aboutsummaryrefslogtreecommitdiffstats
path: root/doc/guides/sample_app_ug/ipsec_secgw.rst
diff options
context:
space:
mode:
Diffstat (limited to 'doc/guides/sample_app_ug/ipsec_secgw.rst')
-rw-r--r--doc/guides/sample_app_ug/ipsec_secgw.rst852
1 files changed, 360 insertions, 492 deletions
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
index fcb33c26..885c77e3 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -79,7 +79,7 @@ Constraints
* No IPv6 options headers.
* No AH mode.
-* Currently only EAS-CBC, HMAC-SHA1 and NULL.
+* Supported algorithms: AES-CBC, AES-CTR, AES-GCM, HMAC-SHA1 and NULL.
* Each SA must be handle by a unique lcore (*1 RX queue per port*).
* No chained mbufs.
@@ -122,7 +122,7 @@ The application has a number of command line options::
-p PORTMASK -P -u PORTMASK
--config (port,queue,lcore)[,(port,queue,lcore]
--single-sa SAIDX
- --ep0|--ep1
+ -f CONFIG_FILE_PATH
Where:
@@ -142,14 +142,11 @@ Where:
on both Inbound and Outbound. This option is meant for debugging/performance
purposes.
-* ``--ep0``: configure the app as Endpoint 0.
+* ``-f CONFIG_FILE_PATH``: the full path of text-based file containing all
+ configuration items for running the application (See Configuration file
+ syntax section below). ``-f CONFIG_FILE_PATH`` **must** be specified.
+ **ONLY** the UNIX format configuration file is accepted.
-* ``--ep1``: configure the app as Endpoint 1.
-
-Either one of ``--ep0`` or ``--ep1`` **must** be specified.
-The main purpose of these options is to easily configure two systems
-back-to-back that would forward traffic through an IPsec tunnel (see
-:ref:`figure_ipsec_endpoints`).
The mapping of lcores to port/queues is similar to other l3fwd applications.
@@ -157,7 +154,8 @@ For example, given the following command line::
./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 \
--vdev "cryptodev_null_pmd" -- -p 0xf -P -u 0x3 \
- --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --ep0 \
+ --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" \
+ -f /path/to/config_file \
where each options means:
@@ -194,8 +192,12 @@ where each options means:
| | | | |
+----------+-----------+-----------+---------------------------------------+
-* The ``--ep0`` options configures the app with a given set of SP, SA and Routing
- entries as explained below in more detail.
+* The ``-f /path/to/config_file`` option enables the application read and
+ parse the configuration file specified, and configures the application
+ with a given set of SP, SA and Routing entries accordingly. The syntax of
+ the configuration file will be explained below in more detail. Please
+ **note** the parser only accepts UNIX format text file. Other formats
+ such as DOS/MAC format will cause a parse error.
Refer to the *DPDK Getting Started Guide* for general information on running
applications and the Environment Abstraction Layer (EAL) options.
@@ -219,496 +221,362 @@ For example, something like the following command line:
--vdev "cryptodev_aesni_mb_pmd" --vdev "cryptodev_null_pmd" \
-- \
-p 0xf -P -u 0x3 --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" \
- --ep0
+ -f sample.cfg
Configurations
--------------
-The following sections provide some details on the default values used to
-initialize the SP, SA and Routing tables.
-Currently all configuration information is hard coded into the application.
+The following sections provide the syntax of configurations to initialize
+your SP, SA and Routing tables.
+Configurations shall be specified in the configuration file to be passed to
+the application. The file is then parsed by the application. The successful
+parsing will result in the appropriate rules being applied to the tables
+accordingly.
-The following image illustrate a few of the concepts regarding IPSec, such
-as protected/unprotected and inbound/outbound traffic, from the point of
-view of two back-to-back endpoints:
-.. _figure_ipsec_endpoints:
+Configuration File Syntax
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.. figure:: img/ipsec_endpoints.*
+As mention in the overview, the Security Policies are ACL rules.
+The application parsers the rules specified in the configuration file and
+passes them to the ACL table, and replicates them per socket in use.
- IPSec Inbound/Outbound traffic
+Following are the configuration file syntax.
-Note that the above image only displays unidirectional traffic per port
-for illustration purposes.
