Klips Manual Key Protected Connection Examples

Introduction
Macros
Setup
Unload
Transport mode
Tunnel mode
Transform examples
IPSEC Status

Introduction

This document is intended to provide some background on what is most easily accomplished with the existing tools. See 'man ipsec_auto' and 'man ipsec_manual' first.

It intended for practical use only beyond the capabilities of 'ipsec auto' and 'ipsec manual'. For now, (981127) that includes extruded subnets.

Note: Be warned that once a route(8) is set via an ipsec? device, packets without an eroute(8) that are sent to that device will be dropped on the floor.

Macros

These definitions of macros make the commands more readable and the scripts easier to use by centralising the information. Obviously, the keys are for example purposes only and cryptographically strong keys should be substituted.

	hmask=255.255.255.255
	nmask0=0.0.0.0
	nmask16=255.255.0.0
	nmask24=255.255.255.0
	nmask28=255.255.255.240
	nmask29=255.255.255.248

	local_public_ip=207.236.55.216
	local_public_nexthop=207.236.55.1
	local_public_bcast=207.236.55.255
	local_public_nmask=$nmask24
	local_private_net=192.168.2.0
	local_private_nmask=$nmask24

	remote_public_ip=209.157.90.146
	remote_private_net=209.157.90.160
	remote_private_nmask=$nmask29

	ext_private_ip=209.157.90.198
	ext_private_net=209.157.90.192
	ext_private_bcast=209.157.90.199
	ext_private_nmask=$nmask29

	default_net=0.0.0.0
	default_bcast=255.255.255.255
	default_nmask=$nmask0

	ipsecdev=ipsec1
	aliasdev=eth0:1
	physdev=eth2

	enckey8=0x0123456789abcdef
	enckey24=0x0123456789abcdef0123456789abcdef0123456789abcdef
	authkey16=0x0123456789abcdef0123456789abcdef
	authkey20=0x0123456789abcdef0123456789abcdef01234567

Setup

These commands must be run before any of the connection-specific commands will work.

	depmod -a	# only if klips is compiled as a module
	modprobe ipsec	# only if klips is compiled as a module
	ipsec tncfg --attach --virtual $ipsecdev --physical $physdev
	ifconfig $ipsecdev $local_public_ip \
		broadcast $local_public_bcast \
		netmask $local_public_nmask

Unload

These commands must be run before the module can be unloaded.

	ipsec tncfg --detach --virtual $ipsecdev
	ifconfig $ipsecdev down
	rmmod ipsec	# only if klips is compiled as a module

Warning: Each of the Setup scripts first deletes the route for the destinations it needs to protect, if it exists. When the route gets deleted with the deletion of the protected connection, that route will no longer exist. This route must be put back manually, or reboot the network configuration if it was installed automatically.

Transport mode

Transport mode is used between two hosts that each have IPSEC capabilities. They don't rely on a security gateway since they are by definition same. This mode has a lower overhead per packet and is therefore more efficient. The outside header is protected against modification if authentication is used.

Assumptions: Both machines have had networking set up and can pass packets.

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

	ipsec eroute --add --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask \
		--edst $remote_public_ip --spi 0x225 --proto esp

	route del $remote_public_ip
	route add -host $remote_public_ip dev $ipsecdev \
	        gw $local_public_nexthop

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

Delete

	# forward path
	route del $remote_public_ip

	ipsec eroute --del --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask

	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del

Tunnel mode

Tunnel mode is used between two security gateways to protect their own traffic to another security gateway, or any combination of hosts behind it who may or may not be IPSEC aware. Only the inner headers are protected if authentication is enabled. There is extra overhead since there is an internal IP header. This mode is often preferable to make traffic analysis more difficult.

Assumptions: Any subnets have been set up and all machines can see the internet.

Security Gateway to Security Gateway
Subnet to subnet
Road warrior mode (Security Gateway to Subnet)
Subnet to subnet masqeraded
Extruded Subnet to Internet

Security Gateway to Security Gateway

This configuration is essentially the same as tunnel mode, except that traffic analysis is not as easy.

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
		--src $local_public_ip --dst $remote_public_ip
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

	ipsec spigrp $remote_public_ip 0x223 tun \
		$remote_public_ip 0x225 esp

	ipsec eroute --add --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask \
		--edst $remote_public_ip --spi 0x223 --proto tun

	route del $remote_public_ip
	route add -host $remote_public_ip dev $ipsecdev \
		gw $local_public_nexthop

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

Delete

	# forward path
	route del $remote_public_ip

	ipsec eroute --del --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask

	ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --del

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del

Subnet to Subnet

Valid internet subnet to valid internet subnet is the simplest subnet configuration. It processes all traffic from one subnet behind a security gateway to another subnet behind its security gateway with the selected encryption and/or authentication transforms, effectively protecting all that traffic from interference from the internet.

