eroute.5

This a good VPN source

.TH IPSEC_EROUTE 5 "20 Sep 2001"
.\"
.\" RCSID $Id: eroute.5,v 1.10 2003/10/31 02:32:27 mcr Exp $
.\"
.SH NAME
ipsec_eroute \- list of existing eroutes
.SH SYNOPSIS
.B ipsec
.B eroute
.PP
.B cat
.B /proc/net/ipsec_eroute
.SH DESCRIPTION
.I /proc/net/ipsec_eroute
lists the IPSEC extended routing tables,
which control what (if any) processing is applied
to non-encrypted packets arriving for IPSEC processing and forwarding.
At this point it is a read-only file.
.PP
A table entry consists of:
.IP + 3
packet count,
.IP +
source address with mask and source port (0 if all ports or not applicable)
.IP +
a '->' separator for visual and automated parsing between src and dst
.IP +
destination address with mask and destination port (0 if all ports or
not applicable)
.IP +
a '=>' separator for visual and automated parsing between selection
criteria and SAID to use
.IP +
SAID (Security Association IDentifier), comprised of:
.IP + 6
protocol
(\fIproto\fR),
.IP +
address family
(\fIaf\fR),
where '.' stands for IPv4 and ':' for IPv6
.IP +
Security Parameters Index
(\fISPI\fR),
.IP +
effective destination
(\fIedst\fR),
where the packet should be forwarded after processing
(normally the other security gateway)
together indicate which Security Association should be used to process
the packet,
.IP + 3
a ':' separating the SAID from the transport protocol (0 if all protocols)
.IP +
source identity text string with no whitespace, in parens,
.IP +
destination identity text string with no whitespace, in parens
.PP
Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
protocol is one of "ah", "esp", "comp" or "tun"
and
SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6
.
.PP
SAIDs are written as "protoafSPI@edst".  There are also 5
"magic" SAIDs which have special meaning:
.IP + 3
.B %drop
means that matches are to be dropped
.IP +
.B %reject
means that matches are to be dropped and an ICMP returned, if
possible to inform
.IP +
.B %trap
means that matches are to trigger an ACQUIRE message to the Key
Management daemon(s) and a hold eroute will be put in place to
prevent subsequent packets also triggering ACQUIRE messages.
.IP +
.B %hold
means that matches are to stored until the eroute is replaced or
until that eroute gets reaped
.IP +
.B %pass
means that matches are to allowed to pass without IPSEC processing
.br
.ne 5
.SH EXAMPLES
.LP
.B "1867     172.31.252.0/24:0  -> 0.0.0.0/0:0        => tun0x130@192.168.43.1:0 "
.br
.B "        ()	()"
.LP
means that 1,867 packets have been sent to an
.BR eroute
that has been set up to protect traffic between the subnet
.BR 172.31.252.0
with a subnet mask of
.BR 24
bits and the default address/mask represented by an address of
.BR 0.0.0.0
with a subnet mask of
.BR 0
bits using the local machine as a security gateway on this end of the
tunnel and the machine
.BR 192.168.43.1
on the other end of the tunnel with a Security Association IDentifier of
.BR tun0x130@192.168.43.1
which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a
Security Parameters Index of
.BR 130
in hexadecimal with no identies defined for either end.
.LP
.B "746     192.168.2.110/32:0  -> 192.168.2.120/32:25   => esp0x130@192.168.2.120:6 "
.br
.B "        ()	()"
.LP
means that 746 packets have been sent to an
.BR eroute
that has been set up to protect traffic sent from any port on the host
.BR 192.168.2.110
to the SMTP (TCP, port 25) port on the host
.BR 192.168.2.120
with a Security Association IDentifier of
.BR tun0x130@192.168.2.120
which means that it is a transport mode connection with a
Security Parameters Index of
.BR 130
in hexadecimal with no identies defined for either end.
.LP
.B 125      3049:1::/64    -> 0:0/0          => tun:130@3058:4::5	()	()
.LP
means that 125 packets have been sent to an
.BR eroute
that has been set up to protect traffic between the subnet
.BR 3049:1::
with a subnet mask of
.BR 64
bits and the default address/mask represented by an address of
.BR 0:0
with a subnet mask of
.BR 0
bits using the local machine as a security gateway on this end of the
tunnel and the machine
.BR 3058:4::5
on the other end of the tunnel with a Security Association IDentifier of
.BR tun:130@3058:4::5
which means that it is a tunnel mode connection with a
Security Parameters Index of
.BR 130
in hexadecimal with no identies defined for either end.
