.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
ip-xfrm \- transform configuration
.RI " { " COMMAND " | "
.IR XFRM-OBJECT " { " COMMAND " | "
.BR state " | " policy " | " monitor
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " replay-window
.RB "[ " replay-seq-hi
.RB "[ " replay-oseq-hi
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.IR ADDR "[/" PLEN "] ]"
.B "ip xfrm state allocspi"
.BR "ip xfrm state" " { " delete " | " get " } "
.BR "ip xfrm state" " { " deleteall " | " list " } ["
.BR "ip xfrm state flush" " [ " proto
.BR "ip xfrm state count"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
.RB "{ " enc " | " auth " } "
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
.BR af-unspec " | " align4 " | " esn
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR
.BR "ip xfrm policy" " { " add " | " update " }"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.B "ip xfrm policy flush"
.B "ip xfrm policy count"
.B "ip xfrm policy set"
.IR LBITS " " RBITS " ]"
.IR LBITS " " RBITS " ]"
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.BR in " | " out " | " fwd
.BR allow " | " block
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR localok " | " icmp
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.BR required " | " use
.BR "ip xfrm monitor" " ["
.IR LISTofXFRM-OBJECTS " ]"
.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
.IR XFRM-OBJECT " := "
.BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
object operating on the Security Association Database, and the
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.
ip xfrm state add add new state into xfrm
ip xfrm state update update existing state in xfrm
ip xfrm state allocspi allocate an SPI value
ip xfrm state delete delete existing state in xfrm
ip xfrm state get get existing state in xfrm
ip xfrm state deleteall delete all existing state in xfrm
ip xfrm state list print out the list of existing state in xfrm
ip xfrm state flush flush all state in xfrm
ip xfrm state count count all existing state in xfrm
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
contains one or more algorithms to use. Each algorithm
.RB "encryption (" enc "),"
.RB "authentication (" auth " or " auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), or"
.RB "compression (" comp ")"
.RB "(for all except " comp ")"
which may include both a key and a salt or nonce value; refer to the
.RB "(for " auth-trunc " only)"
the truncation length
.RB "(for " aead " only)"
the Integrity Check Value length
Encryption algorithms include
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", " align4 ", or " esn "."
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
sets limits in seconds, bytes, or numbers of packets.
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
ip xfrm policy add add a new policy
ip xfrm policy update update an existing policy
ip xfrm policy delete delete an existing policy
ip xfrm policy get get an existing policy
ip xfrm policy deleteall delete all existing xfrm policies
ip xfrm policy list print out the list of xfrm policies
ip xfrm policy flush flush policies
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
selects the policy direction as
.BR in ", " out ", or " fwd "."
sets the security context.
.BR main " (default) or " sub "."
.BR allow " (default) or " block "."
is a number that defaults to zero.
contains one or both of the following optional flags:
.BR localok " or " icmp "."
sets limits in seconds, bytes, or numbers of packets.
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
.BR required " (default) or " use "."
ip xfrm policy count count existing policies
Use one or more -s options to display more details, including policy hash table
ip xfrm policy set configure the policy hash table
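As an added example that is not part of the iproute2 man page, the shell below assembles the ip xfrm state and ip xfrm policy commands described above for an ESP transport-mode SA pair between two hosts, with a tmpl binding each policy to its SA by reqid. Addresses, SPIs, reqids and key material are constructed placeholders, and the commands are echoed rather than executed unless XFRM_CMD=ip is set.

```shell
#!/bin/sh
# Added example, not from the iproute2 man page: emit the "ip xfrm" commands
# that install an ESP transport-mode SA pair plus the matching in/out policies
# between two hosts. Addresses, SPIs, reqids and key material are constructed
# placeholders. XFRM_CMD defaults to "echo" so the commands are only printed;
# run with XFRM_CMD=ip (as root) to apply them.
XFRM_CMD="${XFRM_CMD:-echo}"

# xfrm_sa SRC DST SPI REQID KEYMAT
# The state ID is src/dst/proto/spi. rfc4106(gcm(aes)) is an AEAD, so one
# ALGO-KEYMAT covers encryption and integrity: 160 bits = 128-bit key plus
# 32-bit salt, with a 128-bit ICV (ALGO-ICV-LEN). "flag esn" with a wide
# replay-window gives 64-bit sequence numbers and replay protection.
xfrm_sa() {
    src=$1 dst=$2 spi=$3 reqid=$4 keymat=$5
    $XFRM_CMD xfrm state add src "$src" dst "$dst" proto esp spi "$spi" \
        reqid "$reqid" mode transport \
        aead 'rfc4106(gcm(aes))' "$keymat" 128 \
        replay-window 128 flag esn
}

# xfrm_policy SRC DST DIR REQID
# The template (tmpl) ties the policy to the SA carrying the same reqid, so
# traffic matching the selector is only sent or accepted through that SA.
xfrm_policy() {
    src=$1 dst=$2 dir=$3 reqid=$4
    $XFRM_CMD xfrm policy add src "$src" dst "$dst" dir "$dir" \
        tmpl src "$src" dst "$dst" proto esp reqid "$reqid" mode transport
}

# setup_pair LOCAL REMOTE KEY_OUT KEY_IN: one SA and one policy per direction,
# as configured on host LOCAL (outbound uses reqid 1, inbound reqid 2).
setup_pair() {
    local_addr=$1 remote_addr=$2 key_out=$3 key_in=$4
    xfrm_sa "$local_addr" "$remote_addr" 0x1000 1 "$key_out"
    xfrm_sa "$remote_addr" "$local_addr" 0x1001 2 "$key_in"
    xfrm_policy "$local_addr" "$remote_addr" out 1
    xfrm_policy "$remote_addr" "$local_addr" in 2
}

# Constructed 160-bit keymat (40 hex digits) for illustration only; in a
# deployment the IKE daemon negotiates and installs these values.
setup_pair 192.0.2.1 192.0.2.2 \
    0x00112233445566778899aabbccddeeff01020304 \
    0xffeeddccbbaa99887766554433221100a0b0c0d0
```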
Security policies whose address prefix lengths are greater than or equal to the
policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.
specifies the minimum local address prefix length of policies that are
stored in the Security Policy Database hash table.
specifies the minimum remote address prefix length of policies that are
stored in the Security Policy Database hash table.
ip xfrm monitor state monitoring for xfrm objects
The xfrm objects to monitor can be optionally specified.
option is set, the program listens to all network namespaces that have an
nsid assigned into the network namespace where the program is running.
A prefix is displayed to show the network namespace where the message
[nsid 1]Flushed state proto 0
Manpage revised by David Ward <david.ward@ll.mit.edu>
Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>