Commit | Line | Data |
---|---|---|
2a9721f1 SH |
1 | .TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux" |
2 | .SH "NAME" | |
aab2702d | 3 | ip-xfrm \- transform configuration |
2a9721f1 SH |
4 | .SH "SYNOPSIS" |
5 | .sp | |
6 | .ad l | |
7 | .in +8 | |
8 | .ti -8 | |
9 | .B ip | |
10 | .RI "[ " OPTIONS " ]" | |
11 | .B xfrm | |
12 | .RI " { " COMMAND " | " | |
13 | .BR help " }" | |
14 | .sp | |
15 | ||
16 | .ti -8 | |
17 | .B "ip xfrm" | |
18 | .IR XFRM-OBJECT " { " COMMAND " | " | |
19 | .BR help " }" | |
20 | .sp | |
21 | ||
22 | .ti -8 | |
23 | .IR XFRM-OBJECT " :=" | |
24 | .BR state " | " policy " | " monitor | |
25 | .sp | |
26 | ||
27 | .ti -8 | |
28 | .BR "ip xfrm state" " { " add " | " update " } " | |
29 | .IR ID " [ " ALGO-LIST " ]" | |
30 | .RB "[ " mode | |
31 | .IR MODE " ]" | |
32 | .RB "[ " mark | |
33 | .I MARK | |
34 | .RB "[ " mask | |
35 | .IR MASK " ] ]" | |
36 | .RB "[ " reqid | |
37 | .IR REQID " ]" | |
38 | .RB "[ " seq | |
39 | .IR SEQ " ]" | |
40 | .RB "[ " replay-window | |
41 | .IR SIZE " ]" | |
42 | .RB "[ " replay-seq | |
43 | .IR SEQ " ]" | |
44 | .RB "[ " replay-oseq | |
45 | .IR SEQ " ]" | |
eeb669a7 ND |
46 | .RB "[ " replay-seq-hi |
47 | .IR SEQ " ]" | |
48 | .RB "[ " replay-oseq-hi | |
49 | .IR SEQ " ]" | |
2a9721f1 SH |
50 | .RB "[ " flag |
51 | .IR FLAG-LIST " ]" | |
52 | .RB "[ " sel | |
53 | .IR SELECTOR " ] [ " LIMIT-LIST " ]" | |
54 | .RB "[ " encap | |
55 | .IR ENCAP " ]" | |
56 | .RB "[ " coa | |
57 | .IR ADDR "[/" PLEN "] ]" | |
58 | .RB "[ " ctx | |
59 | .IR CTX " ]" | |
60 | ||
61 | .ti -8 | |
62 | .B "ip xfrm state allocspi" | |
63 | .I ID | |
64 | .RB "[ " mode | |
65 | .IR MODE " ]" | |
66 | .RB "[ " mark | |
67 | .I MARK | |
68 | .RB "[ " mask | |
69 | .IR MASK " ] ]" | |
70 | .RB "[ " reqid | |
71 | .IR REQID " ]" | |
72 | .RB "[ " seq | |
73 | .IR SEQ " ]" | |
74 | .RB "[ " min | |
75 | .I SPI | |
76 | .B max | |
77 | .IR SPI " ]" | |
78 | ||
79 | .ti -8 | |
80 | .BR "ip xfrm state" " { " delete " | " get " } " | |
81 | .I ID | |
82 | .RB "[ " mark | |
83 | .I MARK | |
84 | .RB "[ " mask | |
85 | .IR MASK " ] ]" | |
86 | ||
87 | .ti -8 | |
88 | .BR "ip xfrm state" " { " deleteall " | " list " } [" | |
89 | .IR ID " ]" | |
90 | .RB "[ " mode | |
91 | .IR MODE " ]" | |
92 | .RB "[ " reqid | |
93 | .IR REQID " ]" | |
94 | .RB "[ " flag | |
95 | .IR FLAG-LIST " ]" | |
96 | ||
97 | .ti -8 | |
98 | .BR "ip xfrm state flush" " [ " proto | |
99 | .IR XFRM-PROTO " ]" | |
100 | ||
101 | .ti -8 | |
102 | .BR "ip xfrm state count" | |
103 | ||
104 | .ti -8 | |
105 | .IR ID " :=" | |
106 | .RB "[ " src | |
107 | .IR ADDR " ]" | |
108 | .RB "[ " dst | |
109 | .IR ADDR " ]" | |
110 | .RB "[ " proto | |
111 | .IR XFRM-PROTO " ]" | |
112 | .RB "[ " spi | |
113 | .IR SPI " ]" | |
114 | ||
115 | .ti -8 | |
116 | .IR XFRM-PROTO " :=" | |
117 | .BR esp " | " ah " | " comp " | " route2 " | " hao | |
118 | ||
119 | .ti -8 | |
120 | .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO | |
121 | ||
122 | .ti -8 | |
123 | .IR ALGO " :=" | |
f3b9aa3d | 124 | .RB "{ " enc " | " auth " } " |
29665f92 | 125 | .IR ALGO-NAME " " ALGO-KEYMAT " |" |
2a9721f1 | 126 | .br |
