Provided by: openswan_2.6.38-1_amd64 bug

NAME

       ipsec_spi - list IPSEC Security Associations

SYNOPSIS

       ipsec spi
             cat/proc/net/ipsec_spi

OBSOLETE

       Note that eroute is only supported on the classic KLIPS stack. It is not supported on any
       other stack and will be completely removed in future versions. A replacement command still
       needs to be designed

DESCRIPTION

       /proc/net/ipsec_spi is a read-only file that lists the current IPSEC Security
       Associations. A Security Association (SA) is a transform through which packet contents are
       to be processed before being forwarded. A transform can be an IPv4-in-IPv4 or IPv6-in-IPv6
       encapsulation, an IPSEC Authentication Header (authentication with no encryption), or an
       IPSEC Encapsulation Security Payload (encryption, possibly including authentication).

       When a packet is passed from a higher networking layer through an IPSEC virtual interface,
       a search in the extended routing table (see ipsec_eroute(5)) yields a IP protocol number ,
       a Security Parameters Index (SPI) and an effective destination address When an IPSEC
       packet arrives from the network, its ostensible destination, an SPI and an IP protocol
       specified by its outermost IPSEC header are used. The destination/SPI/protocol combination
       is used to select a relevant SA. (See ipsec_spigrp(5) for discussion of how multiple
       transforms are combined.)

       An spi , proto, daddr and address_family arguments specify an SAID.  Proto is an ASCII
       string, "ah", "esp", "comp" or "tun", specifying the IP protocol.  Spi is a number,
       preceded by ´.´ indicating hexadecimal and IPv4 or by ´:´ indicating hexadecimal and IPv6,
       where each hexadecimal digit represents 4 bits, between 0x100 and 0xffffffff; values from
       0x0 to 0xff are reserved.  Daddr is a dotted-decimal IPv4 destination address or a coloned
       hex IPv6 destination address.

       An SAID combines the three parameters above, such as: "tun.101@1.2.3.4" for IPv4 or
       "tun:101@3049:1::1" for IPv6

       A table entry consists of:

       +
           SAID

       +
           <transform name (proto,encalg,authalg)>:

       +
           direction (dir=)

       +
           source address (src=)

       +
           source and destination addresses and masks for inner header policy check addresses
           (policy=), as dotted-quads or coloned hex, separated by ´->´, for IPv4-in-IPv4 or
           IPv6-in-IPv6 SAs only

       +
           initialisation vector length and value (iv_bits=, iv=) if non-zero

       +
           out-of-order window size, number of out-of-order errors, sequence number, recently
           received packet bitmask, maximum difference between sequence numbers (ooowin=,
           ooo_errs=, seq=, bit=, max_seq_diff=) if SA is AH or ESP and if individual items are
           non-zero

       +
           extra flags (flags=) if any are set

       +
           authenticator length in bits (alen=) if non-zero

       +
           authentication key length in bits (aklen=) if non-zero

       +
           authentication errors (auth_errs=) if non-zero

       +
           encryption key length in bits (eklen=) if non-zero

       +
           encryption size errors (encr_size_errs=) if non-zero

       +
           encryption padding error warnings (encr_pad_errs=) if non-zero

       +
           lifetimes legend, c=Current status, s=Soft limit when exceeded will initiate rekeying,
           h=Hard limit will cause termination of SA (life(c,s,h)=)

       +
           number of connections to which the SA is allocated (c), that will cause a rekey (s),
           that will cause an expiry (h) (alloc=), if any value is non-zero

       +
           number of bytes processesd by this SA (c), that will cause a rekey (s), that will
           cause an expiry (h) (bytes=), if any value is non-zero

       +
           time since the SA was added (c), until rekey (s), until expiry (h), in seconds (add=)

       +
           time since the SA was first used (c), until rekey (s), until expiry (h), in seconds
           (used=), if any value is non-zero

       +
           number of packets processesd by this SA (c), that will cause a rekey (s), that will
           cause an expiry (h) (packets=), if any value is non-zero

       +
           time since the last packet was processed, in seconds (idle=), if SA has been used

           average compression ratio (ratio=)

EXAMPLES

       tun.12a@192.168.43.1 IPIP: dir=out src=192.168.43.2

        life(c,s,h)=bytes(14073,0,0)add(269,0,0)

        use(149,0,0)packets(14,0,0)

        idle=23

       is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between machines
       192.168.43.2 and 192.168.43.1 with an SPI of 12a in hexadecimal that has passed about 14
       kilobytes of traffic in 14 packets since it was created, 269 seconds ago, first used 149
       seconds ago and has been idle for 23 seconds.

       esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5:

        dir=in src=9a35fc02@3049:1::2

        ooowin=32 seq=7149 bit=0xffffffff

        alen=128 aklen=128 eklen=192

        life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)

        use(3858,0,0)packets(7149,0,0)

        idle=23

       is an inbound Encapsulating Security Payload (protocol 50) SA on machine 3049:1::1 with an
       SPI of 9a35fc02 that uses 3DES as the encryption cipher, HMAC MD5 as the authentication
       algorithm, an out-of-order window of 32 packets, a present sequence number of 7149, every
       one of the last 32 sequence numbers was received, the authenticator length and keys is 128
       bits, the encryption key is 192 bits (actually 168 for 3DES since 1 of 8 bits is a parity
       bit), has passed 1.2 Mbytes of data in 7149 packets, was added 4593 seconds ago, first
       used 3858 seconds ago and has been idle for 23 seconds.

FILES

       /proc/net/ipsec_spi, /usr/local/bin/ipsec

SEE ALSO

       ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5), ipsec_spigrp(5),
       ipsec_klipsdebug(5), ipsec_spi(8), ipsec_version(5), ipsec_pf_key(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by Richard Guy Briggs.

BUGS

       The add and use times are awkward, displayed in seconds since machine start. It would be
       better to display them in seconds before now for human readability.

[FIXME: source]                             10/06/2010                               IPSEC_SPI(5)