Whether to copy the DF bit to the outer IPv4 header in tunnel mode

Pads ESP packets with additional data to have a consistent ESP packet size for improved Traffic Flow Confidentiality

Optional interface name to restrict outbound IPsec policies.

Updown script to invoke on CHILD_SA up and down events.

Fixed reqid to use for this CHILD_SA

Enable IPComp compression before encryption

Whether to install IPsec policies or not

Whether to copy the ECN (Explicit Congestion Notification) header field to/from the outer IP header in tunnel mode

List of remote selectors to include in CHILD_SA

Time range from which to choose a random value to subtract from rekey_time

Optional fixed priority for IPsec policies

Hostaccess variable to pass to updown script

Maximum lifetime before CHILD_SA gets closed

Byte range from which to choose a random value to subtract from rekey_bytes

XFRM interface ID set on inbound policies/SA

Timeout before closing CHILD_SA after inactivity

Maximum bytes processed before CHILD_SA gets closed

HMAC-SHA-256 is used with 128-bit truncation with IPsec

IPsec Mode to establish CHILD_SA with.

• tunnel negotiates the CHILD_SA in IPsec Tunnel Mode,
• whereas transport uses IPsec Transport Mode.
• transport_proxy signifying the special Mobile IPv6 Transport Proxy Mode.
• beet is the Bound End to End Tunnel mixture mode, working with fixed inner addresses without the need to include them in each packet.
• Both transport and beet modes are subject to mode negotiation; tunnel mode is negotiated if the preferred mode is not available.
• pass and drop are used to install shunt policies which explicitly bypass the defined traffic from IPsec processing or drop it, respectively

List of local traffic selectors to include in CHILD_SA

XFRM interface ID set on outbound policies/SA

Action to perform for this CHILD_SA on DPD timeout

Packet range from which to choose a random value to subtract from rekey_packets

Netfilter mark and mask for output traffic

Netfilter mark and mask for input traffic

Whether to copy the DSCP (Differentiated Services Field Codepoint) header field to/from the outer IP header in tunnel mode

Enable hardware offload for this CHILD_SA, if supported by the IPsec implementation

Whether to set mark_in on the inbound SA

Maximum number of packets processed before CHILD_SA gets closed

Time to schedule CHILD_SA rekeying

IPsec replay window to configure for this CHILD_SA

Action to perform after a CHILD_SA gets closed by the peer.

• The default of none does not take any action,
• trap installs a trap policy for the CHILD_SA.
• start tries to re-create the CHILD_SA.

close_action does not provide any guarantee that the CHILD_SA is kept alive

Number of bytes processed before initiating CHILD_SA rekeying

Netfilter mark applied to packets after the inbound IPsec SA processed them

Enable per-CPU CHILD_SAs

Netfilter mark applied to packets after the outbound IPsec SA processed them

Action to perform after loading the configuration.

• The default of none loads the connection only, which then can be manually initiated or used as a responder configuration.
• The value trap installs a trap policy, which triggers the tunnel as soon as matching traffic has been detected.
• The value start initiates the connection actively.
• Since version 5.9.6 two modes above can be combined with trap|start, to immediately initiate a connection for which trap policies have been installed

Number of packets processed before initiating CHILD_SA rekeying

Whether to install outbound FWD IPsec policies or not

AH proposals to offer for the CHILD_SA

ESP proposals to offer for the CHILD_SA