if_enc (4)

Leading comments

	$OpenBSD: enc.4,v 1.22 2006/05/26 08:51:29 jmc Exp $

 Copyright (c) 1999 Angelos D. Keromytis
 All rights reserved.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:

 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of con...

(The comments found at the beginning of the groff file "man4/if_enc.4freebsd".)

NAME

enc - Encapsulating Interface

SYNOPSIS

To compile this driver into the kernel, place the following line in your kernel configuration file:

device enc

DESCRIPTION

The interface is a software loopback mechanism that allows hosts or firewalls to filter ipsec(4) traffic using any firewall package that hooks in via the pfil(9) framework.

The interface allows an administrator to see incoming and outgoing packets before and after they will be or have been processed by ipsec(4) via tcpdump(1).

The ``enc0 '' interface inherits all IPsec traffic. Thus all IPsec traffic can be filtered based on ``enc0 '' and all IPsec traffic could be seen by invoking tcpdump(1) on the ``enc0 '' interface.

What can be seen with tcpdump(1) and what will be passed on to the firewalls via the pfil(9) framework can be independently controlled using the following sysctl(8) variables:

Name  Defaults        Suggested

"net.enc.out.ipsec_bpf_mask       0x00000003      0x00000001"

"net.enc.out.ipsec_filter_mask0x000000010x00000001"

"net.enc.in.ipsec_bpf_mask0x000000010x00000002"

"net.enc.in.ipsec_filter_mask0x000000010x00000002"

For the incoming path a value of
0x1 means ``before stripping off the outer header '' and 0x2 means ``after stripping off the outer header '' For the outgoing path 0x1 means ``with only the inner header '' and 0x2 means ``with outer and inner headers ''

incoming path                                          |------|
---- IPsec processing ---- (before) ---- (after) ----> |      |
                                                       | Host |
<--- IPsec processing ---- (after) ----- (before) ---- |      |
outgoing path                                          |------|

Most people will want to run with the suggested defaults for ipsec_filter_mask and rely on the security policy database for the outer headers.

EXAMPLES

To see the packets the processed via ipsec(4), adjust the sysctl(8) variables according to your need and run:

"tcpdump -i enc0"

SEE ALSO

tcpdump(1), bpf(4), ipf(4), ipfw(4), ipsec(4), pf(4), tcpdump(8)