.B ipsec
.B eroute
.PP
.B ipsec
.B eroute
.B \-\-add
.B \-\-eraf (inet | inet6)
.B \-\-src
src/srcmaskbits|srcmask
.B \-\-dst
dst/dstmaskbits|dstmask
[
.B \-\-transport\-proto
transport-protocol
]
[
.B \-\-src\-port
source-port
]
[
.B \-\-dst\-port
dest-port
]
ipsec_eroute(5).
and the subnet
.BR 192.168.2.0
with
.BR 24
bits of subnet mask via Security Gateway
.BR 192.168.0.2
using the Security Association with address
.BR 192.168.0.2 ,
Security Parameters Index
.BR 0x135
and protocol
.BR tun
(50, IPPROTO_ESP).
.LP
.B "ipsec eroute \-\-add \-\-eraf inet6 \-\-src 3049:1::1/128 \e"
.br
.B "   \-\-dst 3049:2::/64 \-\-af inet6 \-\-edst 3049:1::2 \e"
.br
.B "   \-\-spi 0x145 \-\-proto tun"
.LP
sets up an
.BR eroute
on a Security Gateway to protect traffic between the host
.BR 3049:1::1
and the subnet
.BR 3049:2::
with
.BR 64
bits of subnet mask via Security Gateway
.BR 3049:1::2
using the Security Association with address
.BR 3049:1::2 ,
Security Parameters Index
.BR 0x145
and protocol
.BR tun
(50, IPPROTO_ESP).
.LP
.B "ipsec eroute \-\-replace \-\-eraf inet \-\-src company.com/24 \e"
.br
.B "   \-\-dst ftp.ngo.org/32 \-\-said tun.135@gw.ngo.org"
.LP
replaces an
.BR eroute
on a Security Gateway to protect traffic between the subnet
.BR company.com
with
.BR 24
bits of subnet mask and the host
.BR ftp.ngo.org
via Security Gateway
.BR gw.ngo.org
using the Security Association with Security Association ID
.BR tun0x135@gw.ngo.org .
.BR www.ietf.org
to pass in the clear, unprocessed.
.LP
.B "ipsec eroute \-\-add \-\-eraf inet \-\-src company.com/24 \e"
.br
.B "   \-\-dst mail.ngo.org/32 \-\-transport-proto 6 \e"
.br
.B "   \-\-dst\-port 110 \-\-said tun.135@mail.ngo.org"
.LP
sets up an
.BR eroute
on a Security Gateway to protect only TCP traffic to port 110
(POP3) between the subnet
.BR company.com
with
.BR 24
bits of subnet mask and the host
.BR mail.ngo.org
via Security Gateway
.BR mail.ngo.org
using the Security Association with Security Association ID
.BR tun0x135@mail.ngo.org .
Note that any other traffic from that subnet bound for
.BR mail.ngo.org
that is routed via the ipsec device will be dropped, because no
.BR eroute
matches it.  If you wish to allow such traffic to pass through, you must add a
.B %pass
rule.  For example, the following rule, when combined with the above, will
ensure that POP3 sessions with
.BR mail.ngo.org
are encrypted but all other traffic to/from
.BR mail.ngo.org
is passed in clear text.
.LP
.B "ipsec eroute \-\-add \-\-eraf inet \-\-src company.com/24 \e"
.br
.B "   \-\-dst mail.ngo.org/32 \-\-said %pass"
.br
.LP
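The following is an added example, not FreeS/WAN code: a small Python model of how a table of eroutes classifies outbound packets. It parses the option syntax shown in the synopsis (both the \-\-said form and the \-\-af/\-\-edst/\-\-spi/\-\-proto form used by the examples), then applies the behaviour described above: traffic that matches no eroute is dropped, a %pass eroute lets traffic through in the clear, and a more specific eroute (here the TCP port 110 rule) takes precedence over a broader one for the same addresses. The precedence order (longer prefixes first, then presence of protocol and port selectors) and the treatment of \-\-replace as "swap or add" are assumptions made for this model, not a reading of the KLIPS source; the addresses 10.1.0.0/24 and 192.0.2.25 are constructed stand-ins for company.com and mail.ngo.org, since this model accepts only numeric addresses where the real tool also resolves host names.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Eroute:
    """One extended route: a packet selector plus the SAID it points at."""
    src: Net
    dst: Net
    proto: Optional[int]   # --transport-proto; None means any protocol
    sport: Optional[int]   # --src-port;        None means any port
    dport: Optional[int]   # --dst-port;        None means any port
    said: str              # e.g. tun0x135@192.0.2.25, or the special %pass

    def selector(self) -> Tuple:
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def matches(self, src: str, dst: str, proto: Optional[int],
                sport: Optional[int], dport: Optional[int]) -> bool:
        # A None field in the eroute is a wildcard; IPv4 never matches an IPv6 net.
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in (None, proto)
                and self.sport in (None, sport)
                and self.dport in (None, dport))

    def specificity(self) -> Tuple:
        # Assumption of this model: longer prefixes win, and among equal
        # prefixes an eroute with protocol/port selectors beats one without.
        return (self.src.prefixlen + self.dst.prefixlen,
                self.proto is not None, self.dport is not None,
                self.sport is not None)


def parse_eroute(cmdline: str) -> Tuple[str, Eroute]:
    """Parse 'ipsec eroute --add|--replace ...' into (action, Eroute)."""
    argv = shlex.split(cmdline.replace("\\\n", " "))   # join continuation lines
    opts: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        if argv[i].startswith("--"):
            name = argv[i][2:]
            if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                opts[name] = argv[i + 1]
                i += 1
            else:
                opts[name] = ""            # bare flag such as --add / --replace
        i += 1
    action = "replace" if "replace" in opts else "add"
    src = ipaddress.ip_network(opts["src"], strict=False)   # accepts /bits or /mask
    dst = ipaddress.ip_network(opts["dst"], strict=False)
    want = {"inet": 4, "inet6": 6}[opts["eraf"]]
    if src.version != want or dst.version != want:
        raise ValueError("--eraf does not match the src/dst address family")
    if "said" in opts:
        said = opts["said"]
    else:                                  # --proto tun --spi 0x145 --edst X -> tun0x145@X
        said = f"{opts['proto']}{opts['spi']}@{opts['edst']}"

    def port(key: str) -> Optional[int]:
        return int(opts[key]) if key in opts else None

    return action, Eroute(src, dst, port("transport-proto"),
                          port("src-port"), port("dst-port"), said)


def install(table: List[Eroute], cmdline: str) -> List[Eroute]:
    """--add refuses a duplicate selector; --replace swaps the SAID (or adds)."""
    action, new = parse_eroute(cmdline)
    clash = [e for e in table if e.selector() == new.selector()]
    if clash and action == "add":
        raise ValueError("eroute already exists; use --replace")
    for e in clash:
        table.remove(e)
    table.append(new)
    return table


def classify(table: List[Eroute], src: str, dst: str, proto: Optional[int] = None,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Decide what the ipsec device does with one outbound packet."""
    hits = [e for e in table if e.matches(src, dst, proto, sport, dport)]
    if not hits:
        return "drop"                      # no eroute at all: dropped, as the text warns
    best = max(hits, key=Eroute.specificity)
    return "pass" if best.said == "%pass" else "protect " + best.said


# Constructed sample policy: 10.1.0.0/24 stands in for company.com and
# 192.0.2.25 for mail.ngo.org; the IPv6 rule is the page's own example.
RULES = [
    "ipsec eroute --add --eraf inet --src 10.1.0.0/24 --dst 192.0.2.25/32 \\\n"
    "   --transport-proto 6 --dst-port 110 --said tun0x135@192.0.2.25",
    "ipsec eroute --add --eraf inet --src 10.1.0.0/24 --dst 192.0.2.25/32 --said %pass",
    "ipsec eroute --add --eraf inet6 --src 3049:1::1/128 --dst 3049:2::/64 \\\n"
    "   --af inet6 --edst 3049:1::2 --spi 0x145 --proto tun",
]


def build_table(rules: List[str] = RULES) -> List[Eroute]:
    table: List[Eroute] = []
    for r in rules:
        install(table, r)
    return table


if __name__ == "__main__":
    t = build_table()
    print(classify(t, "10.1.0.7", "192.0.2.25", 6, 40000, 110))  # protect tun0x135@192.0.2.25
    print(classify(t, "10.1.0.7", "192.0.2.25", 6, 40000, 443))  # pass
    print(classify(t, "10.1.0.7", "192.0.2.21", 6, 40000, 21))   # drop
```

Deleting the %pass rule again (or never adding it) is what produces the dropped traffic the text warns about; the model makes that visible without touching a kernel.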
.SH FILES
/proc/net/ipsec_eroute, /usr/sbin/ipsec
.SH "SEE ALSO"
ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8),
ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_eroute(5)
.SH HISTORY
Written for the Linux FreeS/WAN project
ipsec_version(5) and ipsec_pf_key(5)