-The application supports bidirectional traffic on all ports,
+General rule syntax
+^^^^^^^^^^^^^^^^^^^
+The parse treats one line in the configuration file as one configuration
+item (unless the line concatenation symbol exists). Every configuration
+item shall follow the syntax of either SP, SA, or Routing rules specified
+below.
-Security Policy Initialization
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The configuration parser supports the following special symbols:
-As mention in the overview, the Security Policies are ACL rules.
-The application defines two ACLs, one each of Inbound and Outbound, and
-it replicates them per socket in use.
-
-Following are the default rules which show only the relevant information,
-assuming ANY value is valid for the fields not mentioned (src ip, proto,
-src/dst ports).
-
-.. _table_ipsec_endpoint_outbound_sp:
-
-.. table:: Endpoint 0 Outbound Security Policies
-
- +-----------------------------------+------------+
- | **Dst** | **SA idx** |
- | | |
- +-----------------------------------+------------+
- | 192.168.105.0/24 | 5 |
- | | |
- +-----------------------------------+------------+
- | 192.168.106.0/24 | 6 |
- | | |
- +-----------------------------------+------------+
- | 192.168.175.0/24 | 10 |
- | | |
- +-----------------------------------+------------+
- | 192.168.176.0/24 | 11 |
- | | |
- +-----------------------------------+------------+
- | 192.168.200.0/24 | 15 |
- | | |
- +-----------------------------------+------------+
- | 192.168.201.0/24 | 16 |
- | | |
- +-----------------------------------+------------+
- | 192.168.55.0/24 | 25 |
- | | |
- +-----------------------------------+------------+
- | 192.168.56.0/24 | 26 |
- | | |
- +-----------------------------------+------------+
- | 192.168.240.0/24 | BYPASS |
- | | |
- +-----------------------------------+------------+
- | 192.168.241.0/24 | BYPASS |
- | | |
- +-----------------------------------+------------+
- | 0:0:0:0:5555:5555:0:0/96 | 5 |
- | | |
- +-----------------------------------+------------+
- | 0:0:0:0:6666:6666:0:0/96 | 6 |
- | | |
- +-----------------------------------+------------+
- | 0:0:1111:1111:0:0:0:0/96 | 10 |
- | | |
- +-----------------------------------+------------+
- | 0:0:1111:1111:1111:1111:0:0/96 | 11 |
- | | |
- +-----------------------------------+------------+
- | 0:0:0:0:aaaa:aaaa:0:0/96 | 25 |
- | | |
- +-----------------------------------+------------+
- | 0:0:0:0:bbbb:bbbb:0:0/96 | 26 |
- | | |
- +-----------------------------------+------------+
-
-.. _table_ipsec_endpoint_inbound_sp:
-
-.. table:: Endpoint 0 Inbound Security Policies
-
- +-----------------------------------+------------+
- | **Dst** | **SA idx** |
- | | |
- +-----------------------------------+------------+
- | 192.168.115.0/24 | 105 |
- | | |
- +-----------------------------------+------------+
- | 192.168.116.0/24 | 106 |
- | | |
- +-----------------------------------+------------+
- | 192.168.185.0/24 | 110 |
- | | |
- +-----------------------------------+------------+
- | 192.168.186.0/24 | 111 |
- | | |
- +-----------------------------------+------------+
- | 192.168.210.0/24 | 115 |
- | | |
- +-----------------------------------+------------+
- | 192.168.211.0/24 | 116 |
- | | |
- +-----------------------------------+------------+
- | 192.168.65.0/24 | 125 |
- | | |
- +-----------------------------------+------------+
- | 192.168.66.0/24 | 126 |
- | | |
- +-----------------------------------+------------+
- | 192.168.245.0/24 | BYPASS |
- | | |
- +-----------------------------------+------------+
- | 192.168.246.0/24 | BYPASS |
- | | |
- +-----------------------------------+------------+
- | ffff:0:0:0:5555:5555:0:0/96 | 105 |
- | | |
- +-----------------------------------+------------+
- | ffff:0:0:0:6666:6666:0:0/96 | 106 |
- | | |
- +-----------------------------------+------------+
- | ffff:0:1111:1111:0:0:0:0/96 | 110 |
- | | |
- +-----------------------------------+------------+
- | ffff:0:1111:1111:1111:1111:0:0/96 | 111 |
- | | |
- +-----------------------------------+------------+
- | ffff:0:0:0:aaaa:aaaa:0:0/96 | 125 |
- | | |
- +-----------------------------------+------------+
- | ffff:0:0:0:bbbb:bbbb:0:0/96 | 126 |
- | | |
- +-----------------------------------+------------+
-
-For Endpoint 1, we use the same policies in reverse, meaning the Inbound SP
-entries are set as Outbound and vice versa.
