NAME
sadb - manual management interface for the SADB and IPsec policy databases
SADB SYNOPSIS
sadb [-niosv] get d[est] [destination local-spi(hex) protocol-number]
sadb [-niosv] delete d[est] [destination local-spi(hex) protocol-number]
(ESP add)
sadb [-v] add d[est] destination prefix-length local-spi(hex)
IPsec-peer peer-spi(hex) tunnel-flag check-replay-flag
initial-sequence-number protocol-number(50)
linked-protocol-number(0,50,51) linked-spi crypto-alg-id
crypto-iv-length crypto-key-length crypto-key auth-alg-id
[auth-iv-length auth-key-length auth-key auth-data-length]
(AH add)
sadb [-v] add d[est] destination prefix-length local-spi(hex)
IPsec-peer peer-spi(hex) tunnel-flag check-replay-flag
initial-sequence-number protocol-number(51)
linked-protocol-number(0,50,51) linked-spi auth-alg-id
auth-iv-length auth-key-length auth-key auth-data-length
(NULL add)
sadb [-v] add d[est] destination prefix-length local-
spi(hex) destination local-spi(hex) 0 0 0 2 0 0
sadb flush
IPSEC POLICY SYNOPSIS
sadb [-v] get p[rot]
sadb [-v] set p[rot] inbound-protection-level outbound-protection-level
DESCRIPTION
sadb manipulates the kernel's Security Association
Database (SADB). Its primary use is to set up static SAs
between a system and its IPsec peer.
OPTIONS and PARAMETERS
-v verbose output.
-i the SA is applied to inbound traffic only
-o the SA is applied to outbound traffic only
-s print SA information in key value pairs (one per
line). Useful when using the sadb program in PERL
scripts.
add d[est]
adds a SADB entry.
delete d[est]
deletes a SADB entry.
flush deletes all SADB entries.
get d[est]
gets a single SADB entry if additional arguments are
present, or a dump of the entire SADB if no additional
arguments are present.
set p[rot]
sets IPsec system security policy.
get p[rot]
gets IPsec system security policy.
destination
The destination network or host. IP addresses may be
given in dotted decimal or as host names. To specify a
network address (or address prefix), use this field in
conjunction with the prefix-length field to denote the
relevant address bits.
prefix-length
The number of relevant left-most bits in the destination
address.
local-spi
protocol-number
ESP=50
AH=51
linked-protocol-number for bundled SAs
NoLink=0
ESP=50
AH=51
linked-spi
A hexadecimal number representing an index into the
local system's SADB identifying the linked SA (a.k.a.
SA bundle). Use 0 when there is no link (bundle).
IPsec-peer
The IPsec peer host that encapsulates and decapsulates
the packets protected by this SA. This may or may not
be the same as the destination.
peer-spi
A hexadecimal number representing an index into the
IPsec peer system's SADB.
tunnel-flag
Whether or not to use tunnel mode (0=off, 1=on).
check-replay-flag
Whether or not to use the sequence number field to
check for replay (0=off, 1=on).
initial-sequence-number
The starting value of the first sequence number. This
is typically defined by each individual transform
specification. Older transforms that did not include a
sequence number must have this field set to 0.
crypto-alg-id
Identifier specified in ipsec.h that corresponds to
a particular cryptographic algorithm transform.
Those currently supported include:
DES/CBC = 2
3DES/CBC = 3
RC5/CBC = 4
Blowfish/CBC = 5
IDEA/CBC = 6
NULL = 7
MARS/CBC(AES) = 8
RC6/CBC(AES) = 9
RIJNDAEL/CBC(AES) = 10
SERPENT/CBC(AES) = 11
TWOFISH/CBC(AES) = 12
Testing/Debugging = 252
crypto-iv-length
The length in bytes of the cryptographic algorithm
initialization vector that is generated and
included in the IPsec packet.
crypto-key-length
The length in bytes of the key used to encrypt and
decrypt IPsec packets.
crypto-key
ASCII representation of the hexadecimal key used to
encrypt and decrypt IPsec packets.
auth-alg-id
Identifier specified in ipsec.h that corresponds to
a particular authentication algorithm transform.
Those currently supported include:
none = 0
HMAC-MD5-96 = 132
HMAC-SHA-1-96 = 133
Testing/Debugging = 253
auth-iv-length
The length in bytes of the authentication algorithm
initialization vector that is generated and
included in the IPsec packet.
auth-key-length
The length in bytes of the key used to generate and
verify authentication data for IPsec packets.
auth-key
ASCII representation of the hexadecimal key used to
generate and verify authentication data for IPsec
packets.
auth-data-length
Length in 32-bit words of the authentication data.
inbound protection level
A bit mask representing the security policy for
incoming IP packets
protected traffic only = 0
Allow all unprotected traffic = 1
Allow associations with NULL_SAs = 2
3 (default) sets everything
outbound protection level
A bit mask representing the security policy for
outgoing IP packets
protected traffic only = 0
Allow all unprotected traffic = 1
Allow associations with NULL_SAs = 2
3 (default) sets everything
OUTPUT
Fields reported by sadb get d[est] not described above:
sequence number
Next sequence number to be used in outgoing IPsec
packet.
flags
M - SA established through manual key management
C - Check for replay on IPsec packets
T - Tunnel mode
P - Partial SA place holder for PlutoPlus
N - SA established through PlutoPlus
K - SA about to expire and PlutoPlus is kicked
L - SA is permanent
I - SA is used for inbound processing
O - SA is used for outbound processing
lifetime-B
Number of bytes that can be processed before the SA
expires. Not present in static (permanent) SAs.
lifetime-T
Time at which the SA expires. Not present in
static (permanent) SAs.
Example 1
sadb add d 129.6.224.152 32 1984 129.6.224.152 1984 1 \
1 1 50 0 0 4 8 \
16 0123456789abcdef0123456789abcdef \
132 0 16 0123456789abcdef0123456789abcdef 3
adds a single-entry, two-way ESP SA between 129.6.224.152
and this system with tunnel mode on, replay checking on,
an initial sequence number of 1, using RC5-CBC for
encryption, and HMAC-MD5-96 for authentication.
Example 2
sadb add d 129.6.224.152 32 1984 129.6.224.152 1985 1 \
1 1 50 0 0 4 8 \
16 0123456789abcdef0123456789abcdef \
132 0 16 0123456789abcdef0123456789abcdef 3
sadb add d 129.6.224.152 32 1985 129.6.224.152 1984 1 \
1 1 50 0 0 5 8 \
16 0123456789abcdef0123456789abcdef \
133 0 20 0123456789abcdef0123456789abcdef01234567 3
adds a dual-entry, two-way ESP SA between 129.6.224.152
and this system with tunnel mode on, replay checking on,
an initial sequence number of 1, using RC5-CBC for
encryption and HMAC-MD5-96 for authentication for
outgoing packets, and Blowfish-CBC for encryption and
HMAC-SHA-1-96 for authentication for incoming packets
(outgoing packets use the first relevant SA found in the
SADB).
Example 3
sadb add d 129.6.51.112 32 1984 129.6.224.152 1984 1 \
1 1 50 0 0 4 8 \
16 0123456789abcdef0123456789abcdef \
132 0 16 0123456789abcdef0123456789abcdef 3
Same as the first example, except the SA is between
129.6.224.152 and this system but provides protection
for 129.6.51.112, which has no IPsec.
Example 4
sadb add d 129.6.51.0 24 1984 129.6.224.152 1984 1 \
1 1 50 0 0 4 8 \
16 0123456789abcdef0123456789abcdef \
132 0 16 0123456789abcdef0123456789abcdef 3
Same as the third example, except the SA is between
129.6.224.152 and this system but provides protection
for the entire 129.6.51.0 subnet or network.
Example 5
sadb add d 129.6.224.152 32 1984 129.6.224.152 1985 1 \
1 1 51 0 0 133 0 20 \
0123456789abcdef0123456789abcdef01234567 3
sadb add d 129.6.224.152 32 1985 129.6.224.152 1984 1 \
1 1 50 0 0 5 8 \
16 0123456789abcdef0123456789abcdef \
133 0 20 0123456789abcdef0123456789abcdef01234567 3
adds a dual-entry, two-way SA between 129.6.224.152 and
this system with tunnel mode on, replay checking on, an
initial sequence number of 1, using the AH protocol with
HMAC-SHA-1-96 for authentication for outgoing packets,
and the ESP protocol with Blowfish-CBC for encryption and
HMAC-SHA-1-96 for authentication for incoming packets.
Example 6
sadb add d 129.6.224.152 32 1984 129.6.224.152 1984 1 \
1 1 50 51 1985 4 8 \
16 0123456789abcdef0123456789abcdef 0
sadb add d 129.6.224.152 32 1985 129.6.224.152 1985 1 \
1 1 51 0 0 132 0 \
16 0123456789abcdef0123456789abcdef 3
adds a single-entry, two-way AH+ESP SA bundle (a.k.a.
linked SA) between 129.6.224.152 and this system with
tunnel mode on, replay checking on, an initial sequence
number of 1, using RC5-CBC for ESP encryption and
HMAC-MD5-96 for AH authentication.
Example 7
sadb add d 129.6.224.152 32 1984 129.6.224.152 1985 1 \
1 1 50 0 0 4 8 \
16 0123456789abcdef0123456789abcdef \
132 0 16 0123456789abcdef0123456789abcdef 3
sadb add d 129.6.224.152 32 1985 129.6.224.152 1984 1 \
1 1 50 0 0 5 8 \
16 0123456789abcdef0123456789abcdef \
133 0 20 0123456789abcdef0123456789abcdef01234567 3
adds a dual-entry, two-way ESP SA between 129.6.224.152
and this system with tunnel mode on, replay checking on,
an initial sequence number of 1, using RC5-CBC for
encryption and HMAC-MD5-96 for authentication for
outgoing packets, and Blowfish-CBC for encryption and
HMAC-SHA-1-96 for authentication for incoming packets
(outgoing packets use the first relevant SA found in the
SADB).
Example 8
sadb add d 129.6.224.152 32 1984 129.6.224.152 1987 1 \
1 1 50 51 1986 4 8 \
16 0123456789abcdef0123456789abcdef 0
sadb add d 129.6.224.152 32 1986 129.6.224.152 1988 1 \
1 1 51 0 0 132 0 \
16 0123456789abcdef0123456789abcdef 3
sadb add d 129.6.224.152 32 1987 129.6.224.152 1984 1 \
1 1 50 51 1988 5 8 \
16 0123456789abcdef0123456789abcdef 0
sadb add d 129.6.224.152 32 1988 129.6.224.152 1986 1 \
1 1 51 0 0 133 0 \
20 0123456789abcdef0123456789abcdef01234567 3
adds a dual-entry, two-way AH+ESP SA bundle between
129.6.224.152 and this system with tunnel mode on, replay
checking on, an initial sequence number of 1, using
RC5-CBC for ESP encryption and HMAC-MD5-96 for AH
authentication for outgoing packets, and Blowfish-CBC for
ESP encryption and HMAC-SHA-1-96 for AH authentication
for incoming packets (outgoing packets use the first
relevant SA found in the SADB).
Example 9
sadb add d 129.6.224.152 32 1984 129.6.224.152 1984 0 \
0 0 2 0 0
adds a single-entry NULL SA between 129.6.224.152 and
this system. This allows this system to accept
non-secured packets from 129.6.224.152.
Example 10
sadb add d 129.6.224.152 32 1984 129.6.224.152 1984 1 \
1 1 50 0 0 7 0 0 \
132 0 16 0123456789abcdef0123456789abcdef 3
adds a single-entry, two-way ESP SA between 129.6.224.152
and this system with tunnel mode on, replay checking on,
an initial sequence number of 1, using NULL (no)
encryption and HMAC-MD5-96 for authentication.
Example 11
sadb get d
prints out the entire SADB
Example 12
sadb get d 129.6.51.112 1984 50
prints out the SADB entry identified by the
destination, spi, protocol tuple.
Example 13
sadb delete d 129.6.51.112 1984 50
deletes the SA identified by the destination, spi,
protocol tuple.
Example 14
sadb set prot 0 0
sets the system policy so only IPsec-protected packets
can enter or leave this system. (WARNING: this mode can
cause system lockup if the system depends on network
services from non-IPsec systems.)
Example 15
sadb set prot 2 2
sets the system policy so only systems specified in the
SADB can send packets to or receive packets from this
system. NULL_SAs are allowed and can be used to provide
access to network services from non-IPsec systems.
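Added helper, not part of the original man page or the NIST tool: a POSIX sh script that assembles the positional argument list for an unbundled ESP `sadb add d` (linked-protocol-number 0, linked-spi 0), derives both key-length fields from the hex keys, rejects crypto/auth ids and key sizes that do not match the tables above, and prints a two-way SA pair with fresh /dev/urandom keys in place of the 0123456789abcdef placeholder. The function names, the fixed auth-iv-length of 0 (as in every example here) and the key sizes of 16 bytes for HMAC-MD5-96 and 20 bytes for HMAC-SHA-1-96 (as in Examples 1 and 2) are this helper's own assumptions.

```shell
#!/bin/sh
# Builds the argument list for 'sadb add d' (ESP form, unbundled:
# linked-protocol-number 0, linked-spi 0). The two key-length fields
# are derived from the hex keys and the algorithm ids are checked
# against the tables above, so a mistyped field fails here instead of
# landing in the kernel SADB. auth-iv-length is fixed at 0, as in every
# example on this page (an assumption of this helper).

# Fresh random key of $1 bytes, printed as lowercase hex.
gen_key() { head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# esp_add_args DEST PREFIX LOCAL_SPI PEER PEER_SPI TUNNEL REPLAY SEQ \
#              CRYPTO_ALG IV_LEN CRYPTO_KEY AUTH_ALG AUTH_KEY AUTH_DATA_LEN
# Prints the argument list on success, returns 1 on an invalid field.
esp_add_args() {
    dest=$1 prefix=$2 lspi=$3 peer=$4 pspi=$5 tunnel=$6 replay=$7 seq=$8
    calg=$9; shift 9
    ivlen=$1 ckey=$2 aalg=$3 akey=$4 adlen=$5
    case "$tunnel$replay" in 00|01|10|11) ;; *) echo "flags must be 0 or 1" >&2; return 1;; esac
    case "$calg" in 2|3|4|5|6|7|8|9|10|11|12|252) ;;
        *) echo "unknown crypto-alg-id $calg" >&2; return 1;; esac
    case "$aalg" in 132|133|253) ;; *) echo "unknown auth-alg-id $aalg" >&2; return 1;; esac
    case "$ckey$akey" in *[!0-9a-fA-F]*) echo "keys must be hex" >&2; return 1;; esac
    if [ $(( ${#ckey} % 2 )) -ne 0 ] || [ $(( ${#akey} % 2 )) -ne 0 ]; then
        echo "hex keys need an even number of digits" >&2; return 1
    fi
    ckeylen=$(( ${#ckey} / 2 )) akeylen=$(( ${#akey} / 2 ))
    # NULL encryption (7) carries no key (Example 10); every other cipher needs one.
    if [ "$calg" -eq 7 ] && [ "$ckeylen" -ne 0 ]; then echo "NULL takes no key" >&2; return 1; fi
    if [ "$calg" -ne 7 ] && [ "$ckeylen" -eq 0 ]; then echo "cipher needs a key" >&2; return 1; fi
    # HMAC-MD5-96 takes a 16-byte key, HMAC-SHA-1-96 a 20-byte key.
    case "$aalg:$akeylen" in 132:16|133:20|253:*) ;;
        *) echo "auth-alg-id $aalg does not take a $akeylen-byte key" >&2; return 1;; esac
    crypto="$calg $ivlen $ckeylen"
    if [ -n "$ckey" ]; then crypto="$crypto $ckey"; fi
    echo "$dest $prefix $lspi $peer $pspi $tunnel $replay $seq 50 0 0 $crypto $aalg 0 $akeylen $akey $adlen"
}

# Prints the two commands for a dual-entry two-way ESP SA (Blowfish-CBC +
# HMAC-SHA-1-96 in both directions, as in Example 2's second entry) with
# fresh keys instead of the placeholder key. Review the output, then pipe it to sh.
pair_commands() {
    peer=$1 spi_out=$2 spi_in=$3
    cmd_out=$(esp_add_args "$peer" 32 "$spi_out" "$peer" "$spi_in" 1 1 1 5 8 "$(gen_key 16)" 133 "$(gen_key 20)" 3) || return 1
    cmd_in=$(esp_add_args "$peer" 32 "$spi_in" "$peer" "$spi_out" 1 1 1 5 8 "$(gen_key 16)" 133 "$(gen_key 20)" 3) || return 1
    printf 'sadb add d %s\nsadb add d %s\n' "$cmd_out" "$cmd_in"
}
```

The generated keys only protect traffic once the IPsec peer has been configured with the same keys, so the printed commands must be carried to the peer over a channel you already trust.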
FILES
/dev/ipsec
AUTHORS
sadb for Linux was originally written by Rob Glenn (NIST).
PlutoPlus additions were added by Sheila Frankel (NIST).
BUGS
A few ants, a couple of flies...