> So whereas Linux has both a Security Policy Database and a Security
> Association Database in the kernel, I believe (and someone please correct me
> if I'm wrong) that OpenBSD kernel has only an SAD. You put your policy into
> ipsecctl, which passes it onto isakmpd, and isakmpd negotiates keys and
> sticks them in the SAD.
You're wrong. Look at src/sys/netinet/ip_spd.c. You can manipulate the SPD by using static flow esp rules and using the type keyword.

    flow esp from 192.168.0.0/24 to 192.168.1.0/24 peer 192.168.0.2 type require

-- 
Mathieu Sauve-Frankel
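As an added illustration (not part of the thread, and not OpenBSD's own configuration), the following /etc/ipsec.conf fragment shows how static flow rules populate the SPD and how the type keyword changes the policy a flow enforces; the two networks and the peer come from the rule above, while the host 192.168.1.10 and the 10.0.0.0/8 range are constructed for the example.

```conf
# Constructed /etc/ipsec.conf fragment (added example, not from the thread).
# Only SPD entries are installed by these rules; the matching SAs still come
# from isakmpd (or static esp rules), so a "require" flow with no SA in the
# SAD drops the traffic instead of leaking it in the clear.
lan_a = "192.168.0.0/24"
lan_b = "192.168.1.0/24"
gw_b  = "192.168.0.2"

# Weak policy: "use" applies an ESP SA when one exists but otherwise lets the
# packets leave unprotected. Kept here only for contrast; do not load it.
# flow esp from $lan_a to $lan_b peer $gw_b type use

# Enforced policy: "require" (the default) only forwards LAN-to-LAN traffic
# inside an ESP SA with gw_b; without one the packets are dropped.
flow esp from $lan_a to $lan_b peer $gw_b type require

# More specific flows win in the SPD lookup, so a single host that must stay
# reachable in the clear can be carved out of the required range.
flow esp from $lan_a to 192.168.1.10 type bypass

# "deny" drops matching traffic outright, regardless of any SA.
flow esp from 10.0.0.0/8 to $lan_b type deny
```

Check the syntax with `ipsecctl -n -f /etc/ipsec.conf`, load it with `ipsecctl -f /etc/ipsec.conf`, and confirm the resulting SPD entries with `ipsecctl -s flow`.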