ip-xfrm
Manage IPsec (XFRM) policy and state
SYNOPSIS
ip xfrm { state | policy } { add | update | delete | get | flush | list | monitor } [ ARGUMENTS... ]
PARAMETERS
state
Manages IPsec Security Associations (SAs). SAs define the cryptographic parameters (e.g., encryption algorithms, authentication keys, modes) for securing data traffic. This subcommand is used to add, modify, delete, list, or monitor SAs.
policy
Manages IPsec Security Policies (SPs). SPs define rules for selecting traffic that should be protected by IPsec, specifying source/destination addresses, protocols, ports, and the required IPsec action (e.g., encrypt, authenticate, bypass, discard). This subcommand is used to add, modify, delete, list, or monitor SPs.
DESCRIPTION
The ip xfrm command is a powerful subcommand of the iproute2 suite, used for managing IPsec (IP Security) components directly within the Linux kernel’s XFRM (Transform) subsystem.
It allows administrators to configure IPsec Security Associations (SAs) and Security Policies (SPs), which are fundamental for setting up secure, encrypted communication channels at the IP layer. SAs define the cryptographic algorithms, keys, and modes for securing traffic, while SPs dictate which traffic should be processed by IPsec, its direction (inbound/outbound), and the action to take (e.g., protect, bypass, discard).
Although too cumbersome for routine manual configuration, ip xfrm exposes the same kernel XFRM interface that higher-level IPsec daemons such as strongSwan or Libreswan program automatically.
CAVEATS
Manual IPsec configuration with ip xfrm is complex and error-prone because of the many parameters an SA and an SP require, so most deployments leave this work to an IKE daemon (e.g., strongSwan, Libreswan) that performs the equivalent XFRM configuration automatically. Root privileges are required to run it. An incorrect configuration can break connectivity or leave traffic unprotected (for example, a missing or mismatched policy can let traffic that should have been encrypted pass in the clear), so list the state and policy tables after every change to confirm the result.
COMMON ACTIONS
Both state and policy subcommands support a set of common actions:
add: Add a new entry.
update: Modify an existing entry.
delete: Remove an entry.
get: Retrieve details of a specific entry.
list: Display all configured entries.
flush: Remove all entries of a specific type.
monitor: Continuously monitor for events related to SAs or SPs.
SA VS. SP
It's crucial to understand the distinction between Security Associations (SAs) and Security Policies (SPs) in IPsec:
Security Association (SA): Defines how IPsec secures traffic. It specifies the cryptographic algorithms (e.g., AES, SHA256), keys, modes (e.g., tunnel, transport), and SPI (Security Parameter Index). SAs are typically negotiated by IKE (Internet Key Exchange) daemons.
Security Policy (SP): Defines what traffic IPsec should secure. It specifies traffic selectors (source/destination IPs, protocols, ports), the direction (in/out/fwd), and the action to take (e.g., protect, bypass, discard). SPs dictate which SA should be used for specific traffic.
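The SA/SP pairing above, as an added POSIX sh example that is not part of the iproute2 documentation: it generates the ip xfrm state and policy commands for a manually keyed ESP transport-mode pair between two hosts. The addresses, SPIs and reqid are constructed placeholders, the keys are drawn from /dev/urandom, and nothing is applied to the kernel unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: ip xfrm commands for a manually keyed ESP transport-mode
# pair. Addresses, SPIs and reqid are constructed placeholders; keys come
# from /dev/urandom. Without APPLY=1 this is a dry run and needs no root.

# Print $1 random bytes as lowercase hex (no 0x prefix, no trailing newline).
gen_key() {
    od -An -v -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# One direction: an SA (state) plus the SP (policy) that selects it.
# Args: SRC DST SPI REQID DIR KEYHEX
# rfc4106 AES-256-GCM takes a 36-byte key (32-byte key + 4-byte salt);
# the trailing 128 is the ICV length in bits.
xfrm_one_way() {
    src=$1; dst=$2; spi=$3; reqid=$4; dir=$5; key=$6
    echo "ip xfrm state add src $src dst $dst proto esp spi $spi reqid $reqid mode transport aead 'rfc4106(gcm(aes))' 0x$key 128"
    # The tmpl reqid must match the SA's reqid; otherwise the policy matches
    # the traffic, no usable SA is found, and the packets are dropped.
    echo "ip xfrm policy add src $src dst $dst dir $dir tmpl src $src dst $dst proto esp reqid $reqid mode transport"
}

# Both directions from LOCAL's point of view. The peer runs the same call
# with LOCAL/PEER, SPI_OUT/SPI_IN and KEY_OUT/KEY_IN swapped.
# Args: LOCAL PEER SPI_OUT SPI_IN KEY_OUT KEY_IN
xfrm_pair() {
    xfrm_one_way "$1" "$2" "$3" 1 out "$5"
    xfrm_one_way "$2" "$1" "$4" 1 in "$6"
}

# Targeted teardown (delete, not flush, so other SAs on the host survive).
# Args: LOCAL PEER SPI_OUT SPI_IN
xfrm_pair_delete() {
    echo "ip xfrm policy delete src $1 dst $2 dir out"
    echo "ip xfrm policy delete src $2 dst $1 dir in"
    echo "ip xfrm state delete src $1 dst $2 proto esp spi $3"
    echo "ip xfrm state delete src $2 dst $1 proto esp spi $4"
}

LOCAL=10.0.0.1; PEER=10.0.0.2            # constructed placeholder addresses
KEY_OUT=$(gen_key 36); KEY_IN=$(gen_key 36)
CMDS=$(xfrm_pair "$LOCAL" "$PEER" 0x1001 0x1002 "$KEY_OUT" "$KEY_IN")
if [ "${APPLY:-0}" = 1 ]; then
    echo "$CMDS" | sh -e                 # needs root; verify: ip xfrm state list
else
    echo "$CMDS"                         # dry run: print the commands only
fi
```

The same keys must reach the peer over a channel that is itself protected, which is exactly the key-distribution problem an IKE daemon solves for you.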
HISTORY
The ip xfrm command is an integral part of the iproute2 utilities, which emerged as the modern networking toolkit for Linux, largely replacing older net-tools commands like ifconfig and route. Its development aligned with the Linux kernel's adoption of the Netlink interface for robust communication between user space and kernel modules, including the XFRM (Transform) subsystem for IPsec. It has been the standard way to interact with the kernel's IPsec implementation for many years, offering more flexibility and features than its predecessors.