Provided by: openswan_2.4.12+dfsg-1.3_i386

NAME

       ipsec spigrp - group/ungroup IPSEC Security Associations

SYNOPSIS

       ipsec spigrp
       ipsec spigrp [--label label] af1 dst1 spi1 proto1
              [af2 dst2 spi2 proto2 [af3 dst3 spi3 proto3 [af4 dst4 spi4 proto4]]]
       ipsec spigrp [--label label] --said SA1 [SA2 [SA3 [SA4]]]
       ipsec spigrp --help
       ipsec spigrp --version

OBSOLETE

       Note that spi is only supported on the classic KLIPS stack. It  is  not
       supported  on  any other stack and will be completely removed in future
       versions. A replacement command still needs to be designed.

DESCRIPTION

       Spigrp groups IPSEC Security Associations (SAs)  together  or  ungroups
       previously  grouped  SAs.  An entry in the IPSEC extended routing table
       can only point (via a destination address, a Security Parameters  Index
       (SPI)  and a protocol identifier) to one SA. If more than one transform
       must be applied to a given type of packet, this can be accomplished  by
       setting   up   several  SAs  with  the  same  destination  address  but
       potentially different  SPIs  and  protocols,  and  grouping  them  with
       spigrp.

       The  SAs  to  be  grouped,  specified  by destination address (DNS name
       lookup, IPv4 dotted quad  or  IPv6  coloned  hex),  SPI  (’0x’-prefixed
       hexadecimal  number)  and  protocol ("ah", "esp", "comp" or "tun"), are
       listed from the inside transform to the outside; in  other  words,  the
       transforms  are applied in the order of the command line and removed in
       the reverse order. The resulting SA group is referred to by  its  first
       SA (by af1, dst1, spi1 and proto1).

       The  --said option indicates that the SA IDs are to be specified as one
       argument each, in the format <proto><af><spi>@<dest>. The SA  IDs  must
       all  be  specified  as separate parameters without the --said option or
       all as monolithic parameters after the --said option.

       The SAs must already exist and must not already be part of a group.

       If spigrp is invoked with only one SA specification,  it  ungroups  the
       previously-grouped set of SAs containing the SA specified.

       The   --label   option  identifies  all  responses  from  that  command
       invocation with a user-supplied label, provided as an argument  to  the
       label  option.  This can be helpful for debugging one invocation of the
       command out of a large number.

       The command form with no additional arguments  lists  the  contents  of
       /proc/net/ipsec_spigrp.   The   format   of  /proc/net/ipsec_spigrp  is
       discussed in ipsec_spigrp(5).

EXAMPLES

       ipsec spigrp inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah
              groups 3 SAs  together,  all  destined  for  gw2,  but  with  an
              IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
              header to encrypt the packet with SPI 0x115, and finally  an  AH
              header to authenticate the packet with SPI 0x116.

       ipsec spigrp --said tun.113@gw2 esp.115@gw2 ah.116@gw2
              groups  3  SAs  together,  all  destined  for  gw2,  but with an
              IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
              header  to  encrypt the packet with SPI 0x115, and finally an AH
              header to authenticate the packet with SPI 0x116.

       ipsec spigrp --said tun:233@3049:1::1 esp:235@3049:1::1 ah:236@3049:1::1
              groups 3 SAs together, all destined for 3049:1::1, but  with  an
              IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
              header to encrypt the packet with SPI 0x235, and finally  an  AH
              header to authenticate the packet with SPI 0x236.

       ipsec spigrp inet6 3049:1::1 0x233 tun inet6 3049:1::1 0x235 esp inet6 3049:1::1 0x236 ah
              groups  3  SAs together, all destined for 3049:1::1, but with an
              IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
              header  to  encrypt the packet with SPI 0x235, and finally an AH
              header to authenticate the packet with SPI 0x236.
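
       The two command forms shown above describe the same SAs. The following
       is an added example, not part of Openswan or of the original page: it
       validates the four-field form and prints the matching --said arguments.
       The function names are hypothetical, and the mapping of inet to '.' and
       inet6 to ':' is taken from the examples on this page.

```shell
#!/bin/sh
# Added example: convert the four-field SA form (af dst spi proto) into the
# --said form <proto><af><spi>@<dest>, following the EXAMPLES on this page.
# Function names are hypothetical; nothing here calls ipsec itself.

# said_from_fields AF DST SPI PROTO -> prints one SA ID, returns 1 on bad input
said_from_fields() {
    af=$1 dst=$2 spi=$3 proto=$4
    case $af in
        inet)  sep=. ;;   # IPv4 SA IDs use '.', as in tun.113@gw2
        inet6) sep=: ;;   # IPv6 SA IDs use ':', as in tun:233@3049:1::1
        *) echo "bad address family: $af" >&2; return 1 ;;
    esac
    case $proto in
        ah|esp|comp|tun) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    case $spi in
        0x*) hex=${spi#0x} ;;   # the SA ID carries the SPI without the 0x prefix
        *) echo "SPI must be 0x-prefixed hex: $spi" >&2; return 1 ;;
    esac
    case $hex in
        ''|*[!0-9a-fA-F]*) echo "bad SPI: $spi" >&2; return 1 ;;
    esac
    [ -n "$dst" ] || { echo "empty destination" >&2; return 1; }
    printf '%s%s%s@%s\n' "$proto" "$sep" "$hex" "$dst"
}

# spigrp_said_args AF DST SPI PROTO [...] -> prints the SA IDs, space separated,
# in the order given (inside transform first). Accepts 1 to 4 SAs, the limit
# stated under BUGS.
spigrp_said_args() {
    if [ $(( $# % 4 )) -ne 0 ] || [ $# -lt 4 ] || [ $# -gt 16 ]; then
        echo "need 1 to 4 SAs, four fields each" >&2; return 1
    fi
    out=
    while [ $# -gt 0 ]; do
        said=$(said_from_fields "$1" "$2" "$3" "$4") || return 1
        out="${out:+$out }$said"
        shift 4
    done
    printf '%s\n' "$out"
}
```

       The printed SA IDs keep the command-line order, so the first one is the
       SA by which the resulting group is referred to.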

FILES

       /proc/net/ipsec_spigrp, /usr/bin/ipsec

SEE ALSO

       ipsec(8),     ipsec_manual(8),     ipsec_tncfg(8),     ipsec_eroute(8),
       ipsec_spi(8), ipsec_klipsdebug(8), ipsec_spigrp(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org/>
       by Richard Guy Briggs.

BUGS

       Yes, it really is limited to a maximum of four SAs, although admittedly
       it’s hard to see why you would need more.

                                                               IPSEC_SPIGRP(8)