IPSEC_SPI
Section: Maintenance Commands (8)
Updated: 30 Nov 1998

NAME
       ipsec spi - manage IPSEC Security Associations

SYNOPSIS
       Note: In the following, <SA> means:
           --edst daddr --spi spi --proto proto
       OR  --said said

       ipsec spi <SA> --ah hmac-md5-96|hmac-sha1-96 [ --replay_window replayw ] --authkey akey

       ipsec spi <SA> --esp 3des [ --replay_window replayw ] --enckey ekey

       ipsec spi <SA> --esp 3des-md5-96|3des-sha1-96 [ --replay_window replayw ] --enckey ekey --authkey akey

       ipsec spi <SA> --esp null-md5-96|null-sha1-96 [ --replay_window replayw ] --authkey akey

       ipsec spi <SA> --ip4 --src encap-src --dst encap-dst

       ipsec spi <SA> --del

       ipsec spi --help

       ipsec spi --version

       ipsec spi --clear

DESCRIPTION
       Spi creates and deletes IPSEC Security Associations. A Security
       Association (SA) is a transform through which packet contents are to
       be processed before being forwarded. A transform can be an IP-in-IP
       encapsulation, an IPSEC Authentication Header (authentication with no
       encryption), or an IPSEC Encapsulation Security Payload (encryption,
       possibly including authentication).

       When a packet is passed from a higher networking layer through an
       IPSEC virtual interface, a search in the extended routing table (see
       ipsec_eroute(8)) yields an effective destination address, a Security
       Parameters Index (SPI) and an IP protocol number. When an IPSEC packet
       arrives from the network, its ostensible destination, an SPI and an IP
       protocol specified by its outermost IPSEC header are used. The
       destination/SPI/protocol combination is used to select a relevant SA.
       (See ipsec_spigrp(8) for discussion of how multiple transforms are
       combined.)

       The daddr, spi and proto arguments specify the SA to be created or
       deleted. Daddr is a dotted-decimal IPv4 destination address. Spi is a
       number, preceded by '0x' for hexadecimal, between 0x100 and
       0xffffffff; values from 0x0 to 0xff are reserved. Proto is an ASCII
       string, "ah", "esp" or "tun", specifying the IP protocol. The protocol
       must agree with the algorithm selected.

       Alternatively, the said argument can also specify an SA to be created
       or deleted. Said combines the three parameters above, such as:
       "tun0x101@1.2.3.4"

       Key vectors must be entered as hexadecimal or base64 numbers. They
       should be cryptographically strong random numbers. All hexadecimal
       numbers are entered as strings of hexadecimal digits (0-9 and a-f),
       without spaces, preceded by '0x', where each hexadecimal digit
       represents 4 bits. All base64 numbers are entered as strings of base64
       digits.

       The deletion of an SA which has been grouped will result in the entire
       chain being deleted.

OPTIONS
EXAMPLES
       To keep line lengths down and reduce clutter, some of the long keys in
       these examples have been abbreviated by replacing part of their text
       with ``...''. Keys used when the programs are actually run must, of
       course, be the full length required for the particular algorithm.

       ipsec spi --edst gw2 --spi 0x125 --proto esp \
               --esp 3des-md5-96 \
               --enckey 0x6630...97ce \
               --authkey 0x9941...71df

       sets up an SA to gw2 with an SPI of 0x125 and protocol ESP (50) using
       3DES encryption with integral MD5-96 authentication transform, using
       an encryption key of 0x6630...97ce and an authentication key of
       0x9941...71df (see note above about abbreviated keys).

       ipsec spi --said tun0x987@192.168.100.100 --del

       deletes an SA to 192.168.100.100 with an SPI of 0x987 and protocol
       IPIP (4).

FILES
       /dev/ipsec

SEE ALSO
       ipsec_tncfg(8), ipsec_eroute(8), ipsec_spigrp(8), ipsec_klipsdebug(8)

HISTORY
       Written for the Linux FreeS/WAN project
       <http://www.xs4all.nl/~freeswan/> by Richard Guy Briggs.

BUGS
       The syntax is messy and the transform naming needs work.
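As an added illustration (not part of the FreeS/WAN ipsec spi utility), the following Python validates the SAID form and the hex key form described in DESCRIPTION and EXAMPLES above: the proto/0x-SPI/@/daddr layout, the reserved SPI range 0x0..0xff, and the rule that the transform family must agree with the protocol. The function names are invented here, and the AH protocol number (51) comes from RFC 2402 rather than this page.

```python
import ipaddress
import re

# Protocol names ipsec spi accepts, mapped to the IP protocol number each selects.
# ESP (50) and IPIP (4) are stated on the man page; AH = 51 is taken from RFC 2402.
PROTO_NUMBERS = {"ah": 51, "esp": 50, "tun": 4}

# The --proto value each transform family requires: the page says the protocol
# must agree with the algorithm selected (--ip4 is the IP-in-IP "tun" case).
TRANSFORM_PROTO = {"ah": "ah", "esp": "esp", "ip4": "tun"}

# SAID layout from the page: <proto><0x-spi>@<dotted-decimal IPv4>, e.g. tun0x101@1.2.3.4
SAID_RE = re.compile(r"^(ah|esp|tun)(0x[0-9a-f]+)@(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_said(said):
    """Split a SAID into (proto, spi, daddr); raise ValueError if it is unusable."""
    m = SAID_RE.match(said.lower())
    if not m:
        raise ValueError(f"malformed SAID: {said!r}")
    proto, spi_text, daddr = m.groups()
    spi = int(spi_text, 16)
    # 0x0..0xff are reserved; anything above 32 bits cannot be an SPI at all.
    if not 0x100 <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {spi_text} outside 0x100..0xffffffff")
    ipaddress.IPv4Address(daddr)  # rejects octets above 255
    return proto, spi, daddr


def parse_key(text):
    """Return the bytes of a '0x'-prefixed hex key (4 bits per digit, no spaces)."""
    if not re.fullmatch(r"0x(?:[0-9a-f]{2})+", text.lower()):
        raise ValueError(f"key must be 0x plus an even run of hex digits: {text!r}")
    return bytes.fromhex(text[2:])


def check_transform(said, transform):
    """Return (ip-proto-number, spi, daddr) if transform ('ah', 'esp' or 'ip4')
    agrees with the SAID's protocol; raise ValueError otherwise."""
    proto, spi, daddr = parse_said(said)
    wanted = TRANSFORM_PROTO[transform]
    if proto != wanted:
        raise ValueError(f"--{transform} needs --proto {wanted}, but SAID says {proto}")
    return PROTO_NUMBERS[proto], spi, daddr
```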
This document was created by man2html, using the manual pages. Time: 21:22:50 GMT, February 08, 2000