Each command must be <SPACE>;<CRLF> terminated. Everything
resembles the native setkey command and is meant to be more or
less compatible with it.
Angle brackets are placeholders that must be filled in.
flush
    Delete all SA entries.
spdflush
    Delete all SP entries.
dump
    Print all SA entries.
spddump
    Print all SP entries.
spddelete
    Ignored, does nothing.
delete <SRC> <DST> esp 0x<SPI>
    SRC and DST are ignored but should be IP addresses. SPI is
    hexadecimal encoded. This command deletes the SA and all
    corresponding SPs.
add <SRC> <DST> esp 0x<SPI> -u <UniqueID> -E <ALGO> 0x<KEY> <OPTS>
    SRC and DST are IPv4/IPv6 addresses. SPI is hexadecimal
    encoded. UniqueID is a decimal number uniquely identifying
    that SA.
    ALGO is the AEAD algorithm to use:
        aes-gcm-16, aes-gcm-16-esn,
        gost, gost-esn,
        gost-mac, gost-mac-esn.
    The -esn variants enable ESN.
    KEY is the hexadecimal encoded keymat (the key itself followed by the salt):
    OPTS are optional and may be omitted. They are space
    separated KEY:VALUE pairs. Currently there are:
        tfc:LEN,
            where LEN is the decimal size to pad the ESP packet
            payload up to. Can be used only in tunnel mode.
        seq:SEQ,
            where SEQ is the initial 4-byte or 8-byte (ESN) ESP
            sequence number in hexadecimal format.
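As an added example (not code from this page or from the tool it documents), the following Go program parses a command stream as described above: it enforces the <SPACE>;<CRLF> terminator and decodes an add command into a structure, checking the algorithm name, the hexadecimal SPI and key, and that the seq option is 4 bytes long, or 8 bytes when an -esn algorithm is chosen. The names SplitCommands and ParseAdd, the sample addresses and the sample key are assumptions made for this example; the page gives no key length, so none is enforced, and SEQ is assumed to carry no 0x prefix.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Terminator: every command must end with <SPACE>;<CRLF>.
const Terminator = " ;\r\n"

// AEAD algorithms the page lists for -E; the -esn variants enable ESN.
var algos = map[string]bool{"aes-gcm-16": true, "aes-gcm-16-esn": true,
	"gost": true, "gost-esn": true, "gost-mac": true, "gost-mac-esn": true}

// SA holds one parsed "add" command.
type SA struct {
	Src, Dst netip.Addr
	SPI      uint32
	UniqueID uint64
	Algo     string
	ESN      bool
	Key      []byte // keymat (key plus salt); the page states no length, so none is enforced
	TFC      int    // tfc:LEN, 0 when absent (only valid together with a tunnel-mode policy)
	Seq      []byte // seq:SEQ, nil when absent
}

// SplitCommands cuts a stream into per-command field lists and rejects a
// stream whose last command is not <SPACE>;<CRLF> terminated.
func SplitCommands(stream string) ([][]string, error) {
	if !strings.HasSuffix(stream, Terminator) {
		return nil, errors.New("stream is not <SPACE>;<CRLF> terminated")
	}
	var cmds [][]string
	for _, c := range strings.Split(strings.TrimSuffix(stream, Terminator), Terminator) {
		f := strings.Fields(c)
		if len(f) == 0 {
			return nil, errors.New("empty command")
		}
		cmds = append(cmds, f)
	}
	return cmds, nil
}

// ParseAdd: add <SRC> <DST> esp 0x<SPI> -u <UniqueID> -E <ALGO> 0x<KEY> <OPTS>
func ParseAdd(f []string) (SA, error) {
	if len(f) < 10 || f[0] != "add" || f[3] != "esp" || f[5] != "-u" || f[7] != "-E" ||
		!algos[f[8]] || !strings.HasPrefix(f[4], "0x") || !strings.HasPrefix(f[9], "0x") {
		return SA{}, errors.New("add: malformed command")
	}
	sa := SA{Algo: f[8], ESN: strings.HasSuffix(f[8], "-esn")}
	var e1, e2, e4, e5 error
	sa.Src, e1 = netip.ParseAddr(f[1])
	sa.Dst, e2 = netip.ParseAddr(f[2])
	spi, e3 := strconv.ParseUint(f[4][2:], 16, 32) // SPI is hex and fits 32 bits
	sa.SPI = uint32(spi)
	sa.UniqueID, e4 = strconv.ParseUint(f[6], 10, 64) // UniqueID is decimal
	sa.Key, e5 = hex.DecodeString(f[9][2:])
	if err := errors.Join(e1, e2, e3, e4, e5); err != nil {
		return SA{}, fmt.Errorf("add: %w", err)
	}
	for _, opt := range f[10:] { // OPTS: space separated KEY:VALUE pairs
		k, v, _ := strings.Cut(opt, ":")
		var err error
		switch k {
		case "tfc":
			sa.TFC, err = strconv.Atoi(v)
		case "seq": // initial sequence number: 4 bytes, or 8 bytes once ESN is on
			want := map[bool]int{false: 4, true: 8}[sa.ESN]
			if sa.Seq, err = hex.DecodeString(v); err == nil && len(sa.Seq) != want {
				err = fmt.Errorf("seq must be %d bytes, got %d", want, len(sa.Seq))
			}
		default:
			err = fmt.Errorf("unknown option %q", k)
		}
		if err != nil {
			return SA{}, fmt.Errorf("add: %w", err)
		}
	}
	return sa, nil
}

// SampleStream is constructed for this example: RFC 5737 addresses and a
// made-up 32-byte key followed by a 4-byte salt.
const SampleStream = "flush ;\r\nadd 192.0.2.1 192.0.2.2 esp 0x1001 -u 1 -E aes-gcm-16-esn " +
	"0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1fcafebabe " +
	"tfc:1400 seq:0000000000000001 ;\r\n"

func main() {
	cmds, err := SplitCommands(SampleStream)
	fmt.Println("commands:", len(cmds), err)
	sa, err := ParseAdd(cmds[len(cmds)-1]) // the add command is last in the sample
	fmt.Printf("%+v %v\n", sa, err)
}
```

The terminator check is strict on purpose: a stream ending in a bare LF is rejected rather than silently accepted, and the seq length is tied to the algorithm so that a 4-byte sequence number cannot be installed on an ESN association.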
spdadd <SRC> <DST> <PROTO> -P <DIR> ipsec esp/<MODE>/<TUNNEL>/unique:<UniqueID>
    SRC and DST can have the following formats:
        IP/PREFIXLEN
            IPv4/IPv6 address in CIDR notation
        IP/PREFIXLEN[PORT]
            Source/destination (depending on SRC/DST) port,
            if a TCP/UDP protocol is specified further on
    PROTO is one of: any (any IP packet matched),
    tcp, udp, icmp, icmp6.
    DIR is either in or out. Pay attention that
    NO security policy processing is done on incoming ESP
    packets: if a packet is successfully decrypted, then it is
    silently passed on. You can therefore safely omit all -P in
    policies.
    MODE is either transport or tunnel.
    TUNNEL must be an empty string for transport mode. Otherwise it
    has the <SRC>-<DST> format, where SRC and DST are
    IPv4/IPv6 tunnel endpoint addresses.
    UniqueID must be equal to the corresponding SA's value.
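The spdadd grammar above, as an added example that is not the page's own code: a Go parser for one spdadd command that applies the selector, protocol, direction, mode and tunnel rules the text states, plus the check that a policy's unique:<UniqueID> names an installed SA. The names ParseSPDAdd, parseSelector and CheckPolicies and the sample addresses are assumptions made for this example; the set of installed SA ids is passed in rather than parsed here.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Protocols the page allows for PROTO.
var protos = map[string]bool{"any": true, "tcp": true, "udp": true, "icmp": true, "icmp6": true}

// SP holds one parsed "spdadd" command.
type SP struct {
	Src, Dst         netip.Prefix
	SrcPort, DstPort int // 0 when the selector had no [PORT]
	Proto, Dir, Mode string
	Tunnel           string // "" in transport mode, "<SRC>-<DST>" in tunnel mode
	UniqueID         uint64
}

// parseSelector accepts IP/PREFIXLEN and IP/PREFIXLEN[PORT].
func parseSelector(s string) (netip.Prefix, int, error) {
	port := 0
	if i := strings.IndexByte(s, '['); i >= 0 && strings.HasSuffix(s, "]") {
		p, err := strconv.Atoi(s[i+1 : len(s)-1])
		if err != nil || p < 1 || p > 65535 {
			return netip.Prefix{}, 0, fmt.Errorf("bad port in selector %q", s)
		}
		port, s = p, s[:i]
	}
	pfx, err := netip.ParsePrefix(s)
	return pfx, port, err
}

// ParseSPDAdd: spdadd <SRC> <DST> <PROTO> -P <DIR> ipsec esp/<MODE>/<TUNNEL>/unique:<UniqueID>
func ParseSPDAdd(f []string) (SP, error) {
	if len(f) != 8 || f[0] != "spdadd" || f[4] != "-P" || f[6] != "ipsec" || !protos[f[3]] ||
		(f[5] != "in" && f[5] != "out") {
		return SP{}, errors.New("spdadd: malformed command")
	}
	sp := SP{Proto: f[3], Dir: f[5]}
	var e1, e2, e3 error
	sp.Src, sp.SrcPort, e1 = parseSelector(f[1])
	sp.Dst, sp.DstPort, e2 = parseSelector(f[2])
	p := strings.SplitN(f[7], "/", 4) // esp / MODE / TUNNEL / unique:ID
	if len(p) != 4 || p[0] != "esp" || !strings.HasPrefix(p[3], "unique:") {
		return SP{}, fmt.Errorf("spdadd: malformed policy %q", f[7])
	}
	sp.Mode, sp.Tunnel = p[1], p[2]
	sp.UniqueID, e3 = strconv.ParseUint(strings.TrimPrefix(p[3], "unique:"), 10, 64)
	if err := errors.Join(e1, e2, e3); err != nil {
		return SP{}, fmt.Errorf("spdadd: %w", err)
	}
	// A [PORT] selector only makes sense when PROTO is tcp or udp.
	if (sp.SrcPort != 0 || sp.DstPort != 0) && sp.Proto != "tcp" && sp.Proto != "udp" {
		return SP{}, errors.New("spdadd: port selector needs tcp or udp")
	}
	// TUNNEL is empty for transport mode and <SRC>-<DST> endpoints for tunnel
	// mode; addresses never contain '-', so cutting at the first one is safe.
	a, b, dashed := strings.Cut(sp.Tunnel, "-")
	_, ea := netip.ParseAddr(a)
	_, eb := netip.ParseAddr(b)
	switch {
	case sp.Mode == "transport" && sp.Tunnel == "":
	case sp.Mode == "tunnel" && dashed && ea == nil && eb == nil:
	default:
		return SP{}, fmt.Errorf("spdadd: bad mode or tunnel in %q", f[7])
	}
	return sp, nil
}

// CheckPolicies enforces the page's binding rule: every SP's unique:ID must
// equal an existing SA's UniqueID. saIDs is the set of installed SA ids.
func CheckPolicies(sps []SP, saIDs map[uint64]bool) error {
	for _, sp := range sps {
		if !saIDs[sp.UniqueID] {
			return fmt.Errorf("policy %s -> %s: unique:%d has no matching SA", sp.Src, sp.Dst, sp.UniqueID)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a tunnel-mode policy for TCP/443 bound to the SA with unique id 1.
	f := strings.Fields("spdadd 10.0.0.0/24 10.1.0.0/24[443] tcp -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/unique:1")
	sp, err := ParseSPDAdd(f)
	fmt.Println(sp, err, CheckPolicies([]SP{sp}, map[uint64]bool{1: true}))
}
```

Running CheckPolicies after the whole stream has been applied, rather than per command, matches the page's ordering freedom: an spdadd may arrive before the add it refers to, and only the final state has to be consistent.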