GSP
Quick Navigator
Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
if_ipsec(4) FreeBSD Kernel Interfaces Manual if_ipsec(4)

if_ipsecIPsec virtual tunneling interface

The if_ipsec network interface is a part of the FreeBSD IPsec implementation. To compile it into the kernel, place this line in the kernel configuration file:

options IPSEC

It can also be loaded as part of the ipsec kernel module if the kernel was compiled with

options IPSEC_SUPPORT

The if_ipsec network interface is targeted for creating route-based VPNs. It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure it with ESP.

if_ipsec interfaces are dynamically created and destroyed with the ifconfig(8) create and destroy subcommands. The administrator must configure IPsec tunnel endpoint addresses. These addresses will be used for the outer IP header of ESP packets. The administrator can also configure the protocol and addresses for the inner IP header with ifconfig(8), and modify the routing table to route the packets through the if_ipsec interface.

When the if_ipsec interface is configured, it automatically creates special security policies. These policies can be used to acquire security associations from the IKE daemon, which are needed for establishing an IPsec tunnel. It is also possible to create needed security associations manually with the setkey(8) utility.

Each if_ipsec interface has an additional numeric configuration option reqid id. This id is used to distinguish traffic and security policies between several if_ipsec interfaces. The reqid can be specified on interface creation and changed later. If not specified, it is automatically assigned. Note that changing reqid will lead to generation of new security policies, and this may require creating new security associations.

The example below shows manual configuration of an IPsec tunnel between two FreeBSD hosts. Host A has the IP address 192.168.0.3, and host B has the IP address 192.168.0.5.

On host A:

ifconfig ipsec0 create reqid 100
ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5
ifconfig ipsec0 inet 172.16.0.3/16 172.16.0.5
setkey -c
add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!1";
add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!2";
^D

On host B:

ifconfig ipsec0 create reqid 200
ifconfig ipsec0 inet tunnel 192.168.0.5 192.168.0.3
ifconfig ipsec0 inet 172.16.0.5/16 172.16.0.3
setkey -c
add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!1";
add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!2";
^D

Note the value 100 on host A and value 200 on host B are used as reqid. The same value must be used as identifier of the policy entry in the setkey(8) command.

gif(4), gre(4), ipsec(4), ifconfig(8), setkey(8)

Andrey V. Elsukov <ae@FreeBSD.org>

February 6, 2017 FreeBSD 14.3-RELEASE
Search for    or go to Top of page |  Section 4 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.