.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
ip-xfrm \- transform configuration
.RI " { " COMMAND " | "
.IR XFRM-OBJECT " { " COMMAND " | "
.BR state " | " policy " | " monitor
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " replay-window
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.IR ADDR "[/" PLEN "] ]"
.B "ip xfrm state allocspi"
.BR "ip xfrm state" " { " delete " | " get " } "
.BR "ip xfrm state" " { " deleteall " | " list " } ["
.BR "ip xfrm state flush" " [ " proto
.BR "ip xfrm state count"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
.RB "{ " enc " | " auth " } "
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR
.BR "ip xfrm policy" " { " add " | " update " }"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.B "ip xfrm policy flush"
.B "ip xfrm policy count"
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.BR in " | " out " | " fwd
.BR allow " | " block
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR localok " | " icmp
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.BR required " | " use
.BR "ip xfrm monitor" " [ " all " |"
.IR LISTofXFRM-OBJECTS " ]"
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
object operating on the Security Association Database, and the
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.
.SS ip xfrm state add - add new state into xfrm
.SS ip xfrm state update - update existing state in xfrm
.SS ip xfrm state allocspi - allocate an SPI value
.SS ip xfrm state delete - delete existing state in xfrm
.SS ip xfrm state get - get existing state in xfrm
.SS ip xfrm state deleteall - delete all existing state in xfrm
.SS ip xfrm state list - print out the list of existing state in xfrm
.SS ip xfrm state flush - flush all state in xfrm
.SS ip xfrm state count - count all existing state in xfrm
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
contains one or more algorithms to use. Each algorithm
.RB "encryption (" enc "),"
.RB "authentication (" auth " or " auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), or"
.RB "compression (" comp ")"
.RB "(for all except " comp ")"
which may include both a key and a salt or nonce value; refer to the
.RB "(for " auth-trunc " only)"
the truncation length
.RB "(for " aead " only)"
the Integrity Check Value length
Encryption algorithms include
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."
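The algorithm lists above include transforms that provide no confidentiality or integrity at all (ecb(cipher_null), digest_null) and ones built on deprecated primitives (cbc(des), hmac(md5)); the kernel will happily install any of them. A practitioner auditing a host wants to catch those, and any SA installed with anti-replay disabled (replay-window 0), in the output of "ip xfrm state list". The script below is an added example and is not part of this man page or of iproute2: which names it treats as weak and the minimum replay window are this example's own policy, and the state dump it parses offline is constructed in the format ip prints, with made-up addresses, SPIs and keys.

```shell
#!/bin/sh
# Added example, not part of the ip-xfrm man page: audit "ip xfrm state list"
# output for transforms a reviewer would flag. The list of weak names and
# the replay-window rule are this script's assumptions.

# Names from the man page's algorithm lists that give no confidentiality or
# integrity, or rely on deprecated primitives.
WEAK_ALGOS='ecb(cipher_null) digest_null cbc(des) hmac(md5)'

# Constructed sample in the layout "ip xfrm state list" prints; the second SA
# deliberately uses weak algorithms and has anti-replay turned off.
SAMPLE_STATE='src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x00001001 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x0123456789abcdef0123456789abcdef01234567 128
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x00001002 reqid 2 mode transport
    replay-window 0 flag af-unspec
    auth-trunc hmac(md5) 0x00112233445566778899aabbccddeeff 96
    enc cbc(des) 0x0011223344556677
    sel src 0.0.0.0/0 dst 0.0.0.0/0'

# audit_xfrm_states: read a state dump on stdin, print one finding per line
# as "SPI<tab>finding"; exit 1 if anything was flagged, 0 if the dump is clean.
audit_xfrm_states() {
    awk -v weak="$WEAK_ALGOS" '
    BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1; found = 0 }
    /^src / { spi = "" }                         # a new SA block begins
    /proto / { for (i = 1; i <= NF; i++) if ($i == "spi") spi = $(i + 1) }
    /replay-window/ {
        for (i = 1; i <= NF; i++)
            if ($i == "replay-window" && $(i + 1) == 0) {
                print spi "\tanti-replay disabled (replay-window 0)"; found = 1
            }
    }
    $1 ~ /^(enc|auth|auth-trunc|aead|comp)$/ {
        if ($2 in bad) { print spi "\tweak algorithm " $2; found = 1 }
    }
    END { exit found }'
}

# Use the live SAD when running as root with ip(8) available; otherwise run
# against the constructed sample so the script can be exercised offline.
audit_live_or_sample() {
    if [ "$(id -u)" -eq 0 ] && command -v ip >/dev/null 2>&1; then
        ip xfrm state list | audit_xfrm_states
    else
        printf '%s\n' "$SAMPLE_STATE" | audit_xfrm_states
    fi
}
```

Run it as `audit_live_or_sample` after sourcing the file; a non-zero exit means at least one SA was flagged, and the findings carry the SPI so the matching `ip xfrm state get` or `delete` can be issued. Because "ip xfrm state list" prints keys, restrict who may run the audit to the same set of users who may read the SAD.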
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", or " align4 "."
selects the traffic that this state will apply to, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
sets limits in seconds, bytes, or numbers of packets.
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
.SS ip xfrm policy add - add a new policy
.SS ip xfrm policy update - update an existing policy
.SS ip xfrm policy delete - delete an existing policy
.SS ip xfrm policy get - get an existing policy
.SS ip xfrm policy deleteall - delete all existing xfrm policies
.SS ip xfrm policy list - print out the list of xfrm policies
.SS ip xfrm policy flush - flush policies
.SS ip xfrm policy count - count existing policies
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
selects the policy direction as
.BR in ", " out ", or " fwd "."
sets the security context.
.BR main " (default) or " sub "."
.BR allow " (default) or " block "."
is a number that defaults to zero.
contains one or both of the following optional flags:
.BR localok " or " icmp "."
sets limits in seconds, bytes, or numbers of packets.
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
.BR required " (default) or " use "."
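Putting the ID, ALGO-LIST, LIMIT-LIST, TMPL-LIST and LEVEL descriptions above together: a manually keyed ESP tunnel needs one state per direction (distinct SPI and key each) plus out, in and fwd policies whose templates are matched to those states by reqid. The script below is an added example and is not from this man page or from iproute2; it emits the commands and checks the things the kernel will not check for you: that AEAD keymat has the right length (key plus 4-byte salt for rfc4106(gcm(aes))), that SPIs and keys differ per direction, and that soft lifetimes expire before hard ones so "ip xfrm monitor" reports the soft expiry in time to rekey. The gateway addresses, networks, SPIs and keys are constructed, and the default lifetimes, 128-bit ICV and replay window of 32 are this example's own choices.

```shell
#!/bin/sh
# Added example, not the man page's own text: emit the "ip xfrm state" and
# "ip xfrm policy" commands for a manually keyed ESP tunnel between two
# gateways. All addresses, SPIs, keys and lifetime defaults are constructed.

# rfc4106(gcm(aes)) keymat is the AES key followed by a 4-byte salt, so the
# hex string must be 20, 28 or 36 bytes long (40, 56 or 72 hex digits).
check_gcm_keymat() {
    hex=${1#0x}
    case $hex in
        *[!0-9a-fA-F]*) echo "keymat is not hex: $1" >&2; return 1 ;;
    esac
    case ${#hex} in
        40|56|72) return 0 ;;
        *) echo "rfc4106(gcm(aes)) keymat must be 40/56/72 hex digits, got ${#hex}" >&2
           return 1 ;;
    esac
}

# Soft limits must be strictly below the hard ones, otherwise the SA dies
# before the soft-expiry event that is supposed to trigger a rekey.
check_limits() {
    [ "$1" -lt "$2" ] && [ "$3" -lt "$4" ] && return 0
    echo "soft limits ($1 s, $3 B) must be below hard limits ($2 s, $4 B)" >&2
    return 1
}

# esp_tunnel_cmds LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET SPI_OUT SPI_IN KEY_OUT KEY_IN
# Prints the commands; apply as root with:  esp_tunnel_cmds ... | sh
esp_tunnel_cmds() {
    lgw=$1 rgw=$2 lnet=$3 rnet=$4 spi_out=$5 spi_in=$6 key_out=$7 key_in=$8
    reqid=${REQID:-1}
    tsoft=${TIME_SOFT:-3300} thard=${TIME_HARD:-3600}
    bsoft=${BYTE_SOFT:-900000000} bhard=${BYTE_HARD:-1000000000}

    [ "$spi_out" != "$spi_in" ] || { echo "SPIs must differ per direction" >&2; return 1; }
    [ "$key_out" != "$key_in" ] || { echo "use independent keys per direction" >&2; return 1; }
    check_gcm_keymat "$key_out" && check_gcm_keymat "$key_in" || return 1
    check_limits "$tsoft" "$thard" "$bsoft" "$bhard" || return 1

    # Quote the algorithm name: the parentheses would otherwise be parsed by the shell.
    aead="aead 'rfc4106(gcm(aes))'"
    limits="limit time-soft $tsoft limit time-hard $thard limit byte-soft $bsoft limit byte-hard $bhard"
    cat <<EOF
ip xfrm state add src $lgw dst $rgw proto esp spi $spi_out reqid $reqid mode tunnel $aead $key_out 128 replay-window 32 $limits
ip xfrm state add src $rgw dst $lgw proto esp spi $spi_in reqid $reqid mode tunnel $aead $key_in 128 replay-window 32 $limits
ip xfrm policy add src $lnet dst $rnet dir out tmpl src $lgw dst $rgw proto esp reqid $reqid mode tunnel
ip xfrm policy add src $rnet dst $lnet dir in tmpl src $rgw dst $lgw proto esp reqid $reqid mode tunnel
ip xfrm policy add src $rnet dst $lnet dir fwd tmpl src $rgw dst $lgw proto esp reqid $reqid mode tunnel
EOF
}
```

The templates use the default level, required, so traffic matching the selector is dropped rather than sent in the clear when no state with that reqid exists; a fwd policy is needed whenever the gateway forwards for hosts behind it rather than terminating the traffic itself. Keys passed on a command line are visible in process listings and shell history, which is one reason production deployments negotiate them with IKE instead.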
.SS ip xfrm monitor - state monitoring for xfrm objects
The xfrm objects to monitor can be optionally specified.
Manpage revised by David Ward <david.ward@ll.mit.edu>