.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
ip-xfrm \- transform configuration
.RI " { " COMMAND " | "
.IR XFRM-OBJECT " { " COMMAND " | "
.BR state " | " policy " | " monitor
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " replay-window
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.IR ADDR "[/" PLEN "] ]"
.B "ip xfrm state allocspi"
.BR "ip xfrm state" " { " delete " | " get " } "
.BR "ip xfrm state" " { " deleteall " | " list " } ["
.BR "ip xfrm state flush" " [ " proto
.BR "ip xfrm state count"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
.RB "{ " enc " | " auth " | " comp " } "
.IR ALGO-NAME " " ALGO-KEY " |"
.IR ALGO-NAME " " ALGO-KEY " " ALGO-ICV-LEN " |"
.IR ALGO-NAME " " ALGO-KEY " " ALGO-TRUNC-LEN
.BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR
.BR "ip xfrm policy" " { " add " | " update " }"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.B "ip xfrm policy flush"
.B "ip xfrm policy count"
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.BR in " | " out " | " fwd
.BR allow " | " block
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR localok " | " icmp
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
.BR required " | " use
.BR "ip xfrm monitor" " [ " all " |"
.IR LISTofXFRM-OBJECTS " ]"
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
object operating on the Security Association Database, and the
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.
.SS ip xfrm state add - add new state into xfrm
.SS ip xfrm state update - update existing state in xfrm
.SS ip xfrm state allocspi - allocate an SPI value
.SS ip xfrm state delete - delete existing state in xfrm
.SS ip xfrm state get - get existing state in xfrm
.SS ip xfrm state deleteall - delete all existing state in xfrm
.SS ip xfrm state list - print out the list of existing state in xfrm
.SS ip xfrm state flush - flush all state in xfrm
.SS ip xfrm state count - count all existing state in xfrm
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies one or more algorithms
to use. Algorithm types include
.RB "encryption (" enc "),"
.RB "authentication (" auth "),"
.RB "authentication with a specified truncation length (" auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), and"
.RB "compression (" comp ")."
For each algorithm used, the algorithm type, the algorithm name
must be specified. For
the Integrity Check Value length
must additionally be specified.
the signature truncation length
must additionally be specified.
specifies a mode of operation:
.RB "IPsec transport mode (" transport "), "
.RB "IPsec tunnel mode (" tunnel "), "
.RB "Mobile IPv6 route optimization mode (" ro "), "
.RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
.RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", or " align4 "."
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
sets limits in seconds, bytes, or numbers of packets.
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
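The state parameters described above are also what an auditor reads back from
.B ip xfrm state list
on a running system. The following POSIX shell script is an added example, not part of iproute2 or of this manual page: it parses a listing in that format from standard input and reports Security Associations whose algorithm list or replay setting is weak. The listing embedded in xfrm_sample is constructed for the example (addresses, SPIs and keys are made up and the keys are shortened), and the definition of "weak" (null or DES-family encryption, HMAC-MD5, ESP encryption with no integrity algorithm, replay-window 0) is this example's own rule set, not something the kernel enforces.

```shell
#!/bin/sh
# Audit `ip xfrm state` output for weak Security Associations.
# Added example, not part of iproute2. Reads the listing on stdin.

# Constructed sample listing in the layout printed by `ip xfrm state`
# (keys shortened; addresses and SPIs are documentation values).
xfrm_sample() {
    cat <<'EOF'
src 192.0.2.1 dst 198.51.100.7
    proto esp spi 0x0000a001 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x0123456789abcdef0123456789abcdef01234567 128
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 198.51.100.7 dst 192.0.2.1
    proto esp spi 0x0000a002 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(md5) 0x0123456789abcdef0123456789abcdef 96
    enc cbc(des3_ede) 0x0123456789abcdef0123456789abcdef0123456789abcdef
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.0.0.5 dst 10.0.0.6
    proto esp spi 0x00000101 reqid 2 mode transport
    replay-window 32
    enc cbc(aes) 0x0123456789abcdef0123456789abcdef
    sel src 10.0.0.5/32 dst 10.0.0.6/32
EOF
}

# One finding per line: "SPI src->dst: reason". Each SA record starts with a
# "src ... dst ..." line; the indented lines that follow belong to it.
xfrm_audit() {
    awk '
    function report(msg) { print spi " " sa ": " msg }
    function flush() {
        if (sa == "") return
        if (enc ~ /cipher_null|des|arc4|blowfish/) report("weak encryption " enc)
        if (auth ~ /md5|digest_null/) report("weak authentication " auth)
        if (proto == "esp" && aead == "" && auth == "" && enc != "")
            report("ESP encryption with no integrity algorithm")
        if (rw == "0") report("anti-replay disabled (replay-window 0)")
        sa = ""; proto = ""; spi = ""; enc = ""; auth = ""; aead = ""; rw = ""
    }
    $1 == "src" { flush(); sa = $2 "->" $4 }
    $1 == "proto" {
        proto = $2
        for (i = 1; i < NF; i++) if ($i == "spi") spi = $(i + 1)
    }
    $1 == "replay-window" { rw = $2 }
    $1 == "enc" { enc = $2 }
    $1 == "auth" || $1 == "auth-trunc" { auth = $2 }
    $1 == "aead" { aead = $2 }
    END { flush() }
    '
}

# Number of findings for the listing on stdin.
xfrm_audit_count() {
    xfrm_audit | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample; replace xfrm_sample with
# `ip xfrm state` to audit the live Security Association Database.
xfrm_sample | xfrm_audit
```

On the sample this reports four findings, all on the second and third SAs: the first SA (AES-GCM with a 32-packet replay window) is clean. The third SA shows a case worth remembering: the kernel accepts
.B enc
without any
.B auth
or
.B aead
entry, which yields ESP that is encrypted but not integrity-protected.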
.SS ip xfrm policy add - add a new policy
.SS ip xfrm policy update - update an existing policy
.SS ip xfrm policy delete - delete an existing policy
.SS ip xfrm policy get - get an existing policy
.SS ip xfrm policy deleteall - delete all existing xfrm policies
.SS ip xfrm policy list - print out the list of xfrm policies
.SS ip xfrm policy flush - flush policies
.SS ip xfrm policy count - count existing policies
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
selects the policy direction as
.BR in ", " out ", or " fwd "."
sets the security context.
.BR main " (default) or " sub "."
.BR allow " (default) or " block "."
is a number that defaults to zero.
contains one or both of the following optional flags:
.BR localok " or " icmp "."
sets limits in seconds, bytes, or numbers of packets.
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies a mode of operation:
.RB "IPsec transport mode (" transport "), "
.RB "IPsec tunnel mode (" tunnel "), "
.RB "Mobile IPv6 route optimization mode (" ro "), "
.RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
.RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
.BR required " (default) or " use "."
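The state and policy objects described in the two sections above are normally installed together: one ESP state per direction, joined to the
.BR out ", " in " and " fwd
policies through a shared
.IR REQID .
The script below is an added example, not part of iproute2 or of this manual page, showing a manually keyed tunnel-mode pair with AES-GCM. The hosts, subnets, SPIs and reqid are constructed values; the key sizes are the ones the kernel's rfc4106(gcm(aes)) transform accepts (an AES key followed by a 32-bit salt in one hex blob), and the length check exists because
.B ip xfrm state add
rejects a key of the wrong length rather than truncating it. By default it only prints the commands; setting XFRM_APPLY=1 executes them, which requires CAP_NET_ADMIN. Manual keying of this kind is for lab and test use: in production an IKE daemon negotiates the keys and SPIs and replaces them before the
.I LIMIT-LIST
thresholds are reached.

```shell
#!/bin/sh
# Manually keyed tunnel-mode ESP between two hosts, both directions, plus the
# in/out/fwd policies that select traffic into it. Added example, not part of
# iproute2. Dry-run by default; XFRM_APPLY=1 executes the commands (root).

LEFT=192.0.2.1             # our outer address (constructed)
RIGHT=198.51.100.7         # peer's outer address (constructed)
LEFT_NET=10.1.0.0/24       # subnet behind us (constructed)
RIGHT_NET=10.2.0.0/24      # subnet behind the peer (constructed)
REQID=1                    # links each policy template to its state
SPI_OUT=0x0000a001         # SPI the peer assigned for traffic it receives
SPI_IN=0x0000a002          # SPI we assigned for traffic we receive
ALGO='rfc4106(gcm(aes))'   # AES-GCM as an ESP AEAD; no separate auth entry
ICV_BITS=128               # ALGO-ICV-LEN: full 128-bit GCM tag
AES_BITS=${AES_BITS:-128}

# Key bytes the kernel expects for rfc4106(gcm(aes)) at a given AES size:
# the AES key followed by a 4-byte nonce salt, passed as one hex blob.
gcm_key_bytes() {
    case "$1" in
        128) echo 20 ;;
        192) echo 28 ;;
        256) echo 36 ;;
        *)   echo "unsupported AES size: $1" >&2; return 1 ;;
    esac
}

# Fresh random key of N bytes as lowercase hex, without the 0x prefix.
gen_key() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# Succeeds only if hex key $2 (with or without 0x) has the right length for
# AES size $1. Checked here so a bad key never reaches the SAD.
check_gcm_key() {
    k=${2#0x}
    want=$(gcm_key_bytes "$1") || return 1
    [ $(( ${#k} % 2 )) -eq 0 ] && [ $(( ${#k} / 2 )) -eq "$want" ]
}

# Print the command, or run it when XFRM_APPLY=1.
run() {
    if [ "${XFRM_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

main() {
    bytes=$(gcm_key_bytes "$AES_BITS") || return 1
    # Both ends must install the same key for a given SPI; the peer receives
    # these values out of band. KEY_OUT/KEY_IN may be preset in the environment.
    KEY_OUT=${KEY_OUT:-$(gen_key "$bytes")}
    KEY_IN=${KEY_IN:-$(gen_key "$bytes")}
    check_gcm_key "$AES_BITS" "$KEY_OUT" || { echo "KEY_OUT has wrong length" >&2; return 1; }
    check_gcm_key "$AES_BITS" "$KEY_IN"  || { echo "KEY_IN has wrong length" >&2; return 1; }

    # One state per direction; replay-window 32 keeps anti-replay enabled.
    run ip xfrm state add src "$LEFT" dst "$RIGHT" proto esp spi "$SPI_OUT" \
        reqid "$REQID" mode tunnel replay-window 32 aead "$ALGO" "0x$KEY_OUT" "$ICV_BITS"
    run ip xfrm state add src "$RIGHT" dst "$LEFT" proto esp spi "$SPI_IN" \
        reqid "$REQID" mode tunnel replay-window 32 aead "$ALGO" "0x$KEY_IN" "$ICV_BITS"

    # Policies: the selector picks the inner traffic, the template (matched by
    # reqid) names the state that must protect it. The fwd policy covers
    # packets routed through this host rather than terminating on it.
    run ip xfrm policy add src "$LEFT_NET" dst "$RIGHT_NET" dir out \
        tmpl src "$LEFT" dst "$RIGHT" proto esp reqid "$REQID" mode tunnel
    run ip xfrm policy add src "$RIGHT_NET" dst "$LEFT_NET" dir in \
        tmpl src "$RIGHT" dst "$LEFT" proto esp reqid "$REQID" mode tunnel
    run ip xfrm policy add src "$RIGHT_NET" dst "$LEFT_NET" dir fwd \
        tmpl src "$RIGHT" dst "$LEFT" proto esp reqid "$REQID" mode tunnel
}

main
```

After applying, confirm the result with
.B ip xfrm state
and
.BR "ip xfrm policy" :
each template's
.I REQID
must match a state with the same source, destination and protocol, otherwise outbound packets that hit the policy have no state to use and are dropped, and
.B ip xfrm monitor
shows the kernel's acquire request for the missing state.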
.SS ip xfrm monitor - state monitoring for xfrm objects
The xfrm objects to monitor can be optionally specified.
Manpage by David Ward