2a9721f1 | 127 | .B auth-trunc |
29665f92 | 128 | .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |" |
f3b9aa3d DW |
129 | .br |
130 | .B aead | |
29665f92 | 131 | .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |" |
f3b9aa3d DW |
132 | .br |
133 | .B comp | |
134 | .IR ALGO-NAME | |
2a9721f1 SH |
135 | |
136 | .ti -8 | |
137 | .IR MODE " := " | |
29665f92 | 138 | .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger |
2a9721f1 SH |
139 | |
140 | .ti -8 | |
141 | .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG | |
142 | ||
143 | .ti -8 | |
144 | .IR FLAG " :=" | |
eeb669a7 ND |
145 | .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " |
146 | .BR af-unspec " | " align4 " | " esn | |
2a9721f1 SH |
147 | |
148 | .ti -8 | |
149 | .IR SELECTOR " :=" | |
150 | .RB "[ " src | |
151 | .IR ADDR "[/" PLEN "] ]" | |
152 | .RB "[ " dst | |
153 | .IR ADDR "[/" PLEN "] ]" | |
154 | .RB "[ " dev | |
155 | .IR DEV " ]" | |
156 | .br | |
157 | .RI "[ " UPSPEC " ]" | |
158 | ||
159 | .ti -8 | |
160 | .IR UPSPEC " := " | |
161 | .BR proto " {" | |
162 | .IR PROTO " |" | |
163 | .br | |
164 | .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport | |
165 | .IR PORT " ]" | |
166 | .RB "[ " dport | |
167 | .IR PORT " ] |" | |
168 | .br | |
169 | .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type | |
170 | .IR NUMBER " ]" | |
171 | .RB "[ " code | |
172 | .IR NUMBER " ] |" | |
173 | .br | |
174 | .BR gre " [ " key | |
175 | .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }" | |
176 | ||
177 | .ti -8 | |
178 | .IR LIMIT-LIST " := [ " LIMIT-LIST " ]" | |
179 | .B limit | |
180 | .I LIMIT | |
181 | ||
182 | .ti -8 | |
183 | .IR LIMIT " :=" | |
184 | .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }" | |
185 | .IR "SECONDS" " |" | |
186 | .br | |
187 | .RB "{ " byte-soft " | " byte-hard " }" | |
188 | .IR SIZE " |" | |
189 | .br | |
190 | .RB "{ " packet-soft " | " packet-hard " }" | |
191 | .I COUNT | |
192 | ||
193 | .ti -8 | |
194 | .IR ENCAP " :=" | |
195 | .RB "{ " espinudp " | " espinudp-nonike " }" | |
196 | .IR SPORT " " DPORT " " OADDR | |
197 | ||
198 | .ti -8 | |
199 | .BR "ip xfrm policy" " { " add " | " update " }" | |
200 | .I SELECTOR | |
201 | .B dir | |
202 | .I DIR | |
203 | .RB "[ " ctx | |
204 | .IR CTX " ]" | |
205 | .RB "[ " mark | |
206 | .I MARK | |
207 | .RB "[ " mask | |
208 | .IR MASK " ] ]" | |
209 | .RB "[ " index | |
210 | .IR INDEX " ]" | |
211 | .RB "[ " ptype | |
212 | .IR PTYPE " ]" | |
213 | .RB "[ " action | |
214 | .IR ACTION " ]" | |
215 | .RB "[ " priority | |
216 | .IR PRIORITY " ]" | |
217 | .RB "[ " flag | |
218 | .IR FLAG-LIST " ]" | |
219 | .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]" | |
220 | ||
221 | .ti -8 | |
222 | .BR "ip xfrm policy" " { " delete " | " get " }" | |
223 | .RI "{ " SELECTOR " | " | |
224 | .B index | |
225 | .IR INDEX " }" | |
226 | .B dir | |
227 | .I DIR | |
228 | .RB "[ " ctx | |
229 | .IR CTX " ]" | |
230 | .RB "[ " mark | |
231 | .I MARK | |
232 | .RB "[ " mask | |
233 | .IR MASK " ] ]" | |
234 | .RB "[ " ptype | |
235 | .IR PTYPE " ]" | |
236 | ||
237 | .ti -8 | |
