Diffstat (limited to 'static/freebsd/man4/if_ipsec.4 3.html')
| -rw-r--r-- | static/freebsd/man4/if_ipsec.4 3.html | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/static/freebsd/man4/if_ipsec.4 3.html b/static/freebsd/man4/if_ipsec.4 3.html new file mode 100644 index 00000000..70eee8f8 --- /dev/null +++ b/static/freebsd/man4/if_ipsec.4 3.html 
@@ -0,0 +1,102 @@ +<table class="head"> + <tr> + <td class="head-ltitle">if_ipsec(4)</td> + <td class="head-vol">Device Drivers Manual</td> + <td class="head-rtitle">if_ipsec(4)</td> + </tr> +</table> +<div class="manual-text"> +<section class="Sh"> +<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> +<p class="Pp"><code class="Nm">if_ipsec</code> — <span class="Nd">IPsec + virtual tunneling interface</span></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> +<p class="Pp">The <code class="Cm">if_ipsec</code> network interface is a part + of the <span class="Ux">FreeBSD</span> IPsec implementation. To compile it + into the kernel, place this line in the kernel configuration file:</p> +<div class="Bd Pp Bd-indent"><code class="Cd">options IPSEC</code></div> +<p class="Pp">It can also be loaded as part of the <code class="Cm">ipsec</code> + kernel module if the kernel was compiled with</p> +<div class="Bd Pp Bd-indent"><code class="Cd">options IPSEC_SUPPORT</code></div> +</section> +<section class="Sh"> +<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> +<p class="Pp">The <code class="Nm">if_ipsec</code> network interface is targeted + for creating route-based VPNs. It can tunnel IPv4 and IPv6 traffic over + either IPv4 or IPv6 and secure it with ESP.</p> +<p class="Pp"><code class="Nm">if_ipsec</code> interfaces are dynamically + created and destroyed with the <a class="Xr">ifconfig(8)</a> + <code class="Cm">create</code> and <code class="Cm">destroy</code> + subcommands. The administrator must configure IPsec + <code class="Cm">tunnel</code> endpoint addresses. These addresses will be + used for the outer IP header of ESP packets. 
The administrator can also + configure the protocol and addresses for the inner IP header with + <a class="Xr">ifconfig(8)</a>, and modify the routing table to route the + packets through the <code class="Nm">if_ipsec</code> interface.</p> +<p class="Pp">When the <code class="Nm">if_ipsec</code> interface is configured, + it automatically creates special security policies. These policies can be + used to acquire security associations from the IKE daemon, which are needed + for establishing an IPsec tunnel. It is also possible to create needed + security associations manually with the <a class="Xr">setkey(8)</a> + utility.</p> +<p class="Pp">Each <code class="Nm">if_ipsec</code> interface has an additional + numeric configuration option <code class="Cm">reqid</code> + <var class="Ar">id</var>. This <var class="Ar">id</var> is used to + distinguish traffic and security policies between several + <code class="Nm">if_ipsec</code> interfaces. The + <code class="Cm">reqid</code> can be specified on interface creation and + changed later. If not specified, it is automatically assigned. Note that + changing <code class="Cm">reqid</code> will lead to generation of new + security policies, and this may require creating new security + associations.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1> +<p class="Pp">The example below shows manual configuration of an IPsec tunnel + between two FreeBSD hosts. 
Host A has the IP address 192.168.0.3, and host B + has the IP address 192.168.0.5.</p> +<p class="Pp">On host A:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>ifconfig ipsec0 create reqid 100 +ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5 +ifconfig ipsec0 inet 172.16.0.3/16 172.16.0.5 +setkey -c +add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!1"; +add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!2"; +^D</pre> +</div> +<p class="Pp">On host B:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>ifconfig ipsec0 create reqid 200 +ifconfig ipsec0 inet tunnel 192.168.0.5 192.168.0.3 +ifconfig ipsec0 inet 172.16.0.5/16 172.16.0.3 +setkey -c +add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!1"; +add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!2"; +^D</pre> +</div> +<p class="Pp">Note the value 100 on host A and value 200 on host B are used as + reqid. The same value must be used as identifier of the policy entry in the + <a class="Xr">setkey(8)</a> command.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE + ALSO</a></h1> +<p class="Pp"><a class="Xr">gif(4)</a>, <a class="Xr">gre(4)</a>, + <a class="Xr">ipsec(4)</a>, <a class="Xr">ifconfig(8)</a>, + <a class="Xr">setkey(8)</a></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1> +<p class="Pp"><span class="An">Andrey V. Elsukov</span> + <<a class="Mt" href="mailto:ae@FreeBSD.org">ae@FreeBSD.org</a>></p> +</section> +</div> +<table class="foot"> + <tr> + <td class="foot-date">February 6, 2017</td> + <td class="foot-os">FreeBSD 15.0</td> + </tr> +</table> |
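Review bot: In the EXAMPLES section, all four setkey `add` lines (host A and host B) set up ESP with only `-E rijndael-cbc` and no `-A` authentication algorithm, so the documented tunnel encrypts traffic but does not integrity-protect it. The keys are also printable strings ("VerySecureKey!!1", "VerySecureKey!!2") that readers tend to copy verbatim. If this page is meant to be followed as written, consider adding an authentication algorithm to each SA and stating next to the example that the keys are placeholders to be replaced with randomly generated ones. Separately, the new file path `static/freebsd/man4/if_ipsec.4 3.html` contains a space and a trailing " 3", which reads like an accidental copy of `if_ipsec.4.html`; please confirm the name is intended before merging.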
