1 | .TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux" |
2 | .SH "NAME" | |
aab2702d | 3 | ip-xfrm \- transform configuration |
4 | .SH "SYNOPSIS" |
5 | .sp | |
6 | .ad l | |
7 | .in +8 | |
8 | .ti -8 | |
9 | .B ip | |
10 | .RI "[ " OPTIONS " ]" | |
11 | .B xfrm | |
12 | .RI " { " COMMAND " | " | |
13 | .BR help " }" | |
14 | .sp | |
15 | ||
16 | .ti -8 | |
17 | .B "ip xfrm" | |
18 | .IR XFRM-OBJECT " { " COMMAND " | " | |
19 | .BR help " }" | |
20 | .sp | |
21 | ||
22 | .ti -8 | |
23 | .IR XFRM-OBJECT " :=" | |
24 | .BR state " | " policy " | " monitor | |
25 | .sp | |
26 | ||
27 | .ti -8 | |
28 | .BR "ip xfrm state" " { " add " | " update " } " | |
29 | .IR ID " [ " ALGO-LIST " ]" | |
30 | .RB "[ " mode | |
31 | .IR MODE " ]" | |
32 | .RB "[ " mark | |
33 | .I MARK | |
34 | .RB "[ " mask | |
35 | .IR MASK " ] ]" | |
36 | .RB "[ " reqid | |
37 | .IR REQID " ]" | |
38 | .RB "[ " seq | |
39 | .IR SEQ " ]" | |
40 | .RB "[ " replay-window | |
41 | .IR SIZE " ]" | |
42 | .RB "[ " replay-seq | |
43 | .IR SEQ " ]" | |
44 | .RB "[ " replay-oseq | |
45 | .IR SEQ " ]" | |
46 | .RB "[ " flag | |
47 | .IR FLAG-LIST " ]" | |
48 | .RB "[ " sel | |
49 | .IR SELECTOR " ] [ " LIMIT-LIST " ]" | |
50 | .RB "[ " encap | |
51 | .IR ENCAP " ]" | |
52 | .RB "[ " coa | |
53 | .IR ADDR "[/" PLEN "] ]" | |
54 | .RB "[ " ctx | |
55 | .IR CTX " ]" | |
56 | ||
57 | .ti -8 | |
58 | .B "ip xfrm state allocspi" | |
59 | .I ID | |
60 | .RB "[ " mode | |
61 | .IR MODE " ]" | |
62 | .RB "[ " mark | |
63 | .I MARK | |
64 | .RB "[ " mask | |
65 | .IR MASK " ] ]" | |
66 | .RB "[ " reqid | |
67 | .IR REQID " ]" | |
68 | .RB "[ " seq | |
69 | .IR SEQ " ]" | |
70 | .RB "[ " min | |
71 | .I SPI | |
72 | .B max | |
73 | .IR SPI " ]" | |
74 | ||
75 | .ti -8 | |
76 | .BR "ip xfrm state" " { " delete " | " get " } " | |
77 | .I ID | |
78 | .RB "[ " mark | |
79 | .I MARK | |
80 | .RB "[ " mask | |
81 | .IR MASK " ] ]" | |
82 | ||
83 | .ti -8 | |
84 | .BR "ip xfrm state" " { " deleteall " | " list " } [" | |
85 | .IR ID " ]" | |
86 | .RB "[ " mode | |
87 | .IR MODE " ]" | |
88 | .RB "[ " reqid | |
89 | .IR REQID " ]" | |
90 | .RB "[ " flag | |
91 | .IR FLAG-LIST " ]" | |
92 | ||
93 | .ti -8 | |
94 | .BR "ip xfrm state flush" " [ " proto | |
95 | .IR XFRM-PROTO " ]" | |
96 | ||
97 | .ti -8 | |
98 | .BR "ip xfrm state count" | |
99 | ||
100 | .ti -8 | |
101 | .IR ID " :=" | |
102 | .RB "[ " src | |
103 | .IR ADDR " ]" | |
104 | .RB "[ " dst | |
105 | .IR ADDR " ]" | |
106 | .RB "[ " proto | |
107 | .IR XFRM-PROTO " ]" | |
108 | .RB "[ " spi | |
109 | .IR SPI " ]" | |
110 | ||
111 | .ti -8 | |
112 | .IR XFRM-PROTO " :=" | |
113 | .BR esp " | " ah " | " comp " | " route2 " | " hao | |
114 | ||
115 | .ti -8 | |
116 | .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO | |
117 | ||
118 | .ti -8 | |
119 | .IR ALGO " :=" | |
120 | .RB "{ " enc " | " auth " | " comp " } " | |
121 | .IR ALGO-NAME " " ALGO-KEY " |" | |
122 | .br | |
123 | .B aead | |
124 | .IR ALGO-NAME " " ALGO-KEY " " ALGO-ICV-LEN " |" | |
125 | .br | |
126 | .B auth-trunc | |
127 | .IR ALGO-NAME " " ALGO-KEY " " ALGO-TRUNC-LEN | |
128 | ||
129 | .ti -8 | |
130 | .IR MODE " := " | |
131 | .BR transport " | " tunnel " | " ro " | " in_trigger " | " beet | |
132 | ||
133 | .ti -8 | |
134 | .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG | |
135 | ||
136 | .ti -8 | |
137 | .IR FLAG " :=" | |
138 | .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4 | |