-
-
-Security Association Initialization
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The SAs are kept in a array table.
-
-For Inbound, the SPI is used as index modulo the table size.
-This means that on a table for 100 SA, SPI 5 and 105 would use the same index
-and that is not currently supported.
-
-Notice that it is not an issue for Outbound traffic as we store the index and
-not the SPI in the Security Policy.
-
-All SAs configured with AES-CBC and HMAC-SHA1 share the same values for cipher
-block size and key, and authentication digest size and key.
-
-The following are the default values:
-
-.. _table_ipsec_endpoint_outbound_sa:
-
-.. table:: Endpoint 0 Outbound Security Associations
-
- +---------+----------+------------+-----------+----------------+----------------+
- | **SPI** | **Mode** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 5 | Tunnel | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 6 | Tunnel | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 10 | Trans | AES-CBC | HMAC-SHA1 | N/A | N/A |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 11 | Trans | AES-CBC | HMAC-SHA1 | N/A | N/A |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 15 | Tunnel | NULL | NULL | 172.16.1.5 | 172.16.2.5 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 16 | Tunnel | NULL | NULL | 172.16.1.6 | 172.16.2.6 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 25 | Tunnel | AES-CBC | HMAC-SHA1 | 1111:1111: | 2222:2222: |
- | | | | | 1111:1111: | 2222:2222: |
- | | | | | 1111:1111: | 2222:2222: |
- | | | | | 1111:5555 | 2222:5555 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 26 | Tunnel | AES-CBC | HMAC-SHA1 | 1111:1111: | 2222:2222: |
- | | | | | 1111:1111: | 2222:2222: |
- | | | | | 1111:1111: | 2222:2222: |
- | | | | | 1111:6666 | 2222:6666 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
-
-.. _table_ipsec_endpoint_inbound_sa:
-
-.. table:: Endpoint 0 Inbound Security Associations
-
- +---------+----------+------------+-----------+----------------+----------------+
- | **SPI** | **Mode** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 105 | Tunnel | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 106 | Tunnel | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 110 | Trans | AES-CBC | HMAC-SHA1 | N/A | N/A |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 111 | Trans | AES-CBC | HMAC-SHA1 | N/A | N/A |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 115 | Tunnel | NULL | NULL | 172.16.2.5 | 172.16.1.5 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 116 | Tunnel | NULL | NULL | 172.16.2.6 | 172.16.1.6 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 125 | Tunnel | AES-CBC | HMAC-SHA1 | 2222:2222: | 1111:1111: |
- | | | | | 2222:2222: | 1111:1111: |
- | | | | | 2222:2222: | 1111:1111: |
- | | | | | 2222:5555 | 1111:5555 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
- | 126 | Tunnel | AES-CBC | HMAC-SHA1 | 2222:2222: | 1111:1111: |
- | | | | | 2222:2222: | 1111:1111: |
- | | | | | 2222:2222: | 1111:1111: |
- | | | | | 2222:6666 | 1111:6666 |
- | | | | | | |
- +---------+----------+------------+-----------+----------------+----------------+
-
-For Endpoint 1, we use the same policies in reverse, meaning the Inbound SP
-entries are set as Outbound and vice versa.
-
-
-Routing Initialization
-~~~~~~~~~~~~~~~~~~~~~~
-
-The Routing is implemented using an LPM table.
