IP-XFRM(8) (20 Dec 2011) IP-XFRM(8)
NAME
ip-xfrm - transform configuration
SYNOPSIS
ip [ OPTIONS ] xfrm { COMMAND | help }
ip xfrm XFRM-OBJECT { COMMAND | help }
XFRM-OBJECT := state | policy | monitor
ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE
] [ mark MARK [ mask MASK ] ] [ reqid REQID ] [ seq
SEQ ] [ replay-window SIZE ] [ replay-seq SEQ ] [
replay-oseq SEQ ] [ replay-seq-hi SEQ ] [ replay-
oseq-hi SEQ ] [ flag FLAG-LIST ] [ sel SELECTOR ] [
LIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [
ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ] [ output-
mark OUTPUT-MARK [ mask MASK ] ] [ if_id IF-ID ] [
tfcpad LENGTH ]
ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask
MASK ] ] [ reqid REQID ] [ seq SEQ ] [ min SPI max
SPI ]
ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ]
]
ip [ -4 | -6 ] ID ] [ mode MODE ] [ reqid REQID ] [ flag
FLAG-LIST ]
ip [ -4 | -6 ] ID ] [ nokeys ] [ mode MODE ] [ reqid REQID ]
[ flag FLAG-LIST ]
ip xfrm state flush [ proto XFRM-PROTO ]
ip xfrm state count
ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi
SPI ]
XFRM-PROTO := esp | ah | comp |
ALGO-LIST := [ ALGO-LIST ] ALGO
ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |
auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |
aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |
Page 1 iproute2 (printed 5/23/22)
IP-XFRM(8) (20 Dec 2011) IP-XFRM(8)
comp ALGO-NAME
MODE := transport | tunnel | beet |
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG := noecn | decap-dscp | nopmtudisc | af-unspec | align4
| esn
SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev
DEV ]
[ UPSPEC ]
UPSPEC := proto { PROTO |
{ tcp | udp | sctp PORT ] [ dport PORT ] |
{ icmp | ipv6-icmp | mobility-header NUMBER ] [ code
NUMBER ] |
gre [ key { DOTTED-QUAD | NUMBER } ] }
LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
LIMIT := { time-soft | time-hard | time-use-soft SECONDS |
{ byte-soft | byte-hard } SIZE |
{ packet-soft | packet-hard } COUNT
ENCAP := { espinudp | espinudp-nonike | espintcp SPORT DPORT
OADDR
EXTRA-FLAG-LIST := [ EXTRA-FLAG-LIST ] EXTRA-FLAG
EXTRA-FLAG := dont-encap-dscp | oseq-may-wrap
ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ]
[ mark MARK [ mask MASK ] ] [ index INDEX ] [ ptype
PTYPE ] [ action ACTION ] [ priority PRIORITY ] [
flag FLAG-LIST ] [ if_id IF-ID ] [ LIMIT-LIST ] [
TMPL-LIST ]
ip xfrm policy { delete | get } { SELECTOR | index INDEX }
dir DIR [ ctx CTX ] [ mark MARK [ mask MASK ] ] [
ptype PTYPE ] [ if_id IF-ID ]
ip [ -4 | -6 ] [ nosock ] [ SELECTOR ] [ dir DIR ] [ index
INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority
PRIORITY ] [ flag FLAG-LIST]
ip xfrm policy flush [ ptype PTYPE ]
ip xfrm policy count
ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS
RBITS ]
Page 2 iproute2 (printed 5/23/22)
IP-XFRM(8) (20 Dec 2011) IP-XFRM(8)
SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev
DEV ] [ UPSPEC ]
UPSPEC := proto { PROTO |
{ tcp | udp | sctp PORT ] [ dport PORT ] |
{ icmp | ipv6-icmp | mobility-header NUMBER ] [ code
NUMBER ] |
gre [ key { DOTTED-QUAD | NUMBER } ] }
DIR := in | out | fwd
PTYPE := main | sub
ACTION := allow | block
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG := localok | icmp
LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
LIMIT := { time-soft | time-hard | time-use-soft SECONDS |
{ byte-soft | byte-hard } SIZE |
{ packet-soft | packet-hard } COUNT
TMPL-LIST := [ TMPL-LIST ] tmpl TMPL
TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]
ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi
SPI ]
XFRM-PROTO := esp | ah | comp |
MODE := transport | tunnel | beet |
LEVEL := required | use
ip xfrm monitor [ all-nsid ] [ nokeys ] [ all
| LISTofXFRM-OBJECTS ]
LISTofXFRM-OBJECTS := [ LISTofXFRM-OBJECTS ] XFRM-OBJECT
XFRM-OBJECT := acquire | expire | SA |
DESCRIPTION
xfrm is an IP framework for transforming packets (such as
encrypting their payloads). This framework is used to imple-
ment the IPsec protocol suite (with the state object operat-
ing on the Security Association Database, and the policy
Page 3 iproute2 (printed 5/23/22)
IP-XFRM(8) (20 Dec 2011) IP-XFRM(8)
object operating on the Security Policy Database). It is
also used for the IP Payload Compression Protocol and fea-
tures of Mobile IPv6.
