Provided by: openswan_2.4.9+dfsg-1build1_i386 bug


       ipsec_spi - list IPSEC Security Associations


       ipsec spi


       Note  that  eroute  is only supported on the classic KLIPS stack. It is
       not supported on any other stack and  will  be  completely  removed  in
       future versions. A replacement command still needs to be designed


       /proc/net/ipsec_spi  is  a  read-only file that lists the current IPSEC
       Security Associations. A  Security  Association  (SA)  is  a  transform
       through  which  packet  contents  are  to  be  processed  before  being
       forwarded.  A  transform  can  be  an  IPv4-in-IPv4   or   IPv6-in-IPv6
       encapsulation,  an  IPSEC Authentication Header (authentication with no
       encryption), or an IPSEC Encapsulation  Security  Payload  (encryption,
       possibly including authentication).

       When a packet is passed from a higher networking layer through an IPSEC
       virtual  interface,  a  search  in  the  extended  routing  table  (see
       ipsec_eroute(5))  yields  a  IP protocol number , a Security Parameters
       Index (SPI) and an effective destination address When an  IPSEC  packet
       arrives  from the network, its ostensible destination, an SPI and an IP
       protocol  specified  by  its  outermost  IPSEC  header  are  used.  The
       destination/SPI/protocol  combination  is used to select a relevant SA.
       (See ipsec_spigrp(5) for discussion  of  how  multiple  transforms  are

       An  spi  ,  proto,  daddr and address_family arguments specify an SAID.
       Proto is an ASCII string, "ah", "esp", "comp" or "tun", specifying  the
       IP  protocol.  Spi  is a number, preceded by ’.’ indicating hexadecimal
       and IPv4  or  by  ’:’  indicating  hexadecimal  and  IPv6,  where  each
       hexadecimal  digit  represents  4  bits,  between 0x100 and 0xffffffff;
       values from 0x0 to 0xff are reserved. Daddr is  a  dotted-decimal  IPv4
       destination address or a coloned hex IPv6 destination address.

       An SAID combines the three parameters above, such as: "tun.101@"
       for IPv4 or "tun:101@3049:1::1" for IPv6

       A table entry consists of:

       +      SAID

       +      <transform name (proto,encalg,authalg)>:

       +      direction (dir=)

       +      source address (src=)

       +      source and destination addresses  and  masks  for  inner  header
              policy  check  addresses  (policy=),  as dotted-quads or coloned
              hex, separated by ’->’, for  IPv4-in-IPv4  or  IPv6-in-IPv6  SAs

       +      initialisation  vector  length  and  value  (iv_bits=,  iv=)  if

       +      out-of-order  window  size,  number  of   out-of-order   errors,
              sequence  number,  recently  received  packet  bitmask,  maximum
              difference between sequence numbers (ooowin=,  ooo_errs=,  seq=,
              bit=,  max_seq_diff=) if SA is AH or ESP and if individual items
              are non-zero

       +      extra flags (flags=) if any are set

       +      authenticator length in bits (alen=) if non-zero

       +      authentication key length in bits (aklen=) if non-zero

       +      authentication errors (auth_errs=) if non-zero

       +      encryption key length in bits (eklen=) if non-zero

       +      encryption size errors (encr_size_errs=) if non-zero

       +      encryption padding error warnings (encr_pad_errs=) if non-zero

       +      lifetimes legend, c=Current status, s=Soft limit  when  exceeded
              will  initiate  rekeying, h=Hard limit will cause termination of
              SA (life(c,s,h)=)

       +      number of connections to which the SA  is  allocated  (c),  that
              will  cause a rekey (s), that will cause an expiry (h) (alloc=),
              if any value is non-zero

       +      number of bytes processesd by this SA (c),  that  will  cause  a
              rekey  (s), that will cause an expiry (h) (bytes=), if any value
              is non-zero

       +      time since the SA was added (c), until rekey (s),  until  expiry
              (h), in seconds (add=)

       +      time  since  the  SA  was first used (c), until rekey (s), until
              expiry (h), in seconds (used=), if any value is non-zero

       +      number of packets processesd by this SA (c), that will  cause  a
              rekey  (s),  that  will  cause  an expiry (h) (packets=), if any
              value is non-zero

       +      time since the last packet was processed, in seconds (idle=), if
              SA has been used

              average compression ratio (ratio=)


       tun.12a@        IPIP:        dir=out       src=
       use(149,0,0)packets(14,0,0)     idle=23

       is  an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between
       machines  and  with  an  SPI  of   12a   in
       hexadecimal that has passed about 14 kilobytes of traffic in 14 packets
       since it was created, 269 seconds ago, first used 149 seconds  ago  and
       has been idle for 23 seconds.

       esp:9a35fc02@3049:1::1           ESP_3DES_HMAC_MD5:              dir=in
       src=9a35fc02@3049:1::2        ooowin=32     seq=7149     bit=0xffffffff
       alen=128                       aklen=128                      eklen=192
       use(3858,0,0)packets(7149,0,0)     idle=23

       is  an  inbound  Encapsulating  Security  Payload  (protocol  50) SA on
       machine 3049:1::1 with an  SPI  of  9a35fc02  that  uses  3DES  as  the
       encryption  cipher,  HMAC  MD5  as  the  authentication  algorithm,  an
       out-of-order window of 32 packets, a present sequence number  of  7149,
       every   one   of  the  last  32  sequence  numbers  was  received,  the
       authenticator length and keys is 128 bits, the encryption  key  is  192
       bits  (actually  168  for  3DES since 1 of 8 bits is a parity bit), has
       passed 1.2 Mbytes of data in 7149 packets, was added 4593 seconds  ago,
       first used 3858 seconds ago and has been idle for 23 seconds.


       /proc/net/ipsec_spi, /usr/bin/ipsec


       ipsec(8),     ipsec_manual(8),     ipsec_tncfg(5),     ipsec_eroute(5),
       ipsec_spigrp(5), ipsec_klipsdebug(5),  ipsec_spi(8),  ipsec_version(5),


       Written  for  the  Linux  FreeS/WAN  project <> by Richard Guy Briggs.


       The add and use times are awkward, displayed in seconds  since  machine
       start.  It  would  be  better to display them in seconds before now for
       human readability.