Provided by: openswan_2.6.23+dfsg-1ubuntu1_i386 bug

NAME

       ipsec spigrp - group/ungroup IPSEC Security Associations

SYNOPSIS

       ipsec spigrp
             ipsecspigrp [--label label] af1dst1spi1proto1
             [af2dst2spi2proto2 [af3dst3spi3proto3 [af4dst4spi4proto4]]]
             ipsecspigrp [--label label] --said SA1 [SA2 [SA3 [SA4]]]
             ipsecspigrp --help
             ipsecspigrp --version

OBSOLETE

       Note that spi is only supported on the classic KLIPS stack. It is not
       supported on any other stack and will be completely removed in future
       versions. A replacement command still needs to be designed

DESCRIPTION

       Spigrp groups IPSEC Security Associations (SAs) together or ungroups
       previously grouped SAs. An entry in the IPSEC extended routing table
       can only point (via a destination address, a Security Parameters Index
       (SPI) and a protocol identifier) to one SA. If more than one transform
       must be applied to a given type of packet, this can be accomplished by
       setting up several SAs with the same destination address but
       potentially different SPIs and protocols, and grouping them with
       spigrp.

       The SAs to be grouped, specified by destination address (DNS name
       lookup, IPv4 dotted quad or IPv6 coloned hex), SPI (´0x´-prefixed
       hexadecimal number) and protocol ("ah", "esp", "comp" or "tun"), are
       listed from the inside transform to the outside; in other words, the
       transforms are applied in the order of the command line and removed in
       the reverse order. The resulting SA group is referred to by its first
       SA (by af1, dst1, spi1 and proto1).

       The --said option indicates that the SA IDs are to be specified as one
       argument each, in the format <proto><af><spi>@<dest>. The SA IDs must
       all be specified as separate parameters without the --said option or
       all as monolithic parameters after the --said option.

       The SAs must already exist and must not already be part of a group.

       If spigrp is invoked with only one SA specification, it ungroups the
       previously-grouped set of SAs containing the SA specified.

       The --label option identifies all responses from that command
       invocation with a user-supplied label, provided as an argument to the
       label option. This can be helpful for debugging one invocation of the
       command out of a large number.

       The command form with no additional arguments lists the contents of
       /proc/net/ipsec_spigrp. The format of /proc/net/ipsec_spigrp is
       discussed in ipsec_spigrp(5).

EXAMPLES

       ipsec spigrp inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah
           groups 3 SAs together, all destined for gw2, but with an
           IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
           header to encrypt the packet with SPI 0x115, and finally an AH
           header to authenticate the packet with SPI 0x116.

       ipsec spigrp --said tun.113@gw2 esp.115@gw2 ah.116@gw2
           groups 3 SAs together, all destined for gw2, but with an
           IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
           header to encrypt the packet with SPI 0x115, and finally an AH
           header to authenticate the packet with SPI 0x116.

       ipsec spigrp --said tun:233@3049:1::1 esp:235@3049:1::1
       ah:236@3049:1::1
           groups 3 SAs together, all destined for 3049:1::1, but with an
           IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
           header to encrypt the packet with SPI 0x235, and finally an AH
           header to authenticate the packet with SPI 0x236.

       ipsec spigrp inet6 3049:1::1 0x233 tun inet6 3049:1::1 0x235 esp inet6
       3049:1::1 0x236 ah
           groups 3 SAs together, all destined for 3049:1::1, but with an
           IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
           header to encrypt the packet with SPI 0x235, and finally an AH
           header to authenticate the packet with SPI 0x236.

FILES

       /proc/net/ipsec_spigrp, /usr/bin/ipsec

SEE ALSO

       ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8),
       ipsec_spi(8), ipsec_klipsdebug(8), ipsec_spigrp(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
       Richard Guy Briggs.

BUGS

       Yes, it really is limited to a maximum of four SAs, although admittedly
       it´s hard to see why you would need more.