.LP
.B 42         192.168.6.0/24:0   -> 192.168.7.0/24:0   => %passthrough
.LP
means that 42 packets have been sent to an
.BR eroute
that has been set up to pass the traffic from the subnet
.BR 192.168.6.0
with a subnet mask of
.BR 24
bits and to subnet
.BR 192.168.7.0
with a subnet mask of
.BR 24
bits without any IPSEC processing with no identies defined for either end.
.LP
.B 2112     192.168.8.55/32:0  -> 192.168.9.47/24:0  => %hold	(east)	()
.LP
means that 2112 packets have been sent to an
.BR eroute
that has been set up to hold the traffic from the host
.BR 192.168.8.55
and to host
.BR 192.168.9.47
until a key exchange from a Key Management daemon
succeeds and puts in an SA or fails and puts in a pass
or drop eroute depending on the default configuration with the local client
defined as "east" and no identy defined for the remote end.
.LP
.B "2001     192.168.2.110/32:0  -> 192.168.2.120/32:0 => "
.br
.B "        esp0xe6de@192.168.2.120:0	()	()"
.LP
means that 2001 packets have been sent to an
.BR eroute
that has been set up to protect traffic between the host
.BR 192.168.2.110
and the host
.BR 192.168.2.120
using
.BR 192.168.2.110
as a security gateway on this end of the
connection and the machine
.BR 192.168.2.120
on the other end of the connection with a Security Association IDentifier of
.BR esp0xe6de@192.168.2.120
which means that it is a transport mode connection with a Security
Parameters Index of
.BR e6de
in hexadecimal using Encapsuation Security Payload protocol (50,
IPPROTO_ESP) with no identies defined for either end.
.LP
.B "1984     3049:1::110/128   -> 3049:1::120/128   => "
.br
.B "        ah:f5ed@3049:1::120	()	()"
.LP
means that 1984 packets have been sent to an
.BR eroute
that has been set up to authenticate traffic between the host
.BR 3049:1::110
and the host
.BR 3049:1::120
using
.BR 3049:1::110
as a security gateway on this end of the
connection and the machine
.BR 3049:1::120
on the other end of the connection with a Security Association IDentifier of
.BR ah:f5ed@3049:1::120
which means that it is a transport mode connection with a Security
Parameters Index of
.BR f5ed
in hexadecimal using Authentication Header protocol (51,
IPPROTO_AH) with no identies defined for either end.
.SH FILES
/proc/net/ipsec_eroute, /usr/local/bin/ipsec
.SH "SEE ALSO"
ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5),
ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5),
ipsec_pf_key(5)
.SH HISTORY
Written for the Linux FreeS/WAN project
<http://www.freeswan.org/>
by Richard Guy Briggs.
.\"
.\" $Log: eroute.5,v $
.\" Revision 1.10  2003/10/31 02:32:27  mcr
.\" 	pulled up port-selector patches
.\"
.\" Revision 1.9.28.1  2003/09/21 14:00:26  mcr
.\" 	pre-liminary X.509 patch - does not yet pass tests.
.\"
.\" Revision 1.9  2002/04/24 07:35:38  mcr
.\" Moved from ./klips/utils/eroute.5,v
.\"
.\" Revision 1.8  2001/09/20 15:33:13  rgb
.\" PF_KEYv2 ident extension output documentation.
.\"
.\" Revision 1.7  2001/05/29 05:15:31  rgb
.\" Added packet count field at beginning of line.
.\"
.\" Revision 1.6  2001/02/26 19:58:32  rgb
.\" Put SAID elements in order they appear in SAID.
.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
.\" of the new SPD and to support opportunistic.
.\"
.\" Revision 1.5  2000/09/17 18:56:48  rgb
.\" Added IPCOMP support.
.\"
.\" Revision 1.4  2000/09/13 15:54:31  rgb
.\" Added Gerhard's ipv6 updates.
.\"
.\" Revision 1.3  2000/06/30 18:21:55  rgb
.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
.\" and correct FILES sections to no longer refer to /dev/ipsec which has
.\" been removed since PF_KEY does not use it.
.\"
.\" Revision 1.2  2000/06/28 12:44:11  henry
.\" format touchup
.\"
.\" Revision 1.1  2000/06/28 05:43:00  rgb
.\" Added manpages for all 5 klips utils.
.\"
.\"
.\"