Provided by: openswan_2.6.28+dfsg-5ubuntu2_i386 bug

NAME

       ipsec_eroute - list of existing eroutes

SYNOPSIS

       ipsec eroute
             cat/proc/net/ipsec_eroute

OBSOLETE

       Note that eroute is only supported on the classic KLIPS stack. It is
       not supported on any other stack and will be completely removed in
       future versions. A replacement command still needs to be designed

DESCRIPTION

       /proc/net/ipsec_eroute lists the IPSEC extended routing tables, which
       control what (if any) processing is applied to non-encrypted packets
       arriving for IPSEC processing and forwarding. At this point it is a
       read-only file.

       A table entry consists of:

       +
           packet count,

       +
           source address with mask and source port (0 if all ports or not
           applicable)

       +
           a ´->´ separator for visual and automated parsing between src and
           dst

       +
           destination address with mask and destination port (0 if all ports
           or not applicable)

       +
           a ´=>´ separator for visual and automated parsing between selection
           criteria and SAID to use

       +
           SAID (Security Association IDentifier), comprised of:

       +
           protocol (proto),

       +
           address family (af), where ´.´ stands for IPv4 and ´:´ for IPv6

       +
           Security Parameters Index (SPI),

       +
           effective destination (edst), where the packet should be forwarded
           after processing (normally the other security gateway) together
           indicate which Security Association should be used to process the
           packet,

       +
           a ´:´ separating the SAID from the transport protocol (0 if all
           protocols)

       +
           source identity text string with no whitespace, in parens,

       +
           destination identity text string with no whitespace, in parens

       Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
       protocol is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
       hexadecimal numbers where the prefix ´.´ is for IPv4 and the prefix ´:´
       is for IPv6

       SAIDs are written as "protoafSPI@edst". There are also 5 "magic" SAIDs
       which have special meaning:

       +
           %drop means that matches are to be dropped

       +
           %reject means that matches are to be dropped and an ICMP returned,
           if possible to inform

       +
           %trap means that matches are to trigger an ACQUIRE message to the
           Key Management daemon(s) and a hold eroute will be put in place to
           prevent subsequent packets also triggering ACQUIRE messages.

       +
           %hold means that matches are to stored until the eroute is replaced
           or until that eroute gets reaped

       +
           %pass means that matches are to allowed to pass without IPSEC
           processing

EXAMPLES

       1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0

        () ()

       means that 1,867 packets have been sent to an eroute that has been set
       up to protect traffic between the subnet 172.31.252.0 with a subnet
       mask of 24 bits and the default address/mask represented by an address
       of 0.0.0.0 with a subnet mask of 0 bits using the local machine as a
       security gateway on this end of the tunnel and the machine 192.168.43.1
       on the other end of the tunnel with a Security Association IDentifier
       of tun0x130@192.168.43.1 which means that it is a tunnel mode
       connection (4, IPPROTO_IPIP) with a Security Parameters Index of 130 in
       hexadecimal with no identies defined for either end.

       746 192.168.2.110/32:0 -> 192.168.2.120/32:25 =>
       esp0x130@192.168.2.120:6

        () ()

       means that 746 packets have been sent to an eroute that has been set up
       to protect traffic sent from any port on the host 192.168.2.110 to the
       SMTP (TCP, port 25) port on the host 192.168.2.120 with a Security
       Association IDentifier of tun0x130@192.168.2.120 which means that it is
       a transport mode connection with a Security Parameters Index of 130 in
       hexadecimal with no identies defined for either end.

       125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()

       means that 125 packets have been sent to an eroute that has been set up
       to protect traffic between the subnet 3049:1:: with a subnet mask of 64
       bits and the default address/mask represented by an address of 0:0 with
       a subnet mask of 0 bits using the local machine as a security gateway
       on this end of the tunnel and the machine 3058:4::5 on the other end of
       the tunnel with a Security Association IDentifier of tun:130@3058:4::5
       which means that it is a tunnel mode connection with a Security
       Parameters Index of 130 in hexadecimal with no identies defined for
       either end.

       42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough

       means that 42 packets have been sent to an eroute that has been set up
       to pass the traffic from the subnet 192.168.6.0 with a subnet mask of
       24 bits and to subnet 192.168.7.0 with a subnet mask of 24 bits without
       any IPSEC processing with no identies defined for either end.

       2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()

       means that 2112 packets have been sent to an eroute that has been set
       up to hold the traffic from the host 192.168.8.55 and to host
       192.168.9.47 until a key exchange from a Key Management daemon succeeds
       and puts in an SA or fails and puts in a pass or drop eroute depending
       on the default configuration with the local client defined as "east"
       and no identy defined for the remote end.

       2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 =>

        esp0xe6de@192.168.2.120:0 () ()

       means that 2001 packets have been sent to an eroute that has been set
       up to protect traffic between the host 192.168.2.110 and the host
       192.168.2.120 using 192.168.2.110 as a security gateway on this end of
       the connection and the machine 192.168.2.120 on the other end of the
       connection with a Security Association IDentifier of
       esp0xe6de@192.168.2.120 which means that it is a transport mode
       connection with a Security Parameters Index of e6de in hexadecimal
       using Encapsuation Security Payload protocol (50, IPPROTO_ESP) with no
       identies defined for either end.

       1984 3049:1::110/128 -> 3049:1::120/128 =>

        ah:f5ed@3049:1::120 () ()

       means that 1984 packets have been sent to an eroute that has been set
       up to authenticate traffic between the host 3049:1::110 and the host
       3049:1::120 using 3049:1::110 as a security gateway on this end of the
       connection and the machine 3049:1::120 on the other end of the
       connection with a Security Association IDentifier of
       ah:f5ed@3049:1::120 which means that it is a transport mode connection
       with a Security Parameters Index of f5ed in hexadecimal using
       Authentication Header protocol (51, IPPROTO_AH) with no identies
       defined for either end.

FILES

       /proc/net/ipsec_eroute, /usr/local/bin/ipsec

SEE ALSO

       ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5),
       ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8),
       ipsec_version(5), ipsec_pf_key(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
       Richard Guy Briggs.

[FIXME: source]                   02/25/2010                   IPSEC_EROUTE(5)