139 | ||
140 | .ti -8 | |
141 | .IR SELECTOR " :=" | |
142 | .RB "[ " src | |
143 | .IR ADDR "[/" PLEN "] ]" | |
144 | .RB "[ " dst | |
145 | .IR ADDR "[/" PLEN "] ]" | |
146 | .RB "[ " dev | |
147 | .IR DEV " ]" | |
148 | .br | |
149 | .RI "[ " UPSPEC " ]" | |
150 | ||
151 | .ti -8 | |
152 | .IR UPSPEC " := " | |
153 | .BR proto " {" | |
154 | .IR PROTO " |" | |
155 | .br | |
156 | .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport | |
157 | .IR PORT " ]" | |
158 | .RB "[ " dport | |
159 | .IR PORT " ] |" | |
160 | .br | |
161 | .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type | |
162 | .IR NUMBER " ]" | |
163 | .RB "[ " code | |
164 | .IR NUMBER " ] |" | |
165 | .br | |
166 | .BR gre " [ " key | |
167 | .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }" | |
168 | ||
169 | .ti -8 | |
170 | .IR LIMIT-LIST " := [ " LIMIT-LIST " ]" | |
171 | .B limit | |
172 | .I LIMIT | |
173 | ||
174 | .ti -8 | |
175 | .IR LIMIT " :=" | |
176 | .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }" | |
177 | .IR "SECONDS" " |" | |
178 | .br | |
179 | .RB "{ " byte-soft " | " byte-hard " }" | |
180 | .IR SIZE " |" | |
181 | .br | |
182 | .RB "{ " packet-soft " | " packet-hard " }" | |
183 | .I COUNT | |
184 | ||
185 | .ti -8 | |
186 | .IR ENCAP " :=" | |
187 | .RB "{ " espinudp " | " espinudp-nonike " }" | |
188 | .IR SPORT " " DPORT " " OADDR | |
189 | ||
190 | .ti -8 | |
191 | .BR "ip xfrm policy" " { " add " | " update " }" | |
192 | .I SELECTOR | |
193 | .B dir | |
194 | .I DIR | |
195 | .RB "[ " ctx | |
196 | .IR CTX " ]" | |
197 | .RB "[ " mark | |
198 | .I MARK | |
199 | .RB "[ " mask | |
200 | .IR MASK " ] ]" | |
201 | .RB "[ " index | |
202 | .IR INDEX " ]" | |
203 | .RB "[ " ptype | |
204 | .IR PTYPE " ]" | |
205 | .RB "[ " action | |
206 | .IR ACTION " ]" | |
207 | .RB "[ " priority | |
208 | .IR PRIORITY " ]" | |
209 | .RB "[ " flag | |
210 | .IR FLAG-LIST " ]" | |
211 | .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]" | |
212 | ||
213 | .ti -8 | |
214 | .BR "ip xfrm policy" " { " delete " | " get " }" | |
215 | .RI "{ " SELECTOR " | " | |
216 | .B index | |
217 | .IR INDEX " }" | |
218 | .B dir | |
219 | .I DIR | |
220 | .RB "[ " ctx | |
221 | .IR CTX " ]" | |
222 | .RB "[ " mark | |
223 | .I MARK | |
224 | .RB "[ " mask | |
225 | .IR MASK " ] ]" | |
226 | .RB "[ " ptype | |
227 | .IR PTYPE " ]" | |
228 | ||
229 | .ti -8 | |
230 | .BR "ip xfrm policy" " { " deleteall " | " list " }" | |
231 | .RI "[ " SELECTOR " ]" | |
232 | .RB "[ " dir | |
233 | .IR DIR " ]" | |
234 | .RB "[ " index | |
235 | .IR INDEX " ]" | |
236 | .RB "[ " ptype | |
237 | .IR PTYPE " ]" | |
238 | .RB "[ " action | |
239 | .IR ACTION " ]" | |
240 | .RB "[ " priority | |
241 | .IR PRIORITY " ]" | |
242 | ||
243 | .ti -8 | |
244 | .B "ip xfrm policy flush" | |
245 | .RB "[ " ptype | |
246 | .IR PTYPE " ]" | |
247 | ||
248 | .ti -8 | |
249 | .B "ip xfrm policy count" | |
250 | ||
251 | .ti -8 | |
252 | .IR SELECTOR " :=" | |
253 | .RB "[ " src | |
254 | .IR ADDR "[/" PLEN "] ]" | |
255 | .RB "[ " dst | |
256 | .IR ADDR "[/" PLEN "] ]" | |
257 | .RB "[ " dev | |
258 | .IR DEV " ]" | |
259 | .RI "[ " UPSPEC " ]" | |
260 | ||
261 | .ti -8 | |
262 | .IR UPSPEC " := " | |
263 | .BR proto " {" | |
264 | .IR PROTO " |" | |
265 | .br | |
266 | .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport | |
267 | .IR PORT " ]" | |
268 | .RB "[ " dport | |
