.br
Note: In the following,
.br
.B <SA>
means:
.B \-\-af
(inet | inet6)
.B \-\-edst
daddr
.B \-\-spi
spi
.B \-\-proto
proto OR 
.B \-\-said
said,
.br
.B <life>
means:
.B \-\-life
(soft | hard)\-(allocations | bytes | addtime | usetime | packets)=value[,...]
.PP
.B ipsec
.B spi
.PP
.B ipsec
.B spi
.B <SA>
.B \-\-src
src
.B \-\-ah
.BR hmac-md5-96 | hmac-sha1-96
[
.B \-\-replay_window
replayw ]
[
.B <life>
]
.B \-\-authkey
akey
.PP
.B ipsec
.B spi
.B <SA>
.B \-\-src
src
.B \-\-esp
.BR 3des
[
.B \-\-replay_window
replayw ]
[
.B <life>
]
.B \-\-enckey
ekey
.B \-\-authkey
akey
.PP
.B ipsec
.B spi
.B <SA>
.B \-\-src
src
.B \-\-comp
.BR deflate
.PP
.B ipsec
.B spi
.B <SA>
.B \-\-ip4
.B \-\-src
encap-src
.B \-\-dst
encap-dst
.PP
.B ipsec
.B spi
.B <SA>
.B \-\-ip6
.B \-\-src
encap-src
.B \-\-dst
encap-dst
.PP
.B ipsec
.B spi
.B <SA>
.B \-\-del
.PP
.B ipsec
.B spi
.B \-\-help
.PP
.B ipsec
.B spi
.B \-\-version
.PP
.B ipsec
.B spi
.B \-\-clear
.PP
.SH DESCRIPTION
Security Parameters Index (SPI) and an IP protocol number.
When an IPSEC packet arrives from the network,
its ostensible destination, the SPI and the IP protocol
given in its outermost IPSEC header are extracted,
and that destination/SPI/protocol combination selects the relevant SA.
(See
.IR ipsec_spigrp (8)
for discussion of how multiple transforms are combined.)
.PP
The
.IR af ,
.IR daddr ,
.I spi
and
.I proto
arguments specify the SA to be created or deleted.
.I af
is the address family (inet for IPv4, inet6 for IPv6).
.I Daddr
is a destination address
in dotted-decimal notation for IPv4 
or in a coloned hex notation for IPv6.
.I Spi
is a number, preceded by '0x' for hexadecimal,
between
.B 0x100
and
.BR 0xffffffff ;
values from
.B 0x0
to
.B 0xff
are reserved.
.I Proto
is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol.
The protocol must agree with the algorithm selected.
.PP
Alternatively, the
.I said
argument can also specify an SA to be created or deleted.
.I Said
combines the three parameters above into a single token, for example "tun.101@1.2.3.4" or "tun:101@1:2::3:4":
the separator after the protocol name gives the address family ("." for IPv4, ":" for IPv6),
and that indicator also takes the place of the "0x" prefix, so the SPI is always read as hexadecimal.
.PP
The source address,
.IR src ,
must also be provided for the inbound policy check to
function.  The source address does not need to be included if inbound
policy checking has been disabled.
.PP
Key vectors must be entered as hexadecimal or base64 numbers.
ipsec_spi(5).
.PP
The lifetime severity of
.B soft
sets the limit at which the key management daemons are asked to rekey the SA.
The lifetime severity of
.B hard
sets the limit at which the SA must expire.
The lifetime type
.B allocations
tells the system when to expire the SA because it is being shared by too many
eroutes (not currently used).  The lifetime type of
.B bytes
tells the system to expire the SA after a certain number of bytes have been
processed with that SA.  The lifetime type of
.B addtime
tells the system to expire the SA a certain number of seconds after the SA was
installed.  The lifetime type of
.B usetime
tells the system to expire the SA a certain number of seconds after that SA has
processed its first packet.  The lifetime type of
.B packets
tells the system to expire the SA after a certain number of packets have been
processed with that SA.
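As an added example (not part of this man page or of FreeS/WAN's own code), the following Python validates the two textual formats described above: the monolithic SAID ("tun.987@192.168.100.100", "tun:500@3049:9::1000:1"), including the reserved SPI range and the address-family check, and the comma-separated --life list. The function names and the sample values are my own.

```python
import ipaddress
import re

# Constructed example: validate the SAID and --life formats described above.
# parse_said/parse_life are hypothetical helper names, not FreeS/WAN code.
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF          # 0x0..0xff are reserved
PROTOS = ("ah", "esp", "comp", "tun")
SAID_RE = re.compile(r"(?P<proto>[a-z]+)(?P<sep>[.:])(?P<spi>[0-9a-fA-F]+)@(?P<addr>.+)")
LIFE_RE = re.compile(r"(soft|hard)-(allocations|bytes|addtime|usetime|packets)=(\d+)")

def parse_said(said):
    """Split "tun.987@192.168.100.100" or "tun:500@3049:9::1000:1" into
    (proto, spi, family, address).  The separator after the protocol is the
    address-family indicator and stands in for the "0x" hex prefix."""
    m = SAID_RE.fullmatch(said)
    if not m:
        raise ValueError("malformed SAID: %r" % said)
    proto, sep, spi_hex, addr = m.group("proto", "sep", "spi", "addr")
    if proto not in PROTOS:
        raise ValueError("unknown protocol %r" % proto)
    spi = int(spi_hex, 16)
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError("SPI 0x%x outside 0x100..0xffffffff" % spi)
    family = "inet" if sep == "." else "inet6"
    ip = ipaddress.ip_address(addr)                # ValueError if not an address
    if (ip.version == 4) != (family == "inet"):
        raise ValueError("address %s does not match family %s" % (addr, family))
    return proto, spi, family, str(ip)

def said_error(said):
    """Return the validation error for a SAID, or None when it is acceptable."""
    try:
        parse_said(said)
    except ValueError as err:
        return str(err)
    return None

def parse_life(spec):
    """Parse "soft-bytes=1000000,hard-addtime=3600" into {(severity, type): value}."""
    result = {}
    for item in spec.split(","):
        m = LIFE_RE.fullmatch(item)
        if not m:
            raise ValueError("bad lifetime specification %r" % item)
        key = (m.group(1), m.group(2))
        if key in result:
            raise ValueError("duplicate lifetime %s-%s" % key)
        result[key] = int(m.group(3))
    return result
```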
.SH OPTIONS
.TP 10
.B \-\-af
specifies the address family (inet for IPv4, inet6 for IPv6)
.TP
.B \-\-edst
specifies the effective destination
.I daddr
of the Security Association
.TP
.B \-\-spi
specifies the Security Parameters Index
.I spi
of the Security Association
.TP
.B \-\-proto
specifies the IP protocol
.I proto
of the Security Association
.TP
.B \-\-said
specifies the Security Association in monolithic format
.TP
.B \-\-ah
add an SA for an IPSEC Authentication Header,
specified by the following transform identifier
(\c
.BR hmac-md5-96
to produce a 96-bit authenticator (RFC2404)
.TP
.B \-\-esp
add an SA for an IPSEC Encapsulation Security Payload,
specified by the following
transform identifier (\c
.BR 3des ,
or
.BR 3des-md5-96 )
(RFC2406, obsoletes RFC1827)
.TP
.B 3des
encryption transform following the Triple-DES standard in
Cipher-Block-Chaining mode using a 64-bit
.I iv
(internally generated) and a 192-bit 3DES
.I ekey
(RFC2451)
.TP
.B 3des-md5-96
encryption transform following the Triple-DES standard in
Cipher-Block-Chaining mode with authentication provided by
HMAC and MD5
(96-bit authenticator),
using a 64-bit
.IR iv
(internally generated), a 192-bit 3DES
.I ekey
and a 128-bit HMAC-MD5
.I akey
(RFC2451, RFC2403)
.TP
.B 3des-sha1-96
encryption transform following the Triple-DES standard in
Cipher-Block-Chaining mode with authentication provided by
HMAC and SHA1
(96-bit authenticator),
using a 64-bit
.IR iv
(internally generated), a 192-bit 3DES
.I ekey
and a 160-bit HMAC-SHA1
.I akey
(RFC2451, RFC2404)
.TP
.BR \-\-replay_window " replayw"
sets the replay window size; valid values are decimal, 1 to 64
.TP
.BR \-\-life " life_param[,life_param]"
sets the lifetime expiry; the format of
.B life_param
consists of a comma-separated list of lifetime specifications without spaces;
compression transform following the patent-free Deflate compression algorithm
(RFC2394)
.TP
.B \-\-ip4
add an SA for an IPv4-in-IPv4
tunnel from
.I encap-src
to
.I encap-dst
.TP
.B \-\-ip6
add an SA for an IPv6-in-IPv6
tunnel from
.I encap-src
to
.I encap-dst
.TP
.B \-\-src
specifies the source end of an IP-in-IP tunnel from
.I encap-src
to
.I encap-dst
and also the source address of the Security Association
used in inbound policy checking; it must be in the same address
family as
.I af
and
.I edst
.TP
.B \-\-dst
specifies the destination end of an IP-in-IP tunnel from
.I encap-src
to
.I encap-dst
.TP
.B \-\-del
delete the specified SA
.TP
.BR \-\-clear
clears the table of
.BR SA s
.TP
.BR \-\-help
display synopsis
.TP
.BR \-\-version
display version information
.SH EXAMPLES
To keep line lengths down and reduce clutter,
some of the long keys in these examples have been abbreviated
by replacing part of their text with
.RI `` ... ''.
.BR gw1
to
.BR gw2
with an SPI of 
.BR 0x125
and protocol
.BR ESP
(50) using
.BR 3DES
encryption with integral
.BR MD5-96
authentication transform, using an encryption key of
.BI 0x6630 ... 97ce
and an authentication key of
.BI 0x9941 ... 71df
(see note above about abbreviated keys).
.LP
.B "ipsec spi \-\-af inet6 \-\-edst 3049:9::9000:3100 \-\-spi 0x150 \-\-proto ah \e"
.br
.B "   \-\-src 3049:9::9000:3101 \e"
.br
.B "   \-\-ah hmac\-md5\-96 \e"
.br
.BI "\ \ \ \-\-authkey\ 0x1234" "..." "2eda"
.LP
sets up an SA from
.BR 3049:9::9000:3101
to
.BR 3049:9::9000:3100
with an SPI of 
.BR 0x150
and protocol
.BR AH
(50) using
.BR MD5-96
authentication transform, using an authentication key of
.BI 0x1234 ... 2eda
(see note above about abbreviated keys).
.LP
.B "ipsec spi \-\-said tun.987@192.168.100.100 \-\-del"
.LP
deletes an SA to
.BR 192.168.100.100
with an SPI of 
.BR 0x987
and protocol
.BR IPv4-in-IPv4
(4).
.LP
.B "ipsec spi \-\-said tun:500@3049:9::1000:1 \-\-del"
.LP
deletes an SA to
ipsec_version(5) and ipsec_pf_key(5)
.\" and correct FILES sections to no longer refer to /dev/ipsec which has
.\" been removed since PF_KEY does not use it.
.\"
.\" Revision 1.23  2000/06/21 16:54:57  rgb
.\" Added 'no additional args' text for listing contents of
.\" /proc/net/ipsec_* files.
.\"
.\" Revision 1.22  1999/08/11 08:35:16  rgb
.\" Update, deleting references to obsolete and insecure algorithms.
.\"
.\" Revision 1.21  1999/07/19 18:53:55  henry
.\" improve font usage in key abbreviations
.\"
.\" Revision 1.20  1999/07/19 18:50:09  henry
.\" fix slightly-misformed comments
.\" abbreviate long keys to avoid long-line complaints
.\"
.\" Revision 1.19  1999/04/06 04:54:38  rgb
.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
.\" patch shell fixes.