ip-xfrm
Manage IPsec (XFRM) policy and state
SYNOPSIS
ip xfrm { list|ls | dump | monitor | state | policy | SA-query } [ selector ] [ options ]
PARAMETERS
state
add|update|delete|flush|list|get security associations (SAs)
policy
add|update|delete|flush|list|get security policies
monitor
Watch for XFRM state/policy changes via Netlink
dump
Dump raw XFRM table data
SA-query
Query peer for security association status
match
Filter by src/dst ADDR, dev DEV, proto PROTO, spi SPI, mark MARK
DESCRIPTION
ip xfrm is a versatile command from the iproute2 suite for configuring the Linux kernel's XFRM framework, which implements IPsec protocol support. XFRM, short for 'transform', handles security associations (SAs) and policies for encrypting, authenticating, and protecting IP traffic integrity.
It enables setup of VPNs, site-to-site tunnels, and secure communications by managing inbound/outbound states (the actual crypto keys, algorithms and SPI) and policies (traffic selectors that match flows for protection). Key operations include adding and deleting states that specify algorithms (e.g. AES, HMAC-SHA), mode (transport or tunnel), replay protection and, where supported, hardware offload.
Policies specify direction (in/out/fwd), priority, and template SAs. Monitoring tracks dynamic changes from the kernel via Netlink. Dump and list provide visibility into the current configuration. Essential for advanced networking, it requires the kernel CONFIG_XFRM_* options and the CAP_NET_ADMIN capability.
Usage integrates with tools like strongSwan or Libreswan for full IPsec deployments.
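The state/policy relationship described above is where most hand-built configurations go wrong: a policy template that does not resolve to an installed state silently drops traffic. The following is an added example, not part of iproute2 or any IPsec daemon: it assembles the ip xfrm state and policy commands for one endpoint of an ESP tunnel and checks key length, SPI range, and template/state consistency before anything is run. The addresses, networks, SPIs and the rfc4106(gcm(aes)) key sizes are assumptions chosen for the example.

```python
"""Assemble a consistent state/policy set for one endpoint of an ESP tunnel.

Added example; not part of iproute2. It emits the `ip xfrm state add` and
`ip xfrm policy add` argv lists for one host and validates the things the
kernel only reports as a terse EINVAL: AEAD key length (key plus salt), SPI
range, and that every policy template resolves to an installed state.
Keys are caller-supplied; the __main__ block generates random ones.
"""
import ipaddress
import re
import secrets
import shlex

# Accepted key sizes in bytes (cipher key + 4-byte nonce salt) for each AEAD
# as named by the kernel crypto API (RFC 4106 AES-GCM, RFC 7539 ChaCha20-Poly1305).
AEAD_KEY_BYTES = {
    "rfc4106(gcm(aes))": {20, 28, 36},
    "rfc7539esp(chacha20,poly1305)": {36},
}
AEAD_ICV_BITS = {
    "rfc4106(gcm(aes))": {64, 96, 128},
    "rfc7539esp(chacha20,poly1305)": {128},
}


def check_key(algo, key_hex):
    """Return the key length in bytes, or raise if it is not valid for algo."""
    if algo not in AEAD_KEY_BYTES:
        raise ValueError(f"unsupported AEAD {algo!r}")
    if not re.fullmatch(r"0x[0-9a-fA-F]+", key_hex) or len(key_hex) % 2:
        raise ValueError("key must be 0x-prefixed hex with an even number of digits")
    nbytes = (len(key_hex) - 2) // 2
    if nbytes not in AEAD_KEY_BYTES[algo]:
        raise ValueError(f"{algo}: key is {nbytes} bytes, expected {sorted(AEAD_KEY_BYTES[algo])}")
    return nbytes


def new_key(algo, cipher_bytes=16):
    """Generate random key material (cipher key + 4-byte salt) with a CSPRNG."""
    key = "0x" + secrets.token_hex(cipher_bytes + 4)
    check_key(algo, key)
    return key


def tunnel_commands(local, remote, local_net, remote_net, spi_out, spi_in,
                    reqid, algo, key_out, key_in, icv_bits=128, replay_window=32):
    """Return argv lists: two SAs plus out/in/fwd policies for this endpoint."""
    for addr in (local, remote):
        ipaddress.ip_address(addr)                      # raises on garbage
    for net in (local_net, remote_net):
        ipaddress.ip_network(net, strict=False)
    for spi in (spi_out, spi_in):
        if not 1 <= spi <= 0xFFFFFFFF:
            raise ValueError(f"SPI {spi:#x} out of range")
    if icv_bits not in AEAD_ICV_BITS.get(algo, ()):
        raise ValueError(f"ICV length {icv_bits} not valid for {algo}")
    check_key(algo, key_out)
    check_key(algo, key_in)

    def state(src, dst, spi, key):
        return ["ip", "xfrm", "state", "add", "src", src, "dst", dst,
                "proto", "esp", "spi", f"{spi:#x}", "reqid", str(reqid),
                "mode", "tunnel", "replay-window", str(replay_window),
                "aead", algo, key, str(icv_bits)]

    def policy(direction, src_net, dst_net, tsrc, tdst):
        return ["ip", "xfrm", "policy", "add", "src", src_net, "dst", dst_net,
                "dir", direction, "tmpl", "src", tsrc, "dst", tdst,
                "proto", "esp", "reqid", str(reqid), "mode", "tunnel"]

    return [
        state(local, remote, spi_out, key_out),              # outbound SA
        state(remote, local, spi_in, key_in),                # inbound SA
        policy("out", local_net, remote_net, local, remote),
        policy("in", remote_net, local_net, remote, local),
        policy("fwd", remote_net, local_net, remote, local),
    ]


def _pairs(tokens):
    return dict(zip(tokens[0::2], tokens[1::2]))


def templates_resolve(cmds):
    """True if every policy template (src, dst, reqid, mode) matches a state."""
    states, tmpls = set(), []
    for cmd in cmds:
        if cmd[2] == "state":
            p = _pairs(cmd[4:cmd.index("aead")])
            states.add((p["src"], p["dst"], p["reqid"], p["mode"]))
        elif cmd[2] == "policy":
            t = _pairs(cmd[cmd.index("tmpl") + 1:])
            tmpls.append((t["src"], t["dst"], t["reqid"], t["mode"]))
    return all(t in states for t in tmpls)


if __name__ == "__main__":
    algo = "rfc4106(gcm(aes))"
    cmds = tunnel_commands("10.1.1.1", "10.1.1.2", "192.168.1.0/24", "192.168.2.0/24",
                           0x1000, 0x1001, 1, algo, new_key(algo), new_key(algo))
    assert templates_resolve(cmds)
    for c in cmds:
        print(shlex.join(c))   # review, then run as root; the peer needs the mirror image
```

The peer installs the same two states with src/dst swapped and the policies with the networks swapped; because both hosts share the same reqid, mode and key material per direction, the templates on each side resolve to the matching SA.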
CAVEATS
Requires root or CAP_NET_ADMIN. The option syntax is deeply nested, and the kernel IPsec modules (xfrm_user.ko, etc.) must be loaded. Errors are common when selectors or algorithms are mismatched between a policy template and the installed state.
COMMON ALGORITHMS
enc (EALG): cbc(aes) (alias aes); aead: rfc4106(gcm(aes)) (AES-GCM), rfc7539esp(chacha20,poly1305); auth (AALG): hmac(sha1); comp (CALG): deflate
EXAMPLE STATE ADD
ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp spi 0x1000 reqid 1 mode tunnel replay-window 32 aead 'rfc4106(gcm(aes))' 0x0123456789abcdef0123456789abcdef01234567 128
The key shown is a placeholder (16-byte AES key followed by the 4-byte GCM salt, 40 hex digits); generate real keys from a CSPRNG and never reuse them across SAs. The aead keyword replaces the separate enc/auth pair used with non-AEAD ciphers.
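Once states are installed, `ip xfrm state` prints them with their algorithms, replay window and (in full) their keys, so the dump itself is sensitive. The following is an added example, not part of iproute2: it parses that listing and flags SAs whose configuration undercuts the protection the page describes, that is replay protection switched off, legacy integrity algorithms, weak ciphers, or encryption with no integrity check. The SAMPLE text is constructed to mirror the listing format, and the weak/legacy algorithm sets are the author's assumptions.

```python
"""Audit `ip xfrm state` output for weak SA configurations.

Added example, not part of iproute2. Run as `ip xfrm state | python3 audit.py`
(as root, since the listing needs CAP_NET_ADMIN), or with no stdin to use the
constructed SAMPLE below. Output lines are shaped like the real listing:
an unindented "src ... dst ..." header followed by indented attribute lines.
"""
import re
import sys

# Constructed sample, not real output: four SAs with varying hygiene.
SAMPLE = """\
src 10.1.1.1 dst 10.1.1.2
    proto esp spi 0x00001000 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x0123456789abcdef0123456789abcdef01234567 128
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.1.1.2 dst 10.1.1.1
    proto esp spi 0x00001001 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha1) 0x0123456789abcdef0123456789abcdef01234567 96
    enc cbc(des3_ede) 0x0123456789abcdef0123456789abcdef0123456789abcdef
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.1.1.1 dst 10.1.1.3
    proto esp spi 0x00002000 reqid 2 mode transport
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x0123456789abcdef0123456789abcdef 96
    enc cbc(aes) 0x0123456789abcdef0123456789abcdef
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.1.1 dst 10.1.1.4
    proto esp spi 0x00003000 reqid 3 mode transport
    replay-window 32 flag af-unspec
    enc cbc(aes) 0x0123456789abcdef0123456789abcdef
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""

# Assumed policy: algorithms a modern deployment should not be using.
WEAK_AUTH = {"hmac(md5)", "hmac(sha1)", "digest_null"}
WEAK_ENC = {"cbc(des)", "cbc(des3_ede)", "ecb(cipher_null)", "cbc(blowfish)", "cbc(cast5)"}


def parse_xfrm_state(text):
    """Return a list of dicts, one per SA, from `ip xfrm state` output."""
    sas, cur = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if line[0] not in " \t" and stripped.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", stripped)
            cur = {"src": m.group(1), "dst": m.group(2), "algs": {}}
            sas.append(cur)
            continue
        if cur is None:
            continue
        tok = stripped.split()
        if tok[0] == "proto":                       # proto esp spi 0x.. reqid N mode M
            cur.update(zip(tok[0::2], tok[1::2]))
        elif tok[0] == "replay-window":             # replay-window N flag ...
            cur["replay_window"] = int(tok[1])
        elif tok[0] in ("aead", "auth", "auth-trunc", "enc", "comp"):
            cur["algs"][tok[0]] = tok[1]            # algorithm name; key deliberately dropped
    return sas


def audit(sas):
    """Return (where, message) findings for SAs with weak settings."""
    findings = []
    for sa in sas:
        where = f"{sa['src']}->{sa['dst']} spi {sa.get('spi')}"
        algs = sa["algs"]
        auth = algs.get("auth-trunc") or algs.get("auth")
        if sa.get("replay_window", 0) == 0:
            findings.append((where, "replay protection disabled (replay-window 0)"))
        if auth in WEAK_AUTH:
            findings.append((where, f"legacy integrity algorithm {auth}"))
        if algs.get("enc") in WEAK_ENC:
            findings.append((where, f"weak cipher {algs['enc']}"))
        if "enc" in algs and "aead" not in algs and auth is None:
            findings.append((where, "encryption without integrity protection"))
    return findings


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for where, msg in audit(parse_xfrm_state(text)):
        print(f"{where}: {msg}")
```

The parser keeps algorithm names but discards the key hex, so the findings can be logged or shipped to a SIEM without copying the keying material that the raw listing exposes.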
HISTORY
Introduced in iproute2 with Linux 2.6 kernel XFRM support (2003), replacing legacy tools like setkey. Evolved with kernel IPsec enhancements like RFC 4301 compliance and HW offload.