ipsecif(4) - NetBSD Manual Pages

IPSECIF(4)              NetBSD Kernel Interfaces Manual             IPSECIF(4)

ipsecif -- IPsec interface
pseudo-device ipsecif
The ipsecif interface is targeted for route-based VPNs. It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure it with ESP.

ipsecif interfaces are dynamically created and destroyed with the ifconfig(8) create and destroy subcommands. The administrator must configure ipsecif tunnel endpoint addresses. These addresses will be used for the outer IP header of ESP packets. The administrator also configures the protocol and addresses for the inner IP header with the ifconfig(8) inet or inet6 subcommands, and modifies the routing table to route the packets through the ipsecif interface.

The packet processing is similar to gif(4) over ipsec(4) transport mode; however, the security policy management is different. gif(4) over ipsec(4) transport mode expects userland programs to manage their security policies. In contrast, ipsecif manages its security policies by itself: when the administrator sets up an ipsecif tunnel source and destination address pair, the related security policies are created automatically in the kernel. They are automatically deleted when the tunnel is destroyed.

It also means that ipsecif ensures that both the in and out security policy pairs exist, that is, ipsecif avoids the trouble caused when only one of the in and out security policy pair exists.

There are four security policies generated by ipsecif: one in and out pair for IPv4 and IPv6 each. These security policies are equivalent to the following ipsec.conf(5) configuration where src and dst are IP addresses specified to the tunnel:

    spdadd "src" "dst" ipv4 -P out ipsec esp/transport//unique;
    spdadd "dst" "src" ipv4 -P in ipsec esp/transport//unique;
    spdadd "src" "dst" ipv6 -P out ipsec esp/transport//unique;
    spdadd "dst" "src" ipv6 -P in ipsec esp/transport//unique;

The ipsecif configuration will fail if such security policies already exist, and vice versa.

The related security associations can be established by an IKE daemon such as racoon(8). They can also be manipulated manually by setkey(8) with the -u option which sets a security policy's unique id.

Some ifconfig(8) parameters change the behaviour of ipsecif. link0 can enable NAT-Traversal, link1 can enable ECN friendly mode like gif(4), and link2 can enable forwarding inner IPv6 packets. Only link2 is set by default. If you use only IPv4 packets as inner packets, you would want to do

    ifconfig ipsec0 -link2

to reduce security associations for IPv6 packets.
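The four generated policies and the conflict rule described above, as an added shell example (not part of the NetBSD manual page or source): ipsecif_policies prints the equivalent spdadd lines for a tunnel address pair, and find_conflicts scans existing ipsec.conf(5)-style text for entries that would collide with them. The function names, the sample configuration, and matching on address pair plus direction only are assumptions of this example.

```shell
#!/bin/sh
# Added example, not NetBSD code. Addresses are constructed (RFC 5737 ranges).

# Print the four policies the manual says ipsecif generates for a tunnel.
ipsecif_policies() {
    src=$1 dst=$2
    for fam in ipv4 ipv6; do
        printf 'spdadd "%s" "%s" %s -P out ipsec esp/transport//unique;\n' \
            "$src" "$dst" "$fam"
        printf 'spdadd "%s" "%s" %s -P in ipsec esp/transport//unique;\n' \
            "$dst" "$src" "$fam"
    done
}

# Read ipsec.conf(5)-style text on stdin and print "lineno: entry" for every
# spdadd whose address pair and direction match a policy ipsecif would create.
# Assumption: the upper-layer protocol field is ignored, so this over-reports
# rather than under-reports.
find_conflicts() {
    awk -v src="$1" -v dst="$2" '
    function addr(a) {   # "192.0.2.1/32[any]" -> 192.0.2.1
        gsub(/"/, "", a); sub(/\[.*\]$/, "", a); sub(/\/(32|128)$/, "", a)
        return a
    }
    /^[ \t]*#/ { next }                      # skip comments
    $1 == "spdadd" {
        s = addr($2); d = addr($3); dir = ""
        for (i = 4; i < NF; i++)
            if ($i == "-P") { dir = $(i + 1); sub(/;$/, "", dir) }
        if ((dir == "out" && s == src && d == dst) ||
            (dir == "in" && s == dst && d == src))
            printf "%d: %s\n", NR, $0
    }'
}

# Constructed sample of a pre-existing policy file.
SAMPLE_CONF='# hand-written policies from an older gif(4) setup
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1/32 any -P in ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.2 any -P out ipsec esp/transport//require;
#spdadd 192.0.2.1 192.0.2.2 ipv4 -P out none;
'

# Lines 2 and 3 collide with "ifconfig ipsec0 tunnel 192.0.2.1 192.0.2.2".
printf '%s' "$SAMPLE_CONF" | find_conflicts 192.0.2.1 192.0.2.2
```

Any line it reports should be removed from the hand-maintained policy set before the tunnel addresses are configured, since the two sources of policy cannot coexist.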
Configuration example:

    Out IP addr =                                 Out IP addr =
    wm0 =                                         wm0 =
    wm1 =                                         wm1 =

    +------------+                                +------------+
    |  NetBSD_A  |                                |  NetBSD_B  |
    |------------|                                |------------|
    |[ipsec0] - - - - - - - - (tunnel) - - - - - - - - [ipsec0]|
    |        [wm0]------------- ... --------------[wm0]        |
    |            |                                |            |
    +---[wm1]----+                                +----[wm1]---+
          |                                              |
          |                                              |
    +------------+                                +------------+
    |   Host_X   |                                |   Host_Y   |
    +------------+                                +------------+

Host_X and Host_Y will be able to communicate via an IPv4 IPsec tunnel.

On NetBSD_A:

    # ifconfig wm0 inet
    # ifconfig ipsec0 create
    # ifconfig ipsec0 tunnel
    # ifconfig ipsec0 inet
    start IKE daemon or set security associations manually.
    # ifconfig wm1 inet
    # route add

On NetBSD_B:

    # ifconfig wm0 inet
    # ifconfig ipsec0 create
    # ifconfig ipsec0 tunnel
    # ifconfig ipsec0 inet
    start IKE daemon or set security associations manually.
    # ifconfig wm1 inet
    # route add
gif(4), inet(4), inet6(4), ipsec(4), ifconfig(8), racoon(8), setkey(8)
The ipsecif device first appeared in NetBSD 8.0.
Currently, the ipsecif interface supports the ESP protocol only. ipsecif supports only the default port number (4500) for NAT-Traversal.

NetBSD 9.1                      January 25, 2018                      NetBSD 9.1