238 | .BR "ip xfrm policy" " { " deleteall " | " list " }" | |
239 | .RI "[ " SELECTOR " ]" | |
240 | .RB "[ " dir | |
241 | .IR DIR " ]" | |
242 | .RB "[ " index | |
243 | .IR INDEX " ]" | |
244 | .RB "[ " ptype | |
245 | .IR PTYPE " ]" | |
246 | .RB "[ " action | |
247 | .IR ACTION " ]" | |
248 | .RB "[ " priority | |
249 | .IR PRIORITY " ]" | |
250 | ||
251 | .ti -8 | |
252 | .B "ip xfrm policy flush" | |
253 | .RB "[ " ptype | |
254 | .IR PTYPE " ]" | |
255 | ||
256 | .ti -8 | |
257 | .B "ip xfrm policy count" | |
258 | ||
259 | .ti -8 | |
260 | .IR SELECTOR " :=" | |
261 | .RB "[ " src | |
262 | .IR ADDR "[/" PLEN "] ]" | |
263 | .RB "[ " dst | |
264 | .IR ADDR "[/" PLEN "] ]" | |
265 | .RB "[ " dev | |
266 | .IR DEV " ]" | |
267 | .RI "[ " UPSPEC " ]" | |
268 | ||
269 | .ti -8 | |
270 | .IR UPSPEC " := " | |
271 | .BR proto " {" | |
272 | .IR PROTO " |" | |
273 | .br | |
274 | .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport | |
275 | .IR PORT " ]" | |
276 | .RB "[ " dport | |
277 | .IR PORT " ] |" | |
278 | .br | |
279 | .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type | |
280 | .IR NUMBER " ]" | |
281 | .RB "[ " code | |
282 | .IR NUMBER " ] |" | |
283 | .br | |
284 | .BR gre " [ " key | |
285 | .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }" | |
286 | ||
287 | .ti -8 | |
288 | .IR DIR " := " | |
289 | .BR in " | " out " | " fwd | |
290 | ||
291 | .ti -8 | |
292 | .IR PTYPE " := " | |
293 | .BR main " | " sub | |
294 | ||
295 | .ti -8 | |
296 | .IR ACTION " := " | |
297 | .BR allow " | " block | |
298 | ||
299 | .ti -8 | |
300 | .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG | |
301 | ||
302 | .ti -8 | |
303 | .IR FLAG " :=" | |
304 | .BR localok " | " icmp | |
305 | ||
306 | .ti -8 | |
307 | .IR LIMIT-LIST " := [ " LIMIT-LIST " ]" | |
308 | .B limit | |
309 | .I LIMIT | |
310 | ||
311 | .ti -8 | |
312 | .IR LIMIT " :=" | |
313 | .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }" | |
314 | .IR "SECONDS" " |" | |
315 | .br | |
316 | .RB "{ " byte-soft " | " byte-hard " }" | |
317 | .IR SIZE " |" | |
318 | .br | |
319 | .RB "{ " packet-soft " | " packet-hard " }" | |
320 | .I COUNT | |
321 | ||
322 | .ti -8 | |
323 | .IR TMPL-LIST " := [ " TMPL-LIST " ]" | |
324 | .B tmpl | |
325 | .I TMPL | |
326 | ||
327 | .ti -8 | |
328 | .IR TMPL " := " ID | |
329 | .RB "[ " mode | |
330 | .IR MODE " ]" | |
331 | .RB "[ " reqid | |
332 | .IR REQID " ]" | |
333 | .RB "[ " level | |
334 | .IR LEVEL " ]" | |
335 | ||
336 | .ti -8 | |
337 | .IR ID " :=" | |
338 | .RB "[ " src | |
339 | .IR ADDR " ]" | |
340 | .RB "[ " dst | |
341 | .IR ADDR " ]" | |
342 | .RB "[ " proto | |
343 | .IR XFRM-PROTO " ]" | |
344 | .RB "[ " spi | |
345 | .IR SPI " ]" | |
346 | ||
347 | .ti -8 | |
348 | .IR XFRM-PROTO " :=" | |
349 | .BR esp " | " ah " | " comp " | " route2 " | " hao | |
350 | ||
351 | .ti -8 | |
352 | .IR MODE " := " | |
29665f92 | 353 | .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger |
2a9721f1 SH |
354 | |
355 | .ti -8 | |
356 | .IR LEVEL " :=" | |
357 | .BR required " | " use | |
358 | ||
359 | .ti -8 | |
360 | .BR "ip xfrm monitor" " [ " all " |" | |
361 | .IR LISTofXFRM-OBJECTS " ]" | |
