.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
ip-xfrm \- transform configuration
.RI " { " COMMAND " | "
.IR XFRM-OBJECT " { " COMMAND " | "
.BR state " | " policy " | " monitor
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " replay-window
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.IR ADDR "[/" PLEN "] ]"
.B "ip xfrm state allocspi"
.BR "ip xfrm state" " { " delete " | " get " } "
.BR "ip xfrm state" " { " deleteall " | " list " } ["
.BR "ip xfrm state flush" " [ " proto
.BR "ip xfrm state count"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
.RB "{ " enc " | " auth " } "
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR
.BR "ip xfrm policy" " { " add " | " update " }"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.B "ip xfrm policy flush"
.B "ip xfrm policy count"
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.BR in " | " out " | " fwd
.BR allow " | " block
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR localok " | " icmp
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.BR required " | " use
.BR "ip xfrm monitor" " [ " all " |"
.IR LISTofXFRM-OBJECTS " ]"
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
object operating on the Security Association Database, and the
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.
ip xfrm state add add new state into xfrm
ip xfrm state update update existing state in xfrm
ip xfrm state allocspi allocate an SPI value
ip xfrm state delete delete existing state in xfrm
ip xfrm state get get existing state in xfrm
ip xfrm state deleteall delete all existing state in xfrm
ip xfrm state list print out the list of existing state in xfrm
ip xfrm state flush flush all state in xfrm
ip xfrm state count count all existing state in xfrm
ip xfrm monitor state monitoring for xfrm objects
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
contains one or more algorithms to use. Each algorithm
.RB "encryption (" enc "),"
.RB "authentication (" auth " or " auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), or"
.RB "compression (" comp ")"
.RB "(for all except " comp ")"
which may include both a key and a salt or nonce value; refer to the
.RB "(for " auth-trunc " only)"
the truncation length
.RB "(for " aead " only)"
the Integrity Check Value length
Encryption algorithms include
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", or " align4 "."
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
sets limits in seconds, bytes, or numbers of packets.
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
ip xfrm policy add add a new policy
ip xfrm policy update update an existing policy
ip xfrm policy delete delete an existing policy
ip xfrm policy get get an existing policy
ip xfrm policy deleteall delete all existing xfrm policies
ip xfrm policy list print out the list of xfrm policies
ip xfrm policy flush flush policies
ip xfrm policy count count existing policies
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
selects the policy direction as
.BR in ", " out ", or " fwd "."
sets the security context.
.BR main " (default) or " sub "."
.BR allow " (default) or " block "."
is a number that defaults to zero.
contains one or both of the following optional flags:
.BR localok " or " icmp "."
sets limits in seconds, bytes, or numbers of packets.
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
.BR required " (default) or " use "."
The xfrm objects to monitor can be optionally specified.
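As an added example that is not part of the iproute2 man page, the following POSIX sh script generates an ip(8) batch file (for "ip -batch FILE") that installs a transport-mode ESP SA pair using the aead algorithm rfc4106(gcm(aes)) from the state ALGO-LIST above, together with the in and out policies whose TMPL-LIST selects those SAs by REQID. The addresses, SPIs, keys and reqid are constructed placeholders; the keymat check reflects that rfc4106 ALGO-KEYMAT carries the AES key followed by a 4-byte salt.

```shell
#!/bin/sh
# Added example, not part of the iproute2 man page: emit an ip(8) batch file
# (feed it to "ip -batch FILE" as root) that installs a transport-mode ESP
# SA pair and the matching policies between two hosts.  The addresses, SPIs,
# keys and reqid used here are constructed placeholders.

# rfc4106(gcm(aes)) ALGO-KEYMAT is the AES key followed by a 4-byte salt, so
# the only valid forms are 0x + 40, 56 or 72 hex digits (AES-128/192/256).
gcm_keymat_ok() {
    case "$1" in
        0x*) hex=${1#0x} ;;
        *)   return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    n=${#hex}
    [ "$n" -eq 40 ] || [ "$n" -eq 56 ] || [ "$n" -eq 72 ]
}

# Fresh AES-128 key plus salt (20 bytes) from the kernel RNG; one per direction.
new_gcm_keymat() {
    printf '0x%s\n' "$(od -An -tx1 -N20 /dev/urandom | tr -d ' \n')"
}

# One direction: the SA (xfrm state) and the policy whose template selects
# it through REQID.  Batch mode needs no shell quoting around the parentheses.
# $1 src  $2 dst  $3 spi  $4 keymat  $5 reqid  $6 direction (out|in)
xfrm_one_way() {
    gcm_keymat_ok "$4" || { echo "bad rfc4106 keymat for $1 -> $2" >&2; return 1; }
    printf 'xfrm state add src %s dst %s proto esp spi %s reqid %s mode transport aead rfc4106(gcm(aes)) %s 128 replay-window 32\n' \
        "$1" "$2" "$3" "$5" "$4"
    printf 'xfrm policy add src %s dst %s dir %s tmpl src %s dst %s proto esp reqid %s mode transport\n' \
        "$1" "$2" "$6" "$1" "$2" "$5"
}

# Both directions.  $1 local  $2 peer  $3 spi out  $4 keymat out
#                   $5 spi in  $6 keymat in  $7 reqid
xfrm_batch() {
    xfrm_one_way "$1" "$2" "$3" "$4" "$7" out &&
    xfrm_one_way "$2" "$1" "$5" "$6" "$7" in
}

# Example run (placeholder addresses); afterwards: ip -batch /tmp/esp.batch
# xfrm_batch 192.0.2.1 192.0.2.2 0x1001 "$(new_gcm_keymat)" 0x1002 "$(new_gcm_keymat)" 7 > /tmp/esp.batch
```

The peer host runs the same generator with local and peer swapped and the same SPIs and keys, so that its "in" SA matches this host's "out" SA.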
Manpage revised by David Ward <david.ward@ll.mit.edu>