-
-Following default values:
-
-.. _table_ipsec_endpoint_outbound_routing:
-
-.. table:: Endpoint 0 Routing Table
-
- +------------------+----------+
- | **Dst addr** | **Port** |
- | | |
- +------------------+----------+
- | 172.16.2.5/32 | 0 |
- | | |
- +------------------+----------+
- | 172.16.2.6/32 | 1 |
- | | |
- +------------------+----------+
- | 192.168.175.0/24 | 0 |
- | | |
- +------------------+----------+
- | 192.168.176.0/24 | 1 |
- | | |
- +------------------+----------+
- | 192.168.240.0/24 | 0 |
- | | |
- +------------------+----------+
- | 192.168.241.0/24 | 1 |
- | | |
- +------------------+----------+
- | 192.168.115.0/24 | 2 |
- | | |
- +------------------+----------+
- | 192.168.116.0/24 | 3 |
- | | |
- +------------------+----------+
- | 192.168.65.0/24 | 2 |
- | | |
- +------------------+----------+
- | 192.168.66.0/24 | 3 |
- | | |
- +------------------+----------+
- | 192.168.185.0/24 | 2 |
- | | |
- +------------------+----------+
- | 192.168.186.0/24 | 3 |
- | | |
- +------------------+----------+
- | 192.168.210.0/24 | 2 |
- | | |
- +------------------+----------+
- | 192.168.211.0/24 | 3 |
- | | |
- +------------------+----------+
- | 192.168.245.0/24 | 2 |
- | | |
- +------------------+----------+
- | 192.168.246.0/24 | 3 |
- | | |
- +------------------+----------+
- | 2222:2222: | 0 |
- | 2222:2222: | |
- | 2222:2222: | |
- | 2222:5555/116 | |
- | | |
- +------------------+----------+
- | 2222:2222: | 1 |
- | 2222:2222: | |
- | 2222:2222: | |
- | 2222:6666/116 | |
- | | |
- +------------------+----------+
- | 0000:0000: | 0 |
- | 1111:1111: | |
- | 0000:0000: | |
- | 0000:0000/116 | |
- | | |
- +------------------+----------+
- | 0000:0000: | 1 |
- | 1111:1111: | |
- | 1111:1111: | |
- | 0000:0000/116 | |
- | | |
- +------------------+----------+
- | ffff:0000: | 2 |
- | 0000:0000: | |
- | aaaa:aaaa: | |
- | 0000:0/116 | |
- | | |
- +------------------+----------+
- | ffff:0000: | 3 |
- | 0000:0000: | |
- | bbbb:bbbb: | |
- | 0000:0/116 | |
- | | |
- +------------------+----------+
- | ffff:0000: | 2 |
- | 0000:0000: | |
- | 5555:5555: | |
- | 0000:0/116 | |
- | | |
- +------------------+----------+
- | ffff:0000: | 3 |
- | 0000:0000: | |
- | 6666:6666: | |
- | 0000:0/116 | |
- | | |
- +------------------+----------+
- | ffff:0000: | 2 |
- | 1111:1111: | |
- | 0000:0000: | |
- | 0000:0000/116 | |
- | | |
- +------------------+----------+
- | ffff:0000: | 3 |
- | 1111:1111: | |
- | 1111:1111: | |
- | 0000:0000/116 | |
- | | |
- +------------------+----------+
-
-.. _table_ipsec_endpoint_inbound_routing:
-
-.. table:: Endpoint 1 Routing Table
-
- +------------------+----------+
- | **Dst addr** | **Port** |
- | | |
- +------------------+----------+
- | 172.16.1.5/32 | 0 |
- | | |
- +------------------+----------+
- | 172.16.1.6/32 | 1 |
- | | |
- +------------------+----------+
- | 192.168.185.0/24 | 0 |
- | | |
- +------------------+----------+
- | 192.168.186.0/24 | 1 |
- | | |
- +------------------+----------+
- | 192.168.245.0/24 | 0 |
- | | |
- +------------------+----------+
- | 192.168.246.0/24 | 1 |
- | | |
- +------------------+----------+
- | 192.168.105.0/24 | 2 |
- | | |
- +------------------+----------+
- | 192.168.106.0/24 | 3 |
- | | |
- +------------------+----------+
- | 192.168.55.0/24 | 2 |
- | | |
- +------------------+----------+
- | 192.168.56.0/24 | 3 |
- | | |
- +------------------+----------+
- | 192.168.175.0/24 | 2 |
- | | |
- +------------------+----------+
- | 192.168.176.0/24 | 3 |
- | | |
- +------------------+----------+
- | 192.168.200.0/24 | 2 |
- | | |
- +------------------+----------+
- | 192.168.201.0/24 | 3 |
- | | |
- +------------------+----------+