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
		--src $local_public_ip --dst $remote_public_ip
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

	ipsec spigrp $remote_public_ip 0x223 tun\
		$remote_public_ip 0x225 esp

	ipsec eroute --add --src $local_private_net/$local_private_nmask \
		--dst $remote_private_net/$remote_private_nmask \
		--edst $remote_public_ip --spi 0x223 --proto tun

	route del $remote_private_net
	route add -net $remote_private_net netmask $remote_private_nmask \
		dev $ipsecdev gw $local_public_nexthop

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

Delete

	route del $remote_private_net

	ipsec eroute --del --src $local_private_net/$local_private_nmask \
		--dst $remote_private_net/$remote_private_nmask

	ipsec spi --edst $remote_public_ip --spi 0x223 --proto esp --del

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto tun --del

Road warrior mode (Subnet to Security Gateway)

"Road Warriors" are single machines that connect to a protected network via the internet and must keep the tunnel secure. It acts as a security gateway and speaks to the protected subnet via another security gateway. This is a hybrid of the security_gateway-to-security_gateway and subnet-to-subnet scenarios.

Assumptions: All machines are set up to see each other and the internet.

Local road warrior to remote subnet
Local subnet to remote road warrior

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
		--src $local_public_ip --dst $remote_public_ip
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

	ipsec spigrp $remote_public_ip 0x223 tun \
		$remote_public_ip 0x225 esp

	ipsec eroute --add --src $local_public_ip/$hmask \
		--dst $remote_private_net/$remote_private_nmask \
		--edst $remote_public_ip --spi 0x223 --proto tun

	route del $remote_private_net
	route add -net $remote_private_net netmask $remote_private_nmask \
		dev $ipsecdev gw $local_public_nexthop

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

Delete

	# forward path
	route del $remote_private_net

	ipsec eroute --del --src $local_public_ip/$hmask \
		--dst $remote_private_net/$remote_private_nmask

	ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --del

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del

Local subnet to remote road warrior

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
		--src $local_public_ip --dst $remote_public_ip
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

	ipsec spigrp $remote_public_ip 0x223 tun \
		$remote_public_ip 0x225 esp

	ipsec eroute --add --src $local_private_net/$local_private_nmask \
		--dst $remote_public_ip/$hmask \
		--edst $remote_public_ip --spi 0x223 --proto tun

	route del $remote_public_ip
	route add -host $remote_public_ip dev $ipsecdev \
		gw $local_public_nexthop

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

Delete

	# forward path
	route del $remote_public_ip

	ipsec eroute --del --src $local_private_net/$local_private_nmask \
		--dst $remote_public_ip/$hmask

	ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --del

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del

Subnet to Subnet masqueraded

Traffic from a valid internet subnet to a reserved address subnet can still be protected by IPSEC so long as all the reserved subnets that the valid subnet wishes to speak to are unique. Perhaps some IPMASQ work needs to be done to make this independant.

Note: The ipfwadm command serves to knock a hole in the existing masquerading setup.

Assumptions: The masqueraded subnet has been set up and all machines can see the internet.

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
		--src $local_public_ip --dst $remote_public_ip
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

	ipsec spigrp $remote_public_ip 0x223 tun \
		$remote_public_ip 0x225 esp

	ipsec eroute --add --src $local_private_net/$local_private_nmask \
		--dst $remote_private_net/$remote_private_nmask \
		--edst $remote_public_ip --spi 0x223 --proto tun

	route del $remote_private_net
	route add -net $remote_private_net netmask $remote_private_nmask \
		dev $ipsecdev gw $local_public_nexthop

	ipfwadm -F -i accept -S $local_private_net/$local_private_nmask \
		-D $remote_private_net/$remote_private_nmask

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

Delete

	# forward path
	ipfwadm -F -d accept -S $local_private_net/$local_private_nmask \
		-D $remote_private_net/$remote_private_nmask

	route del $remote_private_net

	ipsec eroute --del --src $local_private_net/$local_private_nmask \
		--dst $remote_private_net/$remote_private_nmask

	ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --del

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del

Extruded Subnet to Internet

Subnet 'Extrusion' may be necessary if one site only has one IP routed to it and more IP's are needed, but the access provider is unable or unwilling to route more. This will extrude a valid subnet from another location (the site of the other security gateway) to the site needing more valid addresses and protect (encrypt or authenticate) all its traffic. This example combines a masqueraded subnet and the extruded subnet on the same physical media. Note that the traffic on the remote security gateway will be at least double that of the extruded subnet traffic to the rest of the internet and twice the turnaround time.

