IPSEC_SPI
Section: File Formats (5)
Updated: 26 Jun 2000
NAME
ipsec_spi - list IPSEC Security Associations
SYNOPSIS
ipsec spi
cat /proc/net/ipsec_spi
DESCRIPTION
/proc/net/ipsec_spi is a read-only file that lists the current IPSEC Security Associations.
A Security Association (SA) is a transform through which packet contents are to be processed before being forwarded. A transform can be an IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation, an IPSEC Authentication Header (authentication with no encryption), or an IPSEC Encapsulating Security Payload (encryption, possibly including authentication).
When a packet is passed from a higher networking layer through an IPSEC virtual interface, a search in the extended routing table (see ipsec_eroute(5)) yields an IP protocol number, a Security Parameters Index (SPI) and an effective destination address. When an IPSEC packet arrives from the network, its ostensible destination, together with the SPI and IP protocol specified by its outermost IPSEC header, are used instead. In both directions the destination/SPI/protocol combination selects the relevant SA. (See ipsec_spigrp(5) for discussion of how multiple transforms are combined.)
The spi, proto, daddr and address_family arguments together specify an SAID. Proto is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol. Spi is a hexadecimal number (each hexadecimal digit represents 4 bits) preceded by '.' for IPv4 or by ':' for IPv6, so the separator carries the address family. Valid SPI values lie between 0x100 and 0xffffffff; values from 0x0 to 0xff are reserved. Daddr is a dotted-decimal IPv4 destination address or a coloned hex IPv6 destination address. An SAID combines these three parameters, such as "tun.101@1.2.3.4" for IPv4 or "tun:101@3049:1::1" for IPv6.
A table entry consists of:
- SAID
- <transform name (proto,encalg,authm n
generates a 2192-bit signature key and puts it in the file mykey, with running commentary on standard error. The file contents can be inserted verbatim into a suitable entry in the ipsec.secrets file (see ipsec.secrets(5)), and the public key can then be extracted and edited into the ipsec.conf file (see ipsec.conf(5)).
ipsec rsasigkey --verbose --oldkey oldie >latest
takes the old signature key from file oldie and puts a version in the current format into the file latest, with running commentary on standard error.
FILES
/dev/random
SEE ALSO
random(4), ipsec_showhostkey(8)
Applied Cryptography, 2nd ed., by Bruce Schneier, Wiley 1996.
RFCs 2537, 2313.
GNU MP, the GNU multiple precision arithmetic library, edition 2.0.2, by Torbjörn Granlund.
HISTORY
Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer.
BUGS
There is an internal limit on nbits, currently 20000.
Rsasigkey's run time is difficult to predict, since /dev/random output can be arbitrarily delayed if the system's entropy pool is low on randomness, and the time taken by the search for primes is also somewhat unpredictable. A reasonably typical time for a 1024-bit key on a quiet 200MHz Pentium MMX with plenty of randomness available is 20 seconds, almost all of it in the prime searches. Generating a 2192-bit key on the same system usually takes several minutes. A 4096-bit key took an hour and a half of CPU time.
The --oldkey option does not check its input format as rigorously as it might. Corrupted rsasigkey output may confuse it.
This document was created by
man2html,
using the manual pages.
Time: 19:16:32 GMT, October 01, 2009
_UPDOWN
Section: Maintenance Commands (8)
Updated: 25 Apr 2002
NAME
ipsec _updown - klips manipulation script
SYNOPSIS
_updown is invoked by pluto when it has brought up a new connection. This script is used to insert the appropriate routing entries for IPsec operation. The interface to the script is documented in the pluto man page.
SEE ALSO
ipsec(8), ipsec_pluto(8).
HISTORY
Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/> by Michael Richardson. Original program written by Henry Spencer.