- | 192.168.240.0/24 | 2 |
- | | |
- +------------------+----------+
- | 192.168.241.0/24 | 3 |
- | | |
- +------------------+----------+
- | 1111:1111: | 0 |
- | 1111:1111: | |
- | 1111:1111: | |
- | 1111:5555/116 | |
- | | |
- +------------------+----------+
- | 1111:1111: | 1 |
- | 1111:1111: | |
- | 1111:1111: | |
- | 1111:6666/116 | |
- | | |
- +------------------+----------+
- | ffff:0000: | 0 |
- | 1111:1111: | |
- | 0000:0000: | |
- | 0000:0000/116 | |
- | | |
- +------------------+----------+
- | ffff:0000: | 1 |
- | 1111:1111: | |
- | 1111:1111: | |
- | 0000:0000/116 | |
- | | |
- +------------------+----------+
- | 0000:0000: | 2 |
- | 0000:0000: | |
- | aaaa:aaaa: | |
- | 0000:0/116 | |
- | | |
- +------------------+----------+
- | 0000:0000: | 3 |
- | 0000:0000: | |
- | bbbb:bbbb: | |
- | 0000:0/116 | |
- | | |
- +------------------+----------+
- | 0000:0000: | 2 |
- | 0000:0000: | |
- | 5555:5555: | |
- | 0000:0/116 | |
- | | |
- +------------------+----------+
- | 0000:0000: | 3 |
- | 0000:0000: | |
- | 6666:6666: | |
- | 0000:0/116 | |
- | | |
- +------------------+----------+
- | 0000:0000: | 2 |
- | 1111:1111: | |
- | 0000:0000: | |
- | 0000:0000/116 | |
- | | |
- +------------------+----------+
- | 0000:0000: | 3 |
- | 1111:1111: | |
- | 1111:1111: | |
- | 0000:0000/116 | |
- | | |
- +------------------+----------+
+ * Comment symbol **#**. Any character from this symbol to the end of
+ line is treated as comment and will not be parsed.
+
+ * Line concatenation symbol **\\**. This symbol shall be placed in the end
+ of the line to be concatenated to the line below. Multiple lines'
+ concatenation is supported.
+
+
+SP rule syntax
+^^^^^^^^^^^^^^
+
+The SP rule syntax is shown as follows:
+
+.. code-block:: console
+
+ sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip>
+ <proto> <sport> <dport>
+
+
+where each options means:
+
+``<ip_ver>``
+
+ * IP protocol version
+
+ * Optional: No
+
+ * Available options:
+
+ * *ipv4*: IP protocol version 4
+ * *ipv6*: IP protocol version 6
+
+``<dir>``
+
+ * The traffic direction
+
+ * Optional: No
+
+ * Available options:
+
+ * *in*: inbound traffic
+ * *out*: outbound traffic
+
+``<action>``
+
+ * IPsec action
+
+ * Optional: No
+
+ * Available options:
+
+ * *protect <SA_idx>*: the specified traffic is protected by SA rule
+ with id SA_idx
+ * *bypass*: the specified traffic traffic is bypassed
+ * *discard*: the specified traffic is discarded
+
+``<priority>``
+
+ * Rule priority
+
+ * Optional: Yes, default priority 0 will be used
+
+ * Syntax: *pri <id>*
+
+``<src_ip>``
+
+ * The source IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *src X.X.X.X/Y* for IPv4
+ * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<dst_ip>``
+
+ * The destination IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *dst X.X.X.X/Y* for IPv4
+ * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<proto>``
+
+ * The protocol start and end range
+
+ * Optional: yes, default range of 0 to 0 will be used
+
+ * Syntax: *proto X:Y*
+
+``<sport>``
+
+ * The source port start and end range
+
+ * Optional: yes, default range of 0 to 0 will be used
+
+ * Syntax: *sport X:Y*
+
+``<dport>``
+
+ * The destination port start and end range
+
+ * Optional: yes, default range of 0 to 0 will be used
+
+ * Syntax: *dport X:Y*
+
+Example SP rules:
+
+.. code-block:: console
+
+ sp ipv4 out esp protect 105 pri 1 dst 192.168.115.0/24 sport 0:65535 \
+ dport 0:65535
+
+ sp ipv6 in esp bypass pri 1 dst 0000:0000:0000:0000:5555:5555:\
+ 0000:0000/96 sport 0:65535 dport 0:65535
+
+
+SA rule syntax
+^^^^^^^^^^^^^^
+
+The successfully parsed SA rules will be stored in an array table.