269 | .IR PORT " ] |" | |
270 | .br | |
271 | .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type | |
272 | .IR NUMBER " ]" | |
273 | .RB "[ " code | |
274 | .IR NUMBER " ] |" | |
275 | .br | |
276 | .BR gre " [ " key | |
277 | .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }" | |
278 | ||
279 | .ti -8 | |
280 | .IR DIR " := " | |
281 | .BR in " | " out " | " fwd | |
282 | ||
283 | .ti -8 | |
284 | .IR PTYPE " := " | |
285 | .BR main " | " sub | |
286 | ||
287 | .ti -8 | |
288 | .IR ACTION " := " | |
289 | .BR allow " | " block | |
290 | ||
291 | .ti -8 | |
292 | .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG | |
293 | ||
294 | .ti -8 | |
295 | .IR FLAG " :=" | |
296 | .BR localok " | " icmp | |
297 | ||
298 | .ti -8 | |
299 | .IR LIMIT-LIST " := [ " LIMIT-LIST " ]" | |
300 | .B limit | |
301 | .I LIMIT | |
302 | ||
303 | .ti -8 | |
304 | .IR LIMIT " :=" | |
305 | .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }" | |
306 | .IR "SECONDS" " |" | |
307 | .br | |
308 | .RB "{ " byte-soft " | " byte-hard " }" | |
309 | .IR SIZE " |" | |
310 | .br | |
311 | .RB "{ " packet-soft " | " packet-hard " }" | |
312 | .I COUNT | |
313 | ||
314 | .ti -8 | |
315 | .IR TMPL-LIST " := [ " TMPL-LIST " ]" | |
316 | .B tmpl | |
317 | .I TMPL | |
318 | ||
319 | .ti -8 | |
320 | .IR TMPL " := " ID | |
321 | .RB "[ " mode | |
322 | .IR MODE " ]" | |
323 | .RB "[ " reqid | |
324 | .IR REQID " ]" | |
325 | .RB "[ " level | |
326 | .IR LEVEL " ]" | |
327 | ||
328 | .ti -8 | |
329 | .IR ID " :=" | |
330 | .RB "[ " src | |
331 | .IR ADDR " ]" | |
332 | .RB "[ " dst | |
333 | .IR ADDR " ]" | |
334 | .RB "[ " proto | |
335 | .IR XFRM-PROTO " ]" | |
336 | .RB "[ " spi | |
337 | .IR SPI " ]" | |
338 | ||
339 | .ti -8 | |
340 | .IR XFRM-PROTO " :=" | |
341 | .BR esp " | " ah " | " comp " | " route2 " | " hao | |
342 | ||
343 | .ti -8 | |
344 | .IR MODE " := " | |
345 | .BR transport " | " tunnel " | " ro " | " in_trigger " | " beet | |
346 | ||
347 | .ti -8 | |
348 | .IR LEVEL " :=" | |
349 | .BR required " | " use | |
350 | ||
351 | .ti -8 | |
352 | .BR "ip xfrm monitor" " [ " all " |" | |
353 | .IR LISTofXFRM-OBJECTS " ]" | |
354 | ||
355 | .in -8 | |
356 | .ad b | |
357 | ||
358 | .SH DESCRIPTION | |
359 | ||
360 | xfrm is an IP framework for transforming packets (such as encrypting | |
361 | their payloads). This framework is used to implement the IPsec protocol | |
362 | suite (with the | |
363 | .B state | |
364 | object operating on the Security Association Database, and the | |
365 | .B policy | |
366 | object operating on the Security Policy Database). It is also used for | |
367 | the IP Payload Compression Protocol and features of Mobile IPv6. | |
368 | ||
369 | .SS ip xfrm state add - add new state into xfrm | |
370 | ||
371 | .SS ip xfrm state update - update existing state in xfrm | |
372 | ||
373 | .SS ip xfrm state allocspi - allocate an SPI value | |
374 | ||
375 | .SS ip xfrm state delete - delete existing state in xfrm | |
376 | ||
377 | .SS ip xfrm state get - get existing state in xfrm | |
378 | ||
379 | .SS ip xfrm state deleteall - delete all existing state in xfrm | |
380 | ||
381 | .SS ip xfrm state list - print out the list of existing state in xfrm | |
382 | ||
383 | .SS ip xfrm state flush - flush all state in xfrm | |
384 | ||
385 | .SS ip xfrm state count - count all existing state in xfrm | |
386 | ||
387 | .TP | |
388 | .IR ID | |
