kame_ipsec(4) - NetBSD Manual Pages

Command: Section: Arch: Collection:   
KAME_IPSEC(4)           NetBSD Kernel Interfaces Manual          KAME_IPSEC(4)


NAME

     ipsec -- IP security protocol


SYNOPSIS

     #include <sys/types.h>
     #include <netinet/in.h>
     #include <netinet6/ipsec.h>

     options KAME_IPSEC
     options IPSEC_ESP
     options IPSEC_NAT_T
     options IPSEC_DEBUG


DESCRIPTION

     ipsec is the first implemtation of IPSEC in NetBSD.  It is being replaced
     by fast_ipsec(4).

     The following kernel options are available:

     options IPSEC
     Includes support for the IPsec protocol.  IPSEC will enable secret key
     management part, policy management part, AH and IPComp.  Kernel binary
     will not be subject to export control in most of countries, even if com-
     piled with IPSEC.  For example, it should be okay to export it from the
     United States of America.  INET6 and IPSEC are orthogonal so you can get
     IPv4-only kernel with IPsec support, IPv4/v6 dual support kernel without
     IPsec, and so forth.  This option requires INET at this moment, but it
     should not.

     options IPSEC_DEBUG
     Enables debugging code in IPsec stack.  This option assumes IPSEC.

     options IPSEC_ESP
     Includes support for IPsec ESP protocol.  IPSEC_ESP will enable source
     code that is subject to export control in some countries (including the
     United States), and compiled kernel binary will be subject to certain
     restriction.  This option assumes IPSEC.

     options IPSEC_NAT_T
     Includes support for IPsec Network Address Translator Traversal (NAT-T),
     as described in RFCs 3947 and 3948.  This feature might be patent-encum-
     bered in some countries.  This option assumes IPSEC and IPSEC_ESP.


SEE ALSO

     ioctl(2), socket(2), ipsec_set_policy(3), fast_ipsec(4), icmp6(4),
     intro(4), ip6(4), ipsec(4), racoon(8), setkey(8), sysctl(8)


STANDARDS

     Daniel L. McDonald, Craig Metz, and Bao G. Phan, PF_KEY Key Management
     API, Version 2, RFC, 2367.


HISTORY

     The implementation described herein appeared in WIDE/KAME IPv6/IPsec
     stack.


BUGS

     The IPsec support is subject to change as the IPsec protocols develop.

     There is no single standard for policy engine API, so the policy engine
     API described herein is just for KAME implementation.

     AH and tunnel mode encapsulation may not work as you might expect.  If
     you configure inbound ``require'' policy against AH tunnel or any IPsec
     encapsulating policy with AH (like ``esp/tunnel/A-B/use
     ah/transport/A-B/require''), tunneled packets will be rejected.  This is
     because we enforce policy check on inner packet on reception, and AH
     authenticates encapsulating (outer) packet, not the encapsulated (inner)
     packet (so for the receiving kernel there's no sign of authenticity).
     The issue will be solved when we revamp our policy engine to keep all the
     packet decapsulation history.

     Under certain condition, truncated result may be raised from the kernel
     against SADB_DUMP and SADB_SPDDUMP operation on PF_KEY socket.  This
     occurs if there are too many database entries in the kernel and socket
     buffer for the PF_KEY socket is insufficient.  If you manipulate many
     IPsec key/policy database entries, increase the size of socket buffer or
     use sysctl(8) interface.

NetBSD 6.0                     January 16, 2012                     NetBSD 6.0
Powered by man-cgi (2024-03-20). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.