.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
ip-xfrm \- transform configuration
.RI " { " COMMAND " | "
.IR XFRM-OBJECT " { " COMMAND " | "
.BR state " | " policy " | " monitor
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " replay-window
.RB "[ " replay-seq-hi
.RB "[ " replay-oseq-hi
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.IR ADDR "[/" PLEN "] ]"
.B "ip xfrm state allocspi"
.BR "ip xfrm state" " { " delete " | " get " } "
.BR "ip xfrm state" " { " deleteall " | " list " } ["
.BR "ip xfrm state flush" " [ " proto
.BR "ip xfrm state count"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
.RB "{ " enc " | " auth " } "
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
.BR af-unspec " | " align4 " | " esn
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR
.BR "ip xfrm policy" " { " add " | " update " }"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.B "ip xfrm policy flush"
.B "ip xfrm policy count"
.B "ip xfrm policy set"
.IR LBITS " " RBITS " ]"
.IR LBITS " " RBITS " ]"
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.BR in " | " out " | " fwd
.BR allow " | " block
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR localok " | " icmp
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.BR required " | " use
.BR "ip xfrm monitor" " [ " all " |"
.IR LISTofXFRM-OBJECTS " ]"
.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
.IR XFRM-OBJECT " := "
.BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
object operating on the Security Association Database, and the
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.
ip xfrm state add add new state into xfrm
ip xfrm state update update existing state in xfrm
ip xfrm state allocspi allocate an SPI value
ip xfrm state delete delete existing state in xfrm
ip xfrm state get get existing state in xfrm
ip xfrm state deleteall delete all existing state in xfrm
ip xfrm state list print out the list of existing state in xfrm
ip xfrm state flush flush all state in xfrm
ip xfrm state count count all existing state in xfrm
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
contains one or more algorithms to use. Each algorithm
.RB "encryption (" enc "),"
.RB "authentication (" auth " or " auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), or"
.RB "compression (" comp ")"
.RB "(for all except " comp ")"
which may include both a key and a salt or nonce value; refer to the
.RB "(for " auth-trunc " only)"
the truncation length
.RB "(for " aead " only)"
the Integrity Check Value length
Encryption algorithms include
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", " align4 ", or " esn "."
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
sets limits in seconds, bytes, or numbers of packets.
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
ip xfrm policy add add a new policy
ip xfrm policy update update an existing policy
ip xfrm policy delete delete an existing policy
ip xfrm policy get get an existing policy
ip xfrm policy deleteall delete all existing xfrm policies
ip xfrm policy list print out the list of xfrm policies
ip xfrm policy flush flush policies
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
selects the policy direction as
.BR in ", " out ", or " fwd "."
sets the security context.
.BR main " (default) or " sub "."
.BR allow " (default) or " block "."
is a number that defaults to zero.
contains one or both of the following optional flags:
.BR localok " or " icmp "."
sets limits in seconds, bytes, or numbers of packets.
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
.BR required " (default) or " use "."
ip xfrm policy count count existing policies
Use one or more -s options to display more details, including policy hash table
ip xfrm policy set configure the policy hash table
Security policies whose address prefix lengths are greater than or equal to the
policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.
specifies the minimum local address prefix length of policies that are
stored in the Security Policy Database hash table.
specifies the minimum remote address prefix length of policies that are
stored in the Security Policy Database hash table.
ip xfrm monitor state monitoring for xfrm objects
The xfrm objects to monitor can be optionally specified.
Manpage revised by David Ward <david.ward@ll.mit.edu>
Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>