Provided by: openswan_2.6.38-1_amd64

NAME

       ipsec_spigrp - list IPSEC Security Association groupings

SYNOPSIS

       ipsec spigrp
             cat /proc/net/ipsec_spigrp

OBSOLETE

       Note that spigrp is only supported on the classic KLIPS stack. It is not supported on any
       other stack and will be completely removed in future versions. A replacement command still
       needs to be designed.

DESCRIPTION

       /proc/net/ipsec_spigrp is a read-only file that lists groups of IPSEC Security
       Associations (SAs).

       An entry in the IPSEC extended routing table can only point (via an SAID) to one SA. If
       more than one transform must be applied to a given type of packet, this can be
       accomplished by setting up several SAs with the same destination address but potentially
       different SPIs and protocols, and grouping them with ipsec_spigrp(8).

       The SA groups are listed, one line per connection/group, as a sequence of SAs to be
       applied (or that should have been applied, in the case of an incoming packet) from inside
       to outside the packet. An SA is identified by its SAID, which consists of protocol ("ah",
       "esp", "comp" or "tun"), SPI (a hexadecimal number prefixed with '.' for IPv4 or ':' for
       IPv6) and destination address (IPv4 dotted quad or IPv6 coloned hex) prefixed by '@', in
       the format <proto><af><spi>@<dest>.

EXAMPLES

       tun.3d0@192.168.2.110
           comp.3d0@192.168.2.110 esp.187a101b@192.168.2.110 ah.187a101a@192.168.2.110

       is a group of 3 SAs, destined for 192.168.2.110 with an IPv4-in-IPv4 tunnel SA applied
       first with an SPI of 3d0 in hexadecimal, followed by a Deflate compression header to
       compress the packet with CPI of 3d0 in hexadecimal, followed by an Encapsulating Security
       Payload header to encrypt the packet with SPI 187a101b in hexadecimal, followed by an
       Authentication Header to authenticate the packet with SPI 187a101a in hexadecimal, applied
       from inside to outside the packet. This could be an incoming or outgoing group, depending
       on the address of the local machine.

       tun:3d0@3049:1::2
           comp:3d0@3049:1::2 esp:187a101b@3049:1::2 ah:187a101a@3049:1::2

       is a group of 3 SAs, destined for 3049:1::2 with an IPv6-in-IPv6 tunnel SA applied first
       with an SPI of 3d0 in hexadecimal, followed by a Deflate compression header to compress
       the packet with CPI of 3d0 in hexadecimal, followed by an Encapsulating Security Payload
       header to encrypt the packet with SPI 187a101b in hexadecimal, followed by an
       Authentication Header to authenticate the packet with SPI 187a101a in hexadecimal, applied
       from inside to outside the packet. This could be an incoming or outgoing group, depending
       on the address of the local machine.
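
       The following parser for the <proto><af><spi>@<dest> format is an added example, not
       part of the original manual page or of Openswan. The function names, the "flag groups
       with neither esp nor ah" policy and the third sample line are assumptions for illustration.

```python
import ipaddress
import re
from typing import List, NamedTuple, Union

# <proto><af><spi>@<dest>, where <af> is '.' for IPv4 and ':' for IPv6
SAID_RE = re.compile(r"(ah|esp|comp|tun)([.:])([0-9a-fA-F]+)@(\S+)")

class SAID(NamedTuple):
    proto: str
    spi: int
    dest: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

def parse_said(token: str) -> SAID:
    m = SAID_RE.fullmatch(token)
    if m is None:
        raise ValueError(f"malformed SAID: {token!r}")
    proto, af, spi, dest = m.groups()
    addr = ipaddress.ip_address(dest)  # ValueError if not an IP address
    if addr.version != (4 if af == "." else 6):
        raise ValueError(f"family marker {af!r} does not match {dest}")
    return SAID(proto, int(spi, 16), addr)

def parse_group(line: str) -> List[SAID]:
    """Parse one line: the SAs of a group, from inside to outside the packet."""
    group = [parse_said(tok) for tok in line.split()]
    if len({sa.dest for sa in group}) > 1:
        raise ValueError("SAs in a group must share one destination address")
    return group

def groups_without(text: str, required=("esp", "ah")) -> List[List[SAID]]:
    """Assumed local policy: flag groups carrying none of the required protos."""
    groups = [parse_group(ln) for ln in text.splitlines() if ln.strip()]
    return [g for g in groups if not {sa.proto for sa in g} & set(required)]

# First two lines are the page's examples; the third is constructed.
SAMPLE = """\
tun.3d0@192.168.2.110 comp.3d0@192.168.2.110 esp.187a101b@192.168.2.110 ah.187a101a@192.168.2.110
tun:3d0@3049:1::2 comp:3d0@3049:1::2 esp:187a101b@3049:1::2 ah:187a101a@3049:1::2
tun.3e0@192.0.2.10 comp.3e0@192.0.2.10
"""

if __name__ == "__main__":
    for g in groups_without(SAMPLE):
        print("no esp/ah in group:", " ".join(sa.proto for sa in g), "->", g[0].dest)
```

       On a KLIPS host, the same functions can be applied to the contents of
       /proc/net/ipsec_spigrp instead of the embedded sample.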

FILES

       /proc/net/ipsec_spigrp, /usr/local/bin/ipsec

SEE ALSO

       ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5), ipsec_spi(5),
       ipsec_klipsdebug(5), ipsec_spigrp(8), ipsec_version(5), ipsec_pf_key(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by Richard Guy Briggs.

BUGS

       :-)

[FIXME: source]                             10/06/2010                            IPSEC_SPIGRP(5)