NAME
ipsecif — IPsec interface
SYNOPSIS
pseudo-device ipsecif
DESCRIPTION
The ipsecif interface is targeted at route-based VPNs. It can tunnel IPv4 and
IPv6 traffic over either IPv4 or IPv6 and secure it with ESP.
ipsecif interfaces are dynamically created and destroyed with the ifconfig(8)
create and destroy subcommands. The administrator must configure the ipsecif
tunnel endpoint addresses; these are used for the outer IP header of the ESP
packets. The administrator also configures the protocol and addresses for the
inner IP header with the ifconfig(8) inet or inet6 subcommands, and modifies
the routing table so that the traffic to be protected is routed through the
ipsecif interface.
The packet processing is similar to gif(4) over ipsec(4) transport mode; the
difference is in security policy management. gif(4) over ipsec(4) transport
mode expects userland programs to manage the security policies. In contrast,
ipsecif manages its security policies by itself: when the administrator sets
up an ipsecif tunnel source and destination address pair, the related security
policies are created automatically in the kernel, and they are deleted
automatically when the tunnel is destroyed.
This also means that ipsecif guarantees that the in and out security policies
always exist as a pair, so it avoids the trouble that arises when only one
direction of the pair is present (for example an out policy that encrypts
outbound traffic while, with no in policy, inbound traffic is still accepted
in the clear).
There are four security policies generated by
ipsecif: one in
and out pair for IPv4 and IPv6 each. These security policies are equivalent to
the following
ipsec.conf(5)
configuration where src and dst are IP addresses specified to the tunnel:
spdadd "src" "dst" ipv4 -P out ipsec esp/transport//unique;
spdadd "dst" "src" ipv4 -P in ipsec esp/transport//unique;
spdadd "src" "dst" ipv6 -P out ipsec esp/transport//unique;
spdadd "dst" "src" ipv6 -P in ipsec esp/transport//unique;
Configuring the ipsecif tunnel fails if such security policies already exist,
and conversely, adding such policies manually fails while the tunnel exists.
The corresponding security associations can be established by an IKE daemon
such as racoon(8). They can also be set up manually with setkey(8) using the
-u option, which ties a security association to the unique id of the security
policy it serves.
Some ifconfig(8) parameters change the behaviour of ipsecif: link0 enables
NAT-Traversal, link1 enables ECN-friendly mode as in gif(4), and link2 enables
forwarding of inner IPv6 packets. Only link2 is set by default. If only IPv4
packets are carried as inner packets, clear it (for the interface ipsec0,
ifconfig ipsec0 -link2) so that no security associations have to be
established for the IPv6 policies.
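The policy and security association handling described above, as an added example; this script is not part of the ipsecif(4) page or of NetBSD. It parses a setkey -DP dump to find the unique ids ipsecif assigned to its four policies, checks that every inner protocol has both the in and the out policy, generates the shared SPIs and keys once, and emits the setkey "add" lines for the host it runs on, each bound with -u to that host's policy id (on the peer, run it with the two tunnel addresses swapped; the key file is the same). The dump layout it parses (an address line, a direction line and a request line ending in "unique#ID") and the SPD_DUMP sample are assumptions and constructed data, not captured output; rijndael-cbc and hmac-sha256 are the setkey(8) algorithm names used. With link2 cleared only the ipv4 pair appears in the dump, so gen_sa_keys then needs only "ipv4".

```shell
#!/bin/sh
# Added example, not code from the ipsecif(4) page or the NetBSD sources.
# Assumed (check against your system): `setkey -DP` prints each policy as an
# address line "SRC[any] DST[any] 4(ipv4)", a direction line "out ipsec" and a
# request line ending in the kernel-assigned unique id, "esp/transport//unique#ID".
# SPD_DUMP is constructed sample data in that shape for the tunnel
# 192.168.0.1 -> 192.168.0.2 with link2 still set (IPv6 pair present).
SPD_DUMP='192.168.0.1[any] 192.168.0.2[any] 4(ipv4)
    out ipsec
    esp/transport//unique#16384
    spid=1 seq=3 pid=0
192.168.0.2[any] 192.168.0.1[any] 4(ipv4)
    in ipsec
    esp/transport//unique#16385
    spid=2 seq=2 pid=0
192.168.0.1[any] 192.168.0.2[any] 41(ipv6)
    out ipsec
    esp/transport//unique#16386
    spid=3 seq=1 pid=0
192.168.0.2[any] 192.168.0.1[any] 41(ipv6)
    in ipsec
    esp/transport//unique#16387
    spid=4 seq=0 pid=0'

# policy_reqids SRC DST: dump on stdin; prints "<dir> <inner-proto> <reqid>"
# for each unique policy of the tunnel (out policies are SRC DST, in are DST SRC).
policy_reqids() {
    awk -v src="$1" -v dst="$2" '
    $1 ~ /\[/ && NF >= 3 {
        s = $1; sub(/\[.*/, "", s)
        d = $2; sub(/\[.*/, "", d)
        proto = $3; sub(/^[0-9]*\(/, "", proto); sub(/\)$/, "", proto)
        next
    }
    ($1 == "in" || $1 == "out") && $2 == "ipsec" { dir = $1; next }
    index($0, "unique#") > 0 {
        id = substr($0, index($0, "unique#") + 7); sub(/[^0-9].*/, "", id)
        if ((dir == "out" && s == src && d == dst) ||
            (dir == "in"  && s == dst && d == src))
            print dir, proto, id
    }'
}

# check_policy_pairs SRC DST: dump on stdin; fails unless every inner protocol
# has both an in and an out policy (a lone out policy would leave inbound
# traffic accepted without ESP).
check_policy_pairs() {
    policy_reqids "$1" "$2" | awk '
    $1 == "in"  { has_in[$2] = 1;  protos[$2] = 1 }
    $1 == "out" { has_out[$2] = 1; protos[$2] = 1 }
    END {
        rc = (NR == 0)
        for (p in protos)
            if (!(p in has_in) || !(p in has_out)) {
                print "incomplete policy pair for " p > "/dev/stderr"; rc = 1
            }
        exit rc
    }'
}

# randhex NBYTES: NBYTES random bytes as lowercase hex.
randhex() { od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'; }

# gen_sa_keys A B SPI_BASE PROTO...: print "<proto> <sa-src> <sa-dst> <spi>
# <aes-128 key> <hmac-sha256 key>" for both directions of every inner protocol.
# Run once and copy the output to both peers: SPIs and keys are shared between
# the hosts, the policy ids are not.
gen_sa_keys() {
    a=$1; b=$2; spi=$(($3)); shift 3
    for proto in "$@"; do
        printf '%s %s %s 0x%x %s %s\n' "$proto" "$a" "$b" "$spi" "$(randhex 16)" "$(randhex 32)"
        printf '%s %s %s 0x%x %s %s\n' "$proto" "$b" "$a" $((spi + 1)) "$(randhex 16)" "$(randhex 32)"
        spi=$((spi + 2))
    done
}

# esp_sa_commands SRC DST KEYFILE: this host's dump on stdin; joins each policy
# with the shared key line of the SA it needs and binds them with -u REQID.
esp_sa_commands() {
    src=$1; dst=$2; keyfile=$3
    policy_reqids "$src" "$dst" | while read -r dir proto id; do
        case $dir in
        out) a=$src; b=$dst ;;
        in)  a=$dst; b=$src ;;
        esac
        line=$(awk -v p="$proto" -v a="$a" -v b="$b" '$1 == p && $2 == a && $3 == b' "$keyfile")
        [ -n "$line" ] || { echo "no key for $proto $a -> $b in $keyfile" >&2; return 1; }
        set -- $line
        printf 'add %s %s esp %s -m transport -u %s -E rijndael-cbc 0x%s -A hmac-sha256 0x%s ;\n' \
            "$a" "$b" "$4" "$id" "$5" "$6"
    done
}

# On the live hosts (not run here):
#   gen_sa_keys 192.168.0.1 192.168.0.2 0x1000 ipv4 ipv6 > sa.keys   # once; copy to the peer
#   setkey -DP | check_policy_pairs 192.168.0.1 192.168.0.2 || exit 1
#   setkey -DP | esp_sa_commands 192.168.0.1 192.168.0.2 sa.keys | setkey -c
```

The key file is indexed by inner protocol and the SA's own source and destination, not by position in the dump, because the order in which the two hosts list their policies differs (A's out policy is B's in policy) while the SA keyed for that direction must be identical on both.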
EXAMPLES
Configuration example (ipsec0 carries the tunnel addresses, wm0 the outer
addresses, wm1 the inner networks):
    ipsec0 = 172.16.100.1                       ipsec0 = 172.16.200.1
    wm0 = 192.168.0.1/24                        wm0 = 192.168.0.2/24
    wm1 = 10.100.0.1/24                         wm1 = 10.200.0.1/24
    +------------+                              +------------+
    |  NetBSD_A  |                              |  NetBSD_B  |
    |------------|                              |------------|
    | [ipsec0] - - - - - - - (tunnel) - - - - - - - [ipsec0] |
    |  [wm0] ----------------- ... ------------------ [wm0]  |
    |     |      |                              |      |     |
    +---[wm1]----+                              +----[wm1]---+
          |                                             |
          |                                             |
    +------------+                              +------------+
    |   Host_X   |                              |   Host_Y   |
    +------------+                              +------------+
Host_X and Host_Y will be able to communicate via an IPv4 IPsec tunnel.
On NetBSD_A:
# ifconfig wm0 inet 192.168.0.1/24
# ifconfig ipsec0 create
# ifconfig ipsec0 tunnel 192.168.0.1 192.168.0.2
# ifconfig ipsec0 inet 172.16.100.1/32 172.16.200.1
(start the IKE daemon or set the security associations manually)
# ifconfig wm1 inet 10.100.0.1/24
# route add 10.200.0.1 172.16.100.1
On NetBSD_B:
# ifconfig wm0 inet 192.168.0.2/24
# ifconfig ipsec0 create
# ifconfig ipsec0 tunnel 192.168.0.2 192.168.0.1
# ifconfig ipsec0 inet 172.16.200.1/32 172.16.100.1
(start the IKE daemon or set the security associations manually)
# ifconfig wm1 inet 10.200.0.1/24
# route add 10.100.0.1 172.16.200.1
SEE ALSO
gif(4),
inet(4),
inet6(4),
ipsec(4),
ifconfig(8),
racoon(8),
setkey(8)
HISTORY
The ipsecif device first appeared in NetBSD 8.0.
LIMITATIONS
Currently, the ipsecif interface supports the ESP protocol only.
ipsecif supports only the default UDP port number (4500) for NAT-Traversal.