<table class="head">
  <tr>
    <td class="head-ltitle">ENC(4)</td>
    <td class="head-vol">Device Drivers Manual</td>
    <td class="head-rtitle">ENC(4)</td>
  </tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">enc</code> &#x2014;
    <span class="Nd">Encapsulating Interface</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp">To compile this driver into the kernel, place the following line
    in your kernel configuration file:</p>
<div class="Bd Pp Bd-indent"><code class="Cd">device enc</code></div>
<p class="Pp">Alternatively, to load the driver as a module at boot time, place
    the following line in <a class="Xr">loader.conf(5)</a>:</p>
<div class="Bd Pp Bd-indent Li">
<pre>if_enc_load=&quot;YES&quot;</pre>
</div>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">The <code class="Nm">enc</code> interface is a software loopback
    mechanism that allows hosts or firewalls to filter
    <a class="Xr">ipsec(4)</a> traffic using any firewall package that hooks in
    via the <a class="Xr">pfil(9)</a> framework.</p>
<p class="Pp">The <code class="Nm">enc</code> interface allows an administrator
    to see, via <a class="Xr">tcpdump(1)</a>, incoming and outgoing packets
    both before and after they are processed by
    <a class="Xr">ipsec(4)</a>.</p>
<p class="Pp">The &#x201C;<code class="Li">enc0</code>&#x201D; interface
    inherits all IPsec traffic. Thus all IPsec traffic can be filtered based on
    &#x201C;<code class="Li">enc0</code>&#x201D;, and all IPsec traffic could be
    seen by invoking <a class="Xr">tcpdump(1)</a> on the
    &#x201C;<code class="Li">enc0</code>&#x201D; interface.</p>
<p class="Pp">What can be seen with <a class="Xr">tcpdump(1)</a> and what will
    be passed on to the firewalls via the <a class="Xr">pfil(9)</a> framework
    can be independently controlled using the following
    <a class="Xr">sysctl(8)</a> variables:</p>
<table class="Bl-column">
  <tr id="Name">
    <td><a class="permalink" href="#Name"><b class="Sy">Name</b></a></td>
    <td>Defaults</td>
    <td>Suggested</td>
  </tr>
  <tr>
    <td>net.enc.out.ipsec_bpf_mask</td>
    <td>0x00000003</td>
    <td>0x00000001</td>
  </tr>
  <tr>
    <td>net.enc.out.ipsec_filter_mask</td>
    <td>0x00000001</td>
    <td>0x00000001</td>
  </tr>
  <tr>
    <td>net.enc.in.ipsec_bpf_mask</td>
    <td>0x00000001</td>
    <td>0x00000002</td>
  </tr>
  <tr>
    <td>net.enc.in.ipsec_filter_mask</td>
    <td>0x00000001</td>
    <td>0x00000002</td>
  </tr>
</table>
<p class="Pp">For the incoming path a value of <code class="Li">0x1</code> means
    &#x201C;<code class="Li">before stripping off the outer
    header</code>&#x201D; and <code class="Li">0x2</code> means
    &#x201C;<code class="Li">after stripping off the outer
    header</code>&#x201D;. For the outgoing path <code class="Li">0x1</code>
    means &#x201C;<code class="Li">with only the inner header</code>&#x201D; and
    <code class="Li">0x2</code> means &#x201C;<code class="Li">with outer and
    inner headers</code>&#x201D;.</p>
<div class="Bd Pp Li">
<pre>incoming path                                          |------|
---- IPsec processing ---- (before) ---- (after) ----&gt; |      |
                                                       | Host |
&lt;--- IPsec processing ---- (after) ----- (before) ---- |      |
outgoing path                                          |------|</pre>
</div>
<p class="Pp">Most people will want to run with the suggested defaults for
    <code class="Cm">ipsec_filter_mask</code> and rely on the security policy
    database for the outer headers.</p>
<p class="Pp">Note that packets are captured by BPF before firewall processing.
    The special value 0x4 can additionally be set in
    <var class="Ar">ipsec_bpf_mask</var>, in which case packets are also
    captured after firewall processing.</p>
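As an added example (not part of the enc(4) manual page or of the FreeBSD sources), the following POSIX sh helper decodes the mask bits described above, rejects values that use bits the page does not document, prints the sysctl(8) commands for the Suggested column of the table, and reports a host's current settings. The <code>enc_*</code> function names, the short bit labels and the <code>report</code>/<code>apply</code> subcommands are this example's own conventions; the decoding runs on any host, while the report and apply paths need a FreeBSD kernel with <code>if_enc</code> loaded.

```shell
#!/bin/sh
# Added example, not part of the enc(4) manual page or the FreeBSD sources:
# helpers for the net.enc.{in,out}.ipsec_{bpf,filter}_mask variables.
# Function names, bit labels and the report/apply subcommands are this
# example's own conventions. Nothing touches the kernel unless "apply" is given.

# enc_decode_mask DIRECTION VALUE
#   Print a comma-separated description of the bits set in VALUE for
#   DIRECTION "in" or "out", using the meanings from DESCRIPTION:
#     in : 0x1 = before stripping the outer header, 0x2 = after stripping it
#     out: 0x1 = inner header only,                 0x2 = outer and inner headers
#     0x4 = also captured after firewall processing (ipsec_bpf_mask only)
enc_decode_mask() {
    dir=$1
    mask=$(( $2 ))
    desc=""
    if [ $(( mask & 1 )) -ne 0 ]; then
        if [ "$dir" = in ]; then desc="${desc}before-outer-strip,"
        else desc="${desc}inner-only,"; fi
    fi
    if [ $(( mask & 2 )) -ne 0 ]; then
        if [ "$dir" = in ]; then desc="${desc}after-outer-strip,"
        else desc="${desc}outer+inner,"; fi
    fi
    if [ $(( mask & 4 )) -ne 0 ]; then
        desc="${desc}also-after-firewall,"
    fi
    if [ $(( mask & ~7 )) -ne 0 ]; then
        desc="${desc}unknown-bits,"
    fi
    [ -n "$desc" ] || desc="none,"
    printf '%s\n' "${desc%,}"
}

# enc_check_mask KIND VALUE
#   Succeed only when VALUE uses documented bits for KIND "bpf" or "filter".
#   0x4 is documented for ipsec_bpf_mask only, so it is rejected for filter.
enc_check_mask() {
    kind=$1
    mask=$(( $2 ))
    [ $(( mask & ~7 )) -eq 0 ] || return 1
    if [ "$kind" = filter ] && [ $(( mask & 4 )) -ne 0 ]; then
        return 1
    fi
    return 0
}

# enc_suggested_cmds
#   Print the sysctl(8) commands for the "Suggested" column of the table.
enc_suggested_cmds() {
    printf 'sysctl net.enc.out.ipsec_bpf_mask=0x00000001\n'
    printf 'sysctl net.enc.out.ipsec_filter_mask=0x00000001\n'
    printf 'sysctl net.enc.in.ipsec_bpf_mask=0x00000002\n'
    printf 'sysctl net.enc.in.ipsec_filter_mask=0x00000002\n'
}

# enc_report
#   On a FreeBSD host with if_enc loaded, describe each current mask value
#   and flag settings that use undocumented bits.
enc_report() {
    for dir in in out; do
        for kind in bpf filter; do
            oid="net.enc.$dir.ipsec_${kind}_mask"
            if ! val=$(sysctl -n "$oid" 2>/dev/null); then
                printf '%s: not available (is if_enc loaded?)\n' "$oid"
                continue
            fi
            warn=""
            enc_check_mask "$kind" "$val" || warn=" (undocumented bits)"
            printf '%s=%s -> %s%s\n' "$oid" "$val" \
                "$(enc_decode_mask "$dir" "$val")" "$warn"
        done
    done
}

# Usage: sh enc-masks.sh report   (describe the current values)
#        sh enc-masks.sh apply    (set the Suggested values; needs root)
case "${1:-}" in
    report) enc_report ;;
    apply)  enc_suggested_cmds | sh ;;
esac
```

Running <code>report</code> first and <code>apply</code> only after reading its output keeps the change reviewable: the report shows, in the page's own terms, at which point of IPsec processing BPF and the pfil(9) firewalls currently see traffic, which is the information an operator needs before deciding whether the Suggested values fit the host.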
</section>
<section class="Sh">
<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1>
<p class="Pp">To see the packets processed via <a class="Xr">ipsec(4)</a>,
    adjust the <a class="Xr">sysctl(8)</a> variables according to your need and
    run:</p>
<div class="Bd Bd-indent"><code class="Li">tcpdump -i enc0</code></div>
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
  ALSO</a></h1>
<p class="Pp"><a class="Xr">tcpdump(1)</a>, <a class="Xr">bpf(4)</a>,
    <a class="Xr">ipf(4)</a>, <a class="Xr">ipfw(4)</a>,
    <a class="Xr">ipsec(4)</a>, <a class="Xr">pf(4)</a></p>
</section>
</div>
<table class="foot">
  <tr>
    <td class="foot-date">August 9, 2017</td>
    <td class="foot-os">FreeBSD 15.0</td>
  </tr>
</table>