Manual for eroute - man eroute

IPSEC_EROUTE(8)                                                IPSEC_EROUTE(8)



NAME
       ipsec eroute - manipulate IPSEC extended routing tables

SYNOPSIS
       ipsec eroute

       ipsec eroute --add --eraf (inet | inet6) --src src/srcmaskbits|srcmask
       --dst dst/dstmaskbits|dstmask <SAID>

       ipsec eroute --replace --eraf (inet | inet6) --src src/srcmaskbits|srcmask
       --dst dst/dstmaskbits|dstmask <SAID>

       ipsec eroute --del --eraf (inet | inet6) --src src/srcmaskbits|srcmask
       --dst dst/dstmaskbits|dstmask

       ipsec eroute --clear

       ipsec eroute --help

       ipsec eroute --version

       Where <SAID> is --af (inet | inet6) --edst edst --spi spi --proto proto
       OR --said said OR --said (%passthrough | %passthrough4 | %passthrough6)

DESCRIPTION
       Eroute manages the IPSEC extended routing tables, which control what
       (if any) processing is applied to non-encrypted packets arriving for
       IPSEC processing and forwarding.  The form with no additional arguments
       lists the contents of /proc/net/ipsec_eroute.  The --add form adds a
       table entry, the --replace form replaces a table entry, while the --del
       form deletes one.  The --clear form deletes the entire table.

       A table entry consists of:

       +  source and destination addresses, with masks, for selection of
          packets

       +  Security Association IDentifier, comprised of:

       +     protocol (proto), indicating (together with the effective
             destination and the security parameters index) which Security
             Association should be used to process the packet

       +     address family (af),

       +     Security Parameters Index (spi), indicating (together with the
             effective destination and protocol) which Security Association
             should be used to process the packet (must be larger than or
             equal to 0x100)

       +     effective destination (edst), where the packet should be
             forwarded after processing (normally the other security gateway)

       +  OR

       +     SAID (said), indicating which Security Association should be used
             to process the packet

       Addresses are written as IPv4 dotted quads or IPv6 coloned hex, the
       protocol is one of "ah", "esp", "comp" or "tun", and SPIs are prefixed
       hexadecimal numbers where '.' represents IPv4 and ':' stands for IPv6.

       SAIDs are written as "protoafSPI@address".  There are also 5 "magic"
       SAIDs which have special meaning:

       +  %drop means that matches are to be dropped

       +  %reject means that matches are to be dropped and, if possible, an
          ICMP message returned to inform the sender

       +  %trap means that matches are to trigger an ACQUIRE message to the
          Key Management daemon(s), and a hold eroute will be put in place to
          prevent subsequent packets also triggering ACQUIRE messages.

       +  %hold means that matches are to be stored until the eroute is
          replaced or until that eroute gets reaped

       +  %pass means that matches are to be allowed to pass without IPSEC
          processing

       The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).

EXAMPLES
       ipsec eroute --add --eraf inet --src 192.168.0.1/32 \
          --dst 192.168.2.0/24 --af inet --edst 192.168.0.2 \
          --spi 0x135 --proto tun

       sets up an eroute on a Security Gateway to protect traffic between the
       host 192.168.0.1 and the subnet 192.168.2.0 with 24 bits of subnet mask
       via Security Gateway 192.168.0.2 using the Security Association with
       address 192.168.0.2, Security Parameters Index 0x135 and protocol tun
       (50, IPPROTO_ESP).

       ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \
          --dst 3049:2::/64 --af inet6 --edst 3049:1::2 \
          --spi 0x145 --proto tun

       sets up an eroute on a Security Gateway to protect traffic between the
       host 3049:1::1 and the subnet 3049:2:: with 64 bits of subnet mask via
       Security Gateway 3049:1::2 using the Security Association with address
       3049:1::2, Security Parameters Index 0x145 and protocol tun (50,
       IPPROTO_ESP).

       ipsec eroute --replace --eraf inet --src company.com/24 \
          --dst ftp.ngo.org/32 --said tun.135@gw.ngo.org

       replaces an eroute on a Security Gateway to protect traffic between the
       subnet company.com with 24 bits of subnet mask and the host ftp.ngo.org
       via Security Gateway gw.ngo.org using the Security Association with
       Security Association ID tun0x135@gw.ngo.org.

       ipsec eroute --del --eraf inet --src company.com/24 \
          --dst www.ietf.org/32 --said %passthrough4

       deletes an eroute on a Security Gateway that allowed traffic between
       the subnet company.com with 24 bits of subnet mask and the host
       www.ietf.org to pass in the clear, unprocessed.
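       As an added illustration (not part of this manual or of the FreeS/WAN
       project), the Python below parses the "protoafSPI@address" SAID form and
       the magic SAIDs described above, then assembles a validated argument
       list for the commands shown in the EXAMPLES: it enforces the 0x100 SPI
       minimum and checks each selector against the --eraf family.  Hostnames
       are passed through unresolved and only the maskbits selector form is
       handled; the function names are my own.

```python
import ipaddress
import re
# Special SAIDs from the DESCRIPTION and SYNOPSIS above.
MAGIC_SAIDS = {"%drop", "%reject", "%trap", "%hold", "%pass",
               "%passthrough", "%passthrough4", "%passthrough6"}
MIN_SPI = 0x100  # the manual requires an SPI of at least 0x100
# protoafSPI@address: proto, '.' (IPv4) or ':' (IPv6), hex SPI, '@', address or name
_SAID_RE = re.compile(r"^(ah|esp|comp|tun)([.:])([0-9a-fA-F]+)@(\S+)$")

def parse_said(said):
    """Return {'magic': said} for a %-SAID, else {proto, af, spi, edst}."""
    if said in MAGIC_SAIDS:
        return {"magic": said}
    m = _SAID_RE.match(said)
    if not m:
        raise ValueError("malformed SAID: %r" % said)
    proto, sep, spi_hex, edst = m.groups()
    spi = int(spi_hex, 16)
    if spi < MIN_SPI:
        raise ValueError("SPI 0x%x is below the 0x100 minimum" % spi)
    return {"proto": proto, "af": "inet" if sep == "." else "inet6",
            "spi": spi, "edst": edst}

def check_selector(eraf, selector):
    """Validate an addr/maskbits selector against --eraf; hostnames pass
    through unresolved, as the command itself accepts them (assumption)."""
    addr, sep, bits = selector.partition("/")
    maxbits = 32 if eraf == "inet" else 128
    if sep != "/" or not bits.isdigit() or not 0 <= int(bits) <= maxbits:
        raise ValueError("bad selector %r for %s" % (selector, eraf))
    try:
        version = ipaddress.ip_address(addr).version
    except ValueError:
        return selector  # a name rather than an IP literal
    if (version == 4) != (eraf == "inet"):
        raise ValueError("%r is not an %s address" % (addr, eraf))
    return selector

def eroute_argv(action, eraf, src, dst, said=None):
    """Build argv for 'ipsec eroute --add|--replace|--del'; said may be omitted for --del."""
    argv = ["ipsec", "eroute", "--" + action, "--eraf", eraf,
            "--src", check_selector(eraf, src), "--dst", check_selector(eraf, dst)]
    if said is None:
        return argv
    sa = parse_said(said)
    if "magic" in sa:
        return argv + ["--said", sa["magic"]]
    return argv + ["--af", sa["af"], "--edst", sa["edst"],
                   "--spi", "0x%x" % sa["spi"], "--proto", sa["proto"]]
```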

FILES
       /proc/net/ipsec_eroute, /usr/local/bin/ipsec

SEE ALSO
       ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8), ipsec_spigrp(8),
       ipsec_klipsdebug(8), ipsec_eroute(5)

HISTORY
       Written  for  the Linux FreeS/WAN project <http://www.freeswan.org/> by
       Richard Guy Briggs.



                                  21 Jun 2000                  IPSEC_EROUTE(8)