+
+The SA rule syntax is shown as follows:
+
+.. code-block:: console
+
+ sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
+ <mode> <src_ip> <dst_ip>
+
+where each options means:
+
+``<dir>``
+
+ * The traffic direction
+
+ * Optional: No
+
+ * Available options:
+
+ * *in*: inbound traffic
+ * *out*: outbound traffic
+
+``<spi>``
+
+ * The SPI number
+
+ * Optional: No
+
+ * Syntax: unsigned integer number
+
+``<cipher_algo>``
+
+ * Cipher algorithm
+
+ * Optional: No
+
+ * Available options:
+
+ * *null*: NULL algorithm
+ * *aes-128-cbc*: AES-CBC 128-bit algorithm
+ * *aes-128-ctr*: AES-CTR 128-bit algorithm
+ * *aes-128-gcm*: AES-GCM 128-bit algorithm
+
+ * Syntax: *cipher_algo <your algorithm>*
+
+``<cipher_key>``
+
+ * Cipher key, NOT available when 'null' algorithm is used
+
+ * Optional: No, must followed by <cipher_algo> option
+
+ * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
+ The number of bytes should be as same as the specified cipher algorithm
+ key size.
+
+ For example: *cipher_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:
+ A1:B2:C3:D4*
+
+``<auth_algo>``
+
+ * Authentication algorithm
+
+ * Optional: No
+
+ * Available options:
+
+ * *null*: NULL algorithm
+ * *sha1-hmac*: HMAC SHA1 algorithm
+ * *aes-128-gcm*: AES-GCM 128-bit algorithm
+
+``<auth_key>``
+
+ * Authentication key, NOT available when 'null' or 'aes-128-gcm' algorithm
+ is used.
+
+ * Optional: No, must followed by <auth_algo> option
+
+ * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
+ The number of bytes should be as same as the specified authentication
+ algorithm key size.
+
+ For example: *auth_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:
+ A1:B2:C3:D4*
+
+``<mode>``
+
+ * The operation mode
+
+ * Optional: No
+
+ * Available options:
+
+ * *ipv4-tunnel*: Tunnel mode for IPv4 packets
+ * *ipv6-tunnel*: Tunnel mode for IPv6 packets
+ * *transport*: transport mode
+
+ * Syntax: mode XXX
+
+``<src_ip>``
+
+ * The source IP address. This option is not available when
+ transport mode is used
+
+ * Optional: Yes, default address 0.0.0.0 will be used
+
+ * Syntax:
+
+ * *src X.X.X.X* for IPv4
+ * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX* for IPv6
+
+``<dst_ip>``
+
+ * The destination IP address. This option is not available when
+ transport mode is used
+
+ * Optional: Yes, default address 0.0.0.0 will be used
+
+ * Syntax:
+
+ * *dst X.X.X.X* for IPv4
+ * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX* for IPv6
+
+Example SA rules:
+
+.. code-block:: console
+
+ sa out 5 cipher_algo null auth_algo null mode ipv4-tunnel \
+ src 172.16.1.5 dst 172.16.2.5
+
+ sa out 25 cipher_algo aes-128-cbc \
+ cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3 \
+ auth_algo sha1-hmac \
+ auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3 \
+ mode ipv6-tunnel \
+ src 1111:1111:1111:1111:1111:1111:1111:5555 \
+ dst 2222:2222:2222:2222:2222:2222:2222:5555
+
+ sa in 105 cipher_algo aes-128-gcm \
+ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+ auth_algo aes-128-gcm \
+ mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
+
+Routing rule syntax
+^^^^^^^^^^^^^^^^^^^
+
+The Routing rule syntax is shown as follows:
+
+.. code-block:: console
+
+ rt <ip_ver> <src_ip> <dst_ip> <port>
+
+
+where each options means:
+
+``<ip_ver>``
+
+ * IP protocol version
+
+ * Optional: No
+
+ * Available options:
+
+ * *ipv4*: IP protocol version 4
+ * *ipv6*: IP protocol version 6
+
+``<src_ip>``
+
+ * The source IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *src X.X.X.X/Y* for IPv4
+ * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<dst_ip>``
+
+ * The destination IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *dst X.X.X.X/Y* for IPv4
+ * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<port>``
+
+ * The traffic output port id
+
+ * Optional: yes, default output port 0 will be used
+
+ * Syntax: *port X*
+
+Example SP rules:
+
+.. code-block:: console
+
+ rt ipv4 dst 172.16.1.5/32 port 0
+
+ rt ipv6 dst 1111:1111:1111:1111:1111:1111:1111:5555/116 port 0