readability.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT><A HREF="#lbAB">NAME</A><DD>
|
|
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DT><A HREF="#lbAE">EXAMPLES</A><DD>
|
|
<DT><A HREF="#lbAF">FILES</A><DD>
|
|
<DT><A HREF="#lbAG">SEE ALSO</A><DD>
|
|
<DT><A HREF="#lbAH">HISTORY</A><DD>
|
|
<DT><A HREF="#lbAI">BUGS</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 21:40:18 GMT, November 11, 2003
|
|
</BODY>
|
|
</HTML>
|