Manual for spigrp - man 8 spigrp

IPSEC_SPIGRP(8)                                                IPSEC_SPIGRP(8)



NAME
       ipsec spigrp - group/ungroup IPSEC Security Associations

SYNOPSIS
       ipsec spigrp

       ipsec spigrp [ --label label ] af1 dst1 spi1 proto1 [ af2 dst2 spi2
       proto2 [ af3 dst3 spi3 proto3 [ af4 dst4 spi4 proto4 ] ] ]

       ipsec spigrp [ --label label ] --said SA1 [ SA2 [ SA3 [ SA4 ] ] ]

       ipsec spigrp --help

       ipsec spigrp --version


DESCRIPTION
       Spigrp groups IPSEC Security Associations (SAs) together or ungroups
       previously grouped SAs.  An entry in the IPSEC extended routing table
       can only point (via a destination address, a Security Parameters Index
       (SPI) and a protocol identifier) to one SA.  If more than one transform
       must be applied to a given type of packet, this can be accomplished by
       setting up several SAs with the same destination address but
       potentially different SPIs and protocols, and grouping them with
       spigrp.

       The SAs to be grouped, specified by destination address (DNS name
       lookup, IPv4 dotted quad or IPv6 coloned hex), SPI ('0x'-prefixed
       hexadecimal number) and protocol ("ah", "esp", "comp" or "tun"), are
       listed from the inside transform to the outside; in other words, the
       transforms are applied in the order of the command line and removed in
       the reverse order.  The resulting SA group is referred to by its first
       SA (by af1, dst1, spi1 and proto1).

       The --said option indicates that the SA IDs are to be specified as one
       argument each, in the format <proto><af><spi>@<dest>.  The SA IDs must
       all be specified as separate parameters without the --said option or
       all as monolithic parameters after the --said option.

       The SAs must already exist and must not already be part of a group.

       If spigrp is invoked with only one SA specification, it ungroups the
       previously-grouped set of SAs containing the SA specified.

       The --label option identifies all responses from that command
       invocation with a user-supplied label, provided as an argument to the
       label option.  This can be helpful for debugging one invocation of the
       command out of a large number.

       The command form with no additional arguments lists the contents of
       /proc/net/ipsec_spigrp.  The format of /proc/net/ipsec_spigrp is
       discussed in ipsec_spigrp(5).

EXAMPLES
       ipsec spigrp inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah
              groups  3  SAs  together,  all  destined  for  gw2,  but with an
              IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
              header  to  encrypt the packet with SPI 0x115, and finally an AH
              header to authenticate the packet with SPI 0x116.


       ipsec spigrp --said tun.113@gw2 esp.115@gw2 ah.116@gw2
              groups 3 SAs  together,  all  destined  for  gw2,  but  with  an
              IPv4-in-IPv4 tunnel SA applied first with SPI 0x113, then an ESP
              header to encrypt the packet with SPI 0x115, and finally  an  AH
              header to authenticate the packet with SPI 0x116.


       ipsec spigrp --said tun:233@3049:1::1 esp:235@3049:1::1 ah:236@3049:1::1
              groups  3  SAs together, all destined for 3049:1::1, but with an
              IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
              header  to  encrypt the packet with SPI 0x235, and finally an AH
              header to authenticate the packet with SPI 0x236.


       ipsec spigrp inet6 3049:1::1 0x233 tun inet6 3049:1::1 0x235 esp inet6
       3049:1::1 0x236 ah
              groups 3 SAs together, all destined for 3049:1::1, but  with  an
              IPv6-in-IPv6 tunnel SA applied first with SPI 0x233, then an ESP
              header to encrypt the packet with SPI 0x235, and finally  an  AH
              header to authenticate the packet with SPI 0x236.
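
       Added example (not part of the original manual or of FreeS/WAN): a
       shell helper that validates --said SA IDs and rewrites them in the
       separated af/dst/spi/proto form, enforcing the protocol names and the
       four-SA limit stated on this page.  The function names are
       hypothetical, and the '.' = inet, ':' = inet6 separator mapping is
       read off the examples above.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of FreeS/WAN.
# Assumption taken from the EXAMPLES section: in <proto><af><spi>@<dest>,
# '.' as <af> means inet and ':' means inet6; <spi> is hex without "0x".

# said_to_fields SAID -> prints "af dst spi proto"; returns 1 if malformed
said_to_fields() {
    said=$1
    case $said in
        *@*) ;;
        *) return 1 ;;
    esac
    head=${said%%@*}    # <proto><af><spi>, cut at the first '@'
    dest=${said#*@}     # destination; may itself contain ':' (IPv6)
    [ -n "$dest" ] || return 1
    case $head in
        *.*) af=inet;  proto=${head%%.*}; spi=${head#*.} ;;
        *:*) af=inet6; proto=${head%%:*}; spi=${head#*:} ;;
        *) return 1 ;;
    esac
    case $proto in      # only the protocols the manual lists
        ah|esp|comp|tun) ;;
        *) return 1 ;;
    esac
    case $spi in        # non-empty, hexadecimal digits only
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    printf '%s %s 0x%s %s\n' "$af" "$dest" "$spi" "$proto"
}

# spigrp_args SAID... -> separated argument list, inside transform first.
# One SAID is valid (that form ungroups); more than four is rejected.
spigrp_args() {
    [ "$#" -ge 1 ] && [ "$#" -le 4 ] || return 1
    out=
    for s in "$@"; do
        f=$(said_to_fields "$s") || return 1
        out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

# SA IDs from the second example on this page
spigrp_args tun.113@gw2 esp.115@gw2 ah.116@gw2
# prints: inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah
```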


FILES
       /proc/net/ipsec_spigrp, /usr/local/bin/ipsec

SEE ALSO
       ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8),
       ipsec_spi(8), ipsec_klipsdebug(8), ipsec_spigrp(5)

HISTORY
       Written for the Linux FreeS/WAN project  <http://www.freeswan.org/>  by
       Richard Guy Briggs.

BUGS
       Yes, it really is limited to a maximum of four SAs, although admittedly
       it's hard to see why you would need more.



                                  21 Jun 2000                  IPSEC_SPIGRP(8)
