NAME
     ipsecif — IPsec interface

SYNOPSIS
     pseudo-device ipsecif

DESCRIPTION
     The ipsecif interface is targeted for route-based VPNs.  It can tunnel
     IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure it with ESP.

     ipsecif interfaces are dynamically created and destroyed with the
     ifconfig(8) create and destroy subcommands.  The administrator must
     configure the ipsecif tunnel endpoint addresses.  These addresses are
     used for the outer IP header of the ESP packets.  The administrator also
     configures the protocol and addresses for the inner IP header with the
     ifconfig(8) inet or inet6 subcommands, and modifies the routing table to
     route the packets through the ipsecif interface.

     The packet processing is similar to gif(4) over ipsec(4) transport mode;
     however, the security policy management is different.  gif(4) over
     ipsec(4) transport mode expects userland programs to manage their
     security policies.  In contrast, ipsecif manages its security policies
     by itself: when the administrator sets up an ipsecif tunnel source and
     destination address pair, the related security policies are created
     automatically in the kernel.  They are automatically deleted when the
     tunnel is destroyed.  This also means that ipsecif ensures that both the
     in and out security policies of a pair exist, that is, ipsecif avoids
     the trouble caused when only one of the in and out security policy pair
     exists.

     There are four security policies generated by ipsecif: one in and out
     pair for IPv4 and one for IPv6.  These security policies are equivalent
     to the following ipsec.conf(5) configuration, where src and dst are the
     IP addresses specified to the tunnel:

          spdadd "src" "dst" ipv4 -P out ipsec esp/transport//unique;
          spdadd "dst" "src" ipv4 -P in ipsec esp/transport//unique;
          spdadd "src" "dst" ipv6 -P out ipsec esp/transport//unique;
          spdadd "dst" "src" ipv6 -P in ipsec esp/transport//unique;

     The ipsecif configuration will fail if such security policies already
     exist, and conversely, adding such policies manually will fail while
     the ipsecif tunnel exists.

     The related security associations can be established by an IKE daemon
     such as racoon(8).  They can also be manipulated manually by setkey(8)
     with the -u option, which sets a security policy's unique id.

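     Because tunnel creation fails when any of the four equivalent policies is
     already present, it is worth checking an existing ipsec.conf(5) for such
     entries, and for policies that exist in only one direction, before running
     ifconfig.  The following is an added example, not part of this manual page
     or of NetBSD; the function names and the sample configuration are
     constructed for illustration.

```python
# Pre-flight check for an ipsecif tunnel: derive the four SPD entries the
# kernel installs for a src/dst pair and flag any that already exist in an
# ipsec.conf(5) text (ipsecif creation fails on such a clash), plus any
# policy whose reverse-direction partner is missing.
# Added example; function names and the sample config are constructed.
import re

# Matches one spdadd line, with or without quoting, capturing
# src, dst, upper-layer spec, direction and the policy string.
SPDADD_RE = re.compile(
    r'spdadd\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s+(ipv4|ipv6|any)'
    r'\s+-P\s+(in|out)\s+ipsec\s+(\S+)\s*;')


def ipsecif_policies(src, dst):
    """The four (src, dst, upper, dir) entries ipsecif creates for a tunnel."""
    return ([(src, dst, fam, "out") for fam in ("ipv4", "ipv6")] +
            [(dst, src, fam, "in") for fam in ("ipv4", "ipv6")])


def parse_spd(conf_text):
    """Return (src, dst, upper, dir) for every spdadd line; policy text ignored."""
    return [m.groups()[:4] for m in SPDADD_RE.finditer(conf_text)]


def conflicts(conf_text, src, dst):
    """Entries ipsecif would create that are already present in conf_text."""
    existing = set(parse_spd(conf_text))
    return [p for p in ipsecif_policies(src, dst) if p in existing]


def unpaired(conf_text):
    """Entries whose partner (swapped src/dst, opposite direction) is missing."""
    existing = set(parse_spd(conf_text))
    flip = {"in": "out", "out": "in"}
    return sorted(p for p in existing
                  if (p[1], p[0], p[2], flip[p[3]]) not in existing)


# Constructed sample: a leftover transport-mode policy from a manual gif(4)
# setup that covers only the outbound direction for IPv4, plus a complete
# tunnel-mode pair for another peer.
SAMPLE_CONF = """
spdadd 192.168.0.1 192.168.0.2 ipv4 -P out ipsec esp/transport//require;
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 10.0.0.2 10.0.0.1 any -P in ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
"""

if __name__ == "__main__":
    for p in conflicts(SAMPLE_CONF, "192.168.0.1", "192.168.0.2"):
        print("clashes with existing policy:", p)
    for p in unpaired(SAMPLE_CONF):
        print("policy without reverse-direction partner:", p)
```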
     Some ifconfig(8) parameters change the behaviour of ipsecif.  link0
     enables NAT-Traversal, link1 enables ECN friendly mode like gif(4), and
     link2 enables forwarding inner IPv6 packets.  Only link2 is set by
     default.  If you use only IPv4 packets as inner packets, you would want
     to run

          # ifconfig ipsec0 -link2

     to reduce the security associations for IPv6 packets.

EXAMPLES
     Configuration example:

          Out IP addr = 172.16.100.1            Out IP addr = 172.16.200.1
          wm0 = 192.168.0.1/24                  wm0 = 192.168.0.2/24
          wm1 = 10.100.0.1/24                   wm1 = 10.200.0.1/24
          +------------+                      +------------+
          |  NetBSD_A  |                      |  NetBSD_B  |
          |------------|                      |------------|
          | [ipsec0] - - - - - (tunnel) - - - - - [ipsec0] |
          |  [wm0]--------------- ... --------------[wm0]  |
          |            |                      |            |
          +---[wm1]----+                      +----[wm1]---+
                |                                    |
          +------------+                      +------------+
          |   Host_X   |                      |   Host_Y   |
          +------------+                      +------------+

     Host_X and Host_Y will be able to communicate via an IPv4 IPsec tunnel.

     On NetBSD_A:

          # ifconfig wm0 inet 192.168.0.1/24
          # ifconfig ipsec0 create
          # ifconfig ipsec0 tunnel 192.168.0.1 192.168.0.2
          # ifconfig ipsec0 inet 172.16.100.1/32 172.16.200.1
          start IKE daemon or set security associations manually.
          # ifconfig wm1 inet 10.100.0.1/24
          # route add 10.200.0.1 172.16.100.1

     On NetBSD_B:

          # ifconfig wm0 inet 192.168.0.2/24
          # ifconfig ipsec0 create
          # ifconfig ipsec0 tunnel 192.168.0.2 192.168.0.1
          # ifconfig ipsec0 inet 172.16.200.1/32 172.16.100.1
          start IKE daemon or set security associations manually.
          # ifconfig wm1 inet 10.200.0.1/24
          # route add 10.100.0.1 172.16.200.1

SEE ALSO
     gif(4), inet(4), inet6(4), ipsec(4), ifconfig(8), racoon(8), setkey(8)

HISTORY
     The ipsecif device first appeared in NetBSD 8.0.

LIMITATIONS
     Currently, the ipsecif interface supports the ESP protocol only.
     ipsecif supports only the default port number (4500) for NAT-Traversal.