Logo

Charles Steinkuehler's LEAF/LRP Website


 

IPSEC_SPI

Section: Maintenance Commands (8)
Updated: 30 Nov 1998
Index Return to Main Contents
 

NAME

ipsec spi - manage IPSEC Security Associations  

SYNOPSIS


Note: In the following, <SA> means: --edst daddr --spi spi --proto proto OR --said said

ipsec spi <SA> --ah hmac-md5-96|hmac-sha1-96 [ --replay_window replayw ] --authkey akey

ipsec spi <SA> --esp 3des --replay_window replayw ] --enckey ekey

ipsec spi <SA> --esp 3des-md5-96|3des-sha1-96 [ --replay_window replayw ] --enckey ekey --authkey akey

ipsec spi <SA> --esp null-md5-96|null-sha1-96 [ --replay_window replayw ] --authkey akey

ipsec spi <SA> --ip4 --src encap-src --dst encap-dst

ipsec spi <SA> --del

ipsec spi --help

ipsec spi --version

ipsec spi --clear

 

DESCRIPTION

Spi creates and deletes IPSEC Security Associations. A Security Association (SA) is a transform through which packet contents are to be processed before being forwarded. A transform can be an IP-in-IP encapsulation, an IPSEC Authentication Header (authentication with no encryption), or an IPSEC Encapsulation Security Payload (encryption, possibly including authentication).

When a packet is passed from a higher networking layer through an IPSEC virtual interface, a search in the extended routing table (see ipsec_eroute(8)) yields an effective destination address, a Security Parameters Index (SPI) and a IP protocol number. When an IPSEC packet arrives from the network, its ostensible destination, an SPI and an IP protocol specified by its outermost IPSEC header are used. The destination/SPI/protocol combination is used to select a relevant SA. (See ipsec_spigrp(8) for discussion of how multiple transforms are combined.)

The daddr, spi and proto arguments specify the SA to be created or deleted. Daddr is a dotted-decimal IPv4 destination address. Spi is a number, preceded by '0x' for hexadecimal, between 0x100 and 0xffffffff; values from 0x0 to 0xff are reserved. Proto is an ASCII string, "ah", "esp" or "tun", specifying the IP protocol. The protocol must agree with the algorithm selected.

Alternatively, the said argument can also specify an SA to be created or deleted. Said combines the three parameters above, such as: "tun0x101@1.2.3.4"

Keys vectors must be entered as hexadecimal or base64 numbers. They should be cryptographically strong random numbers.

All hexadecimal numbers are entered as strings of hexadecimal digits (0-9 and a-f), without spaces, preceded by '0x', where each hexadecimal digit represents 4 bits. All base64 numbers are entered as strings of base64 digits
 (0-9, A-Z, a-z, '+' and '/'), without spaces, preceded by '0s', where each hexadecimal digit represents 6 bits and '=' is used for padding.

The deletion of an SA which has been grouped will result in the entire chain being deleted.  

OPTIONS

--edst
specifies the effective destination daddr of the Security Association
--spi
specifies the Security Parameters Index spi of the Security Association
--proto
specifies the IP protocol proto of the Security Association
--said
specifies the Security Association in monolithic format
--ah
add an SA for an IPSEC Authentication Header, specified by the following transform identifier (hmac-md5-96 or hmac-sha1-96) (RFC2402, obsoletes RFC1826)
hmac-md5-96
transform following the HMAC and MD5 standards, using a 128-bit key to produce a 96-bit authenticator (RFC2403)
hmac-sha1-96
transform following the HMAC and SHA1 standards, using a 160-bit key to produce a 96-bit authenticator (RFC2404)
--esp
add an SA for an IPSEC Encapsulation Security Payload, specified by the following transform identifier (3des, or 3des-md5-96) (RFC2406, obsoletes RFC1827)
3des
encryption transform following the Triple-DES standard in Cipher-Block-Chaining mode using a 64-bit iv (internally generated) and a 192-bit 3DES ekey (RFC2451)
3des-md5-96
encryption transform following the Triple-DES standard in Cipher-Block-Chaining mode with authentication provided by HMAC and MD5 (96-bit authenticator), using a 64-bit iv (internally generated), a 192-bit 3DES ekey and a 128-bit HMAC-MD5 akey (RFC2451, RFC2403)
3des-sha1-96
encryption transform following the Triple-DES standard in Cipher-Block-Chaining mode with authentication provided by HMAC and SHA1 (96-bit authenticator), using a 64-bit iv (internally generated), a 192-bit 3DES ekey and a 160-bit HMAC-SHA1 akey (RFC2451, RFC2404)
null-md5-96
encryption using the identity transform with authentication provided by HMAC and MD5 (96-bit authenticator), using a 128-bit HMAC-MD5 akey (RFC2410, RFC2403)
null-sha1-96
encryption using the identity transform with authentication provided by HMAC and SHA1 (96-bit authenticator), using a 160-bit HMAC-SHA1 akey (RFC2410, RFC2404)
--replay_window replayw
sets the replay window size; valid values are decimal, 1 to 64
--ip4
add an SA for an IP-in-IP tunnel from encap-src to encap-dst
--src
specify the source end of an IP-in-IP tunnel from encap-src to encap-dst
--dst
specify the destination end of an IP-in-IP tunnel from encap-src to encap-dst
--del
delete the specified SA
--clear
clears the table of SAs
--help
display synopsis
--version
display version information
 

EXAMPLES

To keep line lengths down and reduce clutter, some of the long keys in these examples have been abbreviated by replacing part of their text with ``...''. Keys used when the programs are actually run must, of course, be the full length required for the particular algorithm.

ipsec spi --edst gw2 --spi 0x125 --proto esp \
--esp 3des-md5-96 \
   --enckey 0x6630...97ce \
--authkey 0x9941...71df

sets up an SA to gw2 with an SPI of 0x125 and protocol ESP (50) using 3DES encryption with integral MD5-96 authentication transform, using an encryption key of 0x6630...97ce and an authentication key of 0x9941...71df (see note above about abbreviated keys).

ipsec spi --said tun0x987@192.168.100.100 --del

deletes an SA to 192.168.100.100 with an SPI of 0x987 and protocol IPIP (4).

 

FILES

/dev/ipsec  

SEE ALSO

ipsec_tncfg(8), ipsec_eroute(8), ipsec_spigrp(8), ipsec_klipsdebug(8)  

HISTORY

Written for the Linux FreeS/WAN project <http://www.xs4all.nl/~freeswan/> by Richard Guy Briggs.  

BUGS

The syntax is messy and the transform naming needs work.

 


 

Index

NAME
 
SYNOPSIS
 
DESCRIPTION
 
OPTIONS
 
EXAMPLES
 
FILES
 
SEE ALSO
 
HISTORY
 
BUGS
 

This document was created by man2html, using the manual pages.
Time: 21:22:50 GMT, February 08, 2000

Content-type: text/html