Each command must be <SPACE>;<CRLF> terminated. Everything resembles the native setkey command and must be more or less compatible with it. Angle brackets are placeholders required to be filled.
flush
    Delete all SA entries.
spdflush
    Delete all SP entries.
dump
    Print all SA entries.
spddump
    Print all SP entries.
spddelete
    Ignored, does nothing.
delete SRC DST esp 0x<SPI>
    SRC and DST are ignored, but should be IP addresses. SPI is
    hexadecimal encoded. This command deletes the SA and all
    corresponding SPs.
add <SRC> <DST> esp 0x<SPI> -u <UniqueID> -E <ALGO> 0x<KEY> <OPTS>
    SRC and DST are IPv4/IPv6 addresses. SPI is hexadecimal
    encoded. UniqueID is a decimal number uniquely identifying
    that SA.
    ALGO is the AEAD algorithm to use: aes-gcm-16, aes-gcm-16-esn,
    gost, gost-esn, gost-mac, gost-mac-esn. The -esn suffix
    enables ESN (extended sequence numbers).
    KEY is the hexadecimal encoded keymat (the key itself together
    with the salt).
    OPTS are optional and may be omitted. They are space separated
    KEY:VALUE pairs. Currently there are:
        tfc:LEN
            where LEN is the decimal size to pad the ESP packet
            payload up to. Can be used only in tunnel mode.
        seq:SEQ
            where SEQ is the initial 4 (or 8 with ESN) byte ESP
            sequence number in hexadecimal format.
spdadd <SRC> <DST> <PROTO> -P <DIR> ipsec esp/<MODE>/<TUNNEL>/unique:<UniqueID>
    SRC and DST can have the following formats:
        IP/PREFIXLEN
            IPv4/IPv6 address in CIDR notation.
        IP/PREFIXLEN[PORT]
            Source/destination (depending on SRC/DST) port, if a
            TCP/UDP protocol is specified further.
    PROTO is one of: any (any IP packet is matched), tcp, udp,
    icmp, icmp6.
    DIR is either in or out. Note that NO security policy
    processing is done on incoming ESP packets: if a packet is
    successfully decrypted, it is silently passed on. You can
    safely omit all -P in policies.
    MODE is either transport or tunnel.
    TUNNEL must be an empty string for transport mode. Otherwise
    it has the <SRC>-<DST> format, where SRC and DST are IPv4/IPv6
    tunnel endpoint addresses.
    UniqueID must be equal to the corresponding SA's value.
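As an added example (not the project's own code and not from the original page), a small Python validator for the command syntax above: it splits input on the SPACE ; CRLF terminator, parses add and spdadd, and cross-checks the constraints stated here (each policy's unique ID must name an existing SA, tfc: is only valid in tunnel mode, TUNNEL must be empty in transport mode, seq length must match the ESN setting). SAMPLE, its addresses and its keymat are constructed values.

```python
import ipaddress
# Added validator for the setkey-like syntax above (not the project's own code); SAMPLE is a constructed config with a dummy keymat.
ALGOS = {"aes-gcm-16", "aes-gcm-16-esn", "gost", "gost-esn", "gost-mac", "gost-mac-esn"}
PROTOS = {"any", "tcp", "udp", "icmp", "icmp6"}
TERM = " ;\r\n"  # SPACE ; CRLF terminates every command
SAMPLE = ("flush ;\r\nspdflush ;\r\n"
          "add 192.0.2.1 198.51.100.1 esp 0x1001 -u 1 -E aes-gcm-16-esn 0x" + "11" * 36
          + " tfc:1400 seq:0000000000000001 ;\r\n"
          "spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/unique:1 ;\r\n")
def split_commands(text):
    """One token list per command; a missing terminator is an error, not a silent truncation."""
    if text and not text.endswith(TERM):
        raise ValueError("last command lacks the ' ;\\r\\n' terminator")
    return [c.split() for c in text.split(TERM) if c]
def parse_add(tok):
    """add SRC DST esp 0xSPI -u ID -E ALGO 0xKEY [tfc:LEN] [seq:SEQ]"""
    if len(tok) < 10 or [tok[3], tok[5], tok[7]] != ["esp", "-u", "-E"] or tok[8] not in ALGOS \
            or not (tok[4].startswith("0x") and tok[9].startswith("0x")):
        raise ValueError("malformed add: " + " ".join(tok))
    opts = dict(o.split(":", 1) for o in tok[10:])
    # seq is a 4-byte number, or 8 bytes when the -esn algorithm suffix enables ESN
    if "seq" in opts and len(opts["seq"]) != (16 if tok[8].endswith("-esn") else 8):
        raise ValueError("seq length does not match ESN setting: " + opts["seq"])
    return {"src": ipaddress.ip_address(tok[1]), "dst": ipaddress.ip_address(tok[2]), "spi": int(tok[4], 16),
            "uid": int(tok[6]), "algo": tok[8], "key": bytes.fromhex(tok[9][2:]), "opts": opts}
def parse_spdadd(tok):
    """spdadd SRC DST PROTO -P DIR ipsec esp/MODE/TUNNEL/unique:ID"""
    if len(tok) != 8 or tok[3] not in PROTOS or tok[4] != "-P" \
            or tok[5] not in ("in", "out") or tok[6] != "ipsec":
        raise ValueError("malformed spdadd: " + " ".join(tok))
    esp, mode, tunnel, uniq = tok[7].split("/")
    if esp != "esp" or mode not in ("transport", "tunnel") or not uniq.startswith("unique:"):
        raise ValueError("bad policy spec: " + tok[7])
    if mode == "transport" and tunnel:
        raise ValueError("transport mode requires an empty TUNNEL field")
    if mode == "tunnel": [ipaddress.ip_address(ep) for ep in tunnel.split("-")]  # SRC-DST; IPv6 never contains '-'
    return {"proto": tok[3], "dir": tok[5], "mode": mode, "tunnel": tunnel, "uid": int(uniq[7:])}
def check_config(text):
    """Cross-check SAs against SPs; returns a list of problems (empty if consistent)."""
    cmds, problems = split_commands(text), []
    sas = {sa["uid"]: sa for sa in map(parse_add, (t for t in cmds if t[0] == "add"))}
    for sp in map(parse_spdadd, (t for t in cmds if t[0] == "spdadd")):
        sa = sas.get(sp["uid"])
        if sa is None:
            problems.append("policy unique:%d has no matching SA" % sp["uid"])
        elif "tfc" in sa["opts"] and sp["mode"] != "tunnel":
            problems.append("SA %d sets tfc: but policy is transport mode" % sp["uid"])
    return problems
```

Running check_config(SAMPLE) returns an empty list; swapping the policy to esp/transport//unique:1 flags the tfc: option, and changing unique:1 to unique:2 flags the dangling policy.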