389 | is specified by a source address, destination address, | |
390 | .RI "transform protocol " XFRM-PROTO "," | |
391 | and/or Security Parameter Index | |
392 | .IR SPI "." | |
393 | ||
394 | .TP | |
395 | .I XFRM-PROTO | |
396 | specifies a transform protocol: | |
397 | .RB "IPsec Encapsulating Security Payload (" esp ")," | |
398 | .RB "IPsec Authentication Header (" ah ")," | |
399 | .RB "IP Payload Compression (" comp ")," | |
400 | .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or" | |
401 | .RB "Mobile IPv6 Home Address Option (" hao ")." | |
402 | ||
403 | .TP | |
404 | .I ALGO-LIST | |
405 | specifies one or more algorithms | |
406 | .IR ALGO | |
407 | to use. Algorithm types include | |
408 | .RB "encryption (" enc ")," | |
409 | .RB "authentication (" auth ")," | |
410 | .RB "authentication with a specified truncation length (" auth-trunc ")," | |
411 | .RB "authenticated encryption with associated data (" aead "), and" | |
412 | .RB "compression (" comp ")." | |
413 | For each algorithm used, the algorithm type, the algorithm name | |
414 | .IR ALGO-NAME "," | |
415 | and the key | |
416 | .I ALGO-KEY | |
417 | must be specified. For | |
418 | .BR aead "," | |
419 | the Integrity Check Value length | |
420 | .I ALGO-ICV-LEN | |
421 | must additionally be specified. | |
422 | For | |
423 | .BR auth-trunc "," | |
424 | the authentication tag (ICV) truncation length | |
425 | .I ALGO-TRUNC-LEN | |
426 | must additionally be specified. | |
427 | ||
428 | .TP | |
429 | .I MODE | |
430 | specifies a mode of operation: | |
431 | .RB "IPsec transport mode (" transport "), " | |
432 | .RB "IPsec tunnel mode (" tunnel "), " | |
433 | .RB "Mobile IPv6 route optimization mode (" ro "), " | |
434 | .RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or " | |
435 | .RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")." | |
436 | ||
437 | .TP | |
438 | .I FLAG-LIST | |
439 | contains one or more of the following optional flags: | |
440 | .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", " | |
441 | .BR af-unspec ", or " align4 "." | |
442 | ||
443 | .TP | |
444 | .IR SELECTOR | |
445 | selects the traffic that will be controlled by the policy, based on the source | |
446 | address, the destination address, the network device, and/or | |
447 | .IR UPSPEC "." | |
448 | ||
449 | .TP | |
450 | .IR UPSPEC | |
451 | selects traffic by protocol. For the | |
452 | .BR tcp ", " udp ", " sctp ", or " dccp | |
453 | protocols, the source and destination port can optionally be specified. | |
454 | For the | |
455 | .BR icmp ", " ipv6-icmp ", or " mobility-header | |
456 | protocols, the type and code numbers can optionally be specified. | |
457 | For the | |
458 | .B gre | |
459 | protocol, the key can optionally be specified as a dotted-quad or number. | |
460 | Other protocols can be selected by name or number | |
461 | .IR PROTO "." | |
462 | ||
463 | .TP | |
464 | .I LIMIT-LIST | |
465 | sets limits in seconds, bytes, or numbers of packets. | |
466 | ||
467 | .TP | |
468 | .I ENCAP | |
469 | encapsulates packets with protocol | |
470 | .BR espinudp " or " espinudp-nonike "," | |
471 | .RI "using source port " SPORT ", destination port " DPORT | |
472 | .RI ", and original address " OADDR "." | |
473 | ||
474 | .SS ip xfrm policy add - add a new policy | |
475 | ||
476 | .SS ip xfrm policy update - update an existing policy | |
477 | ||