l l. ip xfrm state add add new state into xfrm ip xfrm
state update update existing state in xfrm ip xfrm state
allocspi allocate an SPI value ip xfrm state
delete delete existing state in xfrm ip xfrm state
get get existing state in xfrm ip xfrm state
deleteall delete all existing state in xfrm ip xfrm state
list print out the list of existing state in xfrm ip xfrm
state flush flush all state in xfrm ip xfrm state
count count all existing state in xfrm
is specified by a source address, destination address,
transform protocol XFRM-PROTO, and/or Security Parame-
ter Index SPI. (For IP Payload Compression, the Com-
pression Parameter Index or CPI is used for SPI.)
XFRM-PROTO
specifies a transform protocol: IPsec Encapsulating
Security Payload (esp), IPsec Authentication Header
(ah), IP Payload Compression (comp), Mobile IPv6 Type 2
Routing Header (route2), or Mobile IPv6 Home Address
Option (hao).
ALGO-LIST
contains one or more algorithms to use. Each algorithm
ALGO is specified by:
[bu] the algorithm type: encryption (enc),
authentication (auth or auth-trunc), authenticated
encryption with associated data (aead), or
compression (comp)
[bu] the algorithm name ALGO-NAME (see below)
[bu] (for all except comp) the keying material ALGO-
KEYMAT, which may include both a key and a salt or
nonce value; refer to the corresponding RFC
[bu] (for auth-trunc only) the truncation length ALGO-
TRUNC-LEN in bits
[bu] (for aead only) the Integrity Check Value length
ALGO-ICV-LEN in bits
Encryption algorithms include ecb(cipher_null),
cbc(des), cbc(des3_ede), cbc(blowfish), cbc(aes),
Page 4 iproute2 (printed 5/23/22)
IP-XFRM(8) (20 Dec 2011) IP-XFRM(8)
cbc(serpent), cbc(twofish), and rfc3686(ctr(aes)).
Authentication algorithms include digest_null,
hmac(md5), hmac(sha1), hmac(sha384), hmac(sha512),
hmac(rmd160), and
Authenticated encryption with associated data (AEAD)
algorithms include rfc4106(gcm(aes)),
rfc4309(ccm(aes)), and rfc4543(gcm(aes)).
Compression algorithms include deflate, lzs, and lzjh.
MODE specifies a mode of operation for the transform proto-
col. IPsec and IP Payload Compression modes are
transport, tunnel, and (for IPsec ESP only) Bound End-
to-End Tunnel (beet). Mobile IPv6 modes are route
optimization (ro) and inbound trigger (in_trigger).
FLAG-LIST
contains one or more of the following optional flags:
noecn, decap-dscp, nopmtudisc, af-unspec, align4, or
esn.
selects the traffic that will be controlled by the pol-
icy, based on the source address, the destination
address, the network device, and/or UPSPEC.
selects traffic by protocol. For the tcp, udp, sctp, or
protocols, the source and destination port can option-
ally be specified. For the icmp, ipv6-icmp, or
mobility-header protocols, the type and code numbers
can optionally be specified. For the gre protocol, the
key can optionally be specified as a dotted-quad or
number. Other protocols can be selected by name or
number PROTO.
