ipsec-algparse — utility for verifying IKE and IPsec cryptographic proposal syntax


ipsec algparse [ -v1 | -v2 | -v | -verbose | -debug | -p1 | -p2 | -pfs { yes | no } | -fips { yes | no } | -ignore | -impair | -nsspw password ]
{ -tp | -ta | ike=proposals | esp=proposals | ah=proposals | proposals }


ipsec algparse is a utility that parses and expands and Internet Key Exchange cryptographic proposals using the same syntax as used in the file ipsec.conf (see the description of ike= and esp= in ipsec.conf(5) for details). In addition, ipsec algparse can be used to run the proposal parser or the cryptographic algorithm testsuites.

The following options control what ipsec algparse will parse:

ike=[proposals] , esp=[proposals] , ah=[proposals]

Parse the proposals using the IKE, ESP, or AH proposal parser. When proposals is omitted, display the default IKE, ESP, or AH proposals.


Try to parse the proposal using all three of the IKE, ESP, and AH proposal parsers.


run the proposal testsuite


run the algorithm testsuite

The following options alter the parser behaviour:

-v1 , -v2

Parse the proposals using either the IKEv1 or IKEv2 proposal syntax.

The default is IKEv2.


Specify PFS (Perfect Forward Privicy). When yes Diffi-Helman algorithms will be included in the proposal.

The default is --pfs=no.


Force NSS into FIPS mode.

The default is determined by the system environment.

-p1 , -p2

Specify the parser to use.

By default, IKEv1 uses the simple (p1) parser, and IKEv2 uses the more complex (p2) parser.


Specify the NSS database password.


Impair the parser, disabling all algorithm checks.


Ignore parser errors.

-v , -verbose

Be more verbose when invoking proposal parser.

-d , -debug

Enable full debug-logging when invoking the proposal parser.


Written for the Libreswan project by Andrew Cagney.


Andrew Cagney