Provided by: openswan_2.6.38-1_amd64 
NAME
ipsec_eroute - manipulate IPSEC extended routing tables
SYNOPSIS
ipsec eroute --add --eraf (inet | inet6) --src src/srcmaskbits|srcmask --dst
dst/dstmaskbits|dstmask [[--transport-proto transport-protocol]] [--src-port
source-port] [--dst-port dest-port] [<SAID>]
ipsec eroute --replace --eraf (inet | inet6) --src src/srcmaskbits|srcmask --dst
dst/dstmaskbits|dstmask [[--transport-proto transport-protocol]] [--src-port
source-port] [--dst-port dest-port] [<SAID>]
ipsec eroute --del--del--eraf (inet | inet6)
--srcsrc/srcmaskbits|srcmask--dstdst/dstmaskbits|dstmask [[--transport-proto
transport-protocol]] [--src-port source-port] [--dst-port dest-port] [<SAID>]
ipsec eroute --clear
ipsec eroute --help
ipsec eroute --version
SAID DESCRIPTION
Where <SAID> is --af (inet | inet6) --edst edst --spi spi --proto proto OR --said said OR
--said (%passthrough | %passthrough4 | %passthrough6 | %drop | %reject | %trap | %hold |
%pass )
DESCRIPTION
Eroute manages the IPSEC extended routing tables, which control what (if any) processing
is applied to non-encrypted packets arriving for IPSEC processing and forwarding. The form
with no additional arguments lists the contents of /proc/net/ipsec_eroute. The --add form
adds a table entry, the --replace form replaces a table entry, while the --del form
deletes one. The --clear form deletes the entire table.
A table entry consists of:
+
source and destination addresses, with masks, source and destination ports and
protocol for selection of packets. The source and destination ports are only legal if
the transport protocol is TCP or UDP. A port can be specified as either decimal,
hexadecimal (leading 0x), octal (leading 0) or a name listed in the first column of
/etc/services. A transport protocol can be specified as either decimal, hexadecimal
(leading 0x), octal (leading 0) or a name listed in the first column of
/etc/protocols. If a transport protocol or port is not specified then it defaults to 0
which means all protocols or all ports respectively.
+
Security Association IDentifier, comprised of:
+
protocol (proto), indicating (together with the effective destination and the security
parameters index) which Security Association should be used to process the packet
+
address family (af),
+
Security Parameters Index (spi), indicating (together with the effective destination
and protocol) which Security Association should be used to process the packet (must be
larger than or equal to 0x100)
+
effective destination (edst), where the packet should be forwarded after processing
(normally the other security gateway)
+
OR
+
SAID (said), indicating which Security Association should be used to process the
packet
Addresses are written as IPv4 dotted quads or IPv6 coloned hex, protocol is one of "ah",
"esp", "comp" or "tun" and SPIs are prefixed hexadecimal numbers where ´.´ represents IPv4
and ´:´ stands for IPv6.
SAIDs are written as "protoafSPI@address". There are also 5 "magic" SAIDs which have
special meaning:
+
%drop means that matches are to be dropped
+
%reject means that matches are to be dropped and an ICMP returned, if possible to
inform
+
%trap means that matches are to trigger an ACQUIRE message to the Key Management
daemon(s) and a hold eroute will be put in place to prevent subsequent packets also
triggering ACQUIRE messages.
+
%hold means that matches are to stored until the eroute is replaced or until that
eroute gets reaped
+
%pass means that matches are to allowed to pass without IPSEC processing
The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
EXAMPLES
ipsec eroute --add --eraf inet --src 192.168.0.1/32 \
--dst 192.168.2.0/24 --af inet --edst 192.168.0.2 \
--spi 0x135 --proto tun
sets up an eroute on a Security Gateway to protect traffic between the host 192.168.0.1
and the subnet 192.168.2.0 with 24 bits of subnet mask via Security Gateway 192.168.0.2
using the Security Association with address 192.168.0.2, Security Parameters Index 0x135
and protocol tun (50, IPPROTO_ESP).
ipsec eroute --add --eraf inet6 --src 3049:1::1/128 \
--dst 3049:2::/64 --af inet6 --edst 3049:1::2 \
--spi 0x145 --proto tun
sets up an eroute on a Security Gateway to protect traffic between the host 3049:1::1 and
the subnet 3049:2:: with 64 bits of subnet mask via Security Gateway 3049:1::2 using the
Security Association with address 3049:1::2, Security Parameters Index 0x145 and protocol
tun (50, IPPROTO_ESP).
ipsec eroute --replace --eraf inet --src company.com/24 \
--dst ftp.ngo.org/32 --said tun.135@gw.ngo.org
replaces an eroute on a Security Gateway to protect traffic between the subnet company.com
with 24 bits of subnet mask and the host ftp.ngo.org via Security Gateway gw.ngo.org using
the Security Association with Security Association ID tun0x135@gw.ngo.org
ipsec eroute --del --eraf inet --src company.com/24 \
--dst www.ietf.org/32 --said %passthrough4
deletes an eroute on a Security Gateway that allowed traffic between the subnet
company.com with 24 bits of subnet mask and the host www.ietf.org to pass in the clear,
unprocessed.
ipsec eroute --add --eraf inet --src company.com/24 \
--dst mail.ngo.org/32 --transport-proto 6 \
--dst-port 110 --said tun.135@mail.ngo.org
sets up an eroute on on a Security Gateway to protect only TCP traffic on port 110 (pop3)
between the subnet company.com with 24 bits of subnet mask and the host ftp.ngo.org via
Security Gateway mail.ngo.org using the Security Association with Security Association ID
tun0x135@mail.ngo.org. Note that any other traffic bound for mail.ngo.org that is routed
via the ipsec device will be dropped. If you wish to allow other traffic to pass through
then you must add a %pass rule. For example the following rule when combined with the
above will ensure that POP3 messages read from mail.ngo.org will be encrypted but all
other traffic to/from mail.ngo.org will be in clear text.
ipsec eroute --add --eraf inet --src company.com/24 \
--dst mail.ngo.org/32 --said %pass
FILES
/proc/net/ipsec_eroute, /usr/local/bin/ipsec
SEE ALSO
ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8), ipsec_spigrp(8),
ipsec_klipsdebug(8), ipsec_eroute(5)
HISTORY
Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by Richard Guy Briggs.
[FIXME: source] 03 April 2007 IPSEC_EROUTE(8)