Provided by: openswan_2.4.4-3ubuntu1_i386 bug


       ipsec_spi - list IPSEC Security Associations


       ipsec spi

       cat /proc/net/ipsec_spi


       /proc/net/ipsec_spi  is  a  read-only file that lists the current IPSEC
       Security Associations.  A Security  Association  (SA)  is  a  transform
       through  which  packet  contents  are  to  be  processed  before  being
       forwarded.   A  transform  can  be  an  IPv4-in-IPv4  or   IPv6-in-IPv6
       encapsulation,  an  IPSEC Authentication Header (authentication with no
       encryption), or an IPSEC Encapsulation  Security  Payload  (encryption,
       possibly including authentication).

       When a packet is passed from a higher networking layer through an IPSEC
       virtual  interface,  a  search  in  the  extended  routing  table  (see
       ipsec_eroute(5))  yields  a  IP protocol number , a Security Parameters
       Index (SPI) and an effective destination address When an  IPSEC  packet
       arrives  from the network, its ostensible destination, an SPI and an IP
       protocol specified  by  its  outermost  IPSEC  header  are  used.   The
       destination/SPI/protocol  combination  is used to select a relevant SA.
       (See ipsec_spigrp(5) for discussion  of  how  multiple  transforms  are

       An  spi  ,  proto,  daddr and address_family arguments specify an SAID.
       Proto is an ASCII string, "ah", "esp", "comp" or "tun", specifying  the
       IP  protocol.   Spi is a number, preceded by ’.’ indicating hexadecimal
       and IPv4  or  by  ’:’  indicating  hexadecimal  and  IPv6,  where  each
       hexadecimal  digit  represents  4  bits,  between 0x100 and 0xffffffff;
       values from 0x0 to 0xff are reserved.  Daddr is a  dotted-decimal  IPv4
       destination address or a coloned hex IPv6 destination address.

       An SAID combines the three parameters above, such as: "tun.101@"
       for IPv4 or "tun:101@3049:1::1" for IPv6

       A table entry consists of:

       +  SAID

       +  <transform name (proto,encalg,authalg)>:

       +  direction (dir=)

       +  source address (src=)

       +  source and destination addresses and masks for inner  header  policy
          check addresses (policy=), as dotted-quads or coloned hex, separated
          by ’->’, for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only

       +  initialisation vector length and value (iv_bits=, iv=) if non-zero

       +  out-of-order window size, number of  out-of-order  errors,  sequence
          number, recently received packet bitmask, maximum difference between
          sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=)  if
          SA is AH or ESP and if individual items are non-zero

       +  extra flags (flags=) if any are set

       +  authenticator length in bits (alen=) if non-zero

       +  authentication key length in bits (aklen=) if non-zero

       +  authentication errors (auth_errs=) if non-zero

       +  encryption key length in bits (eklen=) if non-zero

       +  encryption size errors (encr_size_errs=) if non-zero

       +  encryption padding error warnings (encr_pad_errs=) if non-zero

       +  lifetimes  legend, c=Current status, s=Soft limit when exceeded will
          initiate  rekeying,  h=Hard  limit  will  cause  termination  of  SA

       +     number of connections to which the SA is allocated (c), that will
             cause a rekey (s), that will cause an expiry (h) (alloc=), if any
             value is non-zero

       +     number  of  bytes  processesd  by  this SA (c), that will cause a
             rekey (s), that will cause an expiry (h) (bytes=), if  any  value
             is non-zero

       +     time  since  the  SA was added (c), until rekey (s), until expiry
             (h), in seconds (add=)

       +     time since the SA was first used  (c),  until  rekey  (s),  until
             expiry (h), in seconds (used=), if any value is non-zero

       +     number  of  packets  processesd by this SA (c), that will cause a
             rekey (s), that will cause an expiry (h) (packets=), if any value
             is non-zero

       +  time  since the last packet was processed, in seconds (idle=), if SA
          has been used

          average compression ratio (ratio=)


       tun.12a@ IPIP: dir=out src=

       is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up  between
       machines   and  with  an  SPI  of  12a  in
       hexadecimal that has passed about 14 kilobytes of traffic in 14 packets
       since  it  was created, 269 seconds ago, first used 149 seconds ago and
       has been idle for 23 seconds.

       esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5:
             dir=in src=9a35fc02@3049:1::2
             ooowin=32 seq=7149 bit=0xffffffff
             alen=128 aklen=128 eklen=192

       is an inbound  Encapsulating  Security  Payload  (protocol  50)  SA  on
       machine  3049:1::1  with  an  SPI  of  9a35fc02  that  uses 3DES as the
       encryption cipher, HMAC MD5 as the authentication algorithm, an out-of-
       order  window  of  32 packets, a present sequence number of 7149, every
       one of the last 32 sequence numbers  was  received,  the  authenticator
       length  and  keys is 128 bits, the encryption key is 192 bits (actually
       168 for 3DES since 1 of 8 bits is a parity bit), has passed 1.2  Mbytes
       of  data  in  7149 packets, was added 4593 seconds ago, first used 3858
       seconds ago and has been idle for 23 seconds.


       /proc/net/ipsec_spi, /usr/bin/ipsec


       ipsec(8),     ipsec_manual(8),     ipsec_tncfg(5),     ipsec_eroute(5),
       ipsec_spigrp(5),  ipsec_klipsdebug(5),  ipsec_spi(8), ipsec_version(5),


       Written for the Linux FreeS/WAN project  <>  by
       Richard Guy Briggs.


       The  add  and use times are awkward, displayed in seconds since machine
       start.  It would be better to display them in seconds  before  now  for
       human readability.

                                  26 Jun 2000                     IPSEC_SPI(5)