362 | ||
363 | .in -8 | |
364 | .ad b | |
365 | ||
366 | .SH DESCRIPTION | |
367 | ||
368 | xfrm is an IP framework for transforming packets (such as encrypting | |
369 | their payloads). This framework is used to implement the IPsec protocol | |
370 | suite (with the | |
371 | .B state | |
372 | object operating on the Security Association Database, and the | |
373 | .B policy | |
374 | object operating on the Security Policy Database). It is also used for | |
375 | the IP Payload Compression Protocol and features of Mobile IPv6. | |
376 | ||
61f541fe | 377 | .TS |
378 | l l. | |
379 | ip xfrm state add add new state into xfrm | |
380 | ip xfrm state update update existing state in xfrm | |
381 | ip xfrm state allocspi allocate an SPI value | |
382 | ip xfrm state delete delete existing state in xfrm | |
383 | ip xfrm state get get existing state in xfrm | |
384 | ip xfrm state deleteall delete all existing state in xfrm | |
385 | ip xfrm state list print out the list of existing state in xfrm | |
386 | ip xfrm state flush flush all state in xfrm | |
387 | ip xfrm state count count all existing state in xfrm | |
388 | ip xfrm monitor state monitoring for xfrm objects | |
389 | .TE | |
2a9721f1 SH |
390 | |
391 | .TP | |
392 | .IR ID | |
393 | is specified by a source address, destination address, | |
394 | .RI "transform protocol " XFRM-PROTO "," | |
395 | and/or Security Parameter Index | |
396 | .IR SPI "." | |
29665f92 DW |
397 | (For IP Payload Compression, the Compression Parameter Index or CPI is used for |
398 | .IR SPI ".)" | |
2a9721f1 SH |
399 | |
400 | .TP | |
401 | .I XFRM-PROTO | |
402 | specifies a transform protocol: | |
403 | .RB "IPsec Encapsulating Security Payload (" esp ")," | |
404 | .RB "IPsec Authentication Header (" ah ")," | |
405 | .RB "IP Payload Compression (" comp ")," | |
406 | .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or" | |
407 | .RB "Mobile IPv6 Home Address Option (" hao ")." | |
408 | ||
409 | .TP | |
410 | .I ALGO-LIST | |
29665f92 DW |
411 | contains one or more algorithms to use. Each algorithm |
412 | .I ALGO | |
413 | is specified by: | |
414 | .RS | |
415 | .IP \[bu] | |
416 | the algorithm type: | |
2a9721f1 | 417 | .RB "encryption (" enc ")," |
29665f92 DW |
418 | .RB "authentication (" auth " or " auth-trunc ")," |
419 | .RB "authenticated encryption with associated data (" aead "), or" | |
420 | .RB "compression (" comp ")" | |
421 | .IP \[bu] | |
422 | the algorithm name | |
423 | .IR ALGO-NAME | |
424 | (see below) | |
425 | .IP \[bu] | |
426 | .RB "(for all except " comp ")" | |
427 | the keying material | |
428 | .IR ALGO-KEYMAT "," | |
429 | which may include both a key and a salt or nonce value; refer to the | |
430 | corresponding RFC | |
431 | .IP \[bu] | |
432 | .RB "(for " auth-trunc " only)" | |
433 | the truncation length | |
434 | .I ALGO-TRUNC-LEN | |
435 | in bits | |
436 | .IP \[bu] | |
437 | .RB "(for " aead " only)" | |
2a9721f1 SH |
438 | the Integrity Check Value length |
439 | .I ALGO-ICV-LEN | |
29665f92 DW |
440 | in bits |
441 | .RE | |
442 | ||
443 | .nh | |
444 | .RS | |
445 | Encryption algorithms include | |
