Provided by: openswan_2.4.12+dfsg-1.3_i386 bug

NAME

       ipsec_eroute - list of existing eroutes

SYNOPSIS

       ipsec eroute
              cat/proc/net/ipsec_eroute

OBSOLETE

       Note  that  eroute  is only supported on the classic KLIPS stack. It is
       not supported on any other stack and  will  be  completely  removed  in
       future versions. A replacement command still needs to be designed

DESCRIPTION

       /proc/net/ipsec_eroute  lists  the IPSEC extended routing tables, which
       control what (if any) processing is applied  to  non-encrypted  packets
       arriving  for  IPSEC  processing  and forwarding. At this point it is a
       read-only file.

       A table entry consists of:

       +      packet count,

       +      source address with mask and source port (0 if all ports or  not
              applicable)

       +      a  ’->’  separator  for visual and automated parsing between src
              and dst

       +      destination address with mask and destination  port  (0  if  all
              ports or not applicable)

       +      a  ’=>’  separator  for  visual  and  automated  parsing between
              selection criteria and SAID to use

       +      SAID (Security Association IDentifier), comprised of:

       +      protocol (proto),

       +      address family (af), where ’.’ stands for IPv4 and ’:’ for IPv6

       +      Security Parameters Index (SPI),

       +      effective  destination  (edst),  where  the  packet  should   be
              forwarded after processing (normally the other security gateway)
              together indicate which Security Association should be  used  to
              process the packet,

       +      a  ’:’ separating the SAID from the transport protocol (0 if all
              protocols)

       +      source identity text string with no whitespace, in parens,

       +      destination identity text string with no whitespace, in parens

       Addresses are written  as  IPv4  dotted  quads  or  IPv6  coloned  hex,
       protocol  is  one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
       hexadecimal numbers where the prefix ’.’ is for IPv4 and the prefix ’:’
       is for IPv6

       SAIDs  are written as "protoafSPI@edst". There are also 5 "magic" SAIDs
       which have special meaning:

       +      %drop means that matches are to be dropped

       +      %reject means that  matches  are  to  be  dropped  and  an  ICMP
              returned, if possible to inform

       +      %trap  means  that  matches are to trigger an ACQUIRE message to
              the Key Management daemon(s) and a hold eroute will  be  put  in
              place  to  prevent  subsequent  packets  also triggering ACQUIRE
              messages.

       +      %hold means that matches are  to  stored  until  the  eroute  is
              replaced or until that eroute gets reaped

       +      %pass  means  that  matches are to allowed to pass without IPSEC
              processing

EXAMPLES

       1867  172.31.252.0/24:0  ->  0.0.0.0/0:0   =>   tun0x130@192.168.43.1:0
       () ()

       means  that 1,867 packets have been sent to an eroute that has been set
       up to protect traffic between the subnet  172.31.252.0  with  a  subnet
       mask  of 24 bits and the default address/mask represented by an address
       of 0.0.0.0 with a subnet mask of 0 bits using the local  machine  as  a
       security gateway on this end of the tunnel and the machine 192.168.43.1
       on the other end of the tunnel with a Security  Association  IDentifier
       of   tun0x130@192.168.43.1  which  means  that  it  is  a  tunnel  mode
       connection (4, IPPROTO_IPIP) with a Security Parameters Index of 130 in
       hexadecimal with no identies defined for either end.

       746       192.168.2.110/32:0       ->       192.168.2.120/32:25      =>
       esp0x130@192.168.2.120:6      () ()

       means that 746 packets have been sent to an eroute that has been set up
       to  protect traffic sent from any port on the host 192.168.2.110 to the
       SMTP (TCP, port 25) port on the  host  192.168.2.120  with  a  Security
       Association IDentifier of tun0x130@192.168.2.120 which means that it is
       a transport mode connection with a Security Parameters Index of 130  in
       hexadecimal with no identies defined for either end.

       125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()

       means that 125 packets have been sent to an eroute that has been set up
       to protect traffic between the subnet 3049:1:: with a subnet mask of 64
       bits and the default address/mask represented by an address of 0:0 with
       a subnet mask of 0 bits using the local machine as a  security  gateway
       on this end of the tunnel and the machine 3058:4::5 on the other end of
       the tunnel with a Security Association IDentifier of  tun:130@3058:4::5
       which  means  that  it  is  a  tunnel  mode  connection with a Security
       Parameters Index of 130 in hexadecimal with  no  identies  defined  for
       either end.

       42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough

       means  that 42 packets have been sent to an eroute that has been set up
       to pass the traffic from the subnet 192.168.6.0 with a subnet  mask  of
       24 bits and to subnet 192.168.7.0 with a subnet mask of 24 bits without
       any IPSEC processing with no identies defined for either end.

       2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()

       means that 2112 packets have been sent to an eroute that has  been  set
       up  to  hold  the  traffic  from  the  host  192.168.8.55  and  to host
       192.168.9.47 until a key exchange from a Key Management daemon succeeds
       and  puts in an SA or fails and puts in a pass or drop eroute depending
       on the default configuration with the local client  defined  as  "east"
       and no identy defined for the remote end.

       2001       192.168.2.110/32:0       ->       192.168.2.120/32:0      =>
       esp0xe6de@192.168.2.120:0 () ()

       means that 2001 packets have been sent to an eroute that has  been  set
       up  to  protect  traffic  between  the  host 192.168.2.110 and the host
       192.168.2.120 using 192.168.2.110 as a security gateway on this end  of
       the  connection  and  the machine 192.168.2.120 on the other end of the
       connection    with    a    Security    Association    IDentifier     of
       esp0xe6de@192.168.2.120  which  means  that  it  is  a  transport  mode
       connection with a Security Parameters  Index  of  e6de  in  hexadecimal
       using  Encapsuation Security Payload protocol (50, IPPROTO_ESP) with no
       identies defined for either end.

       1984 3049:1::110/128 -> 3049:1::120/128 =>      ah:f5ed@3049:1::120  ()
       ()

       means  that  1984 packets have been sent to an eroute that has been set
       up to authenticate traffic between the host 3049:1::110  and  the  host
       3049:1::120  using 3049:1::110 as a security gateway on this end of the
       connection and  the  machine  3049:1::120  on  the  other  end  of  the
       connection     with    a    Security    Association    IDentifier    of
       ah:f5ed@3049:1::120 which means that it is a transport mode  connection
       with   a  Security  Parameters  Index  of  f5ed  in  hexadecimal  using
       Authentication  Header  protocol  (51,  IPPROTO_AH)  with  no  identies
       defined for either end.

FILES

       /proc/net/ipsec_eroute, /usr/bin/ipsec

SEE ALSO

       ipsec(8),      ipsec_manual(8),      ipsec_tncfg(5),      ipsec_spi(5),
       ipsec_spigrp(5),         ipsec_klipsdebug(5),          ipsec_eroute(8),
       ipsec_version(5), ipsec_pf_key(5)

HISTORY

       Written  for  the  Linux  FreeS/WAN  project <http://www.freeswan.org/:
       http://www.freeswan.org/> by Richard Guy Briggs.

                                                               IPSEC_EROUTE(5)