Provided by: openswan_2.4.4-3ubuntu1_i386

NAME

       ipsec_eroute - list of existing eroutes

SYNOPSIS

       ipsec eroute

       cat /proc/net/ipsec_eroute

DESCRIPTION

       /proc/net/ipsec_eroute  lists  the IPSEC extended routing tables, which
       control what (if any) processing is applied  to  non-encrypted  packets
       arriving  for  IPSEC  processing and forwarding.  At this point it is a
       read-only file.

       A table entry consists of:

       +  packet count,

       +  source address with mask and source port (0  if  all  ports  or  not
          applicable)

       +  a  ’->’  separator  for visual and automated parsing between src and
          dst

       +  destination address with mask and destination port (0 if  all  ports
          or not applicable)

       +  a  ’=>’ separator for visual and automated parsing between selection
          criteria and SAID to use

       +  SAID (Security Association IDentifier), comprised of:

       +     protocol (proto),

       +     address family (af), where ’.’ stands for IPv4 and ’:’ for IPv6

       +     Security Parameters Index (SPI),

       +     effective  destination  (edst),  where  the  packet   should   be
             forwarded after processing (normally the other security gateway);

          proto, af, SPI and edst together identify which Security Association
          should be used to process the packet,

       +  a  ’:’  separating  the  SAID  from the transport protocol (0 if all
          protocols)

       +  source identity text string with no whitespace, in parens,

       +  destination identity text string with no whitespace, in parens

       Addresses are written  as  IPv4  dotted  quads  or  IPv6  coloned  hex,
       protocol  is  one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
       hexadecimal numbers where the prefix ’.’ is for IPv4 and the prefix ’:’
       is for IPv6 (the IPv4 entries in the EXAMPLES section below show the SPI
       with a "0x" prefix instead, e.g. tun0x130@192.168.43.1).

       SAIDs are written as "protoafSPI@edst".  There are also 5 "magic" SAIDs
       which have special meaning:

       +  %drop means that matching packets are to be dropped silently

       +  %reject means that matching packets are to be dropped and an ICMP
          error returned, if possible, to inform the sender

       +  %trap  means  that  matching packets are to trigger an ACQUIRE message
          to the Key Management daemon(s), and a %hold eroute is put in place
          so that subsequent packets do not also trigger ACQUIRE messages

       +  %hold  means that matching packets are to be stored until the eroute
          is replaced (normally by a negotiated SA) or until that eroute gets
          reaped

       +  %pass means that matching packets are to be allowed to pass without
          any IPSEC processing, i.e. in the clear (written %passthrough in the
          EXAMPLES section below)

EXAMPLES

       1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 () ()

       means that 1,867 packets have been sent to an eroute that has been  set
       up  to  protect  traffic  between the subnet 172.31.252.0 with a subnet
       mask of 24 bits and the default address/mask (0.0.0.0 with a mask of 0
       bits, i.e. any destination), using the local machine as the security
       gateway on this end of the tunnel and the machine 192.168.43.1 on the
       other end.  The Security Association IDentifier tun0x130@192.168.43.1
       means a tunnel mode connection (4, IPPROTO_IPIP) with a Security
       Parameters Index of 130 in hexadecimal; the trailing :0 means the eroute
       applies to all transport protocols, and the two empty parens mean that
       no identities are defined for either end.

       746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 () ()

       means that 746 packets have been sent to an eroute that has been set up
       to protect traffic sent from any port on the host 192.168.2.110 to  the
       SMTP port (TCP, port 25) on the host 192.168.2.120.  The Security
       Association IDentifier esp0x130@192.168.2.120 means a transport mode
       connection using Encapsulating Security Payload (50, IPPROTO_ESP) with
       a Security Parameters Index of 130 in hexadecimal; the trailing :6
       restricts the eroute to TCP (protocol 6), and no identities are defined
       for either end.

       125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5     ()   ()

       means that 125 packets have been sent to an eroute that has been set up
       to protect traffic between the subnet 3049:1:: with a subnet mask of 64
       bits and the default address/mask (0:0 with a subnet mask of 0 bits,
       i.e. any destination), using the local machine as the security gateway
       on this end of the tunnel and the machine 3058:4::5 on the other end.
       The Security Association IDentifier tun:130@3058:4::5 means a tunnel
       mode connection with a Security Parameters Index of 130 in hexadecimal,
       with no identities defined for either end.

       42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough

       means that 42 packets have been sent to an eroute that has been set  up
       to  pass  the traffic from the subnet 192.168.6.0 with a subnet mask of
       24 bits to the subnet 192.168.7.0 with a subnet mask of 24 bits without
       any IPSEC processing (the %pass magic SAID, shown here as %passthrough),
       with no identities defined for either end.  Traffic matching such an
       eroute leaves the host in the clear.

       2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold   (east)    ()

       means  that  2112 packets have been sent to an eroute that has been set
       up to hold the traffic from the host 192.168.8.55 to the destination
       192.168.9.47 with a subnet mask of 24 bits (i.e. the whole 192.168.9.0/24
       network) until a key exchange from a Key Management daemon succeeds and
       installs an SA, or fails and installs a pass or drop eroute depending on
       the default configuration.  The local client identity is defined as
       "east" and no identity is defined for the remote end.

       2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => esp0xe6de@192.168.2.120:0 () ()

       means that 2001 packets have been sent to an eroute that has  been  set
       up  to  protect  traffic  between  the  host 192.168.2.110 and the host
       192.168.2.120, using 192.168.2.110 as the security gateway on this end
       of the connection and the machine 192.168.2.120 on the other end.  The
       Security Association IDentifier esp0xe6de@192.168.2.120 means a
       transport mode connection using Encapsulating Security Payload (50,
       IPPROTO_ESP) with a Security Parameters Index of e6de in hexadecimal,
       applying to all transport protocols, with no identities defined for
       either end.

       1984 3049:1::110/128 -> 3049:1::120/128 => ah:f5ed@3049:1::120 () ()

       means that 1984 packets have been sent to an eroute that has  been  set
       up  to  authenticate  traffic between the host 3049:1::110 and the host
       3049:1::120, using 3049:1::110 as the security gateway on this end of
       the connection and the machine 3049:1::120 on the other end.  The
       Security Association IDentifier ah:f5ed@3049:1::120 means a transport
       mode connection using Authentication Header (51, IPPROTO_AH), which
       authenticates but does not encrypt, with a Security Parameters Index of
       f5ed in hexadecimal and no identities defined for either end.
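       The following parser is added here as a worked example; it is not part
       of this manual page or of the Openswan/FreeS/WAN sources.  It reads the
       table format described in DESCRIPTION and the entries shown in the
       examples above (SAMPLE_TABLE is constructed from those examples, each
       joined onto one line), and then flags what a reviewer of the IPsec
       policy would want to look at: %pass/%passthrough eroutes, which let
       matching traffic leave in the clear, and %hold/%trap eroutes that have
       accumulated packets without an SA ever replacing them.  The audit rules,
       the threshold of 100 held packets, and the treatment of a trailing
       transport-protocol field on IPv6 SAIDs (taken as absent, since the edst
       itself contains colons and the examples show none) are assumptions of
       this example.

```python
"""Parser and policy audit for the /proc/net/ipsec_eroute table format.

Added example, not code from the ipsec_eroute(5) page or from Openswan.
SAMPLE_TABLE is constructed from the page's EXAMPLES, one entry per line.
"""
import re
from dataclasses import dataclass
from typing import Optional

MAGIC_SAIDS = ("%drop", "%reject", "%trap", "%hold", "%pass", "%passthrough")
PROTO_NUMBER = {"ah": 51, "esp": 50, "comp": 108, "tun": 4}   # IPPROTO_* values

SAMPLE_TABLE = """\
1867       172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 () ()
746        192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 () ()
125        3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()
42         192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough
2112       192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()
2001       192.168.2.110/32:0 -> 192.168.2.120/32:0 => esp0xe6de@192.168.2.120:0 () ()
1984       3049:1::110/128 -> 3049:1::120/128 => ah:f5ed@3049:1::120 () ()
"""


@dataclass
class Selector:
    address: str
    masklen: int
    port: int                 # 0 = all ports / not applicable


@dataclass
class Said:
    magic: Optional[str]      # %drop, %pass, ... ; None for a real SA
    proto: Optional[str]      # ah / esp / comp / tun
    af: Optional[int]         # 4 or 6
    spi: Optional[int]
    edst: Optional[str]       # effective destination (other security gateway)


@dataclass
class Eroute:
    count: int
    src: Selector
    dst: Selector
    said: Said
    transport: int            # IP protocol the eroute applies to, 0 = all
    src_id: str
    dst_id: str


# proto, then the SPI prefix ('.' or '0x' for IPv4, ':' for IPv6), hex SPI, '@', rest
_SAID_RE = re.compile(r"^(ah|esp|comp|tun)(0x|\.|:)([0-9a-fA-F]+)@(.+)$")
_ID_RE = re.compile(r"\(([^)]*)\)")


def parse_selector(text):
    """'172.31.252.0/24:0' or '3049:1::/64' -> Selector (port optional)."""
    addr, _, rest = text.partition("/")
    masklen, _, port = rest.partition(":")
    return Selector(addr, int(masklen), int(port) if port else 0)


def parse_said(text):
    """'esp0x130@192.168.2.120:6' -> (Said, transport protocol number)."""
    if text.startswith("%"):
        name, _, proto = text.partition(":")
        if name not in MAGIC_SAIDS:
            raise ValueError("unknown magic SAID %r" % name)
        return Said(name, None, None, None, None), int(proto) if proto else 0
    m = _SAID_RE.match(text)
    if not m:
        raise ValueError("malformed SAID %r" % text)
    proto, prefix, spi, tail = m.groups()
    if prefix == ":":
        # IPv6 edst contains colons, so a trailing ':proto' is ambiguous;
        # assumption: the whole tail is the address and transport is 0.
        return Said(None, proto, 6, int(spi, 16), tail), 0
    edst, _, transport = tail.rpartition(":") if ":" in tail else (tail, "", "")
    return Said(None, proto, 4, int(spi, 16), edst), int(transport) if transport else 0


def parse_eroute_line(line):
    """One table entry: count src -> dst => SAID[:proto] [(srcid) (dstid)]."""
    fields = line.split()
    if len(fields) < 6 or fields[2] != "->" or fields[4] != "=>":
        raise ValueError("not an eroute entry: %r" % line)
    said, transport = parse_said(fields[5])
    ids = _ID_RE.findall(" ".join(fields[6:]))
    ids += [""] * (2 - len(ids))          # identities are absent in one example
    return Eroute(int(fields[0]), parse_selector(fields[1]), parse_selector(fields[3]),
                  said, transport, ids[0], ids[1])


def parse_table(text):
    return [parse_eroute_line(ln) for ln in text.splitlines() if ln.strip()]


def audit(eroutes, hold_threshold=100):
    """Return (entry number, reason) for entries worth a policy review:
    traffic passed in the clear, and selectors still waiting for an SA."""
    findings = []
    for i, e in enumerate(eroutes, 1):
        where = "%s/%d -> %s/%d" % (e.src.address, e.src.masklen, e.dst.address, e.dst.masklen)
        if e.said.magic in ("%pass", "%passthrough"):
            findings.append((i, "unprotected: %s bypasses IPSEC" % where))
        elif e.said.magic in ("%hold", "%trap") and e.count >= hold_threshold:
            findings.append((i, "no SA after %d packets: %s" % (e.count, where)))
    return findings


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for e in table:
        sa = e.said.magic or "%s(%d) spi=0x%x edst=%s" % (
            e.said.proto, PROTO_NUMBER[e.said.proto], e.said.spi, e.said.edst)
        print("%6d %s/%d:%d -> %s/%d:%d  %s  proto=%d  ids=(%s)(%s)" % (
            e.count, e.src.address, e.src.masklen, e.src.port,
            e.dst.address, e.dst.masklen, e.dst.port, sa, e.transport, e.src_id, e.dst_id))
    for n, why in audit(table):
        print("entry %d: %s" % (n, why))
```

       To run it against a live KLIPS host, replace SAMPLE_TABLE with the text
       of /proc/net/ipsec_eroute (or the output of ipsec eroute).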

FILES

       /proc/net/ipsec_eroute, /usr/bin/ipsec

SEE ALSO

       ipsec(8),      ipsec_manual(8),      ipsec_tncfg(5),      ipsec_spi(5),
       ipsec_spigrp(5),          ipsec_klipsdebug(5),         ipsec_eroute(8),
       ipsec_version(5), ipsec_pf_key(5)

HISTORY

       Written for the Linux FreeS/WAN project  <http://www.freeswan.org/>  by
       Richard Guy Briggs.

                                  20 Sep 2001                  IPSEC_EROUTE(5)