1.\" Copyright (c) 2017 Andrey V. Elsukov <ae@FreeBSD.org> 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.Dd February 6, 2017 26.Dt if_ipsec 4 27.Os 28.Sh NAME 29.Nm if_ipsec 30.Nd IPsec virtual tunneling interface 31.Sh SYNOPSIS 32The 33.Cm if_ipsec 34network interface is a part of the 35.Fx 36IPsec implementation. 
37To compile it into the kernel, place this line in the kernel 38configuration file: 39.Bd -ragged -offset indent 40.Cd "options IPSEC" 41.Ed 42.Pp 43It can also be loaded as part of the 44.Cm ipsec 45kernel module if the kernel was compiled with 46.Bd -ragged -offset indent 47.Cd "options IPSEC_SUPPORT" 48.Ed 49.Sh DESCRIPTION 50The 51.Nm 52network interface is targeted for creating route-based VPNs. 53It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure 54it with ESP. 55.Pp 56.Nm 57interfaces are dynamically created and destroyed with the 58.Xr ifconfig 8 59.Cm create 60and 61.Cm destroy 62subcommands. 63The administrator must configure IPsec 64.Cm tunnel 65endpoint addresses. 66These addresses will be used for the outer IP header of ESP packets. 67The administrator can also configure the protocol and addresses for the inner 68IP header with 69.Xr ifconfig 8 , 70and modify the routing table to route the packets through the 71.Nm 72interface. 73.Pp 74When the 75.Nm 76interface is configured, it automatically creates special security policies. 77These policies can be used to acquire security associations from the IKE daemon, 78which are needed for establishing an IPsec tunnel. 79It is also possible to create needed security associations manually with the 80.Xr setkey 8 81utility. 82.Pp 83Each 84.Nm 85interface has an additional numeric configuration option 86.Cm reqid Ar id . 87This 88.Ar id 89is used to distinguish traffic and security policies between several 90.Nm 91interfaces. 92The 93.Cm reqid 94can be specified on interface creation and changed later. 95If not specified, it is automatically assigned. 96Note that changing 97.Cm reqid 98will lead to generation of new security policies, and this 99may require creating new security associations. 100.Sh EXAMPLES 101The example below shows manual configuration of an IPsec tunnel 102between two FreeBSD hosts. 103Host A has the IP address 192.168.0.3, and host B has the IP address 104192.168.0.5. 
105.Pp 106On host A: 107.Bd -literal -offset indent 108ifconfig ipsec0 create reqid 100 109ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5 110ifconfig ipsec0 inet 172.16.0.3/16 172.16.0.5 111setkey -c 112add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!1"; 113add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!2"; 114^D 115.Ed 116.Pp 117On host B: 118.Bd -literal -offset indent 119ifconfig ipsec0 create reqid 200 120ifconfig ipsec0 inet tunnel 192.168.0.5 192.168.0.3 121ifconfig ipsec0 inet 172.16.0.5/16 172.16.0.3 122setkey -c 123add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!1"; 124add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!2"; 125^D 126.Ed 127.Pp 128Note the value 100 on host A and value 200 on host B are used as reqid. 129The same value must be used as identifier of the policy entry in the 130.Xr setkey 8 131command. 132.Sh SEE ALSO 133.Xr gif 4 , 134.Xr gre 4 , 135.Xr ipsec 4 , 136.Xr ifconfig 8 , 137.Xr setkey 8 138.Sh AUTHORS 139.An Andrey V. Elsukov Aq Mt ae@FreeBSD.org 140
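The EXAMPLES section above has two consistency requirements that are easy to get wrong by hand: both hosts must install identical SPIs and keys for each direction, while each host passes its own reqid in the `-u` field of its setkey(8) entries. The script below is an added example, not part of the if_ipsec(4) manual page or FreeBSD's own tooling. It generates the ifconfig(8) and setkey(8) commands for both hosts from one set of parameters, draws random 128-bit keys from `/dev/urandom` in setkey's `0x`-hex key form instead of the fixed string keys of the example, and rejects keys whose length rijndael-cbc (AES) does not support. The function names (`gen_key`, `validate_key`, `gen_setkey_conf`, `gen_ifconfig_cmds`) and the `demo` argument are my own; the addresses, SPIs and reqids are the constructed values from the manual page's example.

```shell
#!/bin/sh
# Added example (not from the if_ipsec(4) manual page): emit the
# ifconfig(8)/setkey(8) commands for a manually keyed if_ipsec tunnel so
# that both hosts share SPIs and keys while each uses its own reqid.
# Assumptions: keys are in setkey's 0x-hex form, the cipher is
# rijndael-cbc as in the manual page's example, and /dev/urandom exists.

# gen_key: print a random 128-bit key as 0x-prefixed hex.
gen_key() {
    printf '0x%s\n' "$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')"
}

# validate_key KEY: accept only 0x-hex keys of 128, 192 or 256 bits,
# the key sizes rijndael-cbc (AES) supports.  Anything else returns 1.
validate_key() {
    case "$1" in
        0x*) ;;
        *)   return 1 ;;
    esac
    hex="${1#0x}"
    case "$hex" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    bits=$(( ${#hex} * 4 ))
    case "$bits" in
        128|192|256) return 0 ;;
        *)           return 1 ;;
    esac
}

# gen_setkey_conf A B REQID SPI_AB SPI_BA KEY_AB KEY_BA
# A and B are the outer (tunnel) addresses in an order both hosts agree
# on; REQID is the reqid of the host that will run the output.  Prints
# the two SAD entries for "setkey -c"; the A->B and B->A SPIs and keys
# are the same on both hosts, only the -u value differs.
gen_setkey_conf() {
    a="$1"; b="$2"; reqid="$3"
    spi_ab="$4"; spi_ba="$5"; key_ab="$6"; key_ba="$7"
    validate_key "$key_ab" || { echo "gen_setkey_conf: bad A->B key" >&2; return 1; }
    validate_key "$key_ba" || { echo "gen_setkey_conf: bad B->A key" >&2; return 1; }
    printf 'add %s %s esp %s -m tunnel -u %s -E rijndael-cbc %s;\n' \
        "$a" "$b" "$spi_ab" "$reqid" "$key_ab"
    printf 'add %s %s esp %s -m tunnel -u %s -E rijndael-cbc %s;\n' \
        "$b" "$a" "$spi_ba" "$reqid" "$key_ba"
}

# gen_ifconfig_cmds MYOUTER PEEROUTER MYINNER/PLEN PEERINNER REQID
# Prints the ifconfig(8) lines that create and address ipsec0 on one host.
gen_ifconfig_cmds() {
    printf 'ifconfig ipsec0 create reqid %s\n' "$5"
    printf 'ifconfig ipsec0 inet tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig ipsec0 inet %s %s\n' "$3" "$4"
}

# Usage: "sh this.sh demo" prints both hosts' configuration with fresh
# keys, using the constructed addresses from the manual page's example.
# Paste the "Host A" block on host A and the "Host B" block on host B.
if [ "${1:-}" = "demo" ]; then
    KEY_AB=$(gen_key); KEY_BA=$(gen_key)
    echo "# Host A"
    gen_ifconfig_cmds 192.168.0.3 192.168.0.5 172.16.0.3/16 172.16.0.5 100
    echo "setkey -c <<'EOF'"
    gen_setkey_conf 192.168.0.3 192.168.0.5 100 10000 10001 "$KEY_AB" "$KEY_BA"
    echo "EOF"
    echo "# Host B"
    gen_ifconfig_cmds 192.168.0.5 192.168.0.3 172.16.0.5/16 172.16.0.3 200
    echo "setkey -c <<'EOF'"
    gen_setkey_conf 192.168.0.3 192.168.0.5 200 10000 10001 "$KEY_AB" "$KEY_BA"
    echo "EOF"
fi
```

Because `gen_setkey_conf` takes the endpoints in a fixed A/B order on both hosts and only the reqid argument changes, the generated SAD entries cannot drift between the two sides; a mismatched SPI or key is the usual cause of a tunnel that comes up on `ifconfig` but passes no traffic.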