[strongSwan-dev] kernel SPD/SAD tool

Goshen, Ido (Ido) igoshen at avaya.com
Mon May 30 14:00:03 CEST 2011

Hi Andreas,

Thanx for the quick response, and for exposing me to the "ip xfrm"
option. I like it a lot better than mixing ipsec-tools setkey with

As you suggested I would rather not having to manually touch the
SPD/SAD. But I'm having a problem when pluto crashes it leaves behind
entries in the kernel that may break further negotiation after pluto is
More details were posted in:
1. http://www.mail-archive.com/users@lists.strongswan.org/msg02447.html
2. https://lists.strongswan.org/pipermail/users/2011-May/006236.html

Is it known issue?

Any ideas how to fix/recover?

- Ido

-----Original Message-----
From: dev-bounces+igoshen=avaya.com at lists.strongswan.org
[mailto:dev-bounces+igoshen=avaya.com at lists.strongswan.org] On Behalf Of
dev-request at lists.strongswan.org
Sent: Monday, May 30, 2011 1:00 PM
To: dev at lists.strongswan.org
Subject: Dev Digest, Vol 16, Issue 5

Send Dev mailing list submissions to
	dev at lists.strongswan.org

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
	dev-request at lists.strongswan.org

You can reach the person managing the list at
	dev-owner at lists.strongswan.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dev digest..."

Today's Topics:

   1. kernel SPD/SAD tool (Goshen, Ido (Ido))
   2. Re: kernel SPD/SAD tool (Andreas Steffen)


Message: 1
Date: Mon, 30 May 2011 10:07:43 +0200
From: "Goshen, Ido (Ido)" <igoshen at avaya.com>
Subject: [strongSwan-dev] kernel SPD/SAD tool
To: <dev at lists.strongswan.org>
<EDC652A26FB23C4EB6384A4584434A04032BC954 at 307622ANEX5.global.avaya.com>
Content-Type: text/plain; charset="us-ascii"



Does StrongSWAN supply a shell tool like "setkey" from ipsec-tools to
monitor and/or manipulate the kernel's SPD/SAD or it's all done
programmatically via hydra (netlink plugin in my case)?



-        Ido


-------------- next part --------------
An HTML attachment was scrubbed...


Message: 2
Date: Mon, 30 May 2011 11:50:21 +0200
From: Andreas Steffen <andreas.steffen at strongswan.org>
Subject: Re: [strongSwan-dev] kernel SPD/SAD tool
To: "Goshen, Ido (Ido)" <igoshen at avaya.com>
Cc: dev at lists.strongswan.org
Message-ID: <4DE3685D.9050003 at strongswan.org>
Content-Type: text/plain; charset=windows-1252; format=flowed

Hi Ido,

strongSwan manages the kernel SPD/SAD via the XFRM Netlink kernel
interface. The built-in "ipsec statusall" command can be used to
monitor the established IPsec SAs but if you want to see all the
details you can also use "setkey" or "ip xfrm state|policy".

If you manipulate SPD/SAD entries via "setkey" or "ip xfrm" then you
are on your own since strongSwan will not be aware of any such changes.



On 05/30/2011 10:07 AM, Goshen, Ido (Ido) wrote:
> Hi,
> Does StrongSWAN supply a shell tool like ?setkey? from ipsec-tools to
> monitor and/or manipulate the kernel?s SPD/SAD or it?s all done
> programmatically via hydra (netlink plugin in my case)?
> Thanx,
> -Ido

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)


Dev mailing list
Dev at lists.strongswan.org

End of Dev Digest, Vol 16, Issue 5

More information about the Dev mailing list