ip-token
Obtain or manage IP address tokens
SYNOPSIS
ip token { add | del | show | flush } [arguments]
PARAMETERS
add
Adds a new IPsec token to the kernel's XFRM subsystem. Requires `name` and `value`.
del
Deletes an existing IPsec token by its specified name.
show
Displays information about configured IPsec tokens. If a name is provided, only that token's details are shown; otherwise, all tokens are listed.
flush
Removes all currently configured IPsec tokens from the kernel's XFRM subsystem.
name NAME
Specifies the unique identifier for the IPsec token. Required for `add` and `del`, optional for `show`.
value VALUE
Specifies the hexadecimal string value of the token. This is the shared secret or key material. Required for `add`.
lifetime SECONDS
Optional. Defines the duration in seconds after which the token expires. Applicable only to `add`. If omitted, the token's lifetime is infinite.
DESCRIPTION
The `ip token` command is a sub-command of the `ip` utility, part of the `iproute2` suite. It is used to manage IPsec tokens within the Linux kernel's XFRM (Transform) framework. These tokens are credentials, typically shared secrets or keys, used for authentication and negotiation in IPsec security policies. `ip token` allows administrators to add new tokens, delete existing ones, display token information, and flush all configured tokens. This capability is crucial for dynamically managing cryptographic keys or authentication credentials used by IPsec SAs (Security Associations) and SPs (Security Policies) without requiring service restarts.
CAVEATS
The `ip-token` (accessed as `ip token`) command requires root privileges to execute. It is exclusively designed for managing IPsec tokens within the Linux kernel's XFRM subsystem and is not for general cryptographic key management. Direct manipulation of IPsec tokens via this command is typically performed in advanced IPsec configurations or by automated scripts, rather than by typical end-users.
IPSEC TOKEN PURPOSE
IPsec tokens primarily serve as shared secrets or pre-shared keys (PSKs) that the kernel's XFRM framework can directly utilize for authentication purposes or to derive session keys during IPsec security association establishment. They offer a mechanism to provision these cryptographic secrets directly into the kernel, reducing reliance solely on user-space key management daemons for certain IPsec deployments or scenarios where dynamic, kernel-managed secrets are beneficial.
EXAMPLE USAGE
1. Add a token named 'mytoken' with a specific value and a 1-hour lifetime:
`sudo ip token add name mytoken value 0102030405060708090a0b0c0d0e0f10 lifetime 3600`
2. Display information about all currently configured IPsec tokens:
`sudo ip token show`
3. Delete the token named 'mytoken':
`sudo ip token del name mytoken`
4. Flush (delete) all IPsec tokens from the system:
`sudo ip token flush`
HISTORY
The `iproute2` suite, which includes `ip token`, has been a fundamental part of Linux networking since the late 1990s, serving as the modern replacement for older `net-tools`. The IPsec and XFRM functionalities, including the management of tokens, were integrated as Linux's native IPsec capabilities matured, providing a robust command-line interface for kernel-level IPsec configuration.