Provided by: openswan_2.4.12+dfsg-1.3_i386

NAME

       ipsec eroute - manipulate IPSEC extended routing tables

SYNOPSIS

       ipsec eroute

       ipsec  eroute --add --eraf (inet | inet6) --src src/srcmaskbits|srcmask
       --dst dst/dstmaskbits|dstmask [ --transport-proto transport-protocol  ]
       [ --src-port source-port ] [ --dst-port dest-port ] <SAID>

       ipsec    eroute    --replace    --eraf    (inet    |    inet6)    --src
       src/srcmaskbits|srcmask      --dst      dst/dstmaskbits|dstmask       [
       --transport-proto  transport-protocol  ]  [  --src-port source-port ] [
       --dst-port dest-port ] <SAID>

       ipsec eroute --del --eraf (inet | inet6) --src  src/srcmaskbits|srcmask
       --dst  dst/dstmaskbits|dstmask [ --transport-proto transport-protocol ]
       [ --src-port source-port ] [ --dst-port dest-port ]

       ipsec eroute --clear

       ipsec eroute --help

       ipsec eroute --version

       Where <SAID> is --af (inet | inet6) --edst edst --spi spi --proto proto
       OR  --said said OR --said (%passthrough | %passthrough4 | %passthrough6
       | %drop | %reject | %trap | %hold | %pass )

DESCRIPTION

       Eroute manages the IPSEC extended routing tables,  which  control  what
       (if  any)  processing  is applied to non-encrypted packets arriving for
       IPSEC processing and forwarding.  The form with no additional arguments
       lists  the  contents  of /proc/net/ipsec_eroute.  The --add form adds a
       table entry, the --replace form replaces a table entry, while the --del
       form deletes one.  The --clear form deletes the entire table.

       A table entry consists of:

       +  source and destination addresses, with masks, source and destination
          ports and  protocol  for  selection  of  packets.   The  source  and
          destination ports are only legal if the transport protocol is TCP or
          UDP.  A  port  can  be  specified  as  either  decimal,  hexadecimal
          (leading 0x), octal (leading 0) or a name listed in the first column
          of /etc/services.  A transport protocol can be specified  as  either
          decimal,  hexadecimal  (leading  0x),  octal  (leading  0) or a name
          listed in the  first  column  of  /etc/protocols.   If  a  transport
          protocol  or port is not specified then it defaults to 0 which means
          all protocols or all ports respectively.

       +  Security Association IDentifier, comprised of:

       +     protocol  (proto),  indicating  (together  with   the   effective
             destination  and  the  security  parameters index) which Security
             Association should be used to process the packet

       +     address family (af),

       +     Security Parameters Index (spi), indicating  (together  with  the
             effective  destination  and  protocol) which Security Association
             should be used to process the packet  (must  be  larger  than  or
             equal to 0x100)

       +     effective   destination   (edst),  where  the  packet  should  be
             forwarded after processing (normally the other security gateway)

       +  OR

       +     SAID (said), indicating which Security Association should be used
             to process the packet

       Addresses  are  written  as  IPv4  dotted  quads  or  IPv6 coloned hex,
       protocol is one of "ah", "esp", "comp" or "tun" and SPIs  are  prefixed
       hexadecimal  numbers where ’.’ represents IPv4 and ’:’ stands for IPv6.

       SAIDs are written as "protoafSPI@address".  There are  also  5  "magic"
       SAIDs which have special meaning:

       +  %drop means that matches are to be dropped

       +  %reject means that matches are to be dropped and, if possible, an
          ICMP message returned to inform the sender

       +  %trap means that matches are to trigger an ACQUIRE  message  to  the
          Key  Management  daemon(s) and a hold eroute will be put in place to
          prevent subsequent packets also triggering ACQUIRE messages.

       +  %hold means that matches are to be stored until the eroute is
          replaced or until that eroute gets reaped

       +  %pass means that matches are to be allowed to pass without IPSEC
          processing

       The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
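       The SAID grammar above (proto, '.' or ':' family separator, hex SPI
       of at least 0x100, address, plus the magic SAIDs) is small enough to
       validate before an entry is pushed into the kernel table.  The
       following parser is an added example written for this page, not part
       of Openswan; parse_said and said_to_cli_args are hypothetical names,
       and treating a bare "0x" form with a host name as IPv4 is an
       assumption drawn from the "tun0x135@gw.ngo.org" example below.

```python
import ipaddress
import re

# Constructed helper, not part of Openswan. Grammar per the manual:
# proto<af>SPI@address, proto in ah/esp/comp/tun, <af> '.' (IPv4) or ':'
# (IPv6), SPI hexadecimal (leading 0x optional, must be >= 0x100), address a
# literal or host name. The manual shows "tun.135@gw" and "tun0x135@gw" as
# the same IPv4 SAID, so a bare 0x prefix is accepted as well.
MAGIC_SAIDS = {"%passthrough", "%passthrough4", "%passthrough6",
               "%drop", "%reject", "%trap", "%hold", "%pass"}
SAID_RE = re.compile(r"^(ah|esp|comp|tun)([.:]?)(0x)?([0-9a-fA-F]+)@(.+)$")


def parse_said(said):
    """Return {'magic': name} or {'proto','af','spi','edst'}; raise ValueError."""
    if said.startswith("%"):
        if said not in MAGIC_SAIDS:
            raise ValueError("unknown magic SAID: %s" % said)
        return {"magic": said}
    m = SAID_RE.match(said)
    if not m:
        raise ValueError("malformed SAID: %s" % said)
    proto, sep, _, spi_hex, edst = m.groups()
    spi = int(spi_hex, 16)
    if spi < 0x100:                      # values below 0x100 are reserved
        raise ValueError("SPI must be >= 0x100, got 0x%x" % spi)
    try:
        literal = ipaddress.ip_address(edst)
    except ValueError:
        literal = None                   # host name such as gw.ngo.org
    if sep:
        af = "inet" if sep == "." else "inet6"
    elif literal is not None:
        af = "inet" if literal.version == 4 else "inet6"
    else:
        af = "inet"                      # assumption: 0x form + host name is IPv4
    if literal is not None and (literal.version == 4) != (af == "inet"):
        raise ValueError("address %s does not match family %s" % (edst, af))
    return {"proto": proto, "af": af, "spi": spi, "edst": edst}


def said_to_cli_args(sa):
    """Expand a parsed SAID into the equivalent --af/--edst/--spi/--proto form."""
    if "magic" in sa:
        return ["--said", sa["magic"]]
    return ["--af", sa["af"], "--edst", sa["edst"],
            "--spi", "0x%x" % sa["spi"], "--proto", sa["proto"]]


if __name__ == "__main__":
    for s in ("tun.135@gw.ngo.org", "tun:145@3049:1::2", "%pass"):
        print(s, "->", " ".join(said_to_cli_args(parse_said(s))))
```

       Rejecting a mismatched family or an SPI below 0x100 before calling
       ipsec eroute gives a clearer error than the kernel's EINVAL.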

EXAMPLES

       ipsec eroute --add --eraf inet --src 192.168.0.1/32 \
          --dst 192.168.2.0/24 --af inet --edst 192.168.0.2 \
          --spi 0x135 --proto tun

       sets up an eroute on a Security Gateway to protect traffic between  the
       host 192.168.0.1 and the subnet 192.168.2.0 with 24 bits of subnet mask
       via Security Gateway 192.168.0.2 using the  Security  Association  with
       address  192.168.0.2,  Security Parameters Index 0x135 and protocol tun
       (50, IPPROTO_ESP).

       ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \
          --dst 3049:2::/64 --af inet6 --edst 3049:1::2 \
          --spi 0x145 --proto tun

       sets up an eroute on a Security Gateway to protect traffic between  the
       host  3049:1::1 and the subnet 3049:2:: with 64 bits of subnet mask via
       Security Gateway 3049:1::2 using the Security Association with  address
       3049:1::2,  Security  Parameters  Index  0x145  and  protocol  tun (50,
       IPPROTO_ESP).

       ipsec eroute --replace --eraf inet --src company.com/24 \
          --dst ftp.ngo.org/32 --said tun.135@gw.ngo.org

       replaces an eroute on a Security Gateway to protect traffic between the
       subnet company.com with 24 bits of subnet mask and the host ftp.ngo.org
       via Security Gateway gw.ngo.org using  the  Security  Association  with
       Security Association ID tun0x135@gw.ngo.org

       ipsec eroute --del --eraf inet --src company.com/24 \
          --dst www.ietf.org/32 --said %passthrough4

       deletes  an  eroute  on a Security Gateway that allowed traffic between
       the subnet company.com with  24  bits  of  subnet  mask  and  the  host
       www.ietf.org to pass in the clear, unprocessed.

       ipsec eroute --add --eraf inet --src company.com/24 \
          --dst mail.ngo.org/32 --transport-proto 6 \
          --dst-port 110 --said tun.135@mail.ngo.org

       sets up an eroute on a Security Gateway to protect only TCP traffic
       on port 110 (pop3) between the subnet company.com with 24 bits of
       subnet mask and the host ftp.ngo.org via Security Gateway mail.ngo.org
       using the Security Association with Security Association ID
       tun0x135@mail.ngo.org.  Note that any other traffic bound for
       mail.ngo.org that is routed via the ipsec device will be dropped.  If
       you wish to allow other traffic to pass through then you must add a
       %pass rule.  For example, the following rule, when combined with the
       one above, will ensure that POP3 messages read from mail.ngo.org are
       encrypted while all other traffic to/from mail.ngo.org is sent in
       clear text.

       ipsec eroute --add --eraf inet --src company.com/24 \
          --dst mail.ngo.org/32 --said %pass

FILES

       /proc/net/ipsec_eroute, /usr/bin/ipsec

SEE ALSO

       ipsec(8),      ipsec_manual(8),      ipsec_tncfg(8),      ipsec_spi(8),
       ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_eroute(5)

HISTORY

       Written for the Linux FreeS/WAN project  <http://www.freeswan.org/>  by
       Richard Guy Briggs.

                                  21 Jun 2000                  IPSEC_EROUTE(8)