@cleverfox
Created July 17, 2025 17:59
Static IPSec between Linux & FreeBSD

Static (manually keyed) IPsec in ESP transport mode between FreeBSD and Linux. The two SAs are unidirectional: SPI 0x1000 protects traffic from Linux to FreeBSD, SPI 0x2000 protects traffic from FreeBSD to Linux, and each SA must be installed with the same SPI and key on both hosts.

  • Linux has IP address 9.9.223.245

  • FreeBSD has IP address 5.3.25.69

Linux shell script

```sh
#!/bin/sh
# Remove any previous policies and SAs for this peer (errors are harmless on first run)
ip xfrm policy del src 9.9.223.245 dst 5.3.25.69 dir out 2>/dev/null
ip xfrm policy del src 5.3.25.69 dst 9.9.223.245 dir in 2>/dev/null
ip xfrm state del src 9.9.223.245 dst 5.3.25.69 proto esp spi 0x1000 2>/dev/null
ip xfrm state del src 5.3.25.69 dst 9.9.223.245 proto esp spi 0x2000 2>/dev/null

# Outbound SA (Linux -> FreeBSD), SPI 0x1000, AES-256-CBC (32-byte key).
# No 'auth' algorithm is given, so this ESP SA provides confidentiality only.
ip xfrm state add src 9.9.223.245 dst 5.3.25.69 proto esp spi 0x1000 \
    mode transport \
    enc 'cbc(aes)' 0xfedcba0987654321fedcba0987654321fedcba0987654321fedcba0987654321
# Inbound SA (FreeBSD -> Linux), SPI 0x2000
ip xfrm state add src 5.3.25.69 dst 9.9.223.245 proto esp spi 0x2000 \
    mode transport \
    enc 'cbc(aes)' 0xfedcba0987654321fedcba0987654321fedcba0987654321fedcba0987654321

# Policies: require ESP transport mode for all traffic to/from the peer
ip xfrm policy add src 9.9.223.245 dst 5.3.25.69 dir out tmpl src 9.9.223.245 dst 5.3.25.69 proto esp mode transport
ip xfrm policy add src 5.3.25.69 dst 9.9.223.245 dir in tmpl src 5.3.25.69 dst 9.9.223.245 proto esp mode transport
```

FreeBSD setkey script

```
#!/usr/sbin/setkey -f

# Clear existing SAs and policies
flush;
spdflush;

# Outbound SA (FreeBSD -> Linux), SPI 0x2000, AES-256-CBC.
# No -A option is given, so ESP runs without an integrity algorithm.
add 5.3.25.69 9.9.223.245 esp 0x2000 -m transport
    -E aes-cbc 0xfedcba0987654321fedcba0987654321fedcba0987654321fedcba0987654321;

# Inbound SA (Linux -> FreeBSD), SPI 0x1000
add 9.9.223.245 5.3.25.69 esp 0x1000 -m transport
    -E aes-cbc 0xfedcba0987654321fedcba0987654321fedcba0987654321fedcba0987654321;

# Policies: require ESP transport mode for all traffic to/from the peer
spdadd 5.3.25.69 9.9.223.245 any -P out ipsec esp/transport//require;
spdadd 9.9.223.245 5.3.25.69 any -P in ipsec esp/transport//require;
```
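The two scripts above describe the same pair of SAs twice, once in `ip xfrm` syntax and once in `setkey` syntax, and a mismatch in an SPI, key or direction silently breaks the tunnel. The following Python script is an added example (not part of the gist) that derives both configurations from a single description of the SAs and checks them for the mistakes that are easiest to make by hand: a key that is not a valid AES-CBC length, an SPI in the reserved range, SAs whose addresses do not mirror each other, and a key or SPI shared by both directions. The `Sa` type, `check_pair`, `linux_commands` and `setkey_script` are this example's own names, not part of iproute2 or setkey; the keys in the demo are generated at run time.

```python
#!/usr/bin/env python3
"""Generate matching Linux `ip xfrm` and FreeBSD `setkey` configs from one spec."""
import secrets
from dataclasses import dataclass

AES_CBC_KEY_LENGTHS = {16, 24, 32}   # AES-128/192/256 key sizes in bytes


@dataclass(frozen=True)
class Sa:
    """One unidirectional ESP security association (transport mode)."""
    src: str      # packets flowing from src ...
    dst: str      # ... to dst are protected by this SA
    spi: int      # Security Parameter Index; identical on both hosts
    key: bytes    # raw AES-CBC key; identical on both hosts

    @property
    def key_hex(self) -> str:
        return "0x" + self.key.hex()


def check_pair(a2b: Sa, b2a: Sa) -> list[str]:
    """Return the problems found in the two SAs (an empty list means OK)."""
    problems = []
    for name, sa in (("a2b", a2b), ("b2a", b2a)):
        if len(sa.key) not in AES_CBC_KEY_LENGTHS:
            problems.append(f"{name}: AES-CBC key must be 16, 24 or 32 bytes, got {len(sa.key)}")
        if not 256 <= sa.spi <= 0xFFFFFFFF:
            problems.append(f"{name}: SPI {sa.spi:#x} outside 0x100..0xffffffff (0-255 are reserved)")
    if (a2b.src, a2b.dst) != (b2a.dst, b2a.src):
        problems.append("SAs do not mirror each other's addresses")
    if a2b.spi == b2a.spi:
        problems.append("both directions use the same SPI")
    if a2b.key == b2a.key:
        problems.append("both directions use the same key; use an independent key per direction")
    return problems


def _orient(local: str, a2b: Sa, b2a: Sa) -> tuple[Sa, Sa]:
    """Return (outbound, inbound) SA as seen from host `local`."""
    return (a2b, b2a) if a2b.src == local else (b2a, a2b)


def linux_commands(local: str, a2b: Sa, b2a: Sa) -> list[str]:
    """`ip xfrm` lines for the Linux host `local` (one of the two endpoints)."""
    outbound, inbound = _orient(local, a2b, b2a)
    lines = []
    for sa in (outbound, inbound):            # SAs first, then the policies that use them
        lines.append(
            f"ip xfrm state add src {sa.src} dst {sa.dst} proto esp spi {sa.spi:#x} "
            f"mode transport enc 'cbc(aes)' {sa.key_hex}"
        )
    for sa, direction in ((outbound, "out"), (inbound, "in")):
        lines.append(
            f"ip xfrm policy add src {sa.src} dst {sa.dst} dir {direction} "
            f"tmpl src {sa.src} dst {sa.dst} proto esp mode transport"
        )
    return lines


def setkey_script(local: str, a2b: Sa, b2a: Sa) -> str:
    """setkey(8) configuration file for the FreeBSD host `local`."""
    outbound, inbound = _orient(local, a2b, b2a)
    lines = ["#!/usr/sbin/setkey -f", "", "flush;", "spdflush;", ""]
    for sa, label in ((outbound, "Outbound"), (inbound, "Inbound")):
        lines.append(f"# {label} SA ({sa.src} -> {sa.dst})")
        lines.append(f"add {sa.src} {sa.dst} esp {sa.spi:#x} -m transport")
        lines.append(f"    -E aes-cbc {sa.key_hex};")
        lines.append("")
    for sa, direction in ((outbound, "out"), (inbound, "in")):
        lines.append(f"spdadd {sa.src} {sa.dst} any -P {direction} ipsec esp/transport//require;")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Addresses and SPIs from the gist; keys are freshly generated, one per direction.
    LINUX, FREEBSD = "9.9.223.245", "5.3.25.69"
    linux_to_bsd = Sa(LINUX, FREEBSD, 0x1000, secrets.token_bytes(32))
    bsd_to_linux = Sa(FREEBSD, LINUX, 0x2000, secrets.token_bytes(32))
    for problem in check_pair(linux_to_bsd, bsd_to_linux):
        print("PROBLEM:", problem)
    print("# Linux side")
    print("\n".join(linux_commands(LINUX, linux_to_bsd, bsd_to_linux)))
    print("\n# FreeBSD side")
    print(setkey_script(FREEBSD, linux_to_bsd, bsd_to_linux))
```

Run it once, paste the Linux lines into the shell on the Linux host and save the FreeBSD output as the `setkey -f` file; because both outputs come from the same `Sa` objects, SPIs and keys cannot disagree between the hosts. `check_pair` flags the gist's own layout (one key reused for both directions) so that it is a conscious choice rather than an accident.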