LIMIT-LIST
sets limits in seconds, bytes, or numbers of packets.
ENCAP
encapsulates packets with protocol espinudp, espinudp-
nonike, or espintcp, using source port SPORT,
destination port DPORT , and original address OADDR.
Page 5 iproute2 (printed 5/23/22)
IP-XFRM(8) (20 Dec 2011) IP-XFRM(8)
MARK used to match xfrm policies and states
OUTPUT-MARK
used to set the output mark to influence the routing of
the packets emitted by the state
IF-ID
xfrm interface identifier used to in both xfrm policies
and states
l l. ip xfrm policy add add a new policy ip xfrm policy
update update an existing policy ip xfrm policy
delete delete an existing policy ip xfrm policy get get
an existing policy ip xfrm policy deleteall delete all
existing xfrm policies ip xfrm policy list print out the
list of xfrm policies ip xfrm policy flush flush poli-
cies
nosock
filter (remove) all socket policies from the output.
selects the traffic that will be controlled by the pol-
icy, based on the source address, the destination
address, the network device, and/or UPSPEC.
selects traffic by protocol. For the tcp, udp, sctp, or
protocols, the source and destination port can option-
ally be specified. For the icmp, ipv6-icmp, or
mobility-header protocols, the type and code numbers
can optionally be specified. For the gre protocol, the
key can optionally be specified as a dotted-quad or
number. Other protocols can be selected by name or
number PROTO.
DIR selects the policy direction as in, out, or fwd.
CTX sets the security context.
PTYPE
can be main (default) or sub.
Page 6 iproute2 (printed 5/23/22)
IP-XFRM(8) (20 Dec 2011) IP-XFRM(8)
ACTION
can be allow (default) or block.
PRIORITY
is a number that defaults to zero.
FLAG-LIST
contains one or both of the following optional flags:
local or icmp.
LIMIT-LIST
sets limits in seconds, bytes, or numbers of packets.
TMPL-LIST
is a template list specified using ID, MODE, REQID,
and/or
is specified by a source address, destination address,
transform protocol XFRM-PROTO, and/or Security Parame-
ter Index SPI. (For IP Payload Compression, the Com-
pression Parameter Index or CPI is used for SPI.)
XFRM-PROTO
specifies a transform protocol: IPsec Encapsulating
Security Payload (esp), IPsec Authentication Header
(ah), IP Payload Compression (comp), Mobile IPv6 Type 2
Routing Header (route2), or Mobile IPv6 Home Address
Option (hao).
MODE specifies a mode of operation for the transform proto-
col. IPsec and IP Payload Compression modes are
transport, tunnel, and (for IPsec ESP only) Bound End-
to-End Tunnel (beet). Mobile IPv6 modes are route
optimization (ro) and inbound trigger (in_trigger).
LEVEL
can be required (default) or use.
l l. ip xfrm policy count count existing policies
Use one or more -s options to display more details,
Page 7 iproute2 (printed 5/23/22)
IP-XFRM(8) (20 Dec 2011) IP-XFRM(8)
including policy hash table information.
l l. ip xfrm policy set configure the policy hash table
Security policies whose address prefix lengths are greater
than or equal policy hash table thresholds are hashed. Oth-
ers are stored in the policy_inexact chained list.
LBITS
specifies the minimum local address prefix length of
policies that are stored in the Security Policy Data-
base hash table.
RBITS
specifies the minimum remote address prefix length of
policies that are stored in the Security Policy Data-
base hash table.
l l. ip xfrm monitor state monitoring for xfrm objects
The xfrm objects to monitor can be optionally specified.
If the all-nsid option is set, the program listens to all
network namespaces that have a nsid assigned into the net-
work namespace were the program is running. A prefix is
displayed to show the network namespace where the message
originates. Example:
[nsid 1]Flushed state proto 0
AUTHOR
Manpage revised by David Ward <david.ward@ll.mit.edu>
Manpage revised by Christophe Gouault
<christophe.gouault@6wind.com>
Manpage revised by Nicolas Dichtel
<nicolas.dichtel@6wind.com>
Page 8 iproute2 (printed 5/23/22)