IPSEC_SPIGRP - Online Linux Manual PageSection : 8
Updated : 10/04/2017
Source : libreswan
Note : Executable programs

NAMEipsec_spigrp − group/ungroup IPSEC Security Associations

SYNOPSISipsec spigrp
ipsecspigrp [−−label label] af1dst1spi1proto1 [af2dst2spi2proto2 [af3dst3spi3proto3 [af4dst4spi4proto4]]]
ipsecspigrp [−−label label] −−said SA1 [SA2 [SA3 [SA4]]]
ipsecspigrp −−help
ipsecspigrp −−version

OBSOLETENote that spi is only supported on the classic KLIPS stack​. It is not supported on any other stack and will be completely removed in future versions​. A replacement command still needs to be designed

DESCRIPTIONSpigrp groups IPSEC Security Associations (SAs) together or ungroups previously grouped SAs​. An entry in the IPSEC extended routing table can only point (via a destination address, a Security Parameters Index (SPI) and a protocol identifier) to one SA​. If more than one transform must be applied to a given type of packet, this can be accomplished by setting up several SAs with the same destination address but potentially different SPIs and protocols, and grouping them with spigrp​. The SAs to be grouped, specified by destination address (DNS name lookup, IPv4 dotted quad or IPv6 coloned hex), SPI (´0x´−prefixed hexadecimal number) and protocol ("ah", "esp", "comp" or "tun"), are listed from the inside transform to the outside; in other words, the transforms are applied in the order of the command line and removed in the reverse order​. The resulting SA group is referred to by its first SA (by af1, dst1, spi1 and proto1)​. The −−said option indicates that the SA IDs are to be specified as one argument each, in the format <proto><af><spi>@<dest>​. The SA IDs must all be specified as separate parameters without the −−said option or all as monolithic parameters after the −−said option​. The SAs must already exist and must not already be part of a group​. If spigrp is invoked with only one SA specification, it ungroups the previously−grouped set of SAs containing the SA specified​. The −−label option identifies all responses from that command invocation with a user−supplied label, provided as an argument to the label option​. This can be helpful for debugging one invocation of the command out of a large number​. The command form with no additional arguments lists the contents of /proc/net/ipsec_spigrp​. The format of /proc/net/ipsec_spigrp is discussed in ipsec_spigrp(5)​.

EXAMPLESipsec spigrp inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah groups 3 SAs together, all destined for gw2, but with an IPv4−in−IPv4 tunnel SA applied first with SPI 0x113, then an ESP header to encrypt the packet with SPI 0x115, and finally an AH header to authenticate the packet with SPI 0x116​. ipsec spigrp −−said tun​.113@gw2 esp​.115@gw2 ah​.116@gw2 groups 3 SAs together, all destined for gw2, but with an IPv4−in−IPv4 tunnel SA applied first with SPI 0x113, then an ESP header to encrypt the packet with SPI 0x115, and finally an AH header to authenticate the packet with SPI 0x116​. ipsec spigrp −−said tun:233@3049:1::1 esp:235@3049:1::1 ah:236@3049:1::1 groups 3 SAs together, all destined for 3049:1::1, but with an IPv6−in−IPv6 tunnel SA applied first with SPI 0x233, then an ESP header to encrypt the packet with SPI 0x235, and finally an AH header to authenticate the packet with SPI 0x236​. ipsec spigrp inet6 3049:1::1 0x233 tun inet6 3049:1::1 0x235 esp inet6 3049:1::1 0x236 ah groups 3 SAs together, all destined for 3049:1::1, but with an IPv6−in−IPv6 tunnel SA applied first with SPI 0x233, then an ESP header to encrypt the packet with SPI 0x235, and finally an AH header to authenticate the packet with SPI 0x236​.

FILES/proc/net/ipsec_spigrp, /usr/local/bin/ipsec

SEE ALSOipsec(8), ipsec_tncfg(8), ipsec_eroute(8), ipsec_spi(8), ipsec_klipsdebug(8), ipsec_spigrp(5)

HISTORYWritten for the Linux FreeS/WAN project <http://www​.freeswan​.org/> by Richard Guy Briggs​.

BUGSYes, it really is limited to a maximum of four SAs, although admittedly it´s hard to see why you would need more​.

AUTHORPaul Wouters placeholder to suppress warning
0
Johanes Gumabo
Data Size   :   15,589 byte
man-ipsec_spigrp.8Build   :   2024-12-05, 20:55   :  
Visitor Screen   :   x
Visitor Counter ( page / site )   :   3 / 183,427
Visitor ID   :     :  
Visitor IP   :   3.145.115.45   :  
Visitor Provider   :   AMAZON-02   :  
Provider Position ( lat x lon )   :   39.962500 x -83.006100   :   x
Provider Accuracy Radius ( km )   :   1000   :  
Provider City   :   Columbus   :  
Provider Province   :   Ohio ,   :   ,
Provider Country   :   United States   :  
Provider Continent   :   North America   :  
Visitor Recorder   :   Version   :  
Visitor Recorder   :   Library   :  
Online Linux Manual Page   :   Version   :   Online Linux Manual Page - Fedora.40 - march=x86-64 - mtune=generic - 24.12.05
Online Linux Manual Page   :   Library   :   lib_c - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Online Linux Manual Page   :   Library   :   lib_m - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Data Base   :   Version   :   Online Linux Manual Page Database - 24.04.13 - march=x86-64 - mtune=generic - fedora-38
Data Base   :   Library   :   lib_c - 23.02.07 - march=x86-64 - mtune=generic - fedora.36

Very long time ago, I have the best tutor, Wenzel Svojanovsky . If someone knows the email address of Wenzel Svojanovsky , please send an email to johanes_gumabo@yahoo.co.id .
If error, please print screen and send to johanes_gumabo@yahoo.co.id
Under development. Support me via PayPal.