policy is in one of the following three formats:
-P direction [priority specification] discard
-P direction [priority specification] none
-P direction [priority specification] ipsec protocol/mode/src-dst/level [...]
You must specify the direction of its policy as direction. Either out, in, or fwd can be used.
priority specification is used to control the placement of the policy within the SPD. Policy position is determined by a signed integer where higher priorities indicate the policy is placed closer to the beginning of the list and lower priorities indicate the policy is placed closer to the end of the list. Policies with equal priorities are added at the end of groups of such policies.
Priority can only be specified when setkey has been compiled against kernel headers that support policy priorities (Linux >= 2.6.6). If the kernel does not support priorities, a warning message will be printed the first time a priority specification is used. Policy priority takes one of the following formats:
{priority,prio} offset
    offset is an integer in the range from -2147483647 to 214783648.
{priority,prio} base {+,-} offset
    base is either low (-1073741824), def (0), or high (1073741824). offset is an unsigned integer. It can be up to 1073741824 for positive offsets, and up to 1073741823 for negative offsets.
discard means the packet matching indexes will be discarded.
none means that IPsec operation will not take place onto the packet.
ipsec means that IPsec operation will take place onto the packet.
The protocol/mode/src-dst/level part specifies the rule for how to process the packet. Either ah, esp, or ipcomp must be used as protocol. mode is either transport or tunnel. If mode is tunnel, you must specify the end-point addresses of the SA as src and dst with '-' between these addresses, which is used to specify the SA to use. If mode is transport, both src and dst can be omitted. level is to be one of the following: default, use, require, or unique. If the SA is not available in every level, the kernel will ask the key exchange daemon to establish a suitable SA.
default means the kernel consults the system wide default for the protocol you specified, e.g. the esp_trans_deflev sysctl variable, when the kernel processes the packet.
use means that the kernel uses an SA if it's available, otherwise the kernel keeps normal operation.
require means SA is required whenever the kernel sends a packet matched with the policy.
unique is the same as require; in addition, it allows the policy to match the unique out-bound SA. You just specify the policy level unique, and racoon(8) will configure the SA for the policy. If you configure the SA by manual keying for that policy, you can put a decimal number as the policy identifier after unique separated by a colon ':', like unique:number, in order to bind this policy to the SA. number must be between 1 and 32767. It corresponds to the -u extension of the manual SA configuration. When you want to use an SA bundle, you can define multiple rules. For example, if an IP header was followed by an AH header followed by an ESP header followed by an upper layer protocol header, the rule would be:
esp/transport//require ah/transport//require;
The rule order is very important.
When NAT-T is enabled in the kernel, policy matching for ESP over UDP packets may be done on endpoint addresses and port (this depends on the system; systems that do not perform the port check cannot support multiple endpoints behind the same NAT). When using ESP over UDP, you can specify port numbers in the endpoint addresses to get the correct matching. Here is an example:
spdadd 10.0.11.0/24[any] 10.0.11.33/32[any] any -P out ipsec
esp/tunnel/192.168.0.1[4500]-192.168.1.2[30000]/require ;
These ports must be left unspecified (which defaults to 0) for anything other than ESP over UDP. They can be displayed in an SPD dump using setkey -DPp.
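The following validator is an added example, not setkey's own parser (libipsec's policy grammar), that checks a -P policy specification against the rules given above: the direction keywords, both priority formats with their offset limits, the discard/none/ipsec actions, the protocol/mode/src-dst/level rules of an SA bundle (order preserved), unique:number, and the [port] suffix used for ESP over UDP. Three details are assumptions of this example rather than statements of the man page: the base{+,-}offset form is accepted with or without spaces around the sign, a plain offset is range-checked against what the low/high base forms can reach, and a non-zero port on anything other than esp is rejected outright because the page says it must be left unspecified there.

```python
"""Validator for the setkey(8) '-P' policy specification (added example,
not setkey's own parser). See the lead-in for the assumptions it makes."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DIRECTIONS = {"out", "in", "fwd"}
ACTIONS = {"discard", "none", "ipsec"}
PROTOCOLS = {"ah", "esp", "ipcomp"}
MODES = {"transport", "tunnel"}
LEVELS = {"default", "use", "require", "unique"}
BASES = {"low": -1073741824, "def": 0, "high": 1073741824}
MAX_POS_OFFSET, MAX_NEG_OFFSET = 1073741824, 1073741823
# Assumption: a plain offset may span whatever "low - x" and "high + x" can reach.
PRIO_MIN = BASES["low"] - MAX_NEG_OFFSET
PRIO_MAX = BASES["high"] + MAX_POS_OFFSET

Endpoint = Tuple[str, int]  # (address, port); port 0 means "unspecified"


@dataclass
class Rule:
    protocol: str
    mode: str
    src: Optional[Endpoint]
    dst: Optional[Endpoint]
    level: str
    unique_id: Optional[int] = None  # the number in unique:number


@dataclass
class Policy:
    direction: str
    priority: Optional[int]
    action: str
    rules: List[Rule] = field(default_factory=list)  # bundle order is preserved


def parse_priority(spec: str) -> int:
    """'offset' or 'base{+,-}offset' -> signed integer, range-checked."""
    m = re.fullmatch(r"(low|def|high)([+-])(\d+)", spec)
    if m:
        base, sign, off = m.group(1), m.group(2), int(m.group(3))
        limit = MAX_POS_OFFSET if sign == "+" else MAX_NEG_OFFSET
        if off > limit:
            raise ValueError(f"offset {off} exceeds {limit} for '{sign}'")
        return BASES[base] + (off if sign == "+" else -off)
    if re.fullmatch(r"[+-]?\d+", spec):
        value = int(spec)
        if not PRIO_MIN <= value <= PRIO_MAX:
            raise ValueError(f"priority {value} out of range")
        return value
    raise ValueError(f"bad priority specification {spec!r}")


def parse_endpoint(text: str) -> Optional[Endpoint]:
    """'addr' or 'addr[port]'; an empty string means the endpoint was omitted."""
    if text == "":
        return None
    m = re.fullmatch(r"([^\[\]]+)(?:\[(\d+)\])?", text)
    if not m:
        raise ValueError(f"bad endpoint {text!r}")
    return (m.group(1), int(m.group(2) or 0))


def parse_rule(text: str) -> Rule:
    """protocol/mode/src-dst/level, e.g. esp/tunnel/10.0.0.1-10.0.0.2/require"""
    parts = text.split("/")
    if len(parts) != 4:
        raise ValueError(f"rule {text!r} needs protocol/mode/src-dst/level")
    protocol, mode, endpoints, level = parts
    if protocol not in PROTOCOLS or mode not in MODES:
        raise ValueError(f"bad protocol/mode in {text!r}")
    unique_id = None
    if level.startswith("unique:"):  # manual keying: bind to the SA given with -u
        unique_id = int(level.split(":", 1)[1])
        if not 1 <= unique_id <= 32767:
            raise ValueError("unique:number must be between 1 and 32767")
        level = "unique"
    if level not in LEVELS:
        raise ValueError(f"bad level in {text!r}")
    src = dst = None
    if endpoints:
        if "-" not in endpoints:
            raise ValueError("src and dst must be separated by '-'")
        src, dst = (parse_endpoint(e) for e in endpoints.split("-", 1))
    if mode == "tunnel" and (src is None or dst is None):
        raise ValueError("tunnel mode requires both src and dst")
    for ep in (src, dst):  # ports are only meaningful for ESP over UDP
        if ep is not None and ep[1] != 0 and protocol != "esp":
            raise ValueError("[port] must be left unspecified except for ESP over UDP")
    return Rule(protocol, mode, src, dst, level, unique_id)


def parse_policy(text: str) -> Policy:
    """Parse the '-P direction [prio ...] action [rule ...]' part of an spdadd."""
    tokens = text.replace(";", " ").split()
    if len(tokens) < 3 or tokens[0] != "-P" or tokens[1] not in DIRECTIONS:
        raise ValueError("policy must start with '-P {out,in,fwd}'")
    i, priority = 2, None
    if tokens[i] in ("priority", "prio"):
        j = i + 1
        while j < len(tokens) and tokens[j] not in ACTIONS:
            j += 1  # gather 'high + 10' or 'high+10' up to the action keyword
        priority = parse_priority("".join(tokens[i + 1:j]))
        i = j
    if i >= len(tokens) or tokens[i] not in ACTIONS:
        raise ValueError("expected discard, none or ipsec")
    action, rules = tokens[i], [parse_rule(r) for r in tokens[i + 1:]]
    if action != "ipsec" and rules:
        raise ValueError(f"{action} takes no protocol/mode/src-dst/level rules")
    if action == "ipsec" and not rules:
        raise ValueError("ipsec needs at least one rule")
    return Policy(tokens[1], priority, action, rules)
```

Feeding it the NAT-T example above, parse_policy("-P out ipsec esp/tunnel/192.168.0.1[4500]-192.168.1.2[30000]/require ;"), yields one tunnel-mode rule whose endpoints carry ports 4500 and 30000, while the bundle "-P in prio high + 10 ipsec esp/transport//require ah/transport//require" yields priority 1073741834 and two rules in the order written.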
Note that "discard" and "none" are not in the syntax described in ipsec_set_policy(3). There are a few differences in the syntax. See ipsec_set_policy(3) for detail.