478 | .SS ip xfrm policy delete - delete an existing policy | |
479 | ||
480 | .SS ip xfrm policy get - get an existing policy | |
481 | ||
482 | .SS ip xfrm policy deleteall - delete all existing xfrm policies | |
483 | ||
484 | .SS ip xfrm policy list - print out the list of xfrm policies | |
485 | ||
486 | .SS ip xfrm policy flush - flush policies | |
487 | ||
488 | .SS ip xfrm policy count - count existing policies | |
489 | ||
490 | .TP | |
491 | .IR SELECTOR | |
492 | selects the traffic that will be controlled by the policy, based on the source | |
493 | address, the destination address, the network device, and/or | |
494 | .IR UPSPEC "." | |
495 | ||
496 | .TP | |
497 | .IR UPSPEC | |
498 | selects traffic by protocol. For the | |
499 | .BR tcp ", " udp ", " sctp ", or " dccp | |
500 | protocols, the source and destination port can optionally be specified. | |
501 | For the | |
502 | .BR icmp ", " ipv6-icmp ", or " mobility-header | |
503 | protocols, the type and code numbers can optionally be specified. | |
504 | For the | |
505 | .B gre | |
506 | protocol, the key can optionally be specified as a dotted-quad or number. | |
507 | Other protocols can be selected by name or number | |
508 | .IR PROTO "." | |
509 | ||
510 | .TP | |
511 | .I DIR | |
512 | selects the policy direction as | |
513 | .BR in ", " out ", or " fwd "." | |
514 | ||
515 | .TP | |
516 | .I CTX | |
517 | sets the security context. | |
518 | ||
519 | .TP | |
520 | .I PTYPE | |
521 | can be | |
522 | .BR main " (default) or " sub "." | |
523 | ||
524 | .TP | |
525 | .I ACTION | |
526 | can be | |
527 | .BR allow " (default) or " block "." | |
528 | ||
529 | .TP | |
530 | .I PRIORITY | |
531 | is a number that defaults to zero. | |
532 | ||
533 | .TP | |
534 | .I FLAG-LIST | |
535 | contains one or both of the following optional flags: | |
536 | .BR localok " or " icmp "." | |
537 | ||
538 | .TP | |
539 | .I LIMIT-LIST | |
540 | sets limits in seconds, bytes, or numbers of packets. | |
541 | ||
542 | .TP | |
543 | .I TMPL-LIST | |
544 | is a template list specified using | |
545 | .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". " | |
546 | ||
547 | .TP | |
548 | .IR ID | |
549 | is specified by a source address, destination address, | |
550 | .RI "transform protocol " XFRM-PROTO "," | |
551 | and/or Security Parameter Index | |
552 | .IR SPI "." | |
553 | ||
554 | .TP | |
555 | .I XFRM-PROTO | |
556 | specifies a transform protocol: | |
557 | .RB "IPsec Encapsulating Security Payload (" esp ")," | |
558 | .RB "IPsec Authentication Header (" ah ")," | |
559 | .RB "IP Payload Compression (" comp ")," | |
560 | .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or" | |
561 | .RB "Mobile IPv6 Home Address Option (" hao ")." | |
562 | ||
563 | .TP | |
564 | .I MODE | |
565 | specifies a mode of operation: | |
566 | .RB "IPsec transport mode (" transport "), " | |
567 | .RB "IPsec tunnel mode (" tunnel "), " | |
568 | .RB "Mobile IPv6 route optimization mode (" ro "), " | |
569 | .RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or " | |
570 | .RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")." | |
571 | ||
572 | .TP | |
573 | .I LEVEL | |
574 | can be | |
575 | .BR required " (default) or " use "." | |
576 | ||
577 | .SS ip xfrm monitor - state monitoring for xfrm objects | |
578 | The xfrm objects to monitor can optionally be specified. | |
579 | ||
580 | .SH AUTHOR | |
581 | Manpage by David Ward |