
IPSEC_SPI(8)                                                      IPSEC_SPI(8)



NAME
       ipsec spi - manage IPSEC Security Associations

SYNOPSIS
       Note: In the following,
       <SA> means: --af (inet | inet6) --edst daddr --spi spi --proto proto OR
       --said said,
       <life> means: --life (soft | hard)-(allocations | bytes | addtime |
       usetime | packets)=value[,...]

       ipsec spi

       ipsec spi <SA> --src src --ah hmac-md5-96|hmac-sha1-96
              [ --replay_window replayw ] [ <life> ] --authkey akey

       ipsec spi <SA> --src src --esp 3des [ --replay_window replayw ]
              [ <life> ] --enckey ekey

       ipsec spi <SA> --src src --esp 3des-md5-96|3des-sha1-96
              [ --replay_window replayw ] [ <life> ] --enckey ekey
              --authkey akey

       ipsec spi <SA> --src src --comp deflate

       ipsec spi <SA> --ip4 --src encap-src --dst encap-dst

       ipsec spi <SA> --ip6 --src encap-src --dst encap-dst

       ipsec spi <SA> --del

       ipsec spi --help

       ipsec spi --version

       ipsec spi --clear


DESCRIPTION
       Spi creates and deletes IPSEC Security Associations.  A Security
       Association (SA) is a transform through which packet contents are to
       be processed before being forwarded.  A transform can be an
       IPv4-in-IPv4 or an IPv6-in-IPv6 encapsulation, an IPSEC Authentication
       Header (authentication with no encryption), or an IPSEC Encapsulation
       Security Payload (encryption, possibly including authentication).

       When a packet is passed from a higher networking layer through an
       IPSEC virtual interface, a search in the extended routing table (see
       ipsec_eroute(8)) yields an effective destination address, a Security
       Parameters Index (SPI) and an IP protocol number.  When an IPSEC
       packet arrives from the network, its ostensible destination, an SPI
       and an IP protocol specified by its outermost IPSEC header are used.
       The destination/SPI/protocol combination is used to select a relevant
       SA.  (See ipsec_spigrp(8) for discussion of how multiple transforms
       are combined.)

       The af, daddr, spi and proto arguments specify the SA to be created or
       deleted.  af is the address family (inet for IPv4, inet6 for IPv6).
       Daddr is a destination address in dotted-decimal notation for IPv4 or
       in a coloned hex notation for IPv6.  Spi is a number, preceded by '0x'
       for hexadecimal, between 0x100 and 0xffffffff; values from 0x0 to 0xff
       are reserved.  Proto is an ASCII string, "ah", "esp", "comp" or "tun",
       specifying the IP protocol.  The protocol must agree with the
       algorithm selected.

       Alternatively, the said argument can also specify an SA to be created
       or deleted.  Said combines the three parameters above, such as:
       "tun.101@1.2.3.4" or "tun:101@1:2::3:4", where the address family is
       specified by "." for IPv4 and ":" for IPv6.  The address family
       indicator takes the place of the "0x" prefix; the SPI in a said is
       always hexadecimal.
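       The conversion between the two <SA> forms described above, as an
       added example that is not part of this man page or of the FreeS/WAN
       ipsec tool.  It assumes a POSIX shell; the function names
       said_to_args and args_to_said are the example's own, and the checks
       it applies (protocol in ah/esp/comp/tun, hexadecimal SPI between
       0x100 and 0xffffffff, family marker "." or ":") are the constraints
       stated in this section.  The SAIDs quoted above serve as sample
       input.

```shell
#!/bin/sh
# Added example, not part of the FreeS/WAN man page or the ipsec tool:
# convert between the monolithic --said form ("proto.spi@addr" for IPv4,
# "proto:spi@addr" for IPv6) and the explicit --af/--edst/--spi/--proto
# form, checking the constraints the man page states.

# said_to_args SAID -> prints "--af AF --edst ADDR --spi 0xSPI --proto PROTO"
# or fails with a message on stderr.
said_to_args() {
    said=$1
    proto=${said%%[.:]*}            # everything before the first '.' or ':'
    rest=${said#"$proto"}           # family marker, then spi@addr
    case $rest in
        .*) af=inet ;;
        :*) af=inet6 ;;
        *)  echo "said_to_args: no address family marker in '$said'" >&2
            return 1 ;;
    esac
    rest=${rest#?}                  # drop the marker itself
    spi=${rest%%@*}
    addr=${rest#*@}
    [ "$spi" != "$rest" ] && [ -n "$addr" ] || {
        echo "said_to_args: missing '@address' in '$said'" >&2; return 1; }
    case $proto in
        ah|esp|comp|tun) ;;
        *) echo "said_to_args: unknown protocol '$proto'" >&2; return 1 ;;
    esac
    # The SPI in a SAID is always hexadecimal (the marker replaces "0x").
    case $spi in
        ''|*[!0-9a-fA-F]*)
            echo "said_to_args: SPI '$spi' is not hexadecimal" >&2; return 1 ;;
    esac
    # At most 8 hex digits fit in 0xffffffff; 0x0..0xff are reserved.
    if [ ${#spi} -gt 8 ] || [ $((0x$spi)) -lt 256 ]; then
        echo "said_to_args: SPI 0x$spi outside 0x100..0xffffffff" >&2
        return 1
    fi
    printf '%s\n' "--af $af --edst $addr --spi 0x$spi --proto $proto"
}

# args_to_said AF DADDR SPI PROTO -> prints the monolithic form; SPI may be
# given with or without its "0x" prefix.
args_to_said() {
    af=$1 addr=$2 spi=$3 proto=$4
    spi=${spi#0x}
    case $af in
        inet)  printf '%s\n' "$proto.$spi@$addr" ;;
        inet6) printf '%s\n' "$proto:$spi@$addr" ;;
        *) echo "args_to_said: bad address family '$af'" >&2; return 1 ;;
    esac
}

# Sample input: the two SAIDs quoted in the DESCRIPTION.
said_to_args tun.101@1.2.3.4
said_to_args tun:101@1:2::3:4
args_to_said inet6 1:2::3:4 0x101 tun
```

       Because the SPI range and protocol list are checked before anything
       is printed, a malformed or reserved SAID is rejected before it could
       be passed on to ipsec spi.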

       The source address, src, must also be provided for the inbound policy
       check to function.  The source address does not need to be included if
       inbound policy checking has been disabled.

       Key vectors must be entered as hexadecimal or base64 numbers.  They
       should be cryptographically strong random numbers.

       All hexadecimal numbers are entered as strings of hexadecimal digits
       (0-9 and a-f), without spaces, preceded by '0x', where each
       hexadecimal digit represents 4 bits.  All base64 numbers are entered
       as strings of base64 digits (0-9, A-Z, a-z, '+' and '/'), without
       spaces, preceded by '0s', where each base64 digit represents 6 bits
       and '=' is used for padding.
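       Generating keys in the two formats just described, and checking that
       a key has the length the OPTIONS section lists for its transform
       (128-bit HMAC-MD5 akey, 160-bit HMAC-SHA1 akey, 192-bit 3DES ekey),
       as an added example that is not part of this man page or of the
       FreeS/WAN ipsec tool.  It assumes a POSIX shell with /dev/urandom,
       od, base64 and head -c available; the function names gen_key,
       key_bits, required_bits and check_key are the example's own.

```shell
#!/bin/sh
# Added example, not part of the FreeS/WAN man page or the ipsec tool:
# produce keys of the sizes the OPTIONS section gives for each transform
# from the kernel random source, format them with the '0x' (hex) or '0s'
# (base64) prefix the man page requires, and verify the length of a key
# string before it is placed on the ipsec spi command line.

# gen_key BITS hex|base64 -> prints a key of BITS random bits.
gen_key() {
    bytes=$(( $1 / 8 ))
    case $2 in
        hex)    printf '0x%s\n' "$(head -c "$bytes" /dev/urandom | od -An -v -tx1 | tr -d ' \n')" ;;
        base64) printf '0s%s\n' "$(head -c "$bytes" /dev/urandom | base64 | tr -d '\n')" ;;
        *)      echo "gen_key: format must be hex or base64" >&2; return 1 ;;
    esac
}

# key_bits KEY -> prints the number of key bits in a '0x...' or '0s...'
# string; fails if the prefix or the digits are wrong.
key_bits() {
    key=$1
    case $key in
        0x*) hex=${key#0x}
             case $hex in
                 ''|*[!0-9a-fA-F]*) echo "key_bits: bad hex key" >&2; return 1 ;;
             esac
             echo $(( ${#hex} * 4 )) ;;              # 4 bits per hex digit
        0s*) b64=${key#0s}
             case $b64 in
                 ''|*[!0-9A-Za-z+/=]*) echo "key_bits: bad base64 key" >&2; return 1 ;;
             esac
             # Decode and count bytes so that '=' padding is accounted for.
             bytes=$(printf '%s' "$b64" | base64 -d | wc -c | tr -d ' ')
             echo $(( bytes * 8 )) ;;
        *)   echo "key_bits: key must start with 0x or 0s" >&2; return 1 ;;
    esac
}

# required_bits TRANSFORM enckey|authkey -> prints the key size the OPTIONS
# section gives for that transform and key, or fails for an invalid pair.
required_bits() {
    case "$1 $2" in
        "hmac-md5-96 authkey"|"3des-md5-96 authkey")              echo 128 ;;
        "hmac-sha1-96 authkey"|"3des-sha1-96 authkey")            echo 160 ;;
        "3des enckey"|"3des-md5-96 enckey"|"3des-sha1-96 enckey") echo 192 ;;
        *) echo "required_bits: transform '$1' takes no $2" >&2; return 1 ;;
    esac
}

# check_key TRANSFORM enckey|authkey KEY -> succeeds only when KEY carries
# exactly the number of bits the transform needs.
check_key() {
    need=$(required_bits "$1" "$2") || return 1
    have=$(key_bits "$3") || return 1
    [ "$have" -eq "$need" ] || {
        echo "check_key: $1 $2 needs $need bits, got $have" >&2; return 1; }
}

# Generate a key pair for 3des-md5-96 and verify both lengths.
ekey=$(gen_key 192 hex)
akey=$(gen_key 128 base64)
check_key 3des-md5-96 enckey "$ekey" && check_key 3des-md5-96 authkey "$akey" &&
    echo "--enckey $ekey --authkey $akey"
```

       A key of the wrong length is rejected by check_key before it reaches
       the command line, which catches the abbreviated keys shown in the
       EXAMPLES section as well as copy-and-paste truncation.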

       The deletion of an SA which has been grouped will result in the entire
       chain being deleted.

       The form with no additional arguments lists the contents of
       /proc/net/ipsec_spi.  The format of /proc/net/ipsec_spi is discussed
       in ipsec_spi(5).

       The lifetime severity of soft sets a limit when the key management
       daemons are asked to rekey the SA.  The lifetime severity of hard sets
       a limit when the SA must expire.  The lifetime type allocations tells
       the system when to expire the SA because it is being shared by too
       many eroutes (not currently used).  The lifetime type of bytes tells
       the system to expire the SA after a certain number of bytes have been
       processed with that SA.  The lifetime type of addtime tells the system
       to expire the SA a certain number of seconds after the SA was
       installed.  The lifetime type of usetime tells the system to expire
       the SA a certain number of seconds after that SA has processed its
       first packet.  The lifetime type of packets tells the system to expire
       the SA after a certain number of packets have been processed with that
       SA.
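       A validator for the <life> argument defined in the SYNOPSIS and
       described above, as an added example that is not part of this man
       page or of the FreeS/WAN ipsec tool.  It assumes a POSIX shell; the
       function name check_life is the example's own, and the final
       consistency rule (a soft limit must not exceed the hard limit of the
       same type) is an assumption of the example drawn from the soft/hard
       semantics stated above, not a rule this man page lays down.

```shell
#!/bin/sh
# Added example, not part of the FreeS/WAN man page or the ipsec tool:
# validate a <life> argument of the form
#   (soft|hard)-(allocations|bytes|addtime|usetime|packets)=value[,...]
# as the man page defines it, and additionally check (an assumption of this
# example) that no soft limit exceeds the hard limit of the same type, since
# the soft limit is what asks the key management daemons to rekey before
# the hard expiry.

# check_life SPEC -> prints each accepted specification as "severity type
# value" on its own line, or fails with a message on stderr.
check_life() {
    spec=$1
    soft_allocations= soft_bytes= soft_addtime= soft_usetime= soft_packets=
    hard_allocations= hard_bytes= hard_addtime= hard_usetime= hard_packets=
    out=
    oldifs=$IFS; IFS=,
    set -- $spec                     # split on commas; spaces are not allowed
    IFS=$oldifs
    [ $# -gt 0 ] || { echo "check_life: empty lifetime" >&2; return 1; }
    for item; do
        sev=${item%%-*}              # text before the first '-'
        rest=${item#*-}
        type=${rest%%=*}             # text between '-' and '='
        val=${rest#*=}
        case $sev in
            soft|hard) ;;
            *) echo "check_life: severity must be soft or hard in '$item'" >&2
               return 1 ;;
        esac
        case $type in
            allocations|bytes|addtime|usetime|packets) ;;
            *) echo "check_life: unknown lifetime type in '$item'" >&2
               return 1 ;;
        esac
        case $val in
            ''|*[!0-9]*) echo "check_life: value must be decimal in '$item'" >&2
                         return 1 ;;
        esac
        # sev and type were validated above, so this eval only ever assigns
        # one of the ten variables initialised at the top of the function.
        eval "${sev}_${type}=\$val"
        out="${out}${sev} ${type} ${val}
"
    done
    # Example's own sanity rule: soft must not exceed hard for the same type.
    for type in allocations bytes addtime usetime packets; do
        eval "s=\$soft_$type h=\$hard_$type"
        if [ -n "$s" ] && [ -n "$h" ] && [ "$s" -gt "$h" ]; then
            echo "check_life: soft-$type=$s exceeds hard-$type=$h" >&2
            return 1
        fi
    done
    printf '%s' "$out"
}

# Constructed sample: rekey after 1 MB or 50 minutes, expire after 2 MB or
# one hour.
check_life soft-bytes=1000000,hard-bytes=2000000,soft-addtime=3000,hard-addtime=3600
```

       Running the validator before ipsec spi is invoked turns a silently
       misparsed lifetime string into an explicit error, and the soft/hard
       comparison catches the case where rekeying would only be requested
       after the SA has already expired.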

OPTIONS
       --af      specifies the address family (inet for IPv4, inet6 for IPv6)

       --edst    specifies the effective destination daddr of the Security
                 Association

       --spi     specifies the Security Parameters Index spi of the Security
                 Association

       --proto   specifies the IP protocol proto of the Security Association

       --said    specifies the Security Association in monolithic format

       --ah      add an SA for an IPSEC Authentication Header, specified by
                 the following transform identifier (hmac-md5-96 or
                 hmac-sha1-96) (RFC2402, obsoletes RFC1826)

       hmac-md5-96
                 transform following the HMAC and MD5 standards, using a
                 128-bit key to produce a 96-bit authenticator (RFC2403)

       hmac-sha1-96
                 transform following the HMAC and SHA1 standards, using a
                 160-bit key to produce a 96-bit authenticator (RFC2404)

       --esp     add an SA for an IPSEC Encapsulation Security Payload,
                 specified by the following transform identifier (3des, or
                 3des-md5-96) (RFC2406, obsoletes RFC1827)

       3des      encryption transform following the Triple-DES standard in
                 Cipher-Block-Chaining mode using a 64-bit iv (internally
                 generated) and a 192-bit 3DES ekey (RFC2451)

       3des-md5-96
                 encryption transform following the Triple-DES standard in
                 Cipher-Block-Chaining mode with authentication provided by
                 HMAC and MD5 (96-bit authenticator), using a 64-bit iv
                 (internally generated), a 192-bit 3DES ekey and a 128-bit
                 HMAC-MD5 akey (RFC2451, RFC2403)

       3des-sha1-96
                 encryption transform following the Triple-DES standard in
                 Cipher-Block-Chaining mode with authentication provided by
                 HMAC and SHA1 (96-bit authenticator), using a 64-bit iv
                 (internally generated), a 192-bit 3DES ekey and a 160-bit
                 HMAC-SHA1 akey (RFC2451, RFC2404)

       --replay_window replayw
                 sets the replay window size; valid values are decimal, 1 to
                 64

       --life life_param[,life_param]
                 sets the lifetime expiry; the format of life_param consists
                 of a comma-separated list of lifetime specifications without
                 spaces; a lifetime specification is comprised of a severity
                 of soft or hard followed by a '-', followed by a lifetime
                 type of allocations, bytes, addtime, usetime or packets
                 followed by an '=' and finally by a value

       --comp    add an SA for IPSEC IP Compression, specified by the
                 following transform identifier (deflate) (RFC2393)

       deflate   compression transform following the patent-free Deflate
                 compression algorithm (RFC2394)

       --ip4     add an SA for an IPv4-in-IPv4 tunnel from encap-src to
                 encap-dst

       --ip6     add an SA for an IPv6-in-IPv6 tunnel from encap-src to
                 encap-dst

       --src     specify the source end of an IP-in-IP tunnel from encap-src
                 to encap-dst and also specifies the source address of the
                 Security Association to be used in inbound policy checking
                 and must be the same address family as af and edst

       --dst     specify the destination end of an IP-in-IP tunnel from
                 encap-src to encap-dst

       --del     delete the specified SA

       --clear   clears the table of SAs

       --help    display synopsis

       --version display version information

EXAMPLES
       To keep line lengths down and reduce clutter, some of the long keys in
       these examples have been abbreviated by replacing part of their text
       with ``...''.  Keys used when the programs are actually run must, of
       course, be the full length required for the particular algorithm.

       ipsec spi --af inet --edst gw2 --spi 0x125 --proto esp \
          --src gw1 \
          --esp 3des-md5-96 \
          --enckey 0x6630...97ce \
          --authkey 0x9941...71df

       sets up an SA from gw1 to gw2 with an SPI of 0x125 and protocol ESP
       (50) using 3DES encryption with integral MD5-96 authentication
       transform, using an encryption key of 0x6630...97ce and an
       authentication key of 0x9941...71df (see note above about abbreviated
       keys).

       ipsec spi --af inet6 --edst 3049:9::9000:3100 --spi 0x150 --proto ah \
          --src 3049:9::9000:3101 \
          --ah hmac-md5-96 \
          --authkey 0x1234...2eda

       sets up an SA from 3049:9::9000:3101 to 3049:9::9000:3100 with an SPI
       of 0x150 and protocol AH (50) using MD5-96 authentication transform,
       using an authentication key of 0x1234...2eda (see note above about
       abbreviated keys).

       ipsec spi --said tun.987@192.168.100.100 --del

       deletes an SA to 192.168.100.100 with an SPI of 0x987 and protocol
       IPv4-in-IPv4 (4).

       ipsec spi --said tun:500@3049:9::1000:1 --del

       deletes an SA to 3049:9::1000:1 with an SPI of 0x500 and protocol
       IPv6-in-IPv6 (4).


FILES
       /proc/net/ipsec_spi, /usr/local/bin/ipsec

SEE ALSO
       ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8),
       ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_spi(5)

HISTORY
       Written  for  the Linux FreeS/WAN project <http://www.freeswan.org/> by
       Richard Guy Briggs.

BUGS
       The syntax is messy and the transform naming needs work.



                                  23 Oct 2001                     IPSEC_SPI(8)
