Since IPSEC_DEBUG is now disabled by default, setkey -x is a useful utility to debug some PF_KEY related problems.
Unfortunately, the output that it produces is not easy to read. I modified it a bit and, from my point of view, it is now much easier to read.
I added text names of SADB message types. This file is used to build setkey(8) in userland.
For example, before:
15:10:30.325443
sadb_msg{ version=2 type=11 errno=0 satype=1
len=2 reserved=0 seq=0 pid=96324
15:10:30.325481
15:10:35.328836
sadb_msg{ version=2 type=18 errno=0 satype=0
len=15 reserved=1 seq=3 pid=96325
sadb_ext{ len=3 type=5 }
sadb_address{ proto=255 prefixlen=0 reserved=0x0000 }
sockaddr{ len=16 family=2 addr=0.0.0.0 }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=255 prefixlen=0 reserved=0x0000 }
sockaddr{ len=16 family=2 addr=0.0.0.0 }
sadb_ext{ len=7 type=18 }
sadb_x_policy{ type=2 dir=1 id=1 scope=2 ifindex=6 }
{ len=40 proto=50 mode=2 level=3 reqid=100
sockaddr{ len=16 family=2 addr=10.9.8.6 }
sockaddr{ len=16 family=2 addr=10.9.8.3 }
}
After:
14:19:54.957112
sadb_msg{ version=2 type=11(X_PROMISC) errno=0 satype=1
len=2 reserved=0 seq=0 pid=96154
14:19:54.957142
14:19:58.715888
sadb_msg{ version=2 type=18(X_SPDDUMP) errno=0 satype=0
len=15 reserved=1 seq=3 pid=96155
sadb_ext{ len=3 type=5(ADDRESS_SRC) }
sadb_address{ proto=255 prefixlen=0 reserved=0x0000 }
sockaddr{ len=16 family=2 addr=0.0.0.0 }
sadb_ext{ len=3 type=6(ADDRESS_DST) }
sadb_address{ proto=255 prefixlen=0 reserved=0x0000 }
sockaddr{ len=16 family=2 addr=0.0.0.0 }
sadb_ext{ len=7 type=18(POLICY) }
sadb_x_policy{ type=2 dir=1 id=1 scope=2 ifindex=6 }
{ len=40 proto=50 mode=2 level=3 reqid=100
sockaddr{ len=16 family=2 addr=10.9.8.6 }
sockaddr{ len=16 family=2 addr=10.9.8.3 }
}