446 | .BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) "," | |
447 | .BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) "," | |
448 | .BR cbc(twofish) ", and " rfc3686(ctr(aes)) "." | |
449 | ||
450 | Authentication algorithms include | |
451 | .BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) "," | |
452 | .BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "." | |
453 | ||
454 | Authenticated encryption with associated data (AEAD) algorithms include | |
455 | .BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "." | |
456 | ||
457 | Compression algorithms include | |
458 | .BR deflate ", " lzs ", and " lzjh "." | |
459 | .RE | |
460 | .hy | |
2a9721f1 SH |
461 | |
462 | .TP | |
463 | .I MODE | |
29665f92 DW |
464 | specifies a mode of operation for the transform protocol. IPsec and IP Payload |
465 | Compression modes are | |
466 | .BR transport ", " tunnel "," | |
467 | and (for IPsec ESP only) Bound End-to-End Tunnel | |
468 | .RB "(" beet ")." | |
469 | Mobile IPv6 modes are route optimization | |
470 | .RB "(" ro ")" | |
471 | and inbound trigger | |
472 | .RB "(" in_trigger ")." | |
2a9721f1 SH |
473 | |
474 | .TP | |
475 | .I FLAG-LIST | |
476 | contains one or more of the following optional flags: | |
477 | .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", " | |
eeb669a7 | 478 | .BR af-unspec ", " align4 ", or " esn "." |
2a9721f1 SH |
479 | |
480 | .TP | |
481 | .IR SELECTOR | |
482 | selects the traffic that will be controlled by the policy, based on the source | |
483 | address, the destination address, the network device, and/or | |
484 | .IR UPSPEC "." | |
485 | ||
486 | .TP | |
487 | .IR UPSPEC | |
488 | selects traffic by protocol. For the | |
489 | .BR tcp ", " udp ", " sctp ", or " dccp | |
490 | protocols, the source and destination port can optionally be specified. | |
491 | For the | |
492 | .BR icmp ", " ipv6-icmp ", or " mobility-header | |
493 | protocols, the type and code numbers can optionally be specified. | |
494 | For the | |
495 | .B gre | |
496 | protocol, the key can optionally be specified as a dotted-quad or number. | |
497 | Other protocols can be selected by name or number | |
498 | .IR PROTO "." | |
499 | ||
500 | .TP | |
501 | .I LIMIT-LIST | |
502 | sets limits in seconds, bytes, or numbers of packets. | |
503 | ||
504 | .TP | |
505 | .I ENCAP | |
506 | encapsulates packets with protocol | |
507 | .BR espinudp " or " espinudp-nonike "," | |
508 | .RI "using source port " SPORT ", destination port " DPORT | |
509 | .RI ", and original address " OADDR "." | |
61f541fe | 510 | .sp |
511 | .TS | |
512 | l l. | |
513 | ip xfrm policy add add a new policy | |
514 | ip xfrm policy update update an existing policy | |
515 | ip xfrm policy delete delete an existing policy | |
516 | ip xfrm policy get get an existing policy | |
517 | ip xfrm policy deleteall delete all existing xfrm policies | |
518 | ip xfrm policy list print out the list of xfrm policies | |
519 | ip xfrm policy flush flush policies | |
520 | ip xfrm policy count count existing policies | |
521 | .TE | |
2a9721f1 SH |
522 | |
523 | .TP | |
524 | .IR SELECTOR | |
