NAME
ipsec - manipulates the ipsec SP/SA/certificate Databases and displays ipsec statistics

SYNOPSIS
ipsec policy add [-s src_ip/prefixlen[port]] [-t dst_ip/prefixlen[port]] -p {esp|ah|none}
      [-e {des|3des|null} | -a {sha1|md5|null}] -d {in|out} [-f ip_protocol]
      [-l {restrict|permit}]

ipsec policy delete all | -i index [[-s src_ip|-t dst_ip] -d {in|out} [-m]]

ipsec policy show [-s src_ip] [-t dst_ip] [-f ip_protocol] [-d {in|out}] [-p {esp|ah}]

ipsec cert set [-c <file_name> -k <file_name>]

ipsec cert set [-r <file_name1> <file_name2> ..]

ipsec cert show

ipsec sa show [spi [-s src_ip -t dst_ip -p {esp|ah}]] [-v]

ipsec stats [-z]

DESCRIPTION
ipsec (Internet Protocol Security) is a security protocol at the Internet Protocol layer. ipsec is provided by two subprotocols, ESP (Encapsulating Security Payload) and AH (Authentication Header). ESP protects the IP payload from wire-tapping by encrypting it with secret-key cryptographic algorithms. AH guarantees the integrity of the IP packet and protects it from alteration or impersonation in transit by attaching a cryptographic checksum computed with one-way hash functions. ipsec is controlled by a key management engine and a policy engine.

The policy engine is controlled by the ipsec policy command, which adds, deletes and displays Security Policy Database (SPD) entries.

The key management engine is controlled by the key exchange protocol module IKE (Internet Key Exchange). Through key management, a Security Association (SA) is negotiated between two end stations. This SA is used for secure data exchange between these two stations. The ipsec sa command displays the Security Association Database (SAD) entries.

IKE negotiation involves authentication. The supported IKE authentication methods are pre-shared keys, Kerberos authentication and certificate authentication. Currently Kerberos authentication works for the Windows environment only. When IKE negotiation takes place, the filer obeys the authentication policy configured on the partner. Thus if the partner is set up for pre-shared keys, the filer expects to find the pre-shared key in the /etc/psk.txt file. For more information on psk.txt, refer to na_psk.txt(5). CIFS is an important dependency for Kerberos authentication and should be configured. Certificate authentication supports IKE Main mode with RSA signature authentication and supports X.509v3 (RFC 3280) certificates in PEM format.

The ipsec stats command displays a set of ipsec statistics.

OPTIONS
-s source
The source of the secure communication, specified as an IP address or an IP address range, optionally followed by a TCP/UDP port. This takes the form shown in the synopsis:

src_ip/prefixlen[port]

prefixlen and port must be decimal numbers. The square brackets around the port are really necessary; they are not man page meta-characters. See EXAMPLES.

-t destination
The destination of the secure communication. This also takes the above form.

For ipsec sa commands, the source and destination cannot be an IP address range; each must be a single valid IP address.
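As an added example (not part of this man page and not the filer's own code), the following Python function parses and validates the -s/-t endpoint form from the synopsis, src_ip/prefixlen[port], and enforces the rule just stated that ipsec sa commands accept only a single address, never a range. The regular expression is this example's reading of the synopsis, and the function and class names are its own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Accepts ip[/prefixlen][[port]] as written in the synopsis, e.g. 10.1.0.0/16[139].
# This regex is the example's own assumption about the form, not the filer's parser.
_ENDPOINT_RE = re.compile(
    r"^(?P<ip>[0-9.]+)(?:/(?P<prefix>\d+))?(?:\[(?P<port>\d+)\])?$"
)


@dataclass(frozen=True)
class Endpoint:
    """One side of a policy or SA: an address range (or single host) plus an optional port."""
    network: ipaddress.IPv4Network
    port: Optional[int]  # None means the port was omitted (any port)

    @property
    def is_single_host(self) -> bool:
        return self.network.num_addresses == 1


def parse_endpoint(spec: str, *, require_host: bool = False) -> Endpoint:
    """Parse a -s/-t argument of the form src_ip/prefixlen[port].

    require_host=True models the ipsec sa restriction: an address range
    (a prefix shorter than 32) is rejected and only a single IP address passes.
    Raises ValueError on malformed input, a bad address or a bad port.
    """
    m = _ENDPOINT_RE.match(spec.strip())
    if m is None:
        raise ValueError(f"malformed endpoint {spec!r}; expected ip/prefixlen[port]")
    prefix = int(m["prefix"]) if m["prefix"] is not None else 32
    # strict=False lets a host address carry a shorter prefix (10.1.2.3/16),
    # which ipaddress normalises to the network address 10.1.0.0/16.
    network = ipaddress.IPv4Network(f"{m['ip']}/{prefix}", strict=False)
    port: Optional[int] = None
    if m["port"] is not None:
        port = int(m["port"])
        if not 0 < port <= 65535:
            raise ValueError(f"port {port} is out of range")
    if require_host and network.num_addresses != 1:
        raise ValueError(f"{spec!r} is an address range; ipsec sa needs a single IP address")
    return Endpoint(network, port)


if __name__ == "__main__":
    # Constructed inputs; the addresses are placeholders.
    for spec in ("10.1.0.0/16[139]", "10.2.2.5", "10.2.2.5[445]"):
        ep = parse_endpoint(spec)
        kind = "single host" if ep.is_single_host else "range"
        print(f"{spec:18} -> {ep.network} port={ep.port} ({kind})")
```

Because the brackets are literal, a shell or script that builds the command line must pass the argument quoted or unglobbed; the parser above treats a missing bracket pair as "any port", which matches the synopsis where the port is optional.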

-p protocol
Specify a protocol: either esp (ESP, based on RFC 2405) or ah (AH, based on RFC 2402).

-e ealgo
Specify an encryption algorithm when the protocol is esp. Choose 3des to use the triple Data Encryption Standard (DES) algorithm, des to use the DES algorithm, or null to have no encryption. If this option is not specified, the best algorithm is selected based on the peer's capabilities.

-a aalgo
Specify an authentication algorithm: sha1 to use a 128-bit key or md5 to use a 160-bit key. To have the best algorithm negotiated, choose null.

-d direction
Specify a direction: either in or out.

-m
Disable mirror policy creation. By default a mirror policy, a policy in the opposite direction with the source and destination addresses reversed, is created.

-f IP protocol
Specify an upper-layer protocol as a numeric protocol number, for example 6 for TCP or 17 for UDP.

-l level
Specify a level: restrict or permit. restrict means data traffic is allowed only if a valid Security Association (SA) has been obtained. permit means that if an attempt to obtain an SA fails, the data traffic passes without any security processing.

-i index
Specify an index in the Security Policy Database. The index is obtained by the ipsec policy show command.

-z
Clears the statistics counters.

The ipsec cert commands set a user certificate and private key pair, or set root certificates. All of these are used during IKE negotiation between the filer and its partner.

-c user certificate
Specify the file name of a user certificate. The certificate has been signed by a certification authority (CA).

-k key
Specify the file name of a private key. This is the private key that the administrator generated in order to obtain the certificate.

-r root certificate(s)
Specify from 1 to 15 file names of trusted root certificates. A root certificate is obtained from a certification authority (CA).


The output format for ipsec policy show is as follows:
  Index  IPAddress/prefix/port/protocol    Dir/Policy  Proto/SecLevel  ealg/aalg
  -----  --------------------------------  ----------  --------------  ---------
      2     /16/[139  ]/any ->  in /IPSEC  esp/restrict    3des/sha1     /[any  ]/any

      1     /[any  ]/any ->  out/IPSEC  esp/restrict    3des/sha1     /16/[139  ]/any

The output format for ipsec sa show is as follows:

  Alg/State/Spi Current Bytes/CreatedTime SrcIPAddr->DstIPAddr
  ------------- ------------------------- --------------------
  esp/M/0001388 0/20 Aug 2002 17:28:19>

The different values for state are:
         M Mature and active.
         D Dead.
         d Dying.
         L Larval.
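To make the two display formats above easier to act on, here is an added Python example (not code from this man page or from the filer) that parses constructed ipsec policy show and ipsec sa show output, flags policies whose level is permit (traffic falls back to the clear when SA negotiation fails) or whose ESP encryption is des or null, and tallies SAs by the state letters listed above. The column regexes, the function names and the sample output with placeholder addresses are all assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Column layouts follow the formats documented for "ipsec policy show" and
# "ipsec sa show"; the regexes are this example's assumption about that text.
_POLICY_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<src>.+?)\s+->\s+(?P<dir>in|out)\s*/(?P<policy>\w+)"
    r"\s+(?P<proto>esp|ah|none)/(?P<level>\w+)\s+(?P<ealg>\w+)/(?P<aalg>\w+)\s+(?P<dst>.+?)\s*$"
)
_SA_RE = re.compile(
    r"^\s*(?P<alg>esp|ah)/(?P<state>[MDdL])/(?P<spi>[0-9A-Fa-f]+)\s+(?P<bytes>\d+)/"
    r"(?P<created>.+?)\s+(?P<src>\S+)->(?P<dst>\S+)\s*$"
)
SA_STATES = {"M": "mature", "D": "dead", "d": "dying", "L": "larval"}
WEAK_EALG = {"des", "null"}  # single DES and "no encryption"

# Constructed sample output; the addresses are placeholders, not from a real filer.
POLICY_SHOW_SAMPLE = """\
  Index  IPAddress/prefix/port/protocol    Dir/Policy  Proto/SecLevel  ealg/aalg
  -----  --------------------------------  ----------  --------------  ---------
      2  10.1.0.0/16/[139  ]/any ->  in /IPSEC  esp/restrict    3des/sha1     10.2.2.5/[any  ]/any
      1  10.2.2.5/[any  ]/any ->  out/IPSEC  esp/restrict    3des/sha1     10.1.0.0/16/[139  ]/any
      3  10.3.0.0/24/[any  ]/any ->  in /IPSEC  esp/permit      des/md5       10.2.2.5/[any  ]/any
"""
SA_SHOW_SAMPLE = """\
  Alg/State/Spi Current Bytes/CreatedTime SrcIPAddr->DstIPAddr
  ------------- ------------------------- --------------------
  esp/M/0001388 0/20 Aug 2002 17:28:19 10.1.1.5->10.2.2.5
  esp/d/0001389 4096/20 Aug 2002 17:20:02 10.2.2.5->10.1.1.5
"""


@dataclass(frozen=True)
class Policy:
    index: int
    src: str
    direction: str
    proto: str
    level: str
    ealg: str
    aalg: str
    dst: str


@dataclass(frozen=True)
class SecurityAssociation:
    alg: str
    state: str
    spi: str
    bytes: int
    created: str
    src: str
    dst: str


def parse_policy_show(text: str) -> List[Policy]:
    """Return one Policy per data row; header and rule lines do not match."""
    rows = []
    for line in text.splitlines():
        m = _POLICY_RE.match(line)
        if m:
            rows.append(Policy(int(m["index"]), m["src"], m["dir"], m["proto"],
                               m["level"], m["ealg"], m["aalg"], m["dst"]))
    return rows


def parse_sa_show(text: str) -> List[SecurityAssociation]:
    """Return one SecurityAssociation per data row of ipsec sa show."""
    rows = []
    for line in text.splitlines():
        m = _SA_RE.match(line)
        if m:
            rows.append(SecurityAssociation(m["alg"], m["state"], m["spi"], int(m["bytes"]),
                                            m["created"], m["src"], m["dst"]))
    return rows


def audit_policies(policies: List[Policy]) -> List[Tuple[int, str]]:
    """Flag (index, reason) for policies that weaken protection."""
    findings = []
    for p in policies:
        if p.level == "permit":
            findings.append((p.index, "permit: traffic passes in the clear if SA negotiation fails"))
        if p.proto == "esp" and p.ealg in WEAK_EALG:
            findings.append((p.index, f"weak ESP encryption algorithm {p.ealg!r}"))
    return findings


def sa_state_counts(sas: List[SecurityAssociation]) -> Counter:
    """Tally SAs by the state names the man page gives for M, D, d and L."""
    return Counter(SA_STATES[sa.state] for sa in sas)


if __name__ == "__main__":
    for index, reason in audit_policies(parse_policy_show(POLICY_SHOW_SAMPLE)):
        print(f"policy {index}: {reason}")
    print(dict(sa_state_counts(parse_sa_show(SA_SHOW_SAMPLE))))
```

Run against captured output instead of the constructed samples, the audit gives a quick check that every policy in the SPD is restrict with a strong cipher, and the state tally shows whether SAs are lingering in the dead or dying states rather than being re-negotiated.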

CLUSTER CONSIDERATIONS
Each filer in a cluster maintains its own SPD and SAD. If the filer is in partner mode, the ipsec command manipulates the SPD/SAD of the partner. On takeover, all existing Security Policies of the failed filer are taken over by the live filer. The SAs, however, need to be re-negotiated.

EXAMPLES
  ipsec policy add -s[139] -p esp -e des -a ah -d in

  ipsec cert set -c my_cert -k my_key

SEE ALSO
na_psk.txt(5), na_keymgr(1)

NOTES
The database entries are persistent across reboots; all Security Policies that exist at the time of a reboot are retained. If ipsec is to be used for a SnapMirror application, pre-shared keys are the only supported authentication mechanism.