LinuxCommandLibrary

espdiff

Compare embedded system program files for differences

SYNOPSIS

espdiff OLD_SPD_FILE NEW_SPD_FILE

PARAMETERS

OLD_SPD_FILE
    The path to the file containing the existing or old IPsec Security Policy Database (SPD) rules.

NEW_SPD_FILE
    The path to the file containing the desired or new IPsec Security Policy Database (SPD) rules.

DESCRIPTION

espdiff is a utility designed to compare two IPsec Security Policy Database (SPD) files. These files typically contain setkey(8) policy specifications. The primary function of espdiff is to output a sequence of setkey(8) commands (specifically spdadd and spddelete rules) that, when executed, will transform the state of the first policy file (OLD_SPD_FILE) into the state described by the second policy file (NEW_SPD_FILE).

It identifies additions, deletions, and modifications between the two policy sets. Policies present in OLD_SPD_FILE but missing from NEW_SPD_FILE result in spddelete commands; conversely, policies found only in NEW_SPD_FILE generate spdadd commands. For policies that have been altered, espdiff outputs an spddelete for the old version followed by an spdadd for the new version. This makes espdiff a useful tool for managing and updating IPsec policies on a live system, allowing a transition between two policy states without a full policy flush and reload, and keeping precise control over which SPD entries change.
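The add, delete and modify logic described above, as an added illustration that re-implements the described behaviour in Python (this is not espdiff's own code). It assumes setkey-style input in which each statement ends with ';', keys each entry on source range, destination range, upperspec and direction, and uses constructed sample policy files:

```python
from typing import Dict, List, Tuple

Selector = Tuple[str, str, str, str]  # (src_range, dst_range, upperspec, direction)

def parse_spd(text: str) -> Dict[Selector, str]:
    """Map each spdadd statement's selector and direction to its normalised policy.
    Statements end with ';' and may span lines; '#' starts a comment; statements
    other than spdadd (e.g. SAD entries) are ignored, matching the caveats above."""
    policies: Dict[Selector, str] = {}
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in body.split(";"):
        tokens = stmt.split()
        if not tokens or tokens[0] != "spdadd":
            continue
        if "-P" not in tokens:
            raise ValueError(f"malformed spdadd statement: {stmt.strip()}")
        i = 1
        while tokens[i].startswith("-") and tokens[i] != "-P":
            i += 1  # skip address-family flags such as -4n / -6n
        src, dst, upper = tokens[i:i + 3]
        p = tokens.index("-P")
        policies[(src, dst, upper, tokens[p + 1])] = " ".join(tokens[p:])
    return policies

def spd_diff(old_text: str, new_text: str) -> List[str]:
    """Return setkey commands that turn the OLD policy set into the NEW one.
    spddelete lines come first, so a modified entry is removed before it is re-added."""
    old, new = parse_spd(old_text), parse_spd(new_text)
    cmds: List[str] = []
    for (src, dst, upper, direction), pol in old.items():
        if new.get((src, dst, upper, direction)) != pol:
            cmds.append(f"spddelete {src} {dst} {upper} -P {direction};")
    for (src, dst, upper, direction), pol in new.items():
        if old.get((src, dst, upper, direction)) != pol:
            cmds.append(f"spdadd {src} {dst} {upper} {pol};")
    return cmds

# Constructed sample SPD files, not taken from any real system.
OLD_SPD = """\
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec esp/transport//require;
spdadd 10.0.0.2 10.0.0.1 any -P in ipsec esp/transport//require;
spdadd 10.0.0.1 10.0.0.3 any -P out ipsec ah/transport//require;
"""
NEW_SPD = """\
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec esp/transport//require;
spdadd 10.0.0.2 10.0.0.1 any -P in ipsec esp/transport//require;
spdadd 10.0.0.1 10.0.0.3 any -P out ipsec esp/transport//require;  # ah -> esp
spdadd 10.0.0.1 10.0.0.4 any
       -P out discard;  # new entry, written across two lines
"""
```

For the sample files, spd_diff emits one spddelete for the changed 10.0.0.3 entry, the replacement spdadd, and a single spdadd for the new 10.0.0.4 entry; the unchanged entries produce nothing.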

CAVEATS

espdiff only compares SPD entries (spdadd, spddelete). It does not handle SAD (Security Association Database) entries or other setkey commands.
The output must be piped to setkey -f - or redirected to a file and then executed.
Requires setkey(8) to be available on the system to apply the generated policy changes.

USAGE EXAMPLE

To apply the changes generated by espdiff, you typically pipe its output directly to the setkey command. For instance:

espdiff old_policies.conf new_policies.conf | sudo setkey -f -

This command will read the old and new policy definitions from the respective files, compute the differences, and then apply those differences to the live IPsec Security Policy Database via setkey.

HISTORY

espdiff is typically distributed as part of the ipsec-tools suite or bundled with IPsec implementations like Openswan and Libreswan. Its development arose from the need for a precise and non-disruptive way to update IPsec security policies on live systems. Instead of flushing all existing policies and reloading them (which can cause momentary service interruption), espdiff provides an incremental update mechanism by generating only the necessary setkey commands to transition between two policy states. This significantly improved the manageability of IPsec deployments, especially in environments requiring high availability.

SEE ALSO

setkey(8), ipsec(8), spdadd(8), spddelete(8)
