Next: , Previous: , Up: ESPER  

ESPER commands

Each command must be <SPACE>;<CRLF> terminated. Everything resembles native setkey command and must be more or less compatible with it.

Angle brackets are placeholders required to be filled.


Delete all SA entries.


Delete all SP entries.


Print all SA entries.


Print all SP entries.


Ignored, does nothing.

delete SRC DST esp 0x<SPI>

SRC and DST are ignored and should be IP-addresses. SPI is hexadecimal encoded. That command deletes SA and all corresponding SPs.

add <SRC> <DST> esp 0x<SPI> -u <UniqueID> -E <ALGO> 0x<KEY> <OPTS>

SRC and DST are IPv4/IPv6 addresses. SPI is hexadecimal encoded. UniqueID is decimal number uniquely identifying that SA.

ALGO is the AEAD algorithm to use: aes-gcm-16, aes-gcm-16-esn, gost, gost-esn, gost-mac, gost-mac-esn. -esn enabled ESN.

KEY is hexadecimal encoded keymat (key itself with the salt):

OPTS are optional and may be omitted. They are space separated KEY:VALUE pairs. Currently there are:

spdadd <SRC> <DST> <PROTO> -P <DIR> ipsec esp/<MODE>/<TUNNEL>/unique:<UniqueID>

SRC and DST can have the following formats:


IPv4/IPv6 address CIDR notation


Source/destination (depending on SRC/DST) port, if TCP/UDP protocol is specified further

PROTO is one of: any (any IP packet matched), tcp, udp, icmp, icmp6.

DIR is either in or out. Pay attention that NO security policy processing is done on incoming ESP packets: if packet is successfully decrypted, then it will be silently sent further. You can safely omit all -P in policies.

MODE is either transport or tunnel. TUNNEL must be empty string for transport mode. Otherwise it has <SRC>-<DST> format, where SRC and DST are IPv4/IPv6 tunnel endpoint addresses.

UniqueID must be equal to corresponding SA’s value.

Next: , Previous: , Up: ESPER