.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
ip-xfrm \- transform configuration
.RI " { " COMMAND " | "
.IR XFRM-OBJECT " { " COMMAND " | "
.BR state " | " policy " | " monitor
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " replay-window
.RB "[ " replay-seq-hi
.RB "[ " replay-oseq-hi
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.IR ADDR "[/" PLEN "] ]"
.IR EXTRA-FLAG-LIST " ]"
.B "ip xfrm state allocspi"
.BR "ip xfrm state" " { " delete " | " get " } "
.BR "ip xfrm state" " { " deleteall " | " list " } ["
.BR "ip xfrm state flush" " [ " proto
.BR "ip xfrm state count"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
.RB "{ " enc " | " auth " } "
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
.BR af-unspec " | " align4 " | " esn
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR
.IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
.IR EXTRA-FLAG " := "
.BR "ip xfrm policy" " { " add " | " update " }"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.B "ip xfrm policy flush"
.B "ip xfrm policy count"
.B "ip xfrm policy set"
.IR LBITS " " RBITS " ]"
.IR LBITS " " RBITS " ]"
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.BR in " | " out " | " fwd
.BR allow " | " block
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR localok " | " icmp
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.BR required " | " use
.BR "ip xfrm monitor" " ["
.IR LISTofXFRM-OBJECTS " ]"
.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
.IR XFRM-OBJECT " := "
.BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
object operating on the Security Association Database, and the
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.
.SS ip xfrm state add - add new state into xfrm
.SS ip xfrm state update - update existing state in xfrm
.SS ip xfrm state allocspi - allocate an SPI value
.SS ip xfrm state delete - delete existing state in xfrm
.SS ip xfrm state get - get existing state in xfrm
.SS ip xfrm state deleteall - delete all existing state in xfrm
.SS ip xfrm state list - print out the list of existing state in xfrm
.SS ip xfrm state flush - flush all state in xfrm
.SS ip xfrm state count - count all existing state in xfrm
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
contains one or more algorithms to use. Each algorithm
.RB "encryption (" enc "),"
.RB "authentication (" auth " or " auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), or"
.RB "compression (" comp ")"
.RB "(for all except " comp ")"
which may include both a key and a salt or nonce value; refer to the
.RB "(for " auth-trunc " only)"
the truncation length
.RB "(for " aead " only)"
the Integrity Check Value length
Encryption algorithms include
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."
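.PP
The algorithm lists above include null transforms (ecb(cipher_null), digest_null) and ciphers with 56-bit keys or 64-bit blocks; an operator reviewing a host wants to know which installed states use them. The following is an added example, not iproute2 code, that parses the text printed by "ip xfrm state" and reports null, weak or integrity-less transforms, disabled anti-replay, and states without the esn flag. The sample output is constructed in the layout iproute2 prints (including the anti-replay esn context block, where the effective window of an ESN state is shown); the weak/null classification is the example's own, not something this man page states.

```python
"""Audit `ip xfrm state` output for null, weak or unprotected transforms.

Added example, not part of iproute2.  The sample below is constructed in the
layout `ip xfrm state` prints; which algorithms count as null or weak is this
example's own classification, not something the man page states.
"""

# Constructed sample: three ESP states in `ip xfrm state` output format.
SAMPLE_STATE_OUTPUT = """\
src 192.0.2.1 dst 192.0.2.2
\tproto esp spi 0x00001000 reqid 1 mode transport
\treplay-window 0 flag esn
\tauth-trunc hmac(sha256) 0x2222222222222222222222222222222222222222222222222222222222222222 128
\tenc cbc(aes) 0x11111111111111111111111111111111
\tanti-replay esn context:
\t seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
\t replay_window 32, bitmap-length 1
\t 00000000
src 192.0.2.2 dst 192.0.2.1
\tproto esp spi 0x00002000 reqid 1 mode transport
\treplay-window 0 flag af-unspec
\tauth-trunc hmac(md5) 0x33333333333333333333333333333333 96
\tenc cbc(des) 0x4444444444444444
src 198.51.100.1 dst 198.51.100.2
\tproto esp spi 0x00003000 reqid 2 mode tunnel
\treplay-window 32 flag af-unspec
\tenc ecb(cipher_null) 0x
"""

NULL_ENC = {"ecb(cipher_null)"}
WEAK_ENC = {"cbc(des)", "cbc(des3_ede)", "cbc(blowfish)", "cbc(cast5)"}  # 56-bit key or 64-bit block
NULL_AUTH = {"digest_null"}
WEAK_AUTH = {"hmac(md5)"}
ALGO_KINDS = ("enc", "auth", "auth-trunc", "aead", "comp")


def parse_states(text):
    """Turn `ip xfrm state` output into one dict per SA (src, dst, proto, spi,
    mode, replay-window, flags, algos).  Lifetime and counter lines are skipped."""
    states = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        if not line[0].isspace():                 # "src A dst B" opens a new SA
            states.append({"src": tokens[1], "dst": tokens[3],
                           "flags": set(), "algos": {}})
            continue
        sa, head = states[-1], tokens[0]
        if head in ALGO_KINDS:                    # enc/auth/aead NAME KEYMAT [LEN]
            sa["algos"][head] = tokens[1]
        elif head == "proto":                     # proto esp spi 0x.. reqid N mode M
            sa.update(zip(tokens[0::2], tokens[1::2]))
        elif head == "replay-window":             # replay-window N flag F...
            sa["replay-window"] = int(tokens[1])
            if "flag" in tokens:
                sa["flags"].update(tokens[tokens.index("flag") + 1:])
        elif head == "flag":
            sa["flags"].update(tokens[1:])
        elif head == "replay_window":             # esn context: replay_window N, bitmap-length M
            sa["replay-window"] = int(tokens[1].rstrip(","))
    return states


def audit_state(sa):
    """Findings for one SA, each a human-readable string."""
    algos, found = sa["algos"], []
    label = f"{sa['src']} -> {sa['dst']} spi {sa.get('spi', '?')}"
    enc = algos.get("enc")
    auth = algos.get("auth") or algos.get("auth-trunc")
    if enc in NULL_ENC:
        found.append(f"{label}: null encryption, payload travels in cleartext")
    elif enc in WEAK_ENC:
        found.append(f"{label}: weak cipher {enc}")
    if auth in NULL_AUTH:
        found.append(f"{label}: null authentication")
    elif auth in WEAK_AUTH:
        found.append(f"{label}: weak authentication {auth}")
    if enc and not auth and "aead" not in algos:
        found.append(f"{label}: encryption without integrity protection")
    if sa.get("replay-window", 0) == 0:
        found.append(f"{label}: anti-replay disabled (replay-window 0)")
    if sa.get("proto") in ("esp", "ah") and "esn" not in sa["flags"]:
        found.append(f"{label}: esn flag not set, 32-bit sequence numbers")
    return found


def audit(text):
    """All findings over a full `ip xfrm state` dump."""
    return [f for sa in parse_states(text) for f in audit_state(sa)]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATE_OUTPUT
    for finding in audit(text):
        print(finding)
```

Piped real output ("ip xfrm state | python3 audit.py") is read from stdin; run without a pipe it audits the constructed sample, where the first state is clean, the second trips four findings and the third trips three.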
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", " align4 ", or " esn "."
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
sets limits in seconds, bytes, or numbers of packets.
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
used to match xfrm policies and states
used to set the output mark to influence the routing
of the packets emitted by the state
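.PP
The ID, ALGO-LIST, MODE, FLAG-LIST and LIMIT-LIST grammar above is easy to get subtly wrong by hand (a keymat with an odd number of hex digits, a truncation length the kernel rejects, a soft limit above its hard limit). The following added example, not iproute2 code, assembles an "ip xfrm state add" argument list from Python values and checks each ALGO entry against the grammar before emitting it. The function names (state_add_args, algo_args) are the example's own, and the table of accepted keymat, truncation and ICV sizes is an assumption drawn from the Linux IPsec algorithm table for the four algorithms it covers, not something the man page states.

```python
"""Build an `ip xfrm state add` command and check it against the ALGO-LIST rules.

Added example, not part of iproute2.  The per-algorithm key, truncation and
ICV sizes are an assumption taken from the Linux IPsec algorithm table for the
few algorithms covered here; they are not stated in the man page.
"""
import re
import shlex

# Assumed keymat sizes in bits (enc/auth: the key; aead: key plus 4-byte salt).
KEYMAT_BITS = {
    "cbc(aes)": (128, 192, 256),
    "hmac(sha1)": (160,),
    "hmac(sha256)": (256,),
    "rfc4106(gcm(aes))": (160, 224, 288),
}
TRUNC_BITS = {"hmac(sha1)": (96,), "hmac(sha256)": (96, 128)}   # auth-trunc lengths
ICV_BITS = {"rfc4106(gcm(aes))": (64, 96, 128)}                  # aead ICV lengths
XFRM_PROTOS = ("esp", "ah", "comp", "route2", "hao")
MODES = ("transport", "tunnel", "beet", "ro", "in_trigger")
LIMITS = ("time-soft", "time-hard", "time-use-soft", "time-use-hard",
          "byte-soft", "byte-hard", "packet-soft", "packet-hard")
HEX = re.compile(r"^0x(?:[0-9a-fA-F]{2})*$")


def keymat_bits(keymat):
    """Size in bits of a 0x-prefixed ALGO-KEYMAT; rejects odd nibble counts."""
    if not HEX.match(keymat):
        raise ValueError(f"keymat must be 0x followed by whole bytes: {keymat!r}")
    return (len(keymat) - 2) * 4


def algo_args(kind, name, keymat, length=None):
    """Validate one ALGO entry of the ALGO-LIST grammar and return its tokens."""
    if name not in KEYMAT_BITS:
        raise ValueError(f"{name!r} is not in this example's algorithm table")
    bits = keymat_bits(keymat)
    if bits not in KEYMAT_BITS[name]:
        raise ValueError(f"{name}: {bits}-bit keymat, expected one of {KEYMAT_BITS[name]}")
    if kind in ("enc", "auth"):                     # ALGO-NAME ALGO-KEYMAT
        if length is not None:
            raise ValueError(f"{kind} takes no length")
        return [kind, name, keymat]
    table = {"auth-trunc": TRUNC_BITS, "aead": ICV_BITS}.get(kind)
    if table is None:
        raise ValueError(f"unknown algorithm kind {kind!r}")
    if length not in table.get(name, ()):           # ALGO-TRUNC-LEN / ALGO-ICV-LEN
        raise ValueError(f"{kind} {name}: length {length} not allowed")
    return [kind, name, keymat, str(length)]


def state_add_args(src, dst, spi, algos, *, proto="esp", mode="transport",
                   reqid=None, replay_window=32, esn=True, limits=None):
    """argv for `ip xfrm state add`; algos is a list of algo_args tuples."""
    if proto not in XFRM_PROTOS:
        raise ValueError(f"unknown XFRM-PROTO {proto!r}")
    if mode not in MODES:
        raise ValueError(f"unknown MODE {mode!r}")
    if esn and proto not in ("esp", "ah"):          # the kernel only accepts ESN for esp/ah
        raise ValueError("the esn flag is only valid for esp and ah")
    argv = ["ip", "xfrm", "state", "add", "src", src, "dst", dst,
            "proto", proto, "spi", f"0x{spi:08x}"]
    for entry in algos:
        argv += algo_args(*entry)
    argv += ["mode", mode]
    if reqid is not None:
        argv += ["reqid", str(reqid)]
    argv += ["replay-window", str(replay_window)]
    if esn:
        argv += ["flag", "esn"]
    limits = limits or {}
    for name in limits:
        if name not in LIMITS:
            raise ValueError(f"unknown limit {name!r}")
    for kind in ("time", "time-use", "byte", "packet"):   # soft must not exceed hard
        soft, hard = limits.get(f"{kind}-soft"), limits.get(f"{kind}-hard")
        if soft is not None and hard is not None and soft > hard:
            raise ValueError(f"{kind}-soft must not exceed {kind}-hard")
    for name, value in limits.items():
        argv += ["limit", name, str(value)]
    return argv


def state_add_command(*args, **kwargs):
    """Same as state_add_args, but as one shell-quoted line."""
    return shlex.join(state_add_args(*args, **kwargs))
```

Two practical points the builder encodes: algorithm names contain parentheses, so on a command line they must be quoted (shlex.join emits 'cbc(aes)'); and plain "auth hmac(sha256)" selects the kernel's legacy 96-bit truncation, so interoperating with an RFC 4868 peer needs "auth-trunc hmac(sha256) KEY 128".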
.SS ip xfrm policy add - add a new policy
.SS ip xfrm policy update - update an existing policy
.SS ip xfrm policy delete - delete an existing policy
.SS ip xfrm policy get - get an existing policy
.SS ip xfrm policy deleteall - delete all existing xfrm policies
.SS ip xfrm policy list - print out the list of xfrm policies
.SS ip xfrm policy flush - flush policies
filter (remove) all socket policies from the output.
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
selects the policy direction as
.BR in ", " out ", or " fwd "."
sets the security context.
.BR main " (default) or " sub "."
.BR allow " (default) or " block "."
is a number that defaults to zero.
contains one or both of the following optional flags:
.BR localok " or " icmp "."
sets limits in seconds, bytes, or numbers of packets.
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
.BR required " (default) or " use "."
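.PP
A state on its own protects nothing; traffic is only steered into it by policies, and a gateway needs three of them per tunnel: an out policy for locally originated traffic and in plus fwd policies for traffic arriving from the peer, the latter two carrying the template with src and dst swapped because the inbound SA is addressed from the peer to the local endpoint. The following added example, not iproute2 code, builds that triplet from the SELECTOR, DIR, ACTION and TMPL-LIST grammar above and rejects UPSPEC combinations the grammar does not allow (a port with an icmp protocol, for instance). The function names (gateway_policies, policy_args) and the 10.0.0.0/24, 192.0.2.x addresses are the example's own constructed values.

```python
"""Build `ip xfrm policy add` commands for an ESP tunnel between two gateways.

Added example, not part of iproute2.  gateway_policies and the helper names
are this example's own; the addresses are constructed documentation values.
"""

DIRECTIONS = ("in", "out", "fwd")
ACTIONS = ("allow", "block")
LEVELS = ("required", "use")
MODES = ("transport", "tunnel", "beet", "ro", "in_trigger")
PORT_PROTOS = ("tcp", "udp", "sctp", "dccp")
ICMP_PROTOS = ("icmp", "ipv6-icmp", "mobility-header")


def selector_args(sel):
    """SELECTOR := [src ADDR[/PLEN]] [dst ADDR[/PLEN]] [dev DEV] [UPSPEC]."""
    out = []
    for key in ("src", "dst", "dev"):
        if key in sel:
            out += [key, sel[key]]
    if "proto" in sel:
        proto = sel["proto"]
        out += ["proto", proto]
        for key in ("sport", "dport", "type", "code"):
            if key not in sel:
                continue
            # ports belong to tcp/udp/sctp/dccp, type/code to the icmp family
            ok = (key in ("sport", "dport") and proto in PORT_PROTOS) or \
                 (key in ("type", "code") and proto in ICMP_PROTOS)
            if not ok:
                raise ValueError(f"{key} is not valid with proto {proto}")
            out += [key, str(sel[key])]
    return out


def tmpl_args(tmpl):
    """TMPL := ID [mode MODE] [reqid REQID] [level LEVEL]."""
    if tmpl.get("mode", "transport") not in MODES:
        raise ValueError(f"unknown MODE {tmpl['mode']!r}")
    if tmpl.get("level", "required") not in LEVELS:
        raise ValueError(f"unknown LEVEL {tmpl['level']!r}")
    out = ["tmpl"]
    for key in ("src", "dst", "proto", "spi", "mode", "reqid", "level"):
        if key in tmpl:
            out += [key, str(tmpl[key])]
    return out


def policy_args(selector, direction, templates=(), *, action="allow", priority=None):
    """argv for `ip xfrm policy add SELECTOR dir DIR action ACTION [priority N] TMPL-LIST`."""
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown DIR {direction!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown ACTION {action!r}")
    argv = ["ip", "xfrm", "policy", "add"] + selector_args(selector)
    argv += ["dir", direction, "action", action]
    if priority is not None:
        argv += ["priority", str(priority)]
    for tmpl in templates:
        argv += tmpl_args(tmpl)
    return argv


def gateway_policies(inner_local, inner_remote, outer_local, outer_remote, reqid, *, priority=None):
    """The out/in/fwd triplet a tunnel gateway needs.  The in and fwd policies
    carry the reversed template because the inbound SA has src=outer_remote
    and dst=outer_local."""
    out_tmpl = {"src": outer_local, "dst": outer_remote, "proto": "esp", "mode": "tunnel", "reqid": reqid}
    in_tmpl = {"src": outer_remote, "dst": outer_local, "proto": "esp", "mode": "tunnel", "reqid": reqid}
    return [
        policy_args({"src": inner_local, "dst": inner_remote}, "out", [out_tmpl], priority=priority),
        policy_args({"src": inner_remote, "dst": inner_local}, "in", [in_tmpl], priority=priority),
        policy_args({"src": inner_remote, "dst": inner_local}, "fwd", [in_tmpl], priority=priority),
    ]


if __name__ == "__main__":
    for argv in gateway_policies("10.0.0.0/24", "10.0.1.0/24", "192.0.2.1", "192.0.2.2", 1):
        print(" ".join(argv))
```

The builder leaves LEVEL at its default of required: with level use, matching packets are still passed when no state satisfies the template, so a template marked use silently degrades to cleartext whenever the SA is missing or expired, which is rarely what a policy author intends.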
.SS ip xfrm policy count - count existing policies
Use one or more -s options to display more details, including policy hash table
.SS ip xfrm policy set - configure the policy hash table
Security policies whose address prefix lengths are greater than or equal
to the policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.
specifies the minimum local address prefix length of policies that are
stored in the Security Policy Database hash table.
specifies the minimum remote address prefix length of policies that are
stored in the Security Policy Database hash table.
.SS ip xfrm monitor - state monitoring for xfrm objects
The xfrm objects to monitor can be optionally specified.
option is set, the program listens to all network namespaces that have a
nsid assigned into the network namespace where the program is running.
A prefix is displayed to show the network namespace where the message
[nsid 1]Flushed state proto 0
Manpage revised by David Ward <david.ward@ll.mit.edu>
Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>