525 | selects the traffic that will be controlled by the policy, based on the source | |
526 | address, the destination address, the network device, and/or | |
527 | .IR UPSPEC "." | |
528 | ||
529 | .TP | |
530 | .IR UPSPEC | |
531 | selects traffic by protocol. For the | |
532 | .BR tcp ", " udp ", " sctp ", or " dccp | |
533 | protocols, the source and destination port can optionally be specified. | |
534 | For the | |
535 | .BR icmp ", " ipv6-icmp ", or " mobility-header | |
536 | protocols, the type and code numbers can optionally be specified. | |
537 | For the | |
538 | .B gre | |
539 | protocol, the key can optionally be specified as a dotted-quad or number. | |
540 | Other protocols can be selected by name or number | |
541 | .IR PROTO "." | |
542 | ||
543 | .TP | |
544 | .I DIR | |
545 | selects the policy direction as | |
546 | .BR in ", " out ", or " fwd "." | |
547 | ||
548 | .TP | |
549 | .I CTX | |
550 | sets the security context. | |
551 | ||
552 | .TP | |
553 | .I PTYPE | |
554 | can be | |
555 | .BR main " (default) or " sub "." | |
556 | ||
557 | .TP | |
558 | .I ACTION | |
559 | can be | |
560 | .BR allow " (default) or " block "." | |
561 | ||
562 | .TP | |
563 | .I PRIORITY | |
564 | is a number that defaults to zero. | |
565 | ||
566 | .TP | |
567 | .I FLAG-LIST | |
568 | contains one or both of the following optional flags: | |
569 | .BR localok " or " icmp "." | |
570 | ||
571 | .TP | |
572 | .I LIMIT-LIST | |
573 | sets limits in seconds, bytes, or numbers of packets. | |
574 | ||
575 | .TP | |
576 | .I TMPL-LIST | |
577 | is a template list specified using | |
578 | .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". " | |
579 | ||
580 | .TP | |
581 | .IR ID | |
582 | is specified by a source address, destination address, | |
583 | .RI "transform protocol " XFRM-PROTO "," | |
584 | and/or Security Parameter Index | |
585 | .IR SPI "." | |
29665f92 DW |
586 | (For IP Payload Compression, the Compression Parameter Index or CPI is used for |
587 | .IR SPI ".)" | |
2a9721f1 SH |
588 | |
589 | .TP | |
590 | .I XFRM-PROTO | |
591 | specifies a transform protocol: | |
592 | .RB "IPsec Encapsulating Security Payload (" esp ")," | |
593 | .RB "IPsec Authentication Header (" ah ")," | |
594 | .RB "IP Payload Compression (" comp ")," | |
595 | .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or" | |
596 | .RB "Mobile IPv6 Home Address Option (" hao ")." | |
597 | ||
598 | .TP | |
599 | .I MODE | |
29665f92 DW |
600 | specifies a mode of operation for the transform protocol. IPsec and IP Payload |
601 | Compression modes are | |
602 | .BR transport ", " tunnel "," | |
603 | and (for IPsec ESP only) Bound End-to-End Tunnel | |
604 | .RB "(" beet ")." | |
605 | Mobile IPv6 modes are route optimization | |
606 | .RB "(" ro ")" | |
607 | and inbound trigger | |
608 | .RB "(" in_trigger ")." | |
2a9721f1 SH |
609 | |
610 | .TP | |
611 | .I LEVEL | |
612 | can be | |
613 | .BR required " (default) or " use "." | |
614 | ||
2a9721f1 SH |
615 | The xfrm objects to monitor can be optionally specified. |
616 | ||
617 | .SH AUTHOR | |
29665f92 | 618 | Manpage revised by David Ward <david.ward@ll.mit.edu> |