Assumptions: A masqueraded subnet has been set up and all machines can see the internet. Each machine on the extruded subnet will need to route all packets to the remote subnet (in this case the entire internet) via the I/F (direct or aliased) that has been configured with an extruded valid internet address.

Setup
Delete

Setup

	# set up superimposed valid internet subnet with interface aliases
	ifconfig $aliasdev $ext_private_ip broadcast $ext_private_bcast \
		netmask $ext_private_nmask

	route add -net $ext_private_net netmask $ext_private_nmask \
		dev $aliasdev

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --ip4 \
		--src $local_public_ip --dst $remote_public_ip
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

	ipsec spigrp $remote_public_ip 0x223 tun \
		$remote_public_ip 0x225 esp

	ipsec eroute --add --src $ext_private_net/$ext_private_nmask \
		--dst $default_net/$default_nmask \
		--edst $remote_public_ip --spi 0x223 --proto tun

	route del $default_net
	route add -net $default_net netmask $default_nmask \
		dev $ipsecdev gw $local_public_nexthop

	ipfwadm -F -i accept -S $ext_private_net/$ext_private_nmask \
		-D $default_net/$default_nmask

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

Delete

	# forward path
	ipfwadm -F -d accept -S $ext_private_net/$ext_private_nmask \
		-D $default_net/$default_nmask

	route del $default_net

	ipsec eroute --del --src $ext_private_net/$ext_private_nmask \
		--dst $default_net/$default_nmask

	ipsec spi --edst $remote_public_ip --spi 0x223 --proto tun --del

	# return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del

Transform Examples

A number of different transforms can be used to provide the protection intended by the IPSEC protocol suite. All these examples are using transport mode, but the techniques are equally applicable to tunnel mode, adding the extra SA to the spigrp command as necessary.

Assumptions: Both machines have had networking set up and can pass packets.

Authentication
Encryption

Authentication

Authentication provides the service of guaranteeing the identity of the sender. It also provides protection against packet modification in transit. It does not hide data.

AH-MD5
AH-SHA1
ESP-NULL-MD5

AH-MD5

Authentication Header, using Message Digest-5 can be used to authenticate the contents of the packet and the immutable or predictable parts of the IP header outside the Authentication Header with a 128-bit key.

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto ah \
		--ah hmac-md5-96 \
		--authkey $authkey16

	ipsec eroute --add --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask \
		--edst $remote_public_ip --spi 0x225 --proto ah

	route del $remote_public_ip
	route add -host $remote_public_ip dev $ipsecdev \
		gw $local_public_nexthop

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto ah \
		--ah hmac-md5-96 \
		--authkey $authkey16

Delete

	# forward path
	route del $remote_public_ip

	ipsec eroute --del --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask

	ipsec spi --edst $remote_public_ip --spi 0x225 --proto ah --del

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto ah --del

AH-SHA1

Authentication Header, using Secure Hash Algorithm-1 can be used to authenticate the contents of the packet and the immutable or predictable parts of the IP header outside the Authentication Header with a 160-bit key.

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto ah \
		--ah hmac-sha1-96 \
		--authkey $authkey20

	ipsec eroute --add --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask \
		--edst $remote_public_ip --spi 0x225 --proto ah

	route del $remote_public_ip
	route add -host $remote_public_ip dev $ipsecdev \
		gw $local_public_nexthop

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto ah \
		--ah hmac-sha1-96 \
		--authkey $authkey20

Delete

	# forward path
	route del $remote_public_ip

	ipsec eroute --del --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask

	ipsec spi --edst $remote_public_ip --spi 0x225 --proto ah --del

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto ah --del

ESP-NULL-MD5

Encapsulation Security Protocol, using the NULL transform with Secure Hash Algorithm-1 can be used to authenticate the contents of the packet only with a 160-bit key.

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp null-md5-96 \
		--authkey $authkey20

	ipsec eroute --add --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask \
		--edst $remote_public_ip --spi 0x225 --proto esp

	route del $remote_public_ip
	route add -host $remote_public_ip dev $ipsecdev \
		gw $local_public_nexthop

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp null-md5-96 \
		--authkey $authkey20

Delete

	# forward path
	route del $remote_public_ip

	ipsec eroute --del --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask

	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del

Encryption

Encryption provides the service of data hiding using symmetric key methods.

