IPSEC_SPI(8)  Section: Maintenance Commands (8)
Updated: 30 Nov 1998
NAME
ipsec spi - manage IPSEC Security Associations

SYNOPSIS
Note: In the following, <SA> means: --edst daddr --spi spi --proto proto OR --said said
ipsec spi <SA> --ah hmac-md5-96|hmac-sha1-96 [ --replay_window replayw ] --authkey akey
ipsec spi <SA> --esp 3des [ --replay_window replayw ] --enckey ekey
ipsec spi <SA> --esp 3des-md5-96|3des-sha1-96 [ --replay_window replayw ] --enckey ekey --authkey akey
ipsec spi <SA> --esp null-md5-96|null-sha1-96 [ --replay_window replayw ] --authkey akey
ipsec spi <SA> --ip4 --src encap-src --dst encap-dst
ipsec spi <SA> --del
ipsec spi --help
ipsec spi --version
ipsec spi --clear
DESCRIPTION
Spi creates and deletes IPSEC Security Associations. A Security Association (SA) is a transform through which packet contents are to be processed before being forwarded. A transform can be an IP-in-IP encapsulation, an IPSEC Authentication Header (authentication with no encryption), or an IPSEC Encapsulating Security Payload (encryption, possibly including authentication).
When a packet is passed from a higher networking layer through an IPSEC virtual interface, a search in the extended routing table (see ipsec_eroute(8)) yields an effective destination address, a Security Parameters Index (SPI) and an IP protocol number. When an IPSEC packet arrives from the network, its ostensible destination, an SPI and an IP protocol specified by its outermost IPSEC header are used. The destination/SPI/protocol combination is used to select the relevant SA. (See ipsec_spigrp(8) for discussion of how multiple transforms are combined.)
The daddr, spi and proto arguments specify the SA to be created or deleted. Daddr is a dotted-decimal IPv4 destination address. Spi is a number, preceded by '0x' for hexadecimal, between 0x100 and 0xffffffff; values from 0x0 to 0xff are reserved. Proto is an ASCII string, "ah", "esp" or "tun", specifying the IP protocol. The protocol must agree with the algorithm selected.
Alternatively, the said argument can specify the SA to be created or deleted. Said combines the three parameters above (protocol, SPI and destination address) into a single string.
Key vectors must be entered as hexadecimal or base64 numbers. They should be cryptographically strong random numbers.
All hexadecimal numbers are entered as strings of hexadecimal digits (0-9 and a-f), without spaces, preceded by '0x', where each hexadecimal digit represents 4 bits. All base64 numbers are entered as strings of base64 digits
EXAMPLES
To keep line lengths down and reduce clutter, some of the long keys in these examples have been abbreviated by replacing part of their text with ``...''. Keys used when the programs are actually run must, of course, be the full length required for the particular algorithm.
ipsec spi --edst gw2 --spi 0x125 --proto esp \
    --esp 3des-md5-96 --enckey 0x6630...97ce --authkey 0x9941...71df
sets up an SA to gw2 with an SPI of 0x125 and protocol ESP (50) using 3DES encryption with integral MD5-96 authentication transform, using an encryption key of 0x6630...97ce and an authentication key of 0x9941...71df (see note above about abbreviated keys).
ipsec spi --said <said> --del
deletes an SA to 192.168.100.100 with an SPI of 0x987 and protocol IPIP (4).
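The constraints the DESCRIPTION states (SPI range, hex key syntax, protocol matching the algorithm, full-length keys) are easy to get wrong when typing `ipsec spi` lines by hand. The following is an added example, not part of the FreeS/WAN man page or code: a small Python helper that generates random keys in the page's hex syntax and builds the AH/ESP command lines above while checking every rule. The per-algorithm key lengths are not on this page; they are taken from RFC 2451 (3DES), RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96).

```python
import os
import re

# Key lengths in bits for the transforms ipsec spi accepts. The man page only
# says keys must be "the full length required for the particular algorithm";
# the figures here come from RFC 2451 (3DES-CBC, 192-bit key), RFC 2403
# (HMAC-MD5-96, 128-bit key) and RFC 2404 (HMAC-SHA-1-96, 160-bit key).
ENC_KEY_BITS = {"3des": 192, "null": 0}
AUTH_KEY_BITS = {"md5-96": 128, "sha1-96": 160}
HEX_KEY_RE = re.compile(r"^0x[0-9a-f]+$")   # page syntax: '0x' then digits 0-9, a-f

def random_key(bits):
    """Cryptographically strong random key in ipsec spi's hex syntax (4 bits per digit)."""
    return "0x" + os.urandom(bits // 8).hex()

def check_hex_key(key, bits, what):
    """Reject a key that is not 0x-prefixed hex or is not the full algorithm length."""
    if not key or not HEX_KEY_RE.match(key):
        raise ValueError(f"{what} key must be hex digits preceded by '0x'")
    if (len(key) - 2) * 4 != bits:
        raise ValueError(f"{what} key must be {bits} bits, got {(len(key) - 2) * 4}")

def spi_command(daddr, spi, proto, transform, enckey=None, authkey=None, replay_window=None):
    """Build an 'ipsec spi' argv for an AH or ESP SA, enforcing the man page's rules."""
    if not 0x100 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be 0x100..0xffffffff; 0x0..0xff are reserved")
    if transform.startswith("hmac-"):                # --ah hmac-md5-96 | hmac-sha1-96
        algo_opt, enc, auth = "--ah", None, transform[len("hmac-"):]
    else:                                            # --esp 3des | 3des-md5-96 | null-sha1-96 ...
        enc, _, auth = transform.partition("-")
        algo_opt, auth = "--esp", auth or None
    if (enc is not None and enc not in ENC_KEY_BITS) or (auth and auth not in AUTH_KEY_BITS):
        raise ValueError(f"unknown transform {transform}")
    # The protocol must agree with the algorithm selected: AH for --ah, ESP for --esp.
    if proto != algo_opt[2:]:
        raise ValueError(f"{transform} requires --proto {algo_opt[2:]}, not {proto}")
    argv = ["ipsec", "spi", "--edst", daddr, "--spi", f"{spi:#x}", "--proto", proto,
            algo_opt, transform]
    if replay_window is not None:
        argv += ["--replay_window", str(replay_window)]
    if enc and ENC_KEY_BITS[enc]:                    # null encryption takes no --enckey
        check_hex_key(enckey, ENC_KEY_BITS[enc], "encryption")
        argv += ["--enckey", enckey]
    if auth:
        check_hex_key(authkey, AUTH_KEY_BITS[auth], "authentication")
        argv += ["--authkey", authkey]
    return argv
```

`spi_command("gw2", 0x125, "esp", "3des-md5-96", enckey=random_key(192), authkey=random_key(128))` reproduces the first example above with full-length keys; a reserved SPI, a mismatched protocol or a short key is rejected before anything reaches the kernel.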
SEE ALSO
ipsec_tncfg(8), ipsec_eroute(8), ipsec_spigrp(8), ipsec_klipsdebug(8)
HISTORY
Written for the Linux FreeS/WAN project <http://www.xs4all.nl/~freeswan/> by Richard Guy Briggs.
BUGS
The syntax is messy and the transform naming needs work.
This document was created by man2html, using the manual pages.
Time: 21:22:50 GMT, February 08, 2000