_UPDOWN(8)		      Executable programs		    _UPDOWN(8)

NAME
       ipsec__updown - kernel and routing manipulation script

SYNOPSIS
       _updown is invoked by pluto when	it has brought up a new	connection.
       This script is used to insert the appropriate routing entries for IPsec
       operation on some kernel	IPsec stacks, and may do other necessary work
       that is kernel or user specific,	such as	defining custom	firewall
       rules. The interface to the script is documented	in the pluto man page.

VARIABLES
       The _updown script is passed a number of variables, which it can use
       to act differently depending on the connection:

       PLUTO_VERB
	   specifies the name of the operation to be performed,	which can be
	   one of prepare-host,	prepare-client,	up-host, up-client, down-host
	   or down-client. If the address family for security gateway to
	   security gateway communications is IPv6, then a suffix of -v6 is
	   added to this verb.

       PLUTO_CONNECTION
	   is the name of the connection for which we are routing.

       PLUTO_NEXT_HOP
	   is the next hop to which packets bound for the peer must be sent.

       PLUTO_INTERFACE
	   is the name of the real interface used by encrypted traffic and IKE
	   traffic.

       PLUTO_ME
	   is the IP address of	our host.

       PLUTO_MY_CLIENT
	   is the IP address / count of	our client subnet. If the client is
	   just	the host, this will be the host's own IP address / max (where
	   max is 32 for IPv4 and 128 for IPv6).

       PLUTO_MY_CLIENT_NET
	   is the IP address of	our client net.	If the client is just the
	   host, this will be the host's own IP	address.

       PLUTO_MY_CLIENT_MASK
	   is the mask for our client net. If the client is just the host,
	   this	will be	255.255.255.255.

       PLUTO_PEER
	   is the IP address of	our peer.

       PLUTO_PEER_CLIENT
	   is the IP address / count of	the peer's client subnet. If the
	   client is just the peer, this will be the peer's own	IP address /
	   max (where max is 32	for IPv4 and 128 for IPv6).

       PLUTO_PEER_CLIENT_NET
	   is the IP address of	the peer's client net. If the client is	just
	   the peer, this will be the peer's own IP address.

       PLUTO_PEER_CLIENT_MASK
	   is the mask for the peer's client net. If the client	is just	the
	   peer, this will be 255.255.255.255.

       PLUTO_MY_PROTOCOL
	   lists the protocols allowed over this IPsec SA.

       PLUTO_PEER_PROTOCOL
	   lists the protocols the peer	allows over this IPsec SA.

       PLUTO_MY_PORT
	   lists the ports allowed over	this IPsec SA.

       PLUTO_PEER_PORT
	   lists the ports the peer allows over	this IPsec SA.

       PLUTO_MY_ID
	   lists our id.

       PLUTO_PEER_ID
	   lists our peer's id.

       PLUTO_PEER_CA
	   lists the peer's CA.
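
       The following hook is an added example, not libreswan's own _updown
       and not code from this manual page. It shows a custom script
       dispatching on PLUTO_VERB (including the -v6 suffix) and checking the
       client subnet variables before using them. It only prints the action
       it would take; the allow/revoke output format and the interface name
       em0 used to try it are assumptions.

```sh
#!/bin/sh
# Added example, not libreswan's own _updown. It prints the action it would
# take instead of changing routes or firewall rules.

# Coarse allow-list for "address/count" values such as PLUTO_PEER_CLIENT:
# only hex digits, dots and colons, exactly one slash, then a decimal count.
valid_subnet() {
    addr=${1%/*}
    count=${1##*/}
    [ "$addr/$count" = "$1" ] || return 1
    case "$addr" in ""|*[!0-9a-fA-F.:]*) return 1 ;; esac
    case "$count" in ""|*[!0-9]*) return 1 ;; esac
    [ "$count" -le 128 ]
}

updown_action() {
    verb=${PLUTO_VERB:-}
    gw=v4
    # An IPv6 gateway-to-gateway connection adds -v6 to the verb.
    case "$verb" in *-v6) gw=v6; verb=${verb%-v6} ;; esac

    case "$verb" in
        prepare-host|prepare-client) echo "noop $verb"; return 0 ;;
        up-host|up-client)     op=allow ;;
        down-host|down-client) op=revoke ;;
        *) echo "error: unknown verb" >&2; return 2 ;;
    esac

    # Refuse to act on a subnet value that is not plainly address/count.
    for v in "${PLUTO_MY_CLIENT:-}" "${PLUTO_PEER_CLIENT:-}"; do
        valid_subnet "$v" || { echo "error: bad client subnet" >&2; return 3; }
    done

    # Quoted expansions only: no eval and no unquoted word splitting.
    printf '%s gw=%s if=%s from=%s to=%s\n' "$op" "$gw" \
        "${PLUTO_INTERFACE:-}" "$PLUTO_PEER_CLIENT" "$PLUTO_MY_CLIENT"
}

# Act only when a verb is present in the environment, as when pluto runs it.
if [ -n "${PLUTO_VERB:-}" ]; then updown_action; fi
```

       To try it by hand, set PLUTO_VERB, PLUTO_INTERFACE, PLUTO_MY_CLIENT
       and PLUTO_PEER_CLIENT in the environment with constructed values
       (for example documentation ranges such as 192.0.2.0/24) and run the
       script.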

SEE ALSO
       ipsec(8), ipsec_pluto(8).

HISTORY
       Man page	written	for the	Linux FreeS/WAN	project
       <https://www.freeswan.org/> by Michael Richardson. Original program
       written by Henry	Spencer.

AUTHOR
       Paul Wouters

libreswan			  05/13/2025			    _UPDOWN(8)
