[strongSwan-dev] XFRM netlink protocol explained?

[Philip Prindeville]

Hi.

I'm working on some tools that watch IPsec activity in the kernel 
out-of-band by opening an Netlink socket and watching for XFRM messages.

I'm trying to understand which messages (XFRM_MSG_NEWSA, XFRM_MSG_UPDSA, 
XFRM_MSG_EXPIRE, XFRM_MSG_DELSA) occur when, and how to deconstruct the 
messages and grovel out the interesting fields.

Is there a useful writeup on the messages and when/how they are generated?

I tried running "ip xfrm monitor" while bringing up/taking down some 
tunnels, but it wasn't as straight-forward as I had hoped.

Any useful pointers appreciated.

Thanks,

-Philip