Updated: 2022/Sep/29

Please read Privacy Policy. It's for your privacy.

IPSECIF(4)                   Device Drivers Manual                  IPSECIF(4)

     ipsecif - IPsec interface

     pseudo-device ipsecif

     The ipsecif interface is targeted for route-based VPNs.  It can tunnel
     IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure it with ESP.

     ipsecif interfaces are dynamically created and destroyed with the
     ifconfig(8) create and destroy subcommands.  The administrator must
     configure ipsecif tunnel endpoint addresses.  These addresses will be
     used for the outer IP header of ESP packets.  The administrator also
     configures the protocol and addresses for the inner IP header with the
     ifconfig(8) inet or inet6 subcommands, and modify the routing table to
     route the packets through the ipsecif interface.

     The packet processing is similar to gif(4) over ipsec(4) transport mode,
     however the security policy management is different.  gif(4) over
     ipsec(4) transport mode expects userland programs to manage their
     security policies.  In contrast, ipsecif manages its security policies by
     itself: when the administrator sets up an ipsecif tunnel source and
     destination address pair, the related security policies are created
     automatically in the kernel.  They are automatically deleted when the
     tunnel is destroyed.

     It also means that ipsecif ensures that both the in and out security
     policy pairs exist, that is, ipsecif avoids the trouble caused when only
     one of the in and out security policy pair exists.

     There are four security policies generated by ipsecif: one in and out
     pair for IPv4 and IPv6 each.  These security policies are equivalent to
     the following ipsec.conf(5) configuration where src and dst are IP
     addresses specified to the tunnel:

           spdadd "src" "dst" ipv4 -P out ipsec esp/transport//unique;
           spdadd "dst" "src" ipv4 -P in ipsec esp/transport//unique;
           spdadd "src" "dst" ipv6 -P out ipsec esp/transport//unique;
           spdadd "dst" "src" ipv6 -P in ipsec esp/transport//unique;

     The ipsecif configuration will fail if such security policies already
     exist, and vice versa.

     The related security associates can be established by an IKE daemon such
     as racoon(8).  They can also be manipulated manually by setkey(8) with
     the -u option which sets a security policy's unique id.

     Some ifconfig(8) parameters change the behaviour of ipsecif.  link0 can
     enable NAT-Traversal, link1 can enable ECN friendly mode like gif(4), and
     link2 can enable forwarding inner IPv6 packets.  Only link2 is set by
     default.  If you use only IPv4 packets as inner packets, you would want
     to do

           ifconfig ipsec0 -link2

     to reduce security associates for IPv6 packets.

     Configuration example:

     Out IP addr =            Out IP addr =
     wm0 =                        wm0 =
     wm1 =                          wm1 =

     +------------+                                    +------------+
     |  NetBSD_A  |                                    |  NetBSD_B  |
     |------------|                                    |------------|
     |  [ipsec0] - - - - - - - - (tunnel) - - - - - - - - [ipsec0]  |
     |          [wm0]------------- ... --------------[wm0]          |
     |            |                                    |            |
     +---[wm1]----+                                    +----[wm1]---+
           |                                                  |
           |                                                  |
     +------------+                                    +------------+
     |   Host_X   |                                    |   Host_Y   |
     +------------+                                    +------------+

     Host_X and Host_Y will be able to communicate via an IPv4 IPsec tunnel.

     On NetBSD_A:

     # ifconfig wm0 inet
     # ifconfig ipsec0 create
     # ifconfig ipsec0 tunnel
     # ifconfig ipsec0 inet
     start IKE daemon or set security associates manually.
     # ifconfig wm1 inet
     # route add

     On NetBSD_B:

     # ifconfig wm0 inet
     # ifconfig ipsec0 create
     # ifconfig ipsec0 tunnel
     # ifconfig ipsec0 inet
     start IKE daemon or set security associates manually.
     # ifconfig wm1 inet
     # route add

     gif(4), inet(4), inet6(4), ipsec(4), ifconfig(8), racoon(8), setkey(8)

     The ipsecif device first appeared in NetBSD 8.0.

     Currently, the ipsecif interface supports the ESP protocol only.  ipsecif
     supports default port number (4500) only for NAT-Traversal.

NetBSD 10.99                   January 25, 2018                   NetBSD 10.99