ip xfrm

Configure xfrm. xfrm is the kernel's IP transformation framework: it transforms datagrams in flight, for example by encrypting or authenticating them with a chosen algorithm. xfrm policies (which traffic must be transformed) and xfrm states (the security associations that hold the algorithms and keys) are associated through templates (TMPL-LIST).
This framework is used as a part of IPsec protocol.

ip xfrm state add - add new state into xfrm
ip xfrm state update - update existing xfrm state
ip xfrm state allocspi - allocate SPI value
ip xfrm policy add - add a new policy
ip xfrm policy update - update an existing policy
ip xfrm policy delete - delete existing policy
ip xfrm policy get - get existing policy
ip xfrm policy deleteall - delete all existing xfrm policy
ip xfrm policy list - print out the list of xfrm policy
ip xfrm policy flush - flush policies
ip xfrm monitor - list all objects or a defined group of them.

Syntax
      ip xfrm XFRM_OBJECT { COMMAND }

         XFRM_OBJECT := { state | policy | monitor }

      ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ reqid REQID ] [ seq SEQ ] [ replay-window SIZE ]
         [ flag FLAG-LIST ] [ encap ENCAP ] [ sel SELECTOR ] [ LIMIT-LIST ]

      ip xfrm state allocspi ID [ mode MODE ] [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]

      ip xfrm state { delete | get } ID

      ip xfrm state { deleteall | list } [ ID ] [ mode MODE ] [ reqid REQID ] [ flag FLAG-LIST ]

      ip xfrm state flush [ proto XFRM_PROTO ]

      ip xfrm state count

         ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]

         XFRM_PROTO := [ esp | ah | comp | route2 | hao ]

         MODE := [ transport | tunnel | ro | beet ] (default=transport)

         FLAG-LIST := [ FLAG-LIST ] FLAG

         FLAG := [ noecn | decap-dscp | wildrecv ]

         ENCAP := ENCAP-TYPE SPORT DPORT OADDR

         ENCAP-TYPE := espinudp | espinudp-nonike

         ALGO-LIST := [ ALGO-LIST ] | [ ALGO ]

         ALGO := ALGO_TYPE ALGO_NAME ALGO_KEY

         ALGO_TYPE := [ enc | auth | comp ]

         SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC ] [ dev DEV ]

         UPSPEC := proto PROTO [[ sport PORT ] [ dport PORT ] | [ type NUMBER ] [ code NUMBER ]]

         LIMIT-LIST := [ LIMIT-LIST ] | [ limit LIMIT ]

         LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |
                     [ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] COUNT ]

      ip xfrm policy { add | update } dir DIR SELECTOR [ index INDEX ]
                        [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ]
                           [ LIMIT-LIST ] [ TMPL-LIST ]

      ip xfrm policy { delete | get } dir DIR [ SELECTOR | index INDEX ] [ ptype PTYPE ]

      ip xfrm policy { deleteall | list } [ dir DIR ] [ SELECTOR ] [ index INDEX ]
                        [ action ACTION ] [ priority PRIORITY ]

      ip xfrm policy flush [ ptype PTYPE ]

      ip xfrm count

         PTYPE := [ main | sub ] (default=main)

         DIR := [ in | out | fwd ]

         SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC ] [ dev DEV ]

         UPSPEC := proto PROTO [ [ sport PORT ] [ dport PORT ] |
                      [ type NUMBER ] [ code NUMBER ] ]

         ACTION := [ allow | block ] (default=allow)

         LIMIT-LIST := [ LIMIT-LIST ] | [ limit LIMIT ]

         LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |
                     [ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] COUNT ]

         TMPL-LIST := [ TMPL-LIST ] | [ tmpl TMPL ]

         TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]

         ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]

         XFRM_PROTO := [ esp | ah | comp | route2 | hao ]

         MODE := [ transport | tunnel | beet ] (default=transport)

         LEVEL := [ required | use ] (default=required)

      ip xfrm monitor [ all | LISTofOBJECTS ]

Key

ip xfrm state add - Add new state into xfrm
ip xfrm state update - Update existing xfrm state
ip xfrm state allocspi - Allocate SPI value

   MODE         Defaults to transport; can also be set to tunnel, ro or beet.

   FLAG-LIST    Contains one or more flags.

   FLAG         Can be set to noecn, decap-dscp or wildrecv.

   ENCAP        UDP encapsulation, given as encapsulation type ENCAP-TYPE, source port SPORT,
                destination port DPORT and address OADDR.

   ENCAP-TYPE   Can be set to espinudp or espinudp-nonike.

   ALGO-LIST    Contains one or more algorithms (ALGO). Each ALGO is given as its type ALGO_TYPE
                (enc, auth or comp), its algorithm name ALGO_NAME and its key ALGO_KEY.

ip xfrm policy add - Add a new policy
ip xfrm policy update - Update an existing policy
ip xfrm policy delete - Delete existing policy
ip xfrm policy get - Get existing policy
ip xfrm policy deleteall - Delete all existing xfrm policy
ip xfrm policy list - Print out the list of xfrm policy
ip xfrm policy flush - Flush policies; either all policies or only those of the type given with ptype.

   dir DIR        Direction of the policy: in, out or fwd.

   SELECTOR       Selects which traffic the policy applies to.
                  The selector is defined by source and destination address.

   UPSPEC         Upper-layer specification: protocol proto, with either source port sport and
                  destination port dport, or type NUMBER and code NUMBER.

   dev DEV        Specify the network device.

   index INDEX    Numeric index of the policy.

   ptype PTYPE    Policy type; defaults to main, can be switched to sub.

   action ACTION  Defaults to allow; can be set to block.

   priority PRIORITY
                 priority is a number; the default priority is zero.

   LIMIT-LIST    Limits are expressed in seconds, bytes or number of packets.

   TMPL-LIST     The template list is built from ID, mode, reqid and level.

   ID            Specified by source address, destination address, proto and the spi value.

   XFRM_PROTO    Values: esp, ah, comp, route2 or hao.

   MODE          Defaults to transport; can also be set to tunnel or beet.

   LEVEL         Defaults to required; the other choice is use.

   UPSPEC        Specified by sport, dport, type and code (NUMBER).
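The following script is an added example (it is not part of this page, SS64 or iproute2) that ties the state and policy syntax above together: it composes the four commands an end host needs for a manually keyed ESP transport-mode association with a peer (outbound SA and out policy, inbound SA and in policy), after checking that each hex key is exactly the length its algorithm expects. The addresses, SPIs, reqid and keys are constructed placeholders. It uses auth-trunc, which is documented in the iproute2 ip-xfrm man page but not in the syntax summary above; the function names (check_key, sa_cmd, policy_cmd, pair_cmds, run_pair) and the XFRM_DRY_RUN variable are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from SS64 or iproute2: build the 'ip xfrm state add' and
# 'ip xfrm policy add' commands for a manually keyed ESP transport-mode pair,
# validating key lengths first. All addresses, SPIs and keys are constructed.
set -eu

# check_key NAME HEX BITS: the kernel rejects a state whose key material is not
# exactly the length the algorithm expects, and its error does not say why,
# so verify the hex key before the command is ever run.
check_key() {
    local name=$1 key=${2#0x} bits=$3
    case "$key" in
        '' | *[!0-9a-fA-F]*) printf 'key %s: not a hex string\n' "$name" >&2; return 1 ;;
    esac
    if [ $(( ${#key} * 4 )) -ne "$bits" ]; then
        printf 'key %s: %d bits given, %d expected\n' "$name" $(( ${#key} * 4 )) "$bits" >&2
        return 1
    fi
}

# sa_cmd SRC DST SPI REQID ENCKEY AUTHKEY: one direction of the SA pair.
# cbc(aes) with a 128-bit key; hmac(sha256) with a 256-bit key truncated to a
# 128-bit ICV as RFC 4868 requires. Plain 'auth hmac(sha256)' would default to
# a 96-bit ICV, which RFC 4868 peers reject. replay-window 32 enables
# anti-replay protection on the inbound side.
sa_cmd() {
    local src=$1 dst=$2 spi=$3 reqid=$4 enc=${5#0x} auth=${6#0x}
    check_key enc "$enc" 128
    check_key auth "$auth" 256
    printf 'ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode transport replay-window 32 enc "cbc(aes)" 0x%s auth-trunc "hmac(sha256)" 0x%s 128\n' \
        "$src" "$dst" "$spi" "$reqid" "$enc" "$auth"
}

# policy_cmd DIR SRC DST REQID: policy binding SRC->DST traffic to the SA that
# carries the same reqid. 'level required' means unprotected traffic matching
# the selector is dropped rather than passed in the clear.
policy_cmd() {
    local dir=$1 src=$2 dst=$3 reqid=$4
    printf 'ip xfrm policy add src %s dst %s dir %s tmpl src %s dst %s proto esp reqid %s mode transport level required\n' \
        "$src" "$dst" "$dir" "$src" "$dst" "$reqid"
}

# pair_cmds LOCAL PEER SPI_OUT SPI_IN REQID ENC_OUT AUTH_OUT ENC_IN AUTH_IN
# Emits the four commands for the local host; the peer runs the same script
# with LOCAL/PEER, the SPIs and the key pairs swapped.
pair_cmds() {
    local me=$1 peer=$2 spi_out=$3 spi_in=$4 reqid=$5
    sa_cmd "$me" "$peer" "$spi_out" "$reqid" "$6" "$7"
    policy_cmd out "$me" "$peer" "$reqid"
    sa_cmd "$peer" "$me" "$spi_in" "$reqid" "$8" "$9"
    policy_cmd in "$peer" "$me" "$reqid"
}

# Constructed placeholder parameters; generate real keys from a CSPRNG.
LOCAL_IP=192.0.2.1
PEER_IP=192.0.2.2
ENC_OUT=0x00112233445566778899aabbccddeeff
AUTH_OUT=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
ENC_IN=0xffeeddccbbaa99887766554433221100
AUTH_IN=0xfedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210

# Dry run (default) prints the commands; XFRM_DRY_RUN=0 executes them, which
# needs root and a kernel built with xfrm support.
run_pair() {
    local cmds line
    cmds=$(pair_cmds "$LOCAL_IP" "$PEER_IP" 0x1001 0x1002 7 \
                     "$ENC_OUT" "$AUTH_OUT" "$ENC_IN" "$AUTH_IN")
    printf '%s\n' "$cmds" | while IFS= read -r line; do
        if [ "${XFRM_DRY_RUN:-1}" = 0 ]; then sh -c "$line"; else printf '%s\n' "$line"; fi
    done
}

run_pair
```

After applying, `ip xfrm state list` and `ip xfrm policy list` show the resulting objects. Manually keyed SAs like these are never rekeyed, so adding `limit time-hard` or `limit byte-hard` lifetimes would simply expire the state and, with `level required`, stop the traffic; for key rotation use an IKE daemon, which installs and replaces these same states and policies for you.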

“Some painters transform the sun into a yellow spot; others transform a yellow spot into the sun” ~ Pablo Picasso

Related Linux commands

ip - Routing, devices and tunnels.
Equivalent Windows command: ROUTE - Manipulate network routing tables.


 
Copyright © 1999-2024 SS64.com
Some rights reserved