.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
ip-xfrm \- transform configuration
.RI " { " COMMAND " | "
.IR XFRM-OBJECT " { " COMMAND " | "
.BR state " | " policy " | " monitor
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " replay-window
.RB "[ " replay-seq-hi
.RB "[ " replay-oseq-hi
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.IR ADDR "[/" PLEN "] ]"
.IR EXTRA-FLAG-LIST " ]"
.B "ip xfrm state allocspi"
.BR "ip xfrm state" " { " delete " | " get " } "
.BR "ip xfrm state" " { " deleteall " | " list " } ["
.BR "ip xfrm state flush" " [ " proto
.BR "ip xfrm state count"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
.RB "{ " enc " | " auth " } "
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
.BR af-unspec " | " align4 " | " esn
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR
.IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
.IR EXTRA-FLAG " := "
.BR "ip xfrm policy" " { " add " | " update " }"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.B "ip xfrm policy flush"
.B "ip xfrm policy count"
.B "ip xfrm policy set"
.IR LBITS " " RBITS " ]"
.IR LBITS " " RBITS " ]"
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.BR in " | " out " | " fwd
.BR allow " | " block
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR localok " | " icmp
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.BR required " | " use
.BR "ip xfrm monitor" " ["
.IR LISTofXFRM-OBJECTS " ]"
.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
.IR XFRM-OBJECT " := "
.BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
object operating on the Security Association Database, and the
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.
ip xfrm state add add new state into xfrm
ip xfrm state update update existing state in xfrm
ip xfrm state allocspi allocate an SPI value
ip xfrm state delete delete existing state in xfrm
ip xfrm state get get existing state in xfrm
ip xfrm state deleteall delete all existing state in xfrm
ip xfrm state list print out the list of existing state in xfrm
ip xfrm state flush flush all state in xfrm
ip xfrm state count count all existing state in xfrm
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
contains one or more algorithms to use. Each algorithm
.RB "encryption (" enc "),"
.RB "authentication (" auth " or " auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), or"
.RB "compression (" comp ")"
.RB "(for all except " comp ")"
which may include both a key and a salt or nonce value; refer to the
.RB "(for " auth-trunc " only)"
the truncation length
.RB "(for " aead " only)"
the Integrity Check Value length
Encryption algorithms include
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", " align4 ", or " esn "."
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
sets limits in seconds, bytes, or numbers of packets.
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
ip xfrm policy add add a new policy
ip xfrm policy update update an existing policy
ip xfrm policy delete delete an existing policy
ip xfrm policy get get an existing policy
ip xfrm policy deleteall delete all existing xfrm policies
ip xfrm policy list print out the list of xfrm policies
ip xfrm policy flush flush policies
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
selects the policy direction as
.BR in ", " out ", or " fwd "."
sets the security context.
.BR main " (default) or " sub "."
.BR allow " (default) or " block "."
is a number that defaults to zero.
contains one or both of the following optional flags:
.BR localok " or " icmp "."
sets limits in seconds, bytes, or numbers of packets.
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
.BR required " (default) or " use "."
ip xfrm policy count count existing policies
Use one or more -s options to display more details, including policy hash table
ip xfrm policy set configure the policy hash table
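Added example, not part of the iproute2 man page: a POSIX sh script that composes the ip xfrm state add and ip xfrm policy add commands for a manually keyed ESP transport-mode SA pair, using the aead form of ALGO-LIST (ALGO-NAME, ALGO-KEYMAT, ALGO-ICV-LEN) and a TMPL-LIST with LEVEL required as described above, and checks that the rfc4106(gcm(aes)) keymat carries the 4-byte salt RFC 4106 requires. The addresses 192.0.2.1 and 192.0.2.2, the SPIs and the keys are constructed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not from the iproute2 man page: compose the "ip xfrm state add" and
# "ip xfrm policy add" commands for a manually keyed ESP transport-mode SA pair,
# using the aead form of ALGO-LIST (aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN).
# Addresses, SPIs and keys below are constructed placeholder values.

# rfc4106(gcm(aes)) keymat is the AES key followed by a 4-byte salt (RFC 4106), so
# the hex string after "0x" must hold 16+4, 24+4 or 32+4 bytes: 40, 56 or 72 digits.
check_gcm_keymat() {
    hex=${1#0x}
    case ${#hex} in
        40|56|72) return 0 ;;
        *) echo "rfc4106(gcm(aes)) keymat must be 40, 56 or 72 hex digits, got ${#hex}" >&2
           return 1 ;;
    esac
}

# esp_state SRC DST SPI KEYMAT -> one "ip xfrm state add" line: 128-bit ICV, 32-packet replay window
esp_state() {
    check_gcm_keymat "$4" || return 1
    printf 'ip xfrm state add src %s dst %s proto esp spi %s mode transport aead "rfc4106(gcm(aes))" %s 128 replay-window 32\n' \
        "$1" "$2" "$3" "$4"
}

# esp_policy SRC DST DIR -> one "ip xfrm policy add" line whose template requires
# ESP in transport mode (TMPL-LIST with LEVEL "required").
esp_policy() {
    printf 'ip xfrm policy add src %s dst %s dir %s tmpl proto esp mode transport level required\n' \
        "$1" "$2" "$3"
}

# esp_pair A B SPI_AB SPI_BA KEY_AB KEY_BA -> the four commands host A needs:
# one SA per direction plus the out and in policies that select them.
esp_pair() {
    esp_state "$1" "$2" "$3" "$5" &&
    esp_state "$2" "$1" "$4" "$6" &&
    esp_policy "$1" "$2" out &&
    esp_policy "$2" "$1" in
}

# Constructed sample keymat (16-byte key + 4-byte salt); generate real keys randomly.
KEY_AB=0x00112233445566778899aabbccddeeff01020304
KEY_BA=0xffeeddccbbaa99887766554433221100a0b0c0d0

# Default is a dry run that prints the commands; "apply" pipes them to sh (as root).
if [ "${1:-}" = apply ]; then
    esp_pair 192.0.2.1 192.0.2.2 0x1001 0x1002 "$KEY_AB" "$KEY_BA" | sh
else
    esp_pair 192.0.2.1 192.0.2.2 0x1001 0x1002 "$KEY_AB" "$KEY_BA"
fi
```

Host B runs the same four commands with the in and out directions swapped; a keymat of the wrong length is rejected before any command is emitted.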
Security policies whose address prefix lengths are greater than or equal to the
policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.
specifies the minimum local address prefix length of policies that are
stored in the Security Policy Database hash table.
specifies the minimum remote address prefix length of policies that are
stored in the Security Policy Database hash table.
ip xfrm monitor state monitoring for xfrm objects
The xfrm objects to monitor can be optionally specified.
option is set, the program listens to all network namespaces that have a
nsid assigned into the network namespace where the program is running.
A prefix is displayed to show the network namespace where the message
[nsid 1]Flushed state proto 0
Manpage revised by David Ward <david.ward@ll.mit.edu>
Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>