IPSECIF(4) | Device Drivers Manual | IPSECIF(4) |
ipsecif
—
pseudo-device ipsecif
ipsecif
interface is targeted for route-based VPNs.
It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure it
with ESP.
ipsecif
interfaces are dynamically created
and destroyed with the
ifconfig(8)
create
and destroy
subcommands. The administrator must configure
ipsecif
tunnel endpoint addresses. These addresses
will be used for the outer IP header of ESP packets. The administrator also
configures the protocol and addresses for the inner IP header with the
ifconfig(8)
inet
or inet6
subcommands,
and modify the routing table to route the packets through the
ipsecif
interface.
The packet processing is similar to
gif(4) over
ipsec(4) transport mode,
however the security policy management is different.
gif(4) over
ipsec(4) transport mode expects
userland programs to manage their security policies. In contrast,
ipsecif
manages its security policies by itself:
when the administrator sets up an ipsecif
tunnel
source and destination address pair, the related security policies are
created automatically in the kernel. They are automatically deleted when the
tunnel is destroyed.
It also means that ipsecif
ensures that
both the in and out security policy pairs exist, that is,
ipsecif
avoids the trouble caused when only one of
the in and out security policy pair exists.
There are four security policies generated by
ipsecif
: one in and out pair for IPv4 and IPv6 each.
These security policies are equivalent to the following
ipsec.conf(5)
configuration where src and dst are IP addresses specified to the
tunnel:
spdadd "src" "dst" ipv4 -P out ipsec esp/transport//unique; spdadd "dst" "src" ipv4 -P in ipsec esp/transport//unique; spdadd "src" "dst" ipv6 -P out ipsec esp/transport//unique; spdadd "dst" "src" ipv6 -P in ipsec esp/transport//unique;
The ipsecif
configuration will fail if
such security policies already exist, and vice versa.
The related security associates can be established by an IKE
daemon such as racoon(8). They
can also be manipulated manually by
setkey(8) with the
-u
option which sets a security policy's unique
id.
Some ifconfig(8)
parameters change the behaviour of ipsecif
. link0
can enable NAT-Traversal, link1 can enable ECN friendly mode like
gif(4), and link2 can enable
forwarding inner IPv6 packets. Only link2 is set by default. If you use only
IPv4 packets as inner packets, you would want to do
ifconfig ipsec0 -link2
to reduce security associates for IPv6 packets.
Out IP addr = 172.16.100.1 Out IP addr = 172.16.200.1 wm0 = 192.168.0.1/24 wm0 = 192.168.0.2/24 wm1 = 10.100.0.1/24 wm1 = 10.200.0.1/24 +------------+ +------------+ | NetBSD_A | | NetBSD_B | |------------| |------------| | [ipsec0] - - - - - - - - (tunnel) - - - - - - - - [ipsec0] | | [wm0]------------- ... --------------[wm0] | | | | | +---[wm1]----+ +----[wm1]---+ | | | | +------------+ +------------+ | Host_X | | Host_Y | +------------+ +------------+
Host_X and Host_Y will be able to communicate via an IPv4 IPsec tunnel.
On NetBSD_A:
# ifconfig wm0 inet 192.168.0.1/24 # ifconfig ipsec0 create # ifconfig ipsec0 tunnel 192.168.0.1 192.168.0.2 # ifconfig ipsec0 inet 172.16.100.1/32 172.16.200.1 start IKE daemon or set security associates manually. # ifconfig wm1 inet 10.100.0.1/24 # route add 10.200.0.1 172.16.100.1
On NetBSD_B:
# ifconfig wm0 inet 192.168.0.2/24 # ifconfig ipsec0 create # ifconfig ipsec0 tunnel 192.168.0.2 192.168.0.1 # ifconfig ipsec0 inet 172.16.200.1/32 172.16.100.1 start IKE daemon or set security associates manually. # ifconfig wm1 inet 10.200.0.1/24 # route add 10.100.0.1 172.16.200.1
ipsecif
device first appeared in
NetBSD 8.0.
ipsecif
interface supports the ESP
protocol only. ipsecif
supports default port number
(4500) only for NAT-Traversal.
January 25, 2018 | NetBSD 9.4 |