ESP-3DES-MD5
ESP-3DES with AH-MD5
ESP-DES-MD5
ESP-3DES-SHA1

ESP-3DES-MD5

Encapsulation Security Payload, using triple-Data Encryption Standard for encryption and Message Digest-5 can be used to hide the contents of the packet and authenticate both the contents of the packet and the immutable or predictable parts of the IP header outside the Encapsulation Security Payload with a 168-bit encryption key and a 128-bit authentication key.

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

	ipsec eroute --add --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask \
		--edst $remote_public_ip --spi 0x225 --proto esp

	route del $remote_public_ip
	route add -host $remote_public_ip dev $ipsecdev \
		gw $local_public_nexthop

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp 3des-md5-96 \
		--enckey $enckey24 \
		--authkey $authkey16

Delete

	# forward path
	route del $remote_public_ip

	ipsec eroute --del --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask

	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del

ESP-3DES with AH-MD5

The combination of Encapsulation Security Payload, using triple-Data Encryption Standard for encryption with a 168-bit encryption key can be used to hide the contents of the packet with an external Authentication Header using Message Digest-5 can authenticate both the contents of the packet and the immutable or predictable parts of the IP header outside the Encapsulation Security Payload with a 128-bit authentication key.

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp 3des \
		--enckey $enckey24
	ipsec spi --edst $remote_public_ip --spi 0x226 --proto ah \
		--ah hmac-md5-96 \
		--authkey $authkey16

	ipsec spigrp $local_public_ip 0x225 esp\
		$local_public_ip 0x226 ah

	ipsec eroute --add --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask \
		--edst $remote_public_ip --spi 0x225 --proto esp

	route del $remote_public_ip
	route add -host $remote_public_ip dev $ipsecdev \
		gw $local_public_nexthop

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp 3des \
		--enckey $enckey24
	ipsec spi --edst $local_public_ip --spi 0x236 --proto ah \
		--ah hmac-md5-96 \
		--authkey $authkey16

Delete

	# forward path
	route del $remote_public_ip

	ipsec eroute --del --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask

	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del

ESP-DES-MD5

Encapsulation Security Payload, using Data Encryption Standard for encryption and Message Digest-5 can be used to hide the contents of the packet and authenticate both the contents of the packet and the immutable or predictable parts of the IP header outside the Encapsulation Security Payload with a 56-bit encryption key and a 128-bit authentication key.

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp des-md5-96 \
		--enckey $enckey8 \
		--authkey $authkey16

	ipsec eroute --add --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask \
		--edst $remote_public_ip --spi 0x225 --proto esp

	route del $remote_public_ip
	route add -host $remote_public_ip dev $ipsecdev \
		gw $local_public_nexthop

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp des-md5-96 \
		--enckey $enckey8 \
		--authkey $authkey16

Delete

	# forward path
	route del $remote_public_ip

	ipsec eroute --del --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask

	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del

ESP-3DES-SHA1

Encapsulation Security Payload, using triple-Data Encryption Standard for encryption and Secure Hash Algorithm-1 can be used to hide the contents of the packet and authenticate both the contents of the packet and the immutable or predictable parts of the IP header outside the Encapsulation Security Payload with a 168-bit encryption key and a 160-bit authentication key.

Setup
Delete

Setup

	# forward path
	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp \
		--esp 3des-sha1-96 \
		--enckey $enckey24 \
		--authkey $authkey20

	ipsec eroute --add --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask \
		--edst $remote_public_ip --spi 0x225 --proto esp

	route del $remote_public_ip
	route add -host $remote_public_ip dev $ipsecdev \
		gw $local_public_nexthop

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp \
		--esp 3des-sha1-96 \
		--enckey $enckey24 \
		--authkey $authkey20

Delete

	# forward path
	route del $remote_public_ip

	ipsec eroute --del --src $local_public_ip/$hmask \
		--dst $remote_public_ip/$hmask

	ipsec spi --edst $remote_public_ip --spi 0x225 --proto esp --del

	# Return path
	ipsec spi --edst $local_public_ip --spi 0x235 --proto esp --del

IPSEC Status

The files in /proc/net/ipsec_* will reveal the current status of the Klips subsystem. If they don't exist, then IPSEC is not available.

	cat /proc/net/ipsec_*