Provided by: openswan_2.4.4-3ubuntu1_i386

NAME

       ipsec spigrp - group/ungroup IPSEC Security Associations

SYNOPSIS

       ipsec spigrp

       ipsec  spigrp  [  --label  label ] af1 dst1 spi1 proto1 [ af2 dst2 spi2
       proto2 [ af3 dst3 spi3 proto3 [ af4 dst4 spi4 proto4 ] ] ]

       ipsec spigrp [ --label label ] --said SA1 [ SA2 [ SA3 [ SA4 ] ] ]

       ipsec spigrp --help

       ipsec spigrp --version

DESCRIPTION

       Spigrp groups IPSEC Security Associations (SAs)  together  or  ungroups
       previously  grouped  SAs.  An entry in the IPSEC extended routing table
       can only point (via a destination address, a Security Parameters  Index
       (SPI) and a protocol identifier) to one SA.  If more than one transform
       must be applied to a given type of packet, this can be accomplished  by
       setting   up   several  SAs  with  the  same  destination  address  but
       potentially different  SPIs  and  protocols,  and  grouping  them  with
       spigrp.

       The  SAs  to  be  grouped,  specified  by destination address (DNS name
       lookup, IPv4 dotted quad  or  IPv6  coloned  hex),  SPI  (’0x’-prefixed
       hexadecimal  number)  and  protocol ("ah", "esp", "comp" or "tun"), are
       listed from the inside transform to the outside; in  other  words,  the
       transforms  are applied in the order of the command line and removed in
       the reverse order.  The resulting SA group is referred to by its  first
       SA (by af1, dst1, spi1 and proto1).

       The --said option indicates that the SA IDs are to  be  specified  as
       one  argument each, in the format <proto><af><spi>@<dest>, where <af>
       is "." for an IPv4 destination or ":" for an IPv6 one and <spi> is the
       SPI  in  hexadecimal  without  the "0x" prefix; tun.113@gw2 thus names
       the same SA as "inet gw2 0x113 tun".  The two  forms  cannot  be  mixed
       within  one  invocation: either every SA is given as four separate
       parameters without --said, or every SA is given as a single monolithic
       parameter after --said.

       The SAs must already exist and must not already be part of a group.

       If spigrp is invoked with only one SA specification,  it  ungroups  the
       previously-grouped set of SAs containing the SA specified.

       The   --label   option  identifies  all  responses  from  that  command
       invocation with a user-supplied label, provided as an argument  to  the
       label  option.  This can be helpful for debugging one invocation of the
       command out of a large number.

       The command form with no additional arguments  lists  the  contents  of
       /proc/net/ipsec_spigrp.    The   format  of  /proc/net/ipsec_spigrp  is
       discussed in ipsec_spigrp(5).

EXAMPLES

       ipsec spigrp inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah
              groups 3 SAs  together,  all  destined  for  gw2,  but  with  an
              IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
              header to encrypt the packet with SPI 0x115, and finally  an  AH
              header to authenticate the packet with SPI 0x116.

       ipsec spigrp --said tun.113@gw2 esp.115@gw2 ah.116@gw2
              groups  3  SAs  together,  all  destined  for  gw2,  but with an
              IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
              header  to  encrypt the packet with SPI 0x115, and finally an AH
              header to authenticate the packet with SPI 0x116.

       ipsec spigrp --said tun:233@3049:1::1 esp:235@3049:1::1 ah:236@3049:1::1
              groups 3 SAs together, all destined for 3049:1::1, but  with  an
              IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
              header to encrypt the packet with SPI 0x235, and finally  an  AH
              header to authenticate the packet with SPI 0x236.

       ipsec spigrp inet6 3049:1::1 0x233 tun inet6 3049:1::1 0x235 esp inet6 3049:1::1 0x236 ah
              groups  3  SAs together, all destined for 3049:1::1, but with an
              IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
              header  to  encrypt the packet with SPI 0x235, and finally an AH
              header to authenticate the packet with SPI 0x236.

FILES

       /proc/net/ipsec_spigrp, /usr/bin/ipsec

SEE ALSO

       ipsec(8),     ipsec_manual(8),     ipsec_tncfg(8),     ipsec_eroute(8),
       ipsec_spi(8), ipsec_klipsdebug(8), ipsec_spigrp(5)

HISTORY

       Written  for  the Linux FreeS/WAN project <http://www.freeswan.org/> by
       Richard Guy Briggs.

BUGS

       Yes, it really is limited to a maximum of four SAs, although admittedly
       it’s hard to see why you would need more.

                                  21 Jun 2000                  